Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ac6cc0c95e131ca3…

MALICIOUS

Office (OLE)

Size: 99.5 KB
First seen: 2020-05-25
MD5: 120749d0281e6cb1f3c997d43dadb058
SHA-1: 16dd2fa1ab6d552abf4c4fe866261c1d4a4bb428
SHA-256: ac6cc0c95e131ca3c0804dfd41d144b82682fd51933004071f5c24dc00bdd42c
Risk score: 86

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE document carrying VBA macros with three auto-execution entry points recovered from the p-code disassembly (the FuncDefn lines quoted under each finding): AutoOpen, which fires in Word, and Workbook_Open and Auto_Open, which fire in Excel. Declaring all three is a common way to make the macro run whichever application opens the file. The individual findings are medium and low severity, not high; the MALICIOUS verdict comes from their combination. The reference to VirtualAlloc is the most telling single indicator, since allocating executable memory is what a macro needs to stage shellcode, so in-memory payload execution is a more likely next step than a plain URL download. The only embedded URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the standard DrawingML XML namespace and not an indicator of compromise. Two caveats: the legacy-WordBasic rule's description states that no VBA project was recovered, which is contradicted by the VBA findings and by the extracted macros.bas, so that rule should be treated as the weaker signal; and the extracted macro stream did not preview as readable source, so the payload staging logic could not be confirmed from this report alone.

Heuristics (7)

  • Reference to VirtualAlloc API (medium) [SC_STR_VIRTUALALLOC]
    The macro references the VirtualAlloc API. Allocating RWX memory is the first step of in-memory shellcode staging, which makes this the strongest single indicator in the list; it is rated medium on its own because a reference does not prove the call is reached.
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The "no modern VBA project was recovered" clause conflicts with the VBA findings below and with the extracted macros.bas; weigh this rule accordingly.)
  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen runs automatically when the document is opened in Word.
    Matched line in script:
    ' Line #26:
    '  FuncDefn (Sub AutoOpen())
    ' Line #27:
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Workbook_Open runs automatically when the workbook is opened in Excel.
    Matched line in script:
    ' Line #29:
    '  FuncDefn (Sub Workbook_Open())
    ' Line #30:
  • Auto_Open macro (low) [OLE_VBA_AUTO]
    Auto_Open is the legacy Excel auto-run entry point and also fires when the workbook is opened.
    Matched line in script:
    ' Line #10:
    '  FuncDefn (Sub Auto_Open())
    ' Line #11:
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace, not a contact address.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88972 bytes
SHA-256: b5ca8da167109fcc5d1394031ffb4e1b518fb69ffce6014b8fd8052aba3be0e9
Preview script
First 1,000 lines of the extracted script: not reproduced here. The dumped stream does not render as printable VBA statements but as opaque, high-entropy bytes, so no source could be read from this preview. Treat the macros.bas artifact as unverified until the macro streams are re-extracted from the original sample (for example with olevba) and the output is confirmed to be text.
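As an added example, not part of this report and not code from oletools, the following Python triage script applies the same checks the heuristics above encode to an extracted macro text, and adds the sanity check the artifact preview above needed: it finds auto-exec entry points in either VBA source or pcodedmp-style FuncDefn lines, flags memory-allocation and process APIs such as VirtualAlloc, separates standard XML namespace URLs from real indicators, and tests whether a "decoded VBA source" artifact is actually readable text rather than an opaque stream. The VBA sample, the p-code line and the byte blob are constructed inputs modelled on the findings; the API list, benign-prefix list, entropy threshold and verdict rules are the example's own assumptions, not the analysis engine's.

```python
import math
import re
from collections import Counter

# Auto-exec procedure names that run on open, keyed by the application they fire in.
AUTOEXEC = {
    "AutoOpen": "Word", "AutoExec": "Word", "Document_Open": "Word",
    "Auto_Open": "Excel", "Workbook_Open": "Excel",
}
_AUTOEXEC_BY_LOWER = {name.lower(): (name, app) for name, app in AUTOEXEC.items()}

# Assumed list: APIs whose presence in a macro usually means in-memory staging or process launch.
SUSPICIOUS_APIS = ("VirtualAlloc", "VirtualAllocEx", "CreateThread", "RtlMoveMemory",
                   "WriteProcessMemory", "URLDownloadToFile", "Shell", "CreateObject")
# Assumed list: XML namespace hosts present in any OOXML/DrawingML document, not indicators.
BENIGN_URL_PREFIXES = ("http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/",
                       "http://www.w3.org/")

# Matches "Sub AutoOpen(" in VBA source and "FuncDefn (Sub AutoOpen()" in p-code disassembly.
_PROC_RE = re.compile(r"(?:FuncDefn\s*\(\s*)?(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
                      r"([A-Za-z_]\w*)\s*\(", re.I)
_URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def triage_vba(text):
    """Return auto-exec entry points, suspicious API references, URL split and a verdict."""
    procs = {m.group(1) for m in _PROC_RE.finditer(text)}
    hits = [_AUTOEXEC_BY_LOWER[p.lower()] for p in procs if p.lower() in _AUTOEXEC_BY_LOWER]
    entry_points = sorted(name for name, _ in hits)
    target_apps = sorted({app for _, app in hits})
    api_refs = sorted(api for api in SUSPICIOUS_APIS
                      if re.search(r"\b%s\b" % re.escape(api), text, re.I))
    urls = sorted(set(_URL_RE.findall(text)))
    benign_urls = [u for u in urls if u.lower().startswith(BENIGN_URL_PREFIXES)]
    ioc_urls = [u for u in urls if u not in benign_urls]
    # Verdict rule (assumed): auto-exec plus a staging API or a real URL is malicious;
    # any one of them alone is only suspicious.
    if entry_points and (api_refs or ioc_urls):
        verdict = "malicious"
    elif entry_points or api_refs or ioc_urls:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"entry_points": entry_points, "target_apps": target_apps, "api_refs": api_refs,
            "benign_urls": benign_urls, "ioc_urls": ioc_urls, "verdict": verdict}


def shannon_entropy(data):
    """Bits per byte: compressed or encrypted streams sit near 8.0, source text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data, min_printable_ratio=0.95):
    """True when the bytes are overwhelmingly printable ASCII plus tab, CR and LF."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= min_printable_ratio


def artifact_is_readable_source(data):
    """Sanity check for a 'decoded VBA source' artifact before trusting its preview."""
    return looks_like_text(data) and shannon_entropy(data) < 6.0  # 6.0 is an assumed cut-off


# Constructed macro text modelled on the findings above; not the sample's real code.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal lpAttr As LongPtr, ByVal dwStackSize As Long, ByVal lpStart As LongPtr, lpParam As LongPtr, ByVal dwFlags As Long, lpThreadId As Long) As LongPtr
Sub Auto_Open()
    Stage
End Sub
Sub AutoOpen()
    Stage
End Sub
Sub Workbook_Open()
    Stage
End Sub
Sub Stage()
    Dim ns As String
    ns = "http://schemas.openxmlformats.org/drawingml/2006/main"
    ' payload staging would go here
End Sub
"""
# Constructed p-code disassembly line in the form quoted under the AutoOpen finding.
SAMPLE_PCODE = "' Line #26:\n'  FuncDefn (Sub AutoOpen())\n' Line #27:\n"
# Constructed stand-in for an opaque (compressed or encoded) stream: every byte value equally often.
OPAQUE_BLOB = bytes(range(256)) * 4

if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))
    print("p-code entry points:", triage_vba(SAMPLE_PCODE)["entry_points"])
    print("opaque blob readable as source:", artifact_is_readable_source(OPAQUE_BLOB))
```

Run against a real extraction by passing the text olevba produced to `triage_vba` and its raw bytes to `artifact_is_readable_source`; the entropy gate is the check that would have caught the unreadable macros.bas preview before any conclusion was drawn from it.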