Verdict: MALICIOUS (Risk Score 162)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. The 'Document_Open' macro is present and triggers a 'Shell()' call, indicating an attempt to execute an external command. This is a common technique for downloading and executing further malicious payloads. No specific family could be identified from the available evidence.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12679 bytes |

SHA-256 of macros.bas: d84f6c175b2ed845e2adf3a32650e5df64d6bf6b0f70846ef80dcc5cb4c779f9
Preview script (first 1,000 lines of the extracted script; one declaration per line as extracted, truncated):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function xikybi(gbixmuwy) xikybi = gbixmuwy End Function
Function sebak(kikxosu) sebak = kikxosu End Function
Function iqem(goho) iqem = goho End Function
Function yvijh(yxoc) yvijh = yxoc End Function
Function hvese(ixraxzi) hvese = ixraxzi End Function
Function omnufa(uniwe) omnufa = uniwe End Function
Function ijimko(rifwibn) ijimko = rifwibn End Function
Function etuqx(ikvefwe) etuqx = ikvefwe End Function
Function ysedur(ygovoxx) ysedur = ygovoxx End Function
Function ufyl(izocitj) ufyl = izocitj End Function
Function ghuve(holmukbe) ghuve = holmukbe End Function
Function xbevroh(vovecta) xbevroh = vovecta End Function
Function yqyfwo(qsifu) yqyfwo = qsifu End Function
Function tmatrovcy(ibrotnih) tmatrovcy = ibrotnih End Function
Function qimenvu(epazp) qimenvu = epazp End Function
Function bipuv(jitrome) bipuv = jitrome End Function
Function pnomell(luglusfe) pnomell = luglusfe End Function
Function wjyhitd(equng) wjyhitd = equng End Function
Function arvaze(tafifdo) arvaze = tafifdo End Function
Function yzsoxzu(tusdufqo) yzsoxzu = tusdufqo End Function
Function szali(iqyqt) szali = iqyqt End Function
Function ecdizyp(pesofx) ecdizyp = pesofx End Function
Function nqykyqo(qsyjnids) nqykyqo = qsyjnids End Function
Function xavu(enuxj) xavu = enuxj End Function
Function abuba(yfynxats) abuba = yfynxats End Function
Function aqupazf(ybam) aqupazf = ybam End Function
Function zmemxuwu(xabpy) zmemxuwu = xabpy End Function
Function dcano(enib) dcano = enib End Function
Function fuda(arajcu) fuda = arajcu End Function
Function ypgylna(mudhur) ypgylna = mudhur End Function
Function alqyjehf(ewsahm) alqyjehf = ewsahm End Function
Function akubocf(qage) akubocf = qage End Function
Function uhqidu(uffufjen) uhqidu = uffufjen End Function
Function bzyhizd(gucuzza) bzyhizd = gucuzza End Function
Function zundof(imzuvka) zundof = imzuvka End Function
Function ewev(quhe) ewev = quhe End Function
Function kite(lolqotmy) kite = lolqotmy End Function
Function ervecpyxk(afvylla) ervecpyxk = afvylla End Function
Function uppush(hqaqabl) uppush = hqaqabl End Function
Function qradegy(roxenni) qradegy = roxenni End Function
Function tifetti(dxuwone) tifetti = dxuwone End Function
Function ibyssu(ykrifi) ibyssu = ykrifi End Function
Function xoveklo(wvupqamta) xoveklo = wvupqamta End Function
Function epeb(bviga) epeb = bviga End Function
Function yxunl(ykbuhkyk) yxunl = ykbuhkyk End Function
Function bvebi(iddopky) bvebi = iddopky End Function
Function lusdun(iwsecwar) lusdun = iwsecwar End Function
Function tarpi(eskowhyc) tarpi = eskowhyc End Function
Function edfovvap(vave) edfovvap = vave End Function
Function mkogvyvfo(afyfnyvr) mkogvyvfo = afyfnyvr End Function
Function bzamlera(hcughy) bzamlera = hcughy End Function
Function tupli(mbemkek) tupli = mbemkek End Function
Function puhce(abypj) puhce = abypj End Function
Function eqjavku(synxyfzu) eqjavku = synxyfzu End Function
Function yzijn(afunlym) yzijn = afunlym End Function
Function afajbodl(ykinis) afajbodl = ykinis End Function
Function ehnatf(wemy) ehnatf = wemy End Function
Function ltadjiqc(keldohnu) ltadjiqc = keldohnu End Function
Function qupi(omxynymh) qupi = omxynymh End Function
Function ruhce(avyl) ruhce = avyl End Function
Function uvhukj(unofemk) uvhukj = unofemk End Function
Function kqicy(odywe) kqicy = odywe End Function
Function kqathesq(ewozijd) kqathesq = ewozijd End Function
Function ajhatno(eqyhxaf) ajhatno = eqyhxaf End Function
Function opqebsucz(uqoxsenp) opqebsucz = uqoxsenp End Function
Function borojwi(xuruxk) borojwi = xuruxk End Function
Function hyvil(atqimu) hyvil = atq ... (truncated)
```