Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The sample contains VBA macros, including an AutoOpen macro that uses Shell() and CreateObject() calls, indicating malicious intent. The document body presents a deceptive 'Request for Proposal' for maintenance services, aiming to trick the user into interacting with the malicious content. The VBA script likely attempts to download and execute a second-stage payload or harvest information.
Heuristics (8)

- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignature.bin)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader). Note that the extracted artifacts below list both word/vbaProject.bin (43520 bytes) and word/vbaProjectSignature.bin (3658 bytes); the latter is the part name Office uses for a VBA project's digital signature, so this finding should be checked against the carved parts before it is relied on.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA project is signed but not by a recognised publisher (info, VBA_SIGNED_UNTRUSTED): The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  - http://cdp.pki.niedersachsen.de/niedersachsen-ca-internal.crl
  - http://cdp1.pca.dfn.de/niedersachsen-internal-ca/pub/crl/cacrl.crl
  - http://cdp2.pca.dfn.de/niedersachsen-internal-ca/pub/crl/cacrl.crl
  - http://ocsp.pca.dfn.de/OCSP-Server/OCSP
  - http://cdp1.pca.dfn.de/niedersachsen-internal-ca/pub/cacert/cacert.crt
  - http://cdp2.pca.dfn.de/niedersachsen-internal-ca/pub/cacert/cacert.crt
Extracted artifacts (3)

Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12954 bytes | 38bdd7314c596442b3b939a9830d0384d265fab22d986188f93283bdaa43a0c2 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43520 bytes | e905ba2840ebfe0cb88620331a00f47d3131ddce7778d362e064ea6b1abccec8 |
| vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 3658 bytes | c05a7c7bebdd8f8f7992d69aec4e162b291b6b8afe772e2b1b028003b7313ab3 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TB99, 9, 9, MSForms, TextBox"
Attribute VB_Control = "OB3, 8, 10, MSForms, OptionButton"
Attribute VB_Control = "OB2, 7, 11, MSForms, OptionButton"
Attribute VB_Control = "OB1, 6, 12, MSForms, OptionButton"
Attribute VB_Control = "AN_pruefen, 5, 13, MSForms, CommandButton"
Attribute VB_Control = "AG_pruefen, 4, 14, MSForms, CommandButton"
Attribute VB_Control = "TB4, 3, 15, MSForms, TextBox"
Attribute VB_Control = "TB3, 2, 16, MSForms, TextBox"
Attribute VB_Control = "TB2, 1, 17, MSForms, TextBox"
Attribute VB_Control = "TB1, 0, 18, MSForms, TextBox"
Dim leer$
Dim Fehlertext$
Dim i As Integer
Dim fehler As Boolean
Dim ok As Boolean
Sub FelderAktualisieren()
ActiveWindow.View.Type = wdNormalView
ActiveWindow.View.Type = wdReadingView
ActiveWindow.View.Type = wdPrintView
End Sub
Dim Start As Integer
Private Sub AG_Pruefen_Click()
Dim Fragewert
Dim Merkauswahl
Start = 1
Fragewert = MsgBox("Bitte prüfen Sie, ob Sie das Dokument jetzt sperren wollen!" & Chr$(13) & Chr$(13) & _
"Sie können dann keine weiteren Eingaben tätigen." & Chr(13) & Chr(13) & _
"Wollen Sie das Dokument jetzt sperren?", 292, "Elektronische Angebotsaufforderung Wartung 2018")
If Fragewert <> 6 Then
Exit Sub
End If
ok = True
Fehlertext$ = ""
leer$ = TB1.Text: i = 1: Datum_Test leer$, i, fehler: If fehler = True Then TB1.BackColor = &HFF& Else TB1.BackColor = &HE0E0E0
leer$ = TB2.Text: i = 2: Leerprüfung leer$, i, fehler: If fehler = True Then TB2.BackColor = &HFF& Else: TB2.BackColor = &HE0E0E0
leer$ = TB4.Text: i = 3: Leerprüfung leer$, i, fehler: If fehler = True Then TB4.BackColor = &HFF& Else: TB4.BackColor = &HE0E0E0
Merkauswahl = 0
If OB1.Value = True Then Merkauswahl = 1
If OB2.Value = True Then Merkauswahl = 1
If OB3.Value = True Then Merkauswahl = 1
If Merkauswahl = 0 Then
MsgBox "Deckblatt: Keine Angebotsart ausgewählt!" & Chr(13) & Chr(13) & "Dokument kann nicht gesperrt werden!", 48, " Elektronisches Vertragsmuster Wartung 2014"
ok = False
Fehlertext$ = Fehlertext$ + "Deckblatt: Sie haben keine Angebotsart ausgewählt" & vbCrLf
OB1.BackColor = &HFF&: OB2.BackColor = &HFF&: OB3.BackColor = &HFF&
Else 'ok
OB1.BackColor = &HE0E0E0: OB2.BackColor = &HE0E0E0: OB3.BackColor = &HE0E0E0
End If
If ok = False Then
MsgBox "Felder enthielten Fehler. Diese Felder wurden rot markiert" & Chr(13) & Chr(13) & _
"Dokument kann nicht gesperrt werden!" & Chr(13) & Chr(13) & "Die Fehler sind in der folgenden Fehlerdatei <Fehlermeldung.txt.> aufgelistet.", 48, "Elektronische Angebotsaufforderung Wartung 2018"
Dim Start1 As Variant
Dim Datei As String
Dim Dat_Pfad As String
Dim fso As Object
Dim ts As Object
Dat_Pfad = ActiveDocument.Path
Datei = Dat_Pfad & "\Fehlermeldung.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(Datei, 2)
ts.write Fehlertext$
ts.Close
Start1 = Shell("Notepad.exe " & Datei, 3)
Exit Sub
End If
If ok = False Then Exit Sub
AG_pruefen.BackColor = &HE0E0E0
AG_pruefen.ForeColor = &HFFFFFF
AG_pruefen.Locked = True
AG_pruefen.Caption = "Auftraggeber-Felder gesperrt"
AG_pruefen.Enabled = False
AN_pruefen.Enabled = True
AN_pruefen.Locked = False
AN_pruefen.BackColor = &H80FF&
Schliesse_AG 'Ruft das Makro zum Sperren auf
Oeffne_AN 'Ruft das Makro zum Freigeben auf
Start = 0
End Sub
Function Schliesse_AG()
xxx = Format(TB1.Text, "DD.MM.YYYY"): TB1.Text = xxx
TB1.Locked = True: TB1.BackColor = &HE0E0E0
TB2.Locked = True: TB2.BackColor = &HE0E0E0
TB4.Locked = True: TB4.BackColor = &HE0E0E0
OB1.Locked = True: OB1.BackColor = &HE0E0E0
OB2.Locked = True: OB2.BackColor = &HE0E0E0
OB3.Locked = True: OB3.BackColor = &HE0E0E0
End Function
Function Oeffne_A
... (truncated)
```