MALICIOUS
392
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1140 Deobfuscate or Decode Files or Information
The sample is a macro-enabled document (DOCM) with a Document_Open macro that triggers an obfuscated VBA loader. This loader uses CreateObject and Shell calls to download and execute a second-stage payload. The VBA script contains references to 'https://nfse.salvador.ba.gov.br/rps/' and 'https://nfse.salvador.ba.gov.br/', which are likely used as part of the payload delivery mechanism.
Heuristics 12
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://nfse.salvador.ba.gov.br/rps/
- https://nfse.salvador.ba.gov.br/
- http://tempuri.org/IConsultaLoteRPS/ConsultarLoteRPS
- http://tempuri.org/IConsultaLoteRPS/ConsultarLoteRPSComplementar
- http://tempuri.org/IConsultaNfse/ConsultarNfse
- http://tempuri.org/IConsultaNfse/ConsultarNfseComplementar
- http://tempuri.org/IConsultaNfseRPS/ConsultarNfseRPS
- http://tempuri.org/IConsultaNfseRPS/ConsultarNfseRPSComplementar
- http://tempuri.org/IConsultaSituacaoLoteRPS/ConsultarSituacaoLoteRPS
- http://tempuri.org/IEnvioLoteRPS/EnviarLoteRPS
- http://tempuri.org/IEnvioLoteRPS/EnviarLoteRPSComplementar
- http://tempuri.org/IConsultaSituacaoNfse/ConsultarSituacaoNfse
- https://nfse.salvador.ba.gov.br/nfts/ws/
- https://nfse.salvador.ba.gov.br/nfts
- http://tempuri.org/
- http://www.abrasf.org.br/ABRASF/arquivos/nfse.xsd
- https://notafse-backend.cachoeiro.es.gov.br/nfse/NfseWSService|2.04
- https://pe-petrolina-pm-nfs-backend.cloud.el.com.br/nfse/NfseWSService|2.04
- http://rj-novafriburgo-pm-nfs.cloud.el.com.br:80/NfseWSService|2.04
- https://nfe.pmvc.ba.gov.br:443/el-nfse/NfseWSService|2.04
- http://es-viana-pm-nfs.cloud.el.com.br:80/NfseWSService
- http://es-colatina-pm-nfs.cloud.el.com.br:80/NfseWSService
- http://nfse.abrasf.org.br
- http://www.abrasf.org.br/nfse.xsd
- https://ws.catalao.go.gov.br/prodataws/services/NfseWSService/|2.01
- http://services.nfse
- https://www.geisweb.net.br:443/producao/cajamar/webservice/GeisWebServiceImpl.php
- https://www.geisweb.net.br/producao/cajamar/webservice/GeisWebServiceImpl.php
- http://www.geisweb.com.br/xsd/envio_lote_rps.xsd
- http://www.geisweb.com.br/xsd/envio_lote_rps_async.xsd
- https://iss.londrina.pr.gov.br:443/ws/v1_03/sigiss_ws.php
- http://iss.londrina.pr.gov.br/ws/v1_03
- https://tributario.bauru.sp.gov.br/services/|0000
- http://pmbirigui02.smarapd.com.br:9999/smartb/services/|3
- https://aparecida.siltecnologia.com.br/tbw/services/|0000
- http://webservices.sil.com/
- https://nfe.portoalegre.rs.gov.br:443/bhiss-ws/nfse|1.0
- http://ws.bhiss.pbh.gov.br
- http://webservice.giap.com.br/WSNfsesScarlos02/nfseresources/ws/
- http://visualizar.ginfes.com.br/report/consultarNota?__report=nfs_ver4&cdVerificacao=
- https://nfse.caxias.rs.gov.br/portal/Servicos?wsdl
- http://ws.pc.gif.com.br/
- https://nfse.caxias.rs.gov.br/nfse/consultaExterna/
- https://valadares.sigiss.com.br:443/valadares/ws/sigiss_ws.php
- https://marilia.sigiss.com.br:443/marilia/ws/sigiss_ws.php
- https://nfse-ws.ecity.maringa.pr.gov.br/MaringaNfse.asmx
- http://tempuri.org
- https://nfse.goiania.go.gov.br/ws/nfse.asmx
- http://nfse.goiania.go.gov.br/ws/
- http://nfse.goiania.go.gov.br/xsd/nfse_gyn_v02.xsd
+204 more URL(s)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas4fc68c62bc8b04de22311c5eac2ecd27ababeb78538b18cd01d7a1e141de65dd |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2431246 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 long base64-like blob(s).
|
|||
vbaProject_00.bin2124918745ec324e4e0090267ba6906f01502e23c9c9b6fc4c0913b8bf23e84e |
vba-project | OOXML VBA project: word/vbaProject.bin | 6182400 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 8 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.