Verdict: MALICIOUS
Risk Score: 212

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is an OOXML Word document containing VBA macros. Heuristics indicate the presence of a renamed VBA project and the use of the Shell() and CreateObject() functions, suggesting execution of arbitrary code. The AutoOpen subroutine is configured to execute the Shell() function, which is a strong indicator of downloader or dropper functionality.
Heuristics (8)

- VBA project inside OOXML (medium, OOXML_VBA; 5 related findings): Document contains a VBA project. VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureV3.bin).
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access).
- VBA project carries a recognised code-signing signature (info, VBA_SIGNED_TRUSTED): The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only: the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.i4i.com/ (in document text: OOXML body / shared strings)
Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1195387 bytes | 7b7aa2faa6aa0cf3a68000c79e90f15df5276d04c9415d3c7d38529d45260388 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 2685440 bytes | a193f11b1e7427053cbbee8f08374da151b5160f20608ed677e6d00eed0e9423 |
| vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureV3.bin | 9079 bytes | fc92bbef9e141d3a8f686b09307349dc0a0c55de4a1046847607c3e507962fc1 |
| vbaProject_02.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureAgile.bin | 9079 bytes | ac86d47f6a0746de1826d31c3363ce078e3ccd3d1b0f281315f1d363b430b2a1 |
| vbaProject_03.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 8964 bytes | d028090fa6d52eea1d4b37f55e6180a5a30798856c70529bddfd278f1c7e8fd8 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'Company: Infrastructures For Information - i4i(www.i4i.com)
'Comment: Holds document level events
'Date Created: 2010.10.15
'Developer: Rob Southon
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Sub Document_ContentControlAfterAdd(ByVal NewContentControl As ContentControl, ByVal InUndoRedo As Boolean)
    On Error Resume Next
    'Fixed to #20888, #20890
    If InUndoRedo Then
        g_bSkipEvents = True
        Exit Sub
    End If
    Dim oDoc As Document
    Set oDoc = NewContentControl.Parent
    'Remove myself if I'm not allowed - don't allow creation of a CO, CC, HD, ST inside of a CO - 12457
    If NewContentControl.Tag <> "" Then 'Don't act on CCs without a tag
        Dim sMyPrefix As String
        Dim sParentPrefix As String
        sMyPrefix = Left(NewContentControl.Tag, 3)
        sParentPrefix = Left(NewContentControl.ParentContentControl.Tag, 3)
        If (sMyPrefix = gc_sCCPrefixPCData Or sMyPrefix = gc_sCCPrefixStructure Or sMyPrefix = gc_sCCPrefixHighlight _
            Or sMyPrefix = gc_sCCPrefixHeading Or sMyPrefix = gc_sCCPrefixStandardText Or sMyPrefix = gc_sCCPrefixHighlight) _
           And (sParentPrefix = gc_sCCPrefixKeyword Or sParentPrefix = gc_sCCPrefixPCData _
            Or sParentPrefix = gc_sCCPrefixHeading Or sParentPrefix = gc_sCCPrefixStandardText) Then
            'i4i internal: defect12556
            'if parent content control is "st:adverse_highlight", it shouldn't be deleted - special description in highlight for section 6
            If NewContentControl.ParentContentControl.Tag <> gc_sCCPrefixStandardText + "adverse_highlight" Then
                NewContentControl.Delete False
            End If
            Exit Sub
        End If
    End If
    'For moving sections so we don't duplicate IDs
    If g_bSkipIds = True Then Exit Sub
    'Add in our GUID attributes
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttGuid, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttGuid, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
    '16583 - set our permanent ID attribute values
    If g_CAttribute.GetAttributeValue(NewContentControl, gc_sAttPermId, gc_sXmlnsX4wAttVals) = "" Then
        g_CAttribute.SetAttributeValue NewContentControl, gc_sAttPermId, CreateGUID, gc_sXmlNsAlicei4i, "", gc_sXmlnsX4wAttVals
    End If
End Sub

Private Sub Document_ContentControlOnEnter(ByVal ContentControl As ContentControl)
    On Error GoTo PROC_ERR
    If g_bSkipEvents = True Then Exit Sub
    'for densemarkup - autoselect
    If ContentControl.Tag = "ct:DenseMarkup" Then
        selectDenseMarkupNode ContentControl
    End If
    If ContentControl.Tag = "cv:Materials" Then
        CleanUpMaterialListEntries
    End If
    Dim oDoc As Document
    Set oDoc = ContentControl.Parent
    'i4i internal: defect12631
    'Keep a flag to remember if the doc was saved because setting locks dirties the document and we don't want it to
    Dim bDocSaved As Boolean
    bDocSaved = oDoc.Saved
    'i4i internal: defect12087
    'this would cause "can't execute code in break mode" error after close IE browser
    If IsError(g_ox4oRibbon) = False Then
        If Not g_ox4oRibbon Is Nothing Then
            g_ox4oRibbon.Invalidate
        End If
    Else
        'We don't have control of the menus! Inform the user and close the document
        If MsgBox(g_CLocalization.GetMessage("c_X4O_NOT_CONNECTED_CONFIRM_SAVE", gc_sAppName), vbYesNo + vbCritical, gc_sAppName) = vbYes Then
            oDoc.Close True
        Else
```

... (truncated)