MALICIOUS
238
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1071.001 Web Protocols
The sample contains a VBA macro with a Document_Open subroutine that uses WScript.Shell to execute commands. The macro attempts to save the document to a specific path and then calls a function 'ConnectWebService' which likely attempts to upload the document or download a payload. This behavior is indicative of a downloader or data exfiltration tool.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6357699-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6357699-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set WshShell = CreateObject("WScript.Shell") SpecialPath = WshShell.SpecialFolders("MyDocuments") & "\Documents temporaires ParcoursH" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objXmlhttp = CreateObject("MSXML2.xmlhttp") ' Load XML -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() -
External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKSDocument contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.google.fr/imgres?imgurl=http://bates.blog.lemonde.fr/files/2009/04/logo_pole_emploi.1238685507.jpg&imgrefurl=http://bates.blog.lemonde.fr/2009/04/02/
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://tempuri.org/ In document text (OOXML body / shared strings)
- http://tempuri.org/UploadFileIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/pictureIn document text (OOXML body / shared strings)
- http://www.google.fr/imgres?imgurl=http://bates.blog.lemonde.fr/files/2009/04/logo_pole_emploi.1238685507.jpg&imgrefurl=http://bates.blog.lemonde.fr/2009/04/02/deuxieme-forum-de-la-grande-distribution-et-du-commerce-a-pole-emploi-dreux/&h=300&w=469&sz=15&tbnid=3ElOgctQvlnmwM:&tbnh=82&tbnw=128&prev=/images?q=logo+p%C3%B4le+emploi&hl=fr&usg=__WKhLUtaxHxFDrvpmy59c4SZbkMs=&ei=vJ3JSvjdKsj34AaeqpjHAQ&sa=X&oi=image_result&resnum=1&ct=imageDocument hyperlink
- http://www.google.fr/imgres?imgurl=http://bates.blog.lemonde.fr/files/2009/04/logo_pole_emploi.1238685507.jpg&imgrefurl=http://bates.blog.lemonde.fr/2009/04/02/Document hyperlink
- http://www.google.fr/imgres?imgurl=http://bates.blog.lemonde.fr/files/2009/04/logo_pole_emploi.1238685507.jpg&imgrefurl=http://bates.blog.lemonde.fr/2009/04/02/deuxieme-forum-de-la-grande-distributionDocument hyperlink
- http://www.w3.org/2001/XMLSchema-instanceIn document text (OOXML body / shared strings)
- http://www.w3.org/2001/XMLSchemaIn document text (OOXML body / shared strings)
- http://schemas.xmlsoap.org/soap/envelope/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12466 bytes |
SHA-256: dea3ab3ac5e551c479f5e4685ac0abca36ea8ebb9c6d04d46be3af56e65132f0 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set cc = New closeClass
Set cc.appWord = Application
End Sub
Attribute VB_Name = "ConnectWebService"
Public cc As closeClass
Public Sub FileSave()
On Error GoTo ErreurEnregistrementClassique
If ActiveDocument.CustomDocumentProperties("Source").Value = "ParcoursH" _
Then
If Not (Len(ActiveDocument.FullName) < 6 Or _
(Left(UCase(ActiveDocument.FullName), 4) <> "HTTP" And _
InStr(1, UCase(ActiveDocument.FullName), "DATA\") = False And _
InStr(1, UCase(ActiveDocument.FullName), "\LOCAL") = False)) _
Or GetTagTemp = "oui" Then
On Error GoTo ErreurEnregistrementWebService
If ActiveDocument.CustomDocumentProperties("WebServiceURL").Value = "" Then GoTo ErreurEnregistrementWebService
Dim LocalFilePath As String
LocalFilePath = GetMyDocumentsFolder() & "\" & ActiveDocument.Name
GestionTagTemp True
ActiveDocument.SaveAs (LocalFilePath)
ConnectWebService (LocalFilePath)
Call MsgBox("Le document a bien été enregistré sous ParcoursH.")
Exit Sub
ErreurEnregistrementWebService:
On Error GoTo 0
Err.Clear
Call MsgBox("Ce document ne peut pas être enregistré directement sous ParcoursH. Vous n'avez pas les droits nécessaires ou il existe un problème sur le serveur.")
Else
If Not (ActiveDocument.ReadOnly) Then
On Error GoTo ErreurEnregistrementClassique
ActiveDocument.Save
Exit Sub
End If
End If
End If
ErreurEnregistrementClassique:
On Error GoTo 0
Err.Clear
End Sub
Public Sub GestionTagTemp(Activer As Boolean)
If Activer Then
On Error GoTo ErreurActivation
ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value = "oui"
Exit Sub
ErreurActivation:
ActiveDocument.CustomDocumentProperties.Add Name:="FichierTempParcoursH", LinkToContent:=False, Type:=msoPropertyTypeString, Value:="oui"
On Error GoTo 0
Err.Clear
Else
On Error GoTo ErreurActivation2
ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value = "non"
Exit Sub
ErreurActivation2:
ActiveDocument.CustomDocumentProperties.Add Name:="FichierTempParcoursH", LinkToContent:=False, Type:=msoPropertyTypeString, Value:="non"
On Error GoTo 0
Err.Clear
End If
End Sub
Public Function GetTagTemp() As String
Dim strRetour As String
On Error Resume Next
strRetour = ActiveDocument.CustomDocumentProperties("FichierTempParcoursH").Value
On Error GoTo 0
GetTagTemp = strRetour
End Function
Private Sub ConnectWebService(LocalFilePath As String)
CopyFileByChunk ActiveDocument.CustomDocumentProperties("CheminDoc").Value, LocalFilePath, ActiveDocument.CustomDocumentProperties("User").Value, ActiveDocument.CustomDocumentProperties("IsDocumentType").Value
End Sub
Function CopyFileByChunk(fileName As String, sSource As String, sUser As String, isDocumentType As Boolean) As Boolean
Dim FileSize As Long, OddSize As Long, SoFar As Long
Dim Buffer() As Byte, f1 As Integer, ChunkSize As Long
On Error GoTo CopyFileByChunk_Error
f1 = FreeFile: Open sSource For Binary Access Read As #f1
FileSize = LOF(f1)
If FileSize = 0 Then GoTo Exit_CopyFileByChunk ' -- done!
ChunkSize = 1000000 '5505024 -> 5.25MB
OddSize = FileSize Mod ChunkSize
Dim index As Integer
index = 0
If OddSize Then
ReDim Buffer(1 To OddSize)
Get #f1, , Buffer
index = index + 1
SoFar = OddSize
If UploadFileViaWebService(Buffer, fileName, index, SoFar = FileSize, sUser, isDocumentType) Then
DoEvents
Else
GoTo CopyFileByChunk_Error
End If
End If
If ChunkSize Then
ReDim Buffer(1 To ChunkSize)
Do While SoFar < FileSize
Get #f1, , Buffer
index = index + 1
SoFar = SoFar + ChunkSize
If UploadFileViaWebService(Buffer, fileName, index, SoFar = FileSize, sUser, isDocumentType) Then
'g_frmProgress.lblProgress = "Percent uploaded: " & Format(SoFar / FileSize, "0.0%")
'Debug.Print SoFar, Format(SoFar / FileSize, "0.0%")
DoEvents
Else
GoTo CopyFileByChunk_Error
End If
Loop
End If
CopyFileByChunk = True
Exit_CopyFileByChunk:
Close #f1
Exit Function
CopyFileByChunk_Error:
CopyFileByChunk = False
Resume Exit_CopyFileByChunk
End Function
Public Function UploadFileViaWebService(dataChunk() As Byte, fileName As String, index As Integer, lastChunk As Boolean, sUser As String, isDocumentType As Boolean) As Boolean
On Error GoTo ErrHand
Dim blnResult As Boolean
blnResult = False
'mdlConvert.SetProgressInfo "Connecting to the web server:" & vbNewLine & _
DQUOT & server_title() & DQUOT
On Error Resume Next
Dim strSoapAction As String
Dim strXml As String
If isDocumentType Then
strXml = "<?xml version=""1.0"" encoding=""utf-8""?>" & _
"<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">" & _
"<soap:Body>" & _
"<UploadFile xmlns=""http://tempuri.org/"">" & _
"<fileName>" & fileName & "</fileName>" & _
"<bytes></bytes>" & _
"<index>" & index & "</index>" & _
"<isLastChunk>" & IIf(lastChunk, 1, 0) & "</isLastChunk>" & _
"<userName>" & sUser & "</userName>" & _
"<isDocumentType>true</isDocumentType>" & _
"</UploadFile>" & _
"</soap:Body>" & _
"</soap:Envelope>"
Else
strXml = "<?xml version=""1.0"" encoding=""utf-8""?>" & _
"<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">" & _
"<soap:Body>" & _
"<UploadFile xmlns=""http://tempuri.org/"">" & _
"<fileName>" & fileName & "</fileName>" & _
"<bytes></bytes>" & _
"<index>" & index & "</index>" & _
"<isLastChunk>" & IIf(lastChunk, 1, 0) & "</isLastChunk>" & _
"<userName>" & sUser & "</userName>" & _
"<isDocumentType>false</isDocumentType>" & _
"</UploadFile>" & _
"</soap:Body>" & _
"</soap:Envelope>"
End If
Dim objXmlhttp As Object
Dim objDom As Object
Set objXmlhttp = CreateObject("MSXML2.xmlhttp")
' Load XML
Set objDom = CreateObject("MSXML2.DOMDocument")
objDom.LoadXML strXml
'insert data chunk into XML doc
objDom.SelectSingleNode("//bytes").dataType = "bin.base64"
objDom.SelectSingleNode("//bytes").nodeTypedValue = dataChunk
' Open the webservice
'POST /WebServiceDocuments.asmx HTTP/1.1
'Host: localhost
'Content-Type: text/xml; charset=utf-8
'Content -Length: Length
'SOAPAction: "http://tempuri.org/UploadFile"
objXmlhttp.Open "POST", ActiveDocument.CustomDocumentProperties("WebServiceURL").Value, False
' Create headings
strSoapAction = "http://tempuri.org/UploadFile"
objXmlhttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
objXmlhttp.setRequestHeader "SOAPAction", strSoapAction
' Send XML command
objXmlhttp.send objDom.XML
' Get all response text from webservice
Dim strRet
strRet = objXmlhttp.responseText
' Close object
Set objXmlhttp = Nothing
Set objDom = Nothing
'get the error if any
Set objDom = CreateObject("MSXML2.DOMDocument")
objDom.LoadXML strRet
Dim isSoapResponse As Boolean
isSoapResponse = Not (objDom.SelectSingleNode("//soap:Envelope") Is Nothing)
Dim error As String
If Not isSoapResponse Then
error = "Woops, not a web service"
Else
error = objDom.SelectSingleNode("//soap:Envelope/soap:Body/soap:Fault/faultstring").Text
End If
If error <> "" Then
MsgBox error, True
blnResult = False
Else
Err.Clear 'clear the error caused in the XPath query above
blnResult = True
End If
'close dom object
Set objDom = Nothing
ErrHand:
If Err.Number <> 0 Then
MsgBox Err, "UploadFileViaWebService"
blnResult = False
End If
UploadFileViaWebService = blnResult
End Function
Function GetMyDocumentsFolder()
Dim WshShell As Object
Set WshShell = CreateObject("WScript.Shell")
SpecialPath = WshShell.SpecialFolders("MyDocuments") & "\Documents temporaires ParcoursH"
Set fso = CreateObject("scripting.filesystemobject")
If fso.FolderExists(SpecialPath) = False Then
fso.CreateFolder (SpecialPath)
Else
On Error GoTo ErreurSuppression
Dim NbFichiers As Integer
NbFichiers = fso.GetFolder(SpecialPath).Files.Count
Dim myArray() As String
ReDim Preserve myArray(1 To NbFichiers, 1 To 2)
If (NbFichiers >= 20) Then
For Each file In fso.GetFolder(SpecialPath).Files
For i = 1 To NbFichiers
If (myArray(i, 1) = "") Then
myArray(i, 1) = file.Path
myArray(i, 2) = file.DateLastModified
Exit For
Else
If (myArray(i, 2) > CDate(file.DateLastModified)) Then
For j = NbFichiers - 1 To i
If (myArray(j, 1) <> "") Then
myArray(j + 1, 1) = myArray(j, 1)
myArray(j + 1, 2) = myArray(j, 2)
End If
Next
myArray(i, 1) = file.Path
myArray(i, 2) = file.DateLastModified
Exit For
End If
End If
Next
Next
For index = 1 To NbFichiers - 19
fso.DeleteFile (myArray(index, 1))
Next
End If
ErreurSuppression:
Err.Clear
On Error GoTo 0
End If
GetMyDocumentsFolder = SpecialPath
End Function
Attribute VB_Name = "closeClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents appWord As Application
Attribute appWord.VB_VarHelpID = -1
Private Sub appWord_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean)
On Error GoTo ErreurClose
If GetTagTemp <> "" Then
GestionTagTemp False
LocalFilePath = GetMyDocumentsFolder() & "\" & ActiveDocument.Name
ActiveDocument.Saved = False
'ActiveDocument.SaveAs (LocalFilePath)
ActiveDocument.Save
'Cancel = True
End If
Exit Sub
ErreurClose:
MsgBox Err.Description
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 36352 bytes |
SHA-256: de8a2133a91f27c35a161a8c4b81cea4bb65254837d57f1e50c085f7e2b92fb5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.