MALICIOUS
Risk Score: 322
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1071.001 Web Protocols
The sample contains a VBA macro with an AutoOpen subroutine, which runs automatically when the document is opened. The macro uses WScript.Shell to delete an inline shape, then recursively searches the user's INetCache directory for files. It appears to construct a command that copies a file named '<file>.dotx' from INetCache to 'C:\Windows\Tasks\abc.wsf', likely to execute a second-stage payload. The remote template injection URL also present in the document further supports the delivery of malicious content.
Heuristics (9)
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- Remote template injection [high] OOXML_REMOTE_TEMPLATE: Document references a remote template URL (http://windowsupdates.shop/test.dotx), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA project inside OOXML [medium] OOXML_VBA: Document contains a VBA project (VBA macros present).
- External relationship [medium] OOXML_EXTERNAL_REL: External target in word/_rels/settings.xml.rels: http://windowsupdates.shop/test.dotx
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | d1caf33113f975e4ed661132e0a7e91c4b242c4bf41300d16da86b8c38955186 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4048 bytes |
| vbaProject_00.bin | f87a81b7910d06bfcba944d6ec68a99ee4dfc5cbf659cb9f96aba16b9324cf8b | vba-project | OOXML VBA project: word/vbaProject.bin | 28672 bytes |