Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 99eb62b954046a1b…

MALICIOUS

Office (OLE)

Size: 341.0 KB
Created: 2010-02-25 09:16:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 166f78c462e2198f031b81bba513e5ac
SHA-1: c2046dfa6701b880674d4db21ad944ac72404e31
SHA-256: 99eb62b954046a1be6757178c4ffd2eb091952b72898038df386981264cdf143
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that executes automatically when the document is opened. This macro attempts to create a toolbar and potentially download a second-stage payload from one of the embedded URLs. The presence of the 'FSKASUD' environment variable check suggests a targeted attack. The document body itself appears to be a technical document related to electrical grid connections, likely used as a lure.

Heuristics (6)

  • VBA macros detected (medium; 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches macro documents that are p-code-only, or whose source extraction failed, so that no visible source is available.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://10.18.26.142:7777/asudfsk/doc-upload (in document text, OLE body)
    • http://172.17.21.157:8089/asudfsk/doc-upload (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22245 bytes
SHA-256: 141110768579e9f6019b2407629e0e3e1fe5992477f29a4da3867904d1971554
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "clientDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Documents
' Author Denis Maslakov (mailto:DMaslakov@topsbi.ru), TopS Business Integrator
' 27.03.2006

Private Sub Document_Open()
    OnlyClientMacroses.InitializeClient
End Sub

Private Sub Document_Close()
    OnlyClientMacroses.FinalizeClient
End Sub

Attribute VB_Name = "OnlyClientMacroses"
' Client's macroses
' Author Denis Maslakov (mailto:DMaslakov@topsbi.ru), TopS Business Integrator
' 27.03.2006
Option Explicit
Private confirmationToolBar As CommandBar
Private Const DM_PWD As String = "asud_fsk"

Public Sub InitializeClient()
    If Not (Environ("FSKASUD") <> "") Then ' Client
        CreatesConfirmationToolBar
    End If
End Sub

Public Sub FinalizeClient()
    On Error Resume Next
    If Not (Environ("FSKASUD") <> "") Then ' Client
        If Not (confirmationToolBar Is Nothing) Then
            confirmationToolBar.Delete
            Set confirmationToolBar = Nothing
        End If
        ' Horror! It is done, because created a command bar, macroses...
        Application.NormalTemplate.Saved = True
        ' Save before...
        If Not (clientDocument.ReadOnly Or clientDocument.ReadOnlyRecommended) Then
            clientDocument.Save
            OnlyClientMacroses.CheckinToServer
        End If
    End If
End Sub

Private Sub CreatesConfirmationToolBar()
    Dim appWordVersion As String
    Dim wordVersion As String
    Dim bar As CommandBar
    Dim AcceptRevButton As CommandBarButton
    Dim RejectRevButton As CommandBarButton
    Dim MergeDocsButton As CommandBarButton
    Dim acceptControl As CommandBarControl
    Dim rejectControl As CommandBarControl
    Dim mergeControl As CommandBarControl
    Dim iDx As Integer
    
    On Error Resume Next
    ' Show only for Owner
    If StrComp(getOwnerUserId(), getCurrentUserId(), vbTextCompare) = 0 Then
        For Each bar In Application.CommandBars
            If Not bar.BuiltIn Then bar.Delete
        Next
        
        Set confirmationToolBar = Application.CommandBars.Add("confirmationToolBar", _
                    Position:=msoBarTop, MenuBar:=False, Temporary:=True)
        
        With confirmationToolBar
            .NameLocal = "Рецензирование АСУД"
            .Enabled = True
            .Visible = True
            .Protection = msoBarNoCustomize + msoBarNoChangeDock + msoBarNoMove
        End With
        
        With confirmationToolBar.Controls
            Set AcceptRevButton = .Add(Type:=msoControlButton)
            Set RejectRevButton = .Add(Type:=msoControlButton)
            Set MergeDocsButton = .Add(Type:=msoControlButton)
        End With
        
        appWordVersion = Application.Version
        iDx = InStr(appWordVersion, ".")
        If iDx > 1 Then
            wordVersion = Left(appWordVersion, iDx - 1)
        Else
            wordVersion = appWordVersion
        End If
        If wordVersion = "9" Then
            Set acceptControl = CommandBars.FindControl(Type:=msoControlButton, ID:=1715)
            Set rejectControl = CommandBars.FindControl(Type:=msoControlButton, ID:=1716)
            Set mergeControl = CommandBars.FindControl(Type:=msoControlButton)
        End If
        If wordVersion = "11" Then
            Set acceptControl = CommandBars.FindControl(Type:=msoControlButton, ID:=6240)
            Set rejectControl = CommandBars.FindControl(Type:=msoControlButton, ID:=6243)
            Set mergeControl = CommandBars.FindControl(Type:=msoControlButton)
        End If
        
        acceptControl.CopyFace
        With AcceptRevButton
            .TooltipText = "Позволяет принять все исправления сделанные другими пользователями в документе"
            .Caption = "Принять исправления"
            .Style = msoButtonIconAndCaption
     
... (truncated)