MALICIOUS
404
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros that utilize the `URLDownloadToFile` function, indicating an attempt to download and execute a second-stage payload. The presence of `WScript.Shell` and `CreateObject` further supports this, suggesting the execution of downloaded content. The obfuscated shell command with a URL points to a downloader functionality.
Heuristics 11
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBA
-
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://key-design-share.com/FHG_Erscheinungsbild/01_Grundelemente/1_1_Logos/ Referenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
- http://info-archiv.fraunhofer.de/cd-2009/Fraunhofer_Erscheinungsbild/01_Grundelemente/1_1_Logos/Referenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://ns.adobe.com/pdf/1.3/Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://ns.adobe.com/xap/1.0/mm/Referenced by macro
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 45537 bytes |
SHA-256: ff0c4e61f646beacce360bac941c22ab943559df039fefe763da4e57fc34fef2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Document_New()
'## schrift überprüfen
Dim strFontName As String
strFontName = "Frutiger LT Com 45 Light"
If IsFontInstalled(strFontName) Then
Else
MsgBox strFontName & " ist n i c h t installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
Documents.Close
Exit Sub
End If
Dim strFontName2 As String
strFontName2 = "Frutiger LT Com 55 Roman"
If IsFontInstalled(strFontName2) Then
Else
MsgBox strFontName2 & " ist n i c h t installiert! Das Dokument wird geschlossen. Bitte Schrift installieren!"
Documents.Close
Exit Sub
End If
End Sub
Attribute VB_Name = "Logotausch"
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal _
szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Function Stream_BinaryToString(Binary, CharSet)
Const adTypeText = 2
Const adTypeBinary = 1
'Create Stream object
Dim BinaryStream 'As New Stream
Set BinaryStream = CreateObject("ADODB.Stream")
'Specify stream type - we want To save text/string data.
BinaryStream.Type = adTypeBinary
'Open the stream And write text/string data To the object
BinaryStream.Open
BinaryStream.Write Binary
'Change stream type To binary
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
'Specify charset For the source text (unicode) data.
If Len(CharSet) > 0 Then
BinaryStream.CharSet = CharSet
Else
BinaryStream.CharSet = "us-ascii"
End If
'Open the stream And get binary data from the object
Stream_BinaryToString = BinaryStream.ReadText
End Function
Function Logo_einstellen(pfad, eps)
' Selection.SetRange 0, 0
ActiveDocument.ActiveWindow.View.SeekView = wdSeekCurrentPageHeader
For Each sect In ActiveDocument.Sections
For Each head In sect.Headers
For Each shp In head.Shapes
' For Each shp In ActiveDocument.Shapes
If (Right(shp.AlternativeText, 17) = "Logo_ausgetauscht" Or Right(shp.AlternativeText, 4) = "Logo") Then
shp.Delete
End If
Next shp
Next head
Next sect
Dim datei As String
arr = Split(pfad, "/")
datei = arr(UBound(arr))
If (datei = "false") Then
ActiveDocument.ActiveWindow.View.SeekView = wdSeekMainDocument
Exit Function
End If
URL = pfad
Randomize
temp = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%Temp%")
pfad = temp & "\" & Int(Math.Rnd() * 10000) & datei
ret = URLDownloadToFile(0, URL, pfad, 0, 0)
'For Each sect In ActiveDocument.Sections
Set sect = ActiveDocument.Sections(1)
For Each head In sect.Headers
If (sect.Index > 0) Then
Dim neu
Set neu = head.Shapes.AddPicture(pfad, False, True)
neu.LockAspectRatio = msoTrue
neu.Width = CentimetersToPoints(6)
'neu.ScaleHeight neu.ScaleWidth, T
... (truncated)
|
|||
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 607232 bytes |
SHA-256: 9c690d23892c8eb1f15060bc69cc3d36709e8274113f8249796aae4e9554e6b3 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 172544 bytes |
SHA-256: 8e8b57a28936d5c576ae2e6720e93957fb98c33fb0771083a2b4a0e44f3c2cef |
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: word/media/image1.emf | 4784 bytes |
SHA-256: a2a44070544c416819d2d65b99f9fb3891c55371f4c4f3ffce26e6ecb7d739d0 |
|||
emf_01.emf |
ooxml-emf | OOXML EMF part: word/media/image2.emf | 5284 bytes |
SHA-256: fd8832c0b167f1e13fa0bdf070f43b11b401d0694608f77c8c4c42d2e1043fe3 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.