Verdict: MALICIOUS
Risk Score: 644

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File: User Execution
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics indicate the use of `Shell()`, `WScript.Shell`, and `URLDownloadToFile`, suggesting that the macro's purpose is to download and execute a second-stage payload. The `auto-exec` and `obfuscated_autoexec_loader` heuristics also fired, which further supports this and indicates dropper functionality.
Heuristics (14)

- ClamAV: Doc.Dropper.Generic-6834355-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Generic-6834355-0
- VBA project inside OOXML (medium, OOXML_VBA, 9 related findings): Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureAgile.bin)
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
- VBA property-stored shellcode loader (critical, OLE_VBA_PROPERTY_SHELLCODE_LOADER): VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source; this is the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- AutoOpen macro (high, OLE_VBA_AUTOOPEN)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA project carries a recognised code-signing signature (info, VBA_SIGNED_TRUSTED): The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only: the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs in this sample are labelled "Referenced by macro".
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1025837 bytes | 56516976c20d15fef5bcf095cc7fc166adef8e89092637908447037e658a17dc |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 4431872 bytes | cdcc5246b393b7ad2c6cebfa7f4882b1cba1a73906da26d5ed3525c9f7981f46 |
| vbaProject_01.bin | vba-project | OOXML VBA project: word/vbaProjectSignatureAgile.bin | 5835 bytes | aab90304d9e8ea3472e82b45bd86f0be6e3c1a73a8b39b61565adffff9a2b64f |
| vbaProject_02.bin | vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 5720 bytes | 04b0c0454b4f9ce68b3903a8ad84b3fbd80e0dfbfbc2dac97755d5a11cbc8450 |

Per-artifact detection:

- macros.bas: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s)).
- vbaProject_00.bin: ClamAV: Doc.Dropper.Generic-6834355-0. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s)).
- vbaProject_01.bin: no detection recorded.
- vbaProject_02.bin: no detection recorded.

Preview script (macros.bas): first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "thisApplication"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Public WithEvents oApp As Word.Application
Attribute oApp.VB_VarHelpID = -1
Const bTestEvents As Boolean = False
Public ignoreDocChange As Boolean
Public doAfterEvent As Boolean

Public Sub RunOpenCodeOnActiveDocument()
    RunOpenCode ActiveDocument
End Sub

Private Sub RunOpenCode(ByRef thisDoc As Document)
    Dim sMode As String
    Dim sProcessStarted As String
    Dim saveFile As String
    Dim sMappingInfo As String
    On Error GoTo ExitCode
    'DS: some files had sant template mode properties and when used in build it blows up if we run the other actions as well
    'so skip the processing if we have an active build going on.
    If bActiveBuild Then
        DebugMsgBox "Not running code on [" & thisDoc.FullName & "] due to build process", "RunOpenCode:"
        Exit Sub
    End If
    Dim stubMode As String
    stubMode = GetPropertyText("QvidianStubMode", thisDoc)
    DebugMsgBox "Stub Operation [" & stubMode & "]", "RunOpenCode:"
    gOpenViaNewEdit = False
    If stubMode <> "" Then
        modDocProperties.WriteProperty "QvidianStubMode", "Processed", thisDoc
        Dim sServer As String
        'Dim sUserID As String
        Dim sJobFile As String
        Dim contentCount As Integer
        sServer = GetPropertyText("Server", thisDoc)
        DebugMsgBox "Server in stub file is [" & sServer & "]", "RunOpenCode:"
        Select Case stubMode
            Case "MultiEdit"
                ' MAJOR BUG FOR Office 2013!!!!
                ActiveWindow.View.ReadingLayout = False
                ' Before we do anything else, hide the text that is only required
                ' when the add-in is NOT installed.
                ActiveWindow.Selection.WholeStory
                ActiveWindow.Selection.Delete
                ActiveDocument.Saved = True
                sJobFile = GetPropertyText("QvidianJobFile", thisDoc)
                contentCount = CInt(GetPropertyText("ContentCount", thisDoc))
                DebugMsgBox "sJobFile [" & sJobFile & "] and count of [" & contentCount & "]", "RunOpenCode:"
                If sJobFile <> "" Then
                    If processJobFile(sJobFile, contentCount) Then
                        MsgBox "Failed to download the Job File."
                    End If
                Else
                    MsgBox "The seed file does not contain a Job File!"
                End If
            Case "SantWordEdit"
            Case "Processed"
                'already ran on this doc, ignore
                'was causing multiple open requests with lots of errors associated.
        End Select
        DebugMsgBox "DONE WITH STUB OPERATION STUFF, WE'RE OUT OF HERE.", "RunOpenCode:"
        Exit Sub
    End If
    sMode = GetPropertyText("SantTemplateMode", thisDoc)
    sProcessStarted = GetPropertyText("ProcessStarted", thisDoc)
    DebugMsgBox "Template Mode [" & sMode & "], Process Started [" & sProcessStarted & "], File [" & thisDoc.FullName & "]", "RunOpenCode:"
    burstMode = False
    Select Case sMode
        Case "SantWordBulkLoad"
            'Check if existing bookmarks are ok.
            DebugMsgBox "CheckForExistingBookmarks", "RunOpenCode:"
            modTools.CheckForExistingBookmarks thisDoc
    End Select
    Select Case sMode
        Case "BulkloadLaunch", "SantWordBulkLoadActive"
            'Do nothing
        Case "SantR
```
... (truncated)