MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro that utilizes Shell() and CreateObject() calls, indicating malicious intent. The document body impersonates an NHS Diabetes Prevention Programme invitation, urging the user to call a phone number or visit a URL, which is a common social engineering tactic. The VBA script likely attempts to download and execute a second-stage payload.
Heuristics (7)
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://preventing-diabetes.co.uk/self-referral (In document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18989 bytes |

SHA-256: ce9341904ef43074bfd831f80cdf8a9fda9e9c0e648f5f4d9756a4297322411c

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Dim wApp As New EventClassModule

Private Sub Document_Close()
    Dim fld As MailMergeField
    Dim vMerge As Boolean
    On Error GoTo DocCloseErr
    CustomizationContext = ActiveDocument
    If Not SmartTag Is Nothing Then SmartTag.CloseHelper Me
    For Each fld In ActiveDocument.MailMerge.Fields
        If InStr(fld.Code, "SYSTEM") Then vMerge = True: Exit For
        If InStr(fld.Code, "PRACTICE") Then vMerge = True: Exit For
        If InStr(fld.Code, "PATIENT") Then vMerge = True: Exit For
        If InStr(fld.Code, "REFERRAL") Then vMerge = True: Exit For
        If InStr(fld.Code, "DRUG") Then vMerge = True: Exit For
        If InStr(fld.Code, "MEDICAL") Then vMerge = True: Exit For
        If InStr(fld.Code, "CURRENT") Then vMerge = True: Exit For
        If InStr(fld.Code, "REPEATS") Then vMerge = True: Exit For
        If InStr(fld.Code, "PROBLEMS") Then vMerge = True: Exit For
    Next
    If Not vMerge Then
        MsgBox "This template will not function correctly " + vbNewLine + _
            "without any Vision MergeFields. " + vbNewLine + vbNewLine + _
            "Please insert at least ONE!" + vbNewLine + vbNewLine + _
            "It needs to be within the main text body" + vbNewLine + _
            "not a header, footer, textbox or shape.", vbCritical, "SmartTags2 - referral Template"
        CommandBars("Mail Merge").Visible = True
    Else
        CommandBars("Mail Merge").Visible = False
    End If
DocCloseErr:
End Sub

Private Sub Document_Open()
    Dim MyBar As CommandBar
    Dim MyPopup As CommandBarPopup
    Dim MyCmd As CommandBarControl
    ' ***********************
    ' Set SmartRange = Me
    ' ***********************
    On Error Resume Next
    CustomizationContext = ActiveDocument
    CommandBars("Menu Bar").Controls("&SmartTags2").Delete
    CommandBars("Menu Bar").Controls("&SmartTags2").Delete
    CommandBars("Menu Bar").Controls("&SmartTags3").Delete
    CommandBars("Menu Bar").Controls("&SmartTags3").Delete
    CommandBars("Mail Merge").Visible = True
    On Error GoTo OpenDocErr
    If Application.Version < 14 Then
        CommandBars("Menu Bar").Controls.Add(msoControlPopup, , , CommandBars("Menu Bar").Controls.count + 1).Caption = "&SmartTags3"
        Set MyPopup = CommandBars("Menu Bar").Controls("&SmartTags3")
        Set MyCmd = MyPopup.Controls.Add(msoControlButton)
        MyCmd.Caption = "Run Smart&Tags"
        MyCmd.OnAction = "RunSmartTag"
        Set MyCmd = MyPopup.Controls.Add(msoControlButton)
        MyCmd.Caption = "SmartTags &Helper"
        MyCmd.OnAction = "ShowTagsHelp"
    End If
    ' Register Event Handler
    Set wApp.App = Word.Application
    On Error Resume Next
    If Application.Visible = True Then
        'Check if Vision is being used
        If Dir("O:\Program\Vision.exe") <> "" Then
            While VisionNotOpen
                If MsgBox("Please login to Vision", vbOKCancel, "Please Start Vision") = vbCancel Then
                    If Application.Documents.count = 1 Then
                        Application.Quit SaveChanges:=wdDoNotSaveChanges
                    Else
                        Application.ActiveDocument.Close SaveChanges:=wdDoNotSaveChanges
                    End If
                End If
            Wend
        Else
            Exit Sub
        End If
        Set SmartTag = OpenSmartTags
        If Not SmartTag Is Nothing Then SmartTag.ShowHelper Me
    End If
OpenDocErr:
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E032594E-E0C2-4DCB-85A3-F88B76CDFC03}{35C783A8-30EF-4AE7-8FF6-2BD87E699981}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "RibbonControl"
Option Explicit
Public myRibbon As IRibbonUI
Sub Onload(ribbon As IRibbonUI)
    'Create a ribbon instance for use in this project
    Set myRibbon
```
... (truncated)