MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
The sample contains an obfuscated VBA macro with an AutoOpen subroutine, indicating it is designed to execute automatically upon opening. The script utilizes CreateObject and appears to perform decryption and display a message box, suggesting it's a downloader or part of a multi-stage attack. The presence of VBA macros and an AutoOpen function strongly points to a malicious document, likely delivered via spearphishing.
Heuristics 7
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://bytes.com/topic/access/insights/906850-aes-encryption-algorithm-vba-vbscript In document text (OOXML body / shared strings)
- http://bytes.com/topic/access/answers/940196-help-aes-encryption-algorithm-vba-vbscriptIn document text (OOXML body / shared strings)
- http://splinter.com.au/blogIn document text (OOXML body / shared strings)
- http://bytes.com/topic/access/answers/940196-help-aes-encryption-algorithm-vba-vbscript�In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://stackoverflow.com/a/30760913/5738In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 41840 bytes |
SHA-256: ffc7877ed3f118938537740d9e4b9a82c09390f75256aa7809021f8c8995cc1d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Main"
Sub AutoOpen()
Dim text As Object, pw As String, MD5 As Object
Getfg
GetPW
Set text = CreateObject("System.Text.UTF8Encoding")
Set MD5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")
pw = ToHexString(MD5.ComputeHash_2(text.GetBytes_4(alter)))
Debug.Print RetrieveDecryptAES(fg, pw, 1)
MsgBox RetrieveDecryptAES(fg, pw, 1), vbOKOnly, "Recon Complete"
End Sub
Attribute VB_Name = "AES"
Function StoreEncryptAES(sMessage As String, sPassword As String, Optional iRounds As Integer = 20000) As String
StoreEncryptAES = Encode64(EncryptAES(SHA1HASH(sMessage) & ":" & sMessage, sPassword, iRounds))
End Function
' Dependency on "functions Base64" and "functions SHA1"
Function RetrieveDecryptAES(sMessage As String, sPassword As String, Optional iRounds As Integer = 20000, Optional asString As Boolean = False) As String
Dim dMessage As String
Dim hash As String
Dim separator As Integer
dMessage = DecryptAES(Decode64(sMessage), sPassword, iRounds)
If InStr(dMessage, ":") < 1 Then
If asString = True Then
RetrieveDecryptAES = "#invalidpassword"
Else
Err.Raise 640, "functions AES", "Invalid password/passphrase"
End If
End If
hash = Left(dMessage, InStr(dMessage, ":") - 1)
RetrieveDecryptAES = Right(dMessage, Len(dMessage) - (Len(hash) + 1))
If hash <> SHA1HASH(RetrieveDecryptAES) Then
If asString = True Then
RetrieveDecryptAES = "#invalidpassword"
Else
Err.Raise 640, "functions AES", "Invalid password/passphrase"
End If
End If
End Function
Function EncryptAES(sMessage As String, sPassword As String, Optional iRounds As Integer = 1) As String
EncryptAES = sMessage
Do Until iRounds < 1
EncryptAES = AES(EncryptAES, True, sPassword)
iRounds = iRounds - 1
Loop
End Function
Function DecryptAES(sMessage As String, sPassword As String, Optional iRounds As Integer = 1) As String
DecryptAES = sMessage
Do Until iRounds < 1
DecryptAES = AES(DecryptAES, False, sPassword)
iRounds = iRounds - 1
Loop
DecryptAES = nTrim2(DecryptAES)
End Function
' ###########################################################################################
' # Following code performs AES Encryption/Decryption of text
' #
' # Based on :
' # http://bytes.com/topic/access/insights/906850-aes-encryption-algorithm-vba-vbscript
' # With adjustments based on :
' # http://bytes.com/topic/access/answers/940196-help-aes-encryption-algorithm-vba-vbscript
' ###########################################################################################
Function AES(sMessage As String, isEncode As Boolean, sPassword As String) As String
Dim sbox()
Dim sboxinv()
Dim rcon()
Dim g2()
Dim g3()
Dim g9()
Dim g11()
Dim g13()
Dim g14()
g2 = Array( _
&H0, &H2, &H4, &H6, &H8, &HA, &HC, &HE, &H10, &H12, &H14, &H16, &H18, &H1A, &H1C, &H1E, _
&H20, &H22, &H24, &H26, &H28, &H2A, &H2C, &H2E, &H30, &H32, &H34, &H36, &H38, &H3A, &H3C, &H3E, _
&H40, &H42, &H44, &H46, &H48, &H4A, &H4C, &H4E, &H50, &H52, &H54, &H56, &H58, &H5A, &H5C, &H5E, _
&H60, &H62, &H64, &H66, &H68, &H6A, &H6C, &H6E, &H70, &H72, &H74, &H76, &H78, &H7A, &H7C, &H7E, _
&H80, &H82, &H84, &H86, &H88, &H8A, &H8C, &H8E, &H90, &H92, &H94, &H96, &H98, &H9A, &H9C, &H9E, _
&HA0, &HA2, &HA4, &HA6, &HA8, &HAA, &HAC, &HAE, &HB0, &HB2, &HB4, &HB6, &HB8, &HBA, &HBC, &HBE, _
&HC0, &HC2, &HC4, &HC6, &HC8, &HCA, &HCC, &HCE, &HD0, &HD2, &HD4, &HD6, &HD8, &HDA, &HDC, &HDE, _
&HE0, &HE2, &HE4, &HE6, &HE8, &HEA,
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 202240 bytes |
SHA-256: 9d11a17e47ef7017bda2fd2f941c6548e6fd65a7aeb86be8e3cd590d42aa4827 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.