MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is an Office document containing VBA macros. The macros use obfuscated declarations for functions like 'NtWriteVirtualMemory' and 'GetOverlappedResult' from 'ntdll' and 'Shlwapi.dll' respectively. This suggests an attempt to write to memory, a common technique for executing downloaded payloads. The OLE slack anomaly further indicates potential hidden or packed data within the file.
Heuristics 3
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 185,856 bytes but its declared streams total only 110,997 bytes — 74,859 bytes (40%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1460 bytes |
SHA-256: 4c09c84fb02c66466523de80d2a57c50ef2c7344973a79d7c6dec0b829c976ba |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "cystoplegia"
Attribute VB_Base = "0{5396473A-D849-43F5-B0EB-566F2263570B}{5C8232ED-6D86-4F76-A74E-CA80605CB1D0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bulbulator"
Attribute VB_Name = "plinersd"
#If (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Public Declare PtrSafe Function unauthorized _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal adapid As Any, ByVal ramify As Any, ByVal evangelist As Any, ByVal baroreceptor As Any, ByVal acutely As Any) As LongPtr
Public Declare PtrSafe Function euphorbium Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal chipping As Any, gangrenous As Any, categorial As Any, aerodynamics As Any) As LongPtr
#ElseIf (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Public Declare Function iceboat Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal diligence As Any, acanthocephala As Any, aforethought As Any, caramel As Any) As Long
Public Declare Function unauthorized _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal tonsil As Any, ByVal temperamentally As Any, ByVal inordinately As Any, ByVal afield As Any, ByVal iii As Any) As Long
#End If
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.