MALICIOUS
348
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1218.011 Rundll32
T1059.003 Windows Command Shell
T1140 Deobfuscate/Decode Files or Information
T1059.005 Visual Basic
The sample contains a Workbook_Open macro that utilizes CreateObject to execute commands via Wscript.Shell, as indicated by the 'SE_CLIPBOARD_COMMAND_LURE' and 'SE_LOLBIN_RUN_COMMAND' heuristics. The embedded document body text contains strings related to HTTP requests and execution tools like rundll32.exe, suggesting the macro downloads and executes a second-stage payload from one of the provided URLs. The ClamAV detection of 'Doc.Downloader.Emotet-10019767-0' strongly supports the Emotet family attribution.
Heuristics 10
-
ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://rccgpromisedland.org/admin-assets/fonts/fontawesome/svgs/brands/e4E1oOjZXWEj.php
- https://momentsjo.com/COPYRIGHT/fUK6TkrF5j2dFc.php
- https://fantasymedia.net/deviantden.com/wp-content/themes/twentynineteen/classes/qxEJ4XFyEF.php
- https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.php
- https://ultradiademexico.com/templates/ja_purity/styles/header/blue/nDNeZQP5.php
- https://arfresa.com/globospayasoperu.com/web/wp-content/et-cache/178/088bWm9bjVQJe.php
- https://raufsana.com/ls-panel/ckeditor/plugins/magicline/images/wU1DtAWj6.php
- https://zetortcommunications.co.ke/wp-content/plugins/woocommerce/includes/abstracts/t8wJEqJD.php
- https://loveworldprograms.org/videos/fontawesome/css/FHK2joBPEd.php
- https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.php
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas23411467b84dac49f4cf8fdb5e3699f6e2c28fc5d2471d397a81bfbe58743237 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2018179 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
vbaProject_00.bin4679d997ec284bb15306f94587940377e3088571f40c1cc440eac54b1dcb64bf |
vba-project | OOXML VBA project: xl/vbaProject.bin | 4088320 bytes |
|
Detection
ClamAV:
Doc.Downloader.Emotet-10019767-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.