Verdict: MALICIOUS
Risk score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
ClamAV flags the sample with the signature Doc.Dropper.Emotet-7556670-0, so it is most likely an Emotet maldoc dropper. The extracted VBA contains a Document_Open handler in ThisDocument, the execution vector Emotet's document stage has relied on: the handler does nothing except call Ofntftypq.Oefmbsxhf in another module, and every module carries a randomly generated name, which is itself a sign of obfuscation. The GetObject call flagged by the heuristics (it does not fall within the truncated preview below), together with the p-code finding that pairs an auto-execution token with shell/download/object-execution tokens, is consistent with a macro whose only job is to fetch and launch a second-stage payload. Neither the payload URL nor the executed command appears in this report; the one extracted URL is an Office DrawingML schema namespace, not an indicator.
Heuristics (6)
- ClamAV: Doc.Dropper.Emotet-7556670-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware with signature Doc.Dropper.Emotet-7556670-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code. On its own this is not a verdict; the three findings below are what make it one.
- Document_Open macro (high, OLE_VBA_DOCOPEN): the VBA project defines a Document_Open handler, which Word runs as soon as the document is opened with macros enabled, with no further user interaction.
- GetObject call (high, OLE_VBA_GETOBJ): the macro calls GetObject, which binds to a COM or WMI object by moniker and is a common way for maldocs to spawn a process without a visible Shell call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents (including stomped macros) where the visible source is unavailable or does not match what actually runs.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into any document containing drawing objects; treat it as expected content, not as a download or C2 indicator.
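As an added illustration (not the analyzer's own code, and not code from the sample), the following Python reimplements the three macro heuristics above as a scanner over decoded VBA source, plus a string-level fallback over the compiled module stream for the p-code-only / stomped case. Both inputs are constructed for the example: the module names are modelled on the extracted macros.bas preview, but the GetObject body and the fake p-code bytes are invented. The real analyzer's p-code check works on the actual compiled stream; the fallback here only string-scans for ASCII and UTF-16LE identifiers, which is the same idea in simplified form.

```python
import re

# Handlers that Office runs on its own once macros are enabled.
AUTOEXEC_NAMES = ("Document_Open", "AutoOpen", "Auto_Open", "AutoExec",
                  "Workbook_Open", "Document_Close", "AutoClose")
# Identifiers that let a macro launch code, fetch content or bind COM objects.
EXEC_TOKENS = ("GetObject", "CreateObject", "Shell", "WScript.Shell",
               "URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "powershell")


def _find_tokens(text, tokens):
    """Whole-word, case-insensitive search (VBA is case-insensitive: the real
    sample spells its handler 'Document_open'). A leading '.' is excluded so
    'WScript.Shell' is not also reported as a bare 'Shell'."""
    return [t for t in tokens
            if re.search(r"(?<![\w.])" + re.escape(t) + r"(?!\w)", text, re.IGNORECASE)]


def scan_source(vba_source):
    """Source-level heuristics over decoded VBA (what olevba extracts)."""
    modules = re.findall(r'Attribute VB_Name = "([^"]+)"', vba_source)
    autoexec = _find_tokens(vba_source, AUTOEXEC_NAMES)
    exec_tokens = _find_tokens(vba_source, EXEC_TOKENS)
    findings = []
    if modules:
        findings.append("OLE_VBA_MACROS")
    if "Document_Open" in autoexec:
        findings.append("OLE_VBA_DOCOPEN")
    if "GetObject" in exec_tokens:
        findings.append("OLE_VBA_GETOBJ")
    return {"modules": modules, "autoexec": autoexec,
            "exec_tokens": exec_tokens, "findings": findings}


def scan_pcode_stream(stream):
    """Fallback for p-code-only or stomped modules: the compiled module stream
    still carries identifier names as ASCII or UTF-16LE strings, so look for
    the same tokens there. Simplified: a real decoder (pcodedmp, olevba's
    --pcode) walks opcodes; this only string-scans both byte alignments."""
    views = [stream.decode("latin-1"),
             stream.decode("utf-16-le", errors="ignore"),
             stream[1:].decode("utf-16-le", errors="ignore")]
    autoexec, exec_tokens = set(), set()
    for view in views:
        autoexec.update(_find_tokens(view, AUTOEXEC_NAMES))
        exec_tokens.update(_find_tokens(view, EXEC_TOKENS))
    findings = ["OLE_VBA_PCODE_AUTOEXEC_EXEC"] if autoexec and exec_tokens else []
    return {"autoexec": sorted(autoexec), "exec_tokens": sorted(exec_tokens),
            "findings": findings}


def classify(vba_source, pcode_stream=b""):
    """An auto-exec entry point paired with an execution token, from either the
    source or the compiled stream, is the maldoc pattern; macros alone are not."""
    src = scan_source(vba_source)
    pc = scan_pcode_stream(pcode_stream)
    autoexec = set(src["autoexec"]) | set(pc["autoexec"])
    exec_tokens = set(src["exec_tokens"]) | set(pc["exec_tokens"])
    if autoexec and exec_tokens:
        verdict = "malicious"
    elif autoexec or exec_tokens:
        verdict = "suspicious"
    elif src["modules"]:
        verdict = "benign-macros"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": src["findings"] + pc["findings"],
            "autoexec": sorted(autoexec), "exec_tokens": sorted(exec_tokens)}


# Constructed sample modelled on the report's macros.bas: the ThisDocument
# handler only calls into a second, randomly named module. That module's body
# is invented here; the real one is not in the truncated preview.
SAMPLE_SOURCE = '''Attribute VB_Name = "Xcbfczvhn"
Attribute VB_Base = "1Normal.ThisDocument"
Private Sub Document_open()
Ofntftypq.Oefmbsxhf
End Sub
Attribute VB_Name = "Ofntftypq"
Public Sub Oefmbsxhf()
Dim Yhq As Object
Set Yhq = GetObject("winmgmts:win32_process")
End Sub
'''

# Constructed stomped module: the visible source is attribute-only, but the
# fake compiled stream still names the handler (length-prefixed ASCII) and the
# objects it uses (one UTF-16LE, one ASCII).
STOMPED_SOURCE = 'Attribute VB_Name = "Luitcruhkptxh"\nAttribute VB_Creatable = False\n'
STOMPED_PCODE = (b"\x0d" + b"Document_Open" + b"\x00\x00"
                 + "GetObject".encode("utf-16-le") + b"\x00\x00"
                 + b"\x05" + b"Shell" + b"\x00")

if __name__ == "__main__":
    for name, src, pc in (("emotet-like", SAMPLE_SOURCE, b""),
                          ("stomped", STOMPED_SOURCE, STOMPED_PCODE)):
        r = classify(src, pc)
        print(f"{name}: {r['verdict']} findings={r['findings']} "
              f"autoexec={r['autoexec']} exec={r['exec_tokens']}")
```

The stomped case is why the p-code heuristic is scored high on its own: `scan_source` sees only attribute lines and reports nothing beyond OLE_VBA_MACROS, while the stream scan still recovers Document_Open, GetObject and Shell and the verdict comes out the same as for the readable sample.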
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10820 bytes | 4629154ef7d900ab4a6ccdf86dbde171551b1e5153bf13e3127cee814a386830 |
Preview: first 1,000 lines of the extracted script (macros.bas). The first module, with VB_Base = "1Normal.ThisDocument", is the ThisDocument module that holds the Document_Open handler; the modules whose VB_Base is of the form "0{GUID}{GUID}" are UserForm modules, and only their attribute headers appear in the visible portion. The GetObject call flagged in the heuristics is not within this excerpt.
Attribute VB_Name = "Xcbfczvhn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Ofntftypq.Oefmbsxhf
End Sub
Attribute VB_Name = "Luitcruhkptxh"
Attribute VB_Base = "0{840194FF-0ECA-4B35-B4A2-05DED49759BF}{6E7BD8FE-A7AB-43AB-B7FB-4AFADE2822FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Qcqqpgtltfkl"
Attribute VB_Base = "0{F9ED3187-C744-4DFC-9430-6B4E313602BA}{79BE980D-93F5-4EE8-B35F-AEEC2AD24343}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Wmtdlhdzwhl"
Attribute VB_Base = "0{75330957-83FC-4EC9-A26E-A81FB6643386}{67A7FA24-A1B3-4561-9789-83D3E31DAE33}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Blcbxfouzvgsr"
Attribute VB_Base = "0{C70F2D96-A758-48E2-987C-AA70380DCB39}{AA949C96-B992-4775-A320-C525BC215720}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Cqayzuxyoodc"
Attribute VB_Base = "0{E9A5E1AA-CC7B-41B1-B3ED-04149C2C84D9}{A30C2C6C-CB77-41BA-B2D0-C77C48A46DBE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Gifchsaremg"
Attribute VB_Base = "0{27804853-1208-46BC-BA36-7FB3E09146E1}{91A6AB43-AD60-43F0-8AAF-B5CFBD672F70}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Wqnltokxfhmo"
Attribute VB_Base = "0{D59F7ACC-FCF0-4879-95D7-B9645CD2D709}{71FB7431-BA36-4597-8999-39396D424FD8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Monucydt"
Attribute VB_Base = "0{9FE58382-B708-4D57-A13D-C28CA5343273}{8E2E4784-DA63-43EA-AF95-86398D12C0E6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Pjzskmos"
Attribute VB_Base = "0{F374E34C-773E-41C6-AD1C-DB3CF3D86947}{4B092C56-CF74-46AC-8BF1-200999517DF4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Biadjoftabsod"
Attribute VB_Base = "0{133BB048-F5C8-4D9C-B59B-E7C02C326806}{D864DF1B-3696-45B6-813E-1B29C8BBEC46}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Dqrdsrcdlvk"
Attribute VB_Base = "0{BC5C81D7-3833-4AFE-AC54-57720B12082F}{9711A984-DC30-46D3-8BC0-92B7DC6B5491}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived =
... (truncated)