MALICIOUS
370
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is an XLSM file containing a Workbook_Open macro that utilizes `CreateObject` and `Wscript.Shell` to download and execute a second-stage payload from a remote URL. The ClamAV detection and heuristic firings strongly indicate this is an Emotet downloader. The macro's primary function is to fetch and run a malicious executable from one of the provided URLs.
Heuristics 10
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://sincroniasdelalma-new.srcomputadoras.com/wp-content/themes/twentynineteen/template-parts/content/S1tU7zL7RBAfK.php
- https://tseboprocurement.co.za/inc/phpmailer/test_script/images/_notes/E3KYpyHWeU.php
- https://lernendeutsch.de/App/vendor/phar-io/manifest/examples/rC6SrlTXo3VNK9.php
- https://neatleedone.com/wp-content/plugins/bulk-attachment-download/jabd-downloads/1/ODsVQnOlgHO.php
- https://mtzasesores.com/wp-content/themes/invictus/templates/events/aVORUgnnJ.php
- https://consultoriaemimpermeabilizacao.com/wp-includes/js/tinymce/plugins/charmap/SUn668N8oHZI.php
- https://archampton.com/wp-content/plugins/kirki/controls/css/Ic6AlDEacA.php
- https://beta.hairshow.pt/Xkjfx6qv.php
- https://vorsocmart.com/jVdoyxAE.php
- https://greenbelt-mea.com/css/IYQWLc9dokeSK0.php
- https://sincroniasdela
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basd18b3ef68f547a62534f6140d886c0127ebcf9c4435be8ec7d339847b7073dfd |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2630723 bytes |
vbaProject_00.bin7283b8dba9ff4bb1ba2654148f08f6f3f5561996ae5e5554f432804ef1102bb1 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 5405184 bytes |
|
Detection
ClamAV:
Doc.Downloader.Emotet-10019767-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.