MALICIOUS
370
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is an XLSM file containing a Workbook_Open VBA macro that utilizes CreateObject to download and execute a second-stage payload from a remote URL. The ClamAV detection 'Doc.Downloader.Emotet-10019767-0' strongly suggests Emotet family involvement. The macro's functionality aligns with downloading and executing arbitrary code, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' heuristic.
Heuristics 10
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
ClamAV: Doc.Downloader.Emotet-10019767-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10019767-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yolophiwe.co.za/progress/lib/lightbox/css/HIYRmK7Zz5StRsU.php
- https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mCB8abRB2.php
- https://inhousecare.org/GNyTpi4kVJrip.php
- https://test399.estore.vlinkhosting.com/keO6l8CTVAVBY.php
- https://lernendeutsch.de/App/vendor/phar-io/manifest/examples/rC6SrlTXo3VNK9.php
- https://sellobsoleteinventories.com/images/favicon/0mJUsyWM8dOk6.php
- https://quicklane.ae/llKTfaRKu9cHNme.php
- https://serdalpecel.com.tr/css/fonts/font-awesome/css/smUU2T8ExE4p.php
- https://espgamerica.com/vendor/rvsitebuilder/core/fonts/vendor/Od8ptePPjMagXHZ.php
- https://yolophiwe.co.za/progress/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas95ae03ec839f542869e0d5be8767e42fb78645d00a8b17e4c7f3621048705884 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2643801 bytes |
vbaProject_00.bind9245575d40f15adc0b8380b89fde29b519201ddb5b779c9d7555e819ccb7b94 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 5386240 bytes |
|
Detection
ClamAV:
Doc.Downloader.Emotet-10019767-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.